36 Replies  Latest reply: May 31, 2014 9:09 PM by Joshua Johnson - CCNP R&S

    Describe the IP Packet Header and each field in a Traffic Capture

    Joshua Johnson - CCNP R&S

      See attached, have fun!

        • 3. Re: Describe the IP Packet Header and each field in a Traffic Capture
          jheinrichs79

          Well this is my first time doing this... Hope I got it correct.

          I used this as my basis: http://nmap.org/book/images/hdr/MJB-IP-Header-800x576.png

           

          Then looked at the output and came up with this:

           

          eigrp-capture-header.JPG

          How did I do?

          • 4. Re: Describe the IP Packet Header and each field in a Traffic Capture
            mett

            Thanks for this wild question, it made me realize many things!!!

            Often watching a sniffer lately and suddenly being able to visualize those fields down the UI is quite exciting.

             

            I attached a png as well, as I'm not sure about the format on the CLN forum.

             

                     0                   1                   2                   3
                     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
                    +-------+-------+---------------+-------------------------------+
                    |   4   |   5   |      c0       |             0064              |
                    +-------+-------+---------------+-------------------------------+
                    |             0000              |             0000              |
                    +---------------+---------------+-------------------------------+
                    |      02       |      58       |             cd76              |
                    +---------------+---------------+-------------------------------+
                    |                           0a000002                            |
                    +---------------------------------------------------------------+
                    |                           e000000a                            |
                    +---------------------------------------------------------------+

             

            4: IPv4(version)

            5: Header is 5x32bits words(IHL)

            c0: 1100 00(00) CS6, Class Selector 6 (IP precedence 6) + Explicit Congestion Notification set to 0 (DS, related to TOS and used for QoS).

            0064:0000 0000 0110 0100 or 100 bits long datagram supposed to come after(Total length).

            0000:0 (Identification) Fragment's id.

            0000:0000 0000 0000 0000 or no flags set(000) and this is the first fragment(Flags,3bits)+(Fragment Offset).

            02:0000 0010 or (4) 2 hops(TTL).

            58:0101 1000 or 88 or EIGRP encapsulated next(Protocol).

            cd76:(Header Checksum).

            0a000002:0000 1010 0000 0000 0000 0000 0000 0010 or 10.0.0.2(Source IP)

            e000000a:1110 0000 0000 0000 0000 0000 0000 1010 or 224.0.0.10(Destination IP)

            ip_eigrp.png

            • 5. Re: Describe the IP Packet Header and each field in a Traffic Capture
              Joshua Johnson - CCNP R&S

              You guys talk about it, figure it out and have fun.

              • 6. Re: Describe the IP Packet Header and each field in a Traffic Capture
                Joshua Johnson - CCNP R&S

                Chandan go ahead, I was just kidding about CCNP and above not allowed.  I think we can all learn from each other.

                • 7. Re: Describe the IP Packet Header and each field in a Traffic Capture
                  Joshua Johnson - CCNP R&S

                  I'd like to pose a question to you, jheinrichs.  (I think that posing a question can help you more than giving you the answer.)  If the Header Length field is only 4 bits, how can it accurately describe the header length?  The maximum header length is what in bytes?

                  • 8. Re: Describe the IP Packet Header and each field in a Traffic Capture
                    jheinrichs79

                    I'm not sure... I'm going to have to go back and look at it.

                    Thanks Joshua for the hint... I will see if I can figure it out!

                    • 9. Re: Describe the IP Packet Header and each field in a Traffic Capture
                      Joshua Johnson - CCNP R&S

                      Any further study on this?

                      • 10. Re: Describe the IP Packet Header and each field in a Traffic Capture
                        mett

                        Did a better version, but would need more time to dig some parts of it. Anyway, the answer didn't change much.

                         

                        So, First the IP_header

                        IP_Header.png

                         

                        Vers: Version(4bits) [0000 - 1111] [0 - 15] with 4 for IPv4 or 6 for IPv6 or SIP.

                         

                        IHL: Internet Header Length (4 bits as well). Specifies the IP packet header length in 32-bit words.

                               Minimum value is 5, i.e. an IP header is at its minimum 5x32-bit words but it can be more.

                               It can be at its maximum 15x32-bit words (theoretically).

                         

                        DS: Differentiated Services (8 bits). But the last 2 are unused. Quite deep at this level, I would need more

                               time to come up with a clear explanation.

                               When only the first 3 bits are used and the last 3 are set to 0, it is called

                               Class Selector with 000 being Best Effort(BE) and 111 being highest precedence.

                               Class Selector is used for backward compatibility with IP precedence

                               (Originally, those 8 bits were used for TOS).

                               When the last 3 bits are used in conjunction with the first 3 bits, it is called Assured Forwarding

                               and is used to shape traffic.

                               Basically, this field is used for QoS shaping by a router or network device.

                         

                        Total length: 16 bits [0000 0000 0000 0000 - 1111 1111 1111 1111] [0 - 65536] The length of the

                                             datagram (Max length 65536).

                         

                        Identification: 16 bits This is used to identify fragments of one datagram from those of another.

                         

                        Flags and Offset: 16 bits Flags(3 bits)(Reserved[100]/Don't Fragment[010]/More Fragment[001])

                                                    and 13 bits offset [0 - 8192]. This is used to identify fragments' places in a datagram

                                                    (if we have fragments).

                         

                        TTL: Time To Live(8bits) [0 - 256] Max 256 hops.

                         

                        Protocol: Specifies the next protocol encapsulated(8 bits) 256 possible protocols. TCP is 6, UDP is 17.

                         

                        Source IP: 32 bits (4,294,967,296 possibilities minus all network IDs and broadcast addresses and the reserved ones).

                         

                        Destination IP: Same as above

                         

                        Options: 32bits Variable length(8 bits) With the Copy flag(1bit), the Class(2bits) and the Option(5bits)

                                      + padding, used as a filler to guarantee that the data starts on a 32 bit boundary.


                        Then, the sample_packet_header

                         

                        Sample_Packet_Header.png

                         

                        4: [0100] IPv4(version)

                         

                        5: [0101] Header is 5x32bits words(IHL)

                         

                        c0: [1100 00(00)] CS6, ClassSelector6(IP precedence 6)+(because)Explicit Congestion Notification set to 0.(DS)

                         

                        0064: [0000 0000 0110 0100] or 100 bits long datagram supposed to come after(Total length).

                         

                        0000: 0 (Identification)

                         

                        0000: [(000)0 0000 0000 0000] or no flags set (000, i.e. no 'Don't Fragment' and no 'More Fragment') = this is the only

                                 fragment (Flags, 3 bits) + (Fragment Offset).

                         

                        02: [0000 0010] or (2) 2 hops(TTL).

                         

                        58: [0101 1000] or 88 or EIGRP encapsulated next(Protocol).

                         

                        cd76: (Header Checksum).

                         

                        0a000002: [0000 1010 0000 0000 0000 0000 0000 0010] or 10.0.0.2(Source IP)

                         

                        e000000a: [1110 0000 0000 0000 0000 0000 0000 1010] or 224.0.0.10(Destination IP)

                        • 11. Re: Describe the IP Packet Header and each field in a Traffic Capture
                          Joshua Johnson - CCNP R&S

                          Thanks mett, looks good so far, I'll look at the rest later and offer a response.

                           

                          jheinrichs - mett gave you the answer to the question I gave you.

                          • 13. Re: Describe the IP Packet Header and each field in a Traffic Capture
                            Joshua Johnson - CCNP R&S

                            mett wrote:

                             

                            Did a better version, but would need more time to dig some parts of it. Anyway, the answer didn't change much.

                             

                            So, First the IP_header

                            IP_Header.png

                             

                            Vers: Version(4bits) [0000 - 1111] [0 - 15] with 4 for IPv4 or 6 for IPv6 or SIP.  SIP is deprecated, for those who don't know.

                             

                            IHL: Internet Header Length (4 bits as well). Specifies the IP packet header length in 32-bit words.

                                   Minimum value is 5, i.e. an IP header is at its minimum 5x32-bit words but it can be more.

                                   It can be at its maximum 15x32-bit words (theoretically).

                            Can you think of why the maximum header length would be reached?

                             

                            DS: Differentiated Services (8 bits). But the last 2 are unused. Quite deep at this level, I would need more

                                   time to come up with a clear explanation.

                                   When only the first 3 bits are used and the last 3 are set to 0, it is called

                                   Class Selector with 000 being Best Effort(BE) and 111 being highest precedence.

                                   Class Selector is used for backward compatibility with IP precedence

                                   (Originally, those 8 bits were used for TOS).

                                   When the last 3 bits are used in conjunction with the first 3 bits, it is called Assured Forwarding

                                   and is used to shape traffic.

                                   Basically, this field is used for QoS shaping by a router or network device.

                            Good description.  The difference between class selector and ip precedence is little.  Class selectors were created for backwards compatibility from DSCP to IP Precedence, and it's basically the same thing other than the terminology.

                             

                            Total length: 16 bits [0000 0000 0000 0000 - 1111 1111 1111 1111] [0 - 65536] The length of the

                                                 datagram (Max length 65536). 0 to 65535 but yes The Total length maximum (which includes the header length) is 65535 bytes... if you subtract the Header length you can figure out how big the ip packet payload is (which includes the transport layer header and application data.)

                             

                            Identification: 16 bits This is used to identify fragments of one datagram from those of another.  Good, and each fragment of the original IP packet has the same ID.

                             

                            Flags and Offset: 16 bits Flags(3 bits)(Reserved[100]/Don't Fragment[010]/More Fragment[001])

                                                        and 13 bits offset [0 - 8192]. This is used to identify fragments' places in a datagram

                                                        (if we have fragments).  Good.  So if the DF bit is set, and when the packet runs into a datalink with a smaller MTU than the size of the packet, the packet will simply be dropped.  If the DF bit is not set, then the packet will be fragmented with all fragments having the same ID field.  All fragments will have the MF bit set until the very last fragment, which will have the MF bit set to 0, indicating that the fragment was the last one.

                             

                            TTL: Time To Live (8 bits) [0 - 256] Max 256 hops.  0 to 255, but yes, having a total of 256 combinations.  Interestingly enough, TTL was first created as seconds instead of hops.  If a packet was delayed more than a second it was decremented.  However, I've read this is very hard to implement and wasn't usually used.  Routers just decrement the TTL at each hop and then drop the packet if it is decremented to 0, with an error message sent back to the origin.

                             

                            Protocol: Specifies the next protocol encapsulated(8 bits) 256 possible protocols. TCP is 6, UDP is 17. Good

                             

                            Source IP: 32 bits (4,294,967,296 possibilities minus all network IDs and broadcast addresses and the reserved ones).

                             

                            Destination IP: Same as above Good good

                             

                            Options: 32bits Variable length(8 bits) With the Copy flag(1bit), the Class(2bits) and the Option(5bits)

                                          + padding, used as a filler to guarantee that the data starts on a 32 bit boundary.

                            Options allow routers to enter information for testing purposes, such as:

                            Loose source routing

                            Strict source routing

                            Record route

                            Timestamp

                            Use extended ping to invoke this, for example...


                            Then, the sample_packet_header

                             

                            Sample_Packet_Header.png

                             

                            4: [0100] IPv4(version)

                             

                            5: [0101] Header is 5x32bits words(IHL)

                             

                            c0: [1100 00(00)] CS6, ClassSelector6(IP precedence 6)+(because)Explicit Congestion Notification set to 0.(DS)

                             

                            0064: [0000 0000 0110 0100] or 100 bits long datagram supposed to come after(Total length).

                             

                            0000: 0 (Identification)

                             

                            0000: [(000)0 0000 0000 0000] or no flags set (000, i.e. no 'Don't Fragment' and no 'More Fragment') = this is the only

                                     fragment (Flags, 3 bits) + (Fragment Offset).

                             

                            02: [0000 0010] or (2) 2 hops(TTL).

                             

                            58: [0101 1000] or 88 or EIGRP encapsulated next(Protocol).

                             

                            cd76: (Header Checksum).

                             

                            0a000002: [0000 1010 0000 0000 0000 0000 0000 0010] or 10.0.0.2(Source IP)

                             

                            e000000a: [1110 0000 0000 0000 0000 0000 0000 1010] or 224.0.0.10(Destination IP)

                             

                            The reason I asked for the hex numbers is because the hex of any particular packet is shown below in Wireshark when selected.  If you select a particular field or header in Wireshark, it will highlight the hex, showing you the position of the data within the packet.  Good stuff.

                            • 14. Re: Describe the IP Packet Header and each field in a Traffic Capture
                              mett

                              Vers: [snip].  SIP is deprecated, for those who don't know.

                              --> Was wondering what this protocol is; I had never heard about it.

                              It seems it was the supposed next protocol to IPv4 but finally SIPPlus (better known as IPv6) was chosen.

                               

                              IHL: [snip]. Can you think of why the maximum header length would be reached?

                              --> You gave me a hint with the option stuff at the end. I just extended ping with Loose Option and Record Option and got a 60 bytes IHL.

                              Maximum header length is reached when using Options.

                               

                              Total length: [snip].

                              0 to 65535 but yes The Total length maximum (which includes the header length) is 65535 bytes... if you subtract the Header length you can figure out how big the ip packet payload is (which includes the transport layer header and application data.)

                              --> Actually got confused, 65536 possibilities means 0 to 65535 (did the same with the TTL thing, thought 256 is strange).

                              So for the TTL we have 256 possibilities for a maximum of 255 hops.

                              --> Also, I thought the IP header is not included in this number, I just checked and understood, it is included.

                              Total Length - IHL = IP Datagram Payload = L4PDU.

                              --> Finally, you're writing 65535 bytes, that was troubling as well as I thought "how come we are counting a 16-bit thing and coming up with a result in bytes?". I found the answer on another forum: "The counter is in bits but what it is counting is bytes".

                              Or, it is showing a number of bytes under a bit notation.

                               

                              Flags and Offset: [snip]. So if the DF bit is set, and when the packet runs into a datalink with a smaller MTU than the size of the packet, the packet will simply be dropped.  If the DF bit is not set, then the packet will be fragmented with all fragments having the same ID field.  All fragments will have the MF bit set until the very last fragment, which will have the MF bit set to 0, indicating that the fragment was the last one.

                              --> This I tried to check but couldn't tcpdump while looking at a huge page on the net, all I could get are packets with the DF bit set.

                              I'm telling that because I read somewhere that the Total Length is in fact not 65535 but 65528 to be able to link it with the MF and Fragment Offset.

                              The explanation was something like fragments are specified in units of 8 bytes to correlate with a Total length of 65528.

                              So, 13 bits i.e. [0 to 8191] multiplied by 8 = 65528. The fragment offset would be the L4PDU length (I mean no IP header, only the IP datagram Payload) divided by 8. Can you confirm that?

                               

                              PS: To be able to visualize field and header is really interesting and thanks for this nice thread.
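A worked decoder for the sample header walked through in this thread, added here as an example (not code from the thread or any of its participants): it unpacks each field of the constructed 20-byte header 45c0 0064 0000 0000 0258 cd76 0a000002 e000000a, reports the fragment offset in 8-byte units and the payload as Total Length minus header length, and recomputes the RFC 791 header checksum to confirm the captured cd76. The field names in the returned dict are my own choice.

```python
import ipaddress
import struct

# Constructed sample: the 20-byte IPv4 header of the EIGRP packet decoded in
# this thread (45 c0 00 64 00 00 00 00 02 58 cd 76 0a 00 00 02 e0 00 00 0a).
SAMPLE_HEADER_HEX = "45c00064" "00000000" "0258cd76" "0a000002" "e000000a"

MAX_IHL_WORDS = 15      # 4-bit IHL: at most 15 x 32-bit words = 60 bytes of header
FRAGMENT_UNIT = 8       # 13-bit offset counts 8-byte units: 8191 * 8 = 65528


def ipv4_checksum(words: bytes) -> int:
    """RFC 791 header checksum: one's complement of the one's-complement sum of
    all 16-bit words, computed with the checksum field itself set to zero."""
    if len(words) % 2:
        words += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(words) // 2), words))
    while total >> 16:                            # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4_header(data: bytes) -> dict:
    """Decode every fixed field of an IPv4 header and verify its checksum.
    Raises ValueError on a header that is truncated or has an impossible IHL."""
    if len(data) < 20:
        raise ValueError("truncated: need at least 20 bytes, got %d" % len(data))
    (ver_ihl, tos, total_len, ident, flags_frag,
     ttl, proto, csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", data[:20])
    version, ihl = ver_ihl >> 4, ver_ihl & 0x0F
    header_len = ihl * 4                          # IHL is in 32-bit words
    if version != 4:
        raise ValueError("not IPv4: version %d" % version)
    if ihl < 5 or ihl > MAX_IHL_WORDS or len(data) < header_len:
        raise ValueError("bad IHL %d for %d bytes of data" % (ihl, len(data)))
    # The checksum covers the header only, with its own two bytes zeroed.
    zeroed = data[:10] + b"\x00\x00" + data[12:header_len]
    return {
        "version": version,
        "ihl_words": ihl,
        "header_len": header_len,
        "dscp": tos >> 2,                         # 6 bits: CS6 == 48 == 110000b
        "ecn": tos & 0x3,                         # 2 bits
        "total_length": total_len,                # bytes, header included
        "payload_length": total_len - header_len, # L4 PDU (transport header + data)
        "identification": ident,
        "reserved_flag": bool(flags_frag & 0x8000),
        "df": bool(flags_frag & 0x4000),
        "mf": bool(flags_frag & 0x2000),
        "fragment_offset_bytes": (flags_frag & 0x1FFF) * FRAGMENT_UNIT,
        "ttl": ttl,
        "protocol": proto,                        # 88 == EIGRP, 6 == TCP, 17 == UDP
        "checksum": csum,
        "checksum_ok": ipv4_checksum(zeroed) == csum,
        "src": str(ipaddress.IPv4Address(src)),
        "dst": str(ipaddress.IPv4Address(dst)),
        "options": data[20:header_len],           # empty unless IHL > 5
    }


if __name__ == "__main__":
    for field, value in parse_ipv4_header(bytes.fromhex(SAMPLE_HEADER_HEX)).items():
        print("%-22s %s" % (field, value))
```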
