How it works...

Layer 4 protocols, mostly TCP and UDP, are the protocols that connect end applications. The end node on one side (for example, a web client) sends a message to the other side (for example, a web server), requesting a connection to it. The numeric identifiers of the process that sends the request and of the process that receives it are called port numbers. Further discussion of this topic is provided in Chapter 11, Transport Layer Protocol Analysis.

For both TCP and UDP, the port numbers identify the application on each side. The difference between them is that TCP is a connection-oriented, reliable protocol, while UDP is a connectionless, unreliable protocol. There is an additional layer 4 protocol, the Stream Control Transmission Protocol (SCTP), which can be regarded as an advanced version of TCP and which also uses port numbers.

TCP flags are sent in packets in order to establish, maintain, and close connections. A flag is set when the corresponding bit in the TCP header is set to 1. The most common flags in use are:

  • syn: A signal sent in order to open a connection
  • fin: A signal sent in order to close a connection
  • ack: A signal sent to acknowledge received data
  • rst: A signal sent to close a connection immediately
  • psh: A signal sent to push data to the end process (application) for processing

Using capture filters, you can filter packets to or from specific applications, as well as packets that have specific flags turned on.

We talked about the filter tcp[tcpflags] & (tcp-syn|tcp-fin) != 0, and we saw that it uses & rather than the more common operator &&. The difference is that & and | are bitwise operators: the result is calculated bit by bit, not on the entire field as a single true/false value.

There is a funny thing here. If you try, for example, the filter tcp[tcpflags] & (tcp-rst) == 1, it will come up with no results. This is because the preceding Wireshark filter instructs the capture engine to perform a bitwise AND of tcpflags with 11111111 and then check whether the result equals 1. A TCP packet with the rst flag set to 1 will have the value 00000010, so 00000010 AND 11111111 results in 00000010, which is not equal to 1.

On the other hand, when we write tcp[tcpflags] & (tcp-rst) != 0, we perform a bitwise AND between 00000010 and 11111111; the result is again 00000010, which is not equal to 0, so the filter matches as intended.
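As an added illustration (not from the book, and not Wireshark or libpcap code), the following Python mimics how the capture-filter engine evaluates an expression of the form tcp[tcpflags] & <mask> (==|!=) <number> against a constructed set of TCP flag bytes. The flag bit values are the ones defined in pcap-filter(7); the parser and the sample packets are hypothetical helpers written for this example.

```python
import re

# Flag bit values as defined in pcap-filter(7) for the tcp[tcpflags] byte.
TCP_FLAG_BITS = {
    "tcp-fin": 0x01, "tcp-syn": 0x02, "tcp-rst": 0x04,
    "tcp-push": 0x08, "tcp-ack": 0x10, "tcp-urg": 0x20,
}

# Grammar subset handled here: tcp[tcpflags] & <mask> (==|!=) <number>,
# where <mask> is one flag name or several joined with '|', optionally in parentheses.
_FILTER_RE = re.compile(
    r"^\s*tcp\[tcpflags\]\s*&\s*\(?\s*([a-z|\s-]+?)\s*\)?\s*(==|!=)\s*(\d+)\s*$"
)


def parse_filter(expr):
    """Return (mask, operator, value) for a supported capture-filter expression."""
    m = _FILTER_RE.match(expr)
    if not m:
        raise ValueError("unsupported filter: %r" % expr)
    mask = 0
    for name in m.group(1).split("|"):
        mask |= TCP_FLAG_BITS[name.strip()]   # KeyError for an unknown flag name
    return mask, m.group(2), int(m.group(3))


def matches(expr, tcpflags):
    """Evaluate the filter the way BPF does: mask the flags byte, then compare."""
    mask, op, value = parse_filter(expr)
    masked = tcpflags & mask   # bitwise AND: the result is 0 or a subset of the mask bits
    # The masked value can only equal 1 when the mask includes tcp-fin, so "== 1"
    # is not a general "flag is on" test; "!= 0" (or "== <mask>") is.
    return masked == value if op == "==" else masked != value


def apply_filter(expr, packets):
    """Return the labels of the constructed packets that the filter would capture."""
    return [label for label, flags in packets if matches(expr, flags)]


# Constructed sample traffic: (label, tcpflags byte), not captured from a real network.
PACKETS = [
    ("SYN", 0x02), ("SYN-ACK", 0x12), ("ACK", 0x10),
    ("PSH-ACK", 0x18), ("RST", 0x04), ("FIN-ACK", 0x11),
]

if __name__ == "__main__":
    for expr in ("tcp[tcpflags] & (tcp-rst) == 1",
                 "tcp[tcpflags] & (tcp-rst) != 0",
                 "tcp[tcpflags] & (tcp-syn|tcp-fin) != 0",
                 "tcp[tcpflags] & tcp-fin == 1"):
        print("%-42s -> %s" % (expr, apply_filter(expr, PACKETS)))
```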
