Effective packet analysis requires familiarity with the primary protocols in use in modern networks. In this chapter, we will review the most common protocols in their respective layers:
We'll cover the significant purpose and relevant fields to support network connectivity and/or application functionality in each protocol, as well a sampling of Wireshark capture and display filters for each protocol.
We reviewed the purpose of the OSI and DARPA reference models in Chapter 2, Networking for Packet Analysts. The visual depiction of their layers is repeated in the following diagram as a reference and summary of some of the primary protocols and where they fit into their respective layers:
Network layer protocols, also known as Internet layer protocols in the DARPA reference model, provide basic network connectivity and internetwork communications services. In this layer, you will predominantly find the IP protocol being used to get packets transported across the network, along with ARP, IGMP, and ICMP.
We covered the IP and ARP protocol packet header structures and fields in Chapter 2, Networking for Packet Analysts, so this information won't be repeated. However, basic Wireshark capture and display filters are provided here and also for the remaining protocols in the following sections:
Display filter(s): ip ip.addr==192.168.1.1 ip.src== ip.dst== ip.id > 2000
The Internet Group Management Protocol (IGMP) is used by hosts to notify adjacent routers of established multicast (one-to-any) group memberships. In other words, IGMP enables a computer that provides content (video feeds), for example, to provide such content to a distributed group of users using one set of the multicast address ranges (in the 224.0.0.0
to 239.255.255.255
class D multicast range). This multicast capability depends on routers that are capable and configured to support this service; clients must join the multicast group. When a host wants to start a multicast, it sends an IGMP Membership Report
message to the 224.0.0.2
(all multicast routers) address that specifies the multicast IP address for this particular group. Clients who wish to join or leave this group (so they can receive the multicast content) send an IGMP join or leave message to the router. The following table shows the various ranges for addresses:
Starting address range |
Ending address range |
Description |
---|---|---|
|
|
These are reserved for special well-known multicast addresses |
|
|
These are globally-scoped (Internet-wide) multicast addresses |
|
|
These are locally-scoped and administered multicast addresses |
The following screenshot shows the significant fields in the IGMP protocol header:
The preceding significant fields in the IGMP protocol header include:
You should also note the following interesting fields in the previous protocol layers:
01:00:5e:00:00:00 – 01:00:5e:7f:ff:ff
)224.0.0.22
, which is a reserved IGMPv3 multicast IP addressThe IGMP protocol has multiple versions and is rather complex. Refer to the protocol references provided at the beginning of this chapter for more information.
The Internet Control Message Protocol (ICMP) is used by network devices such as routers to send error messages indicating that a requested service is not available, or a host or network router could not be reached. ICMP is a control protocol. This means that although it is transported as IP datagrams, it does not carry the application data—instead, it carries the information about the status of the network itself.
One of the most well-known uses of ICMP is to ping, wherein a device sends an ICMP echo request (Type 8, Code 0) packet to a distant host (via that host's IP address), which will (if the ICMP service isn't disabled or blocked by an intermediate firewall) respond with an ICMP echo reply (Type 0, Code 0) packet. Pings are used to determine whether the target host is available and can be reached over the network. By measuring the time that expires between ping requests and replies, we know the round trip time (RTT) delay time over the network path.
A variation of ping functionality is used to perform a traceroute (also known as traceroute), which is a list of the IP addresses of the router interfaces that packets traverse to get from a sending device to a target host or device. The traceroutes are used to determine or confirm the network path taken from a sending device to a target host or device.
A traceroute is accomplished by sending the ICMP echo request packets to a distant host just as in a normal ping, but with modifications to the Time-to-Live (TTL) field in the IP header of each packet. The traceroute function takes advantage of the fact that each router in a network path decrements the TTL value in a packet by 1, so as the packet traverses, the routers in a path and the TTL value will decrease accordingly along the way. If a router receives a packet with a TTL value of 1, it will send an ICMP TTL exceeded in transit (Type 11, Code 0) error message back to the sender (along with a copy of the request packet it received) and otherwise discard (not forward) the packet.
The traceroute works by sequentially setting the TTL in multiple ICMP request packets to 1, then to 2, then 3, and so on, which results in each router in the network path sending TTL exceeded error messages back to the sender. Since these returned messages are sent by the in-path router using the IP address of the interface where the ICMP packet was received, the traceroute utility can build and display a progressive list of router interface IP addresses in the path and the RTT delay to each router.
A sampling of the most commonly seen types of ICMP control messages, including their type and code (subtype) numbers, are provided in the following table:
Type |
Code |
Description |
---|---|---|
0 |
0 |
This indicates echo reply (ping) |
3 |
0 |
This indicates destination network unreachable |
3 |
1 |
This indicates destination host unreachable |
3 |
4 |
This indicates fragmentation required and do not fragment bit set |
3 |
6 |
This indicates destination network unknown |
3 |
7 |
This indicates destination host unknown |
5 |
0 |
This indicates redirect datagram for the network |
5 |
1 |
This indicates redirect datagram for the host |
8 |
0 |
This indicates echo request (ping) |
11 |
0 |
This indicates TTL expired in transit (seen in traceroutes) |
The Wireshark packet details fields for the ICMP packet illustrated in the following screenshot depict a Time-to-live exceeded message as seen in a typical traceroute capture:
The following points are significant to analyze this packet:
The second set of IPv4 and ICMP headers that follow the first IPv4 and ICMP headers are copies of the original packet transmitted by the sender. This copy is returned to allow determination of the packet that caused the ICMP message. The significant points in the packet details of this ICMP message copy include:
205.251.242.51
.10.192.128.1
router interface. This packet cannot be forwarded, resulting in the TTL exceeded message being sent back to the sender.Another common use of ICMP is to redirect a client to use a different default gateway (router) to reach a host or network than the gateway it originally tried to use. In the ICMP Redirect packet depicted in the following screenshot, a number of packet fields should be noted:
192.168.1.1
, which was the client's default gateway; this is the router sending the redirect packet back to the client192.168.1.1
is telling the client to use to reach the desired target host is 192.168.1.2
10.1.1.125
The following screenshot shows the ICMP Redirect packets:
The Internet Protocol Version 6 (IPv6) is the latest version of Internet protocol, and although it is in its earliest stages of adoption, it is intended to eventually replace IPv4—mostly to alleviate the shortage of IP addresses that can be assigned to network devices. IPv4, with its 32-bit address space, provides approximately 4.3 billion addresses, nearly all of which have been assigned to companies and private interests worldwide.
IPv6 utilizes a 128-bit address space, which allows 2128 or approximately 3.4 x 1038 addresses; that number is 340,282,366,920,463,463,374,607,431,768,211,456 unique addresses.
The 128 bits of an IPv6 address are represented in eight groups of 16 bits each, written as four hexadecimal digits separated by colons (:). An example of an IPv6 address is 2001:0db8:0000:0000:0000:ff00:0042:8329
.
For convenience, an IPv6 address may be abbreviated to shorter notations by application of the following rules, wherever possible:
An example of applying these rules to IPv6 addresses is as follows:
2001:0db8:0000:0000:0000:ff00:0042:8329
2001:db8:0:0:0:ff00:42:8329
2001:db8::ff00:42:8329
The 128 bits of an IPv6 address are logically divided into a network prefix and a host identifier. The Class Inter-Domain Routing (CIDR) notation is used to represent IPv6 network prefixes, for example, 2001:DB8:0:CD30::/64
represents network 2001:DB8:0000:CD30::
.
There are three basic types of IPv6 addresses:
2xxx
(such as 2000::/3
).FE80
(FE80::/10
). They are automatically assigned to an interface when it is initialized using an algorithm that uses a rearranged version of the NIC's 48-bit MAC address in the IPv6 address and are used to communicate on the local link. These addresses are not routable. IPv6 uses link-local addresses for neighbor discovery functions.FC00
(FC00::/7
). This block of addresses is reserved for use in private IPv6 networks.FFxx
. An example of a multicast address is FF01:0:0:0:0:0:0:101
, which can be shortened to FF01::101
. There is no broadcast address in IPv6; multicasts are used as a replacement. Some well-known multicast addresses are shown in the following table:
Address |
Description |
Scope |
---|---|---|
|
All nodes address |
Interface-local (spans only a single interface on a node useful only for loopback transmission of multicast packets) |
|
All nodes address |
Link-local (all nodes on the local network segment) |
|
All routers address |
Interface-local |
|
All routers address |
Link-local |
|
All routers address |
Site-local (spans a single site) |
|
DHCPv6 servers/agents |
Link-local |
|
DHCPv6 servers/agents |
Site-local |
Further discussion of IPv6 addressing would cover quite a number of additional features, which are beyond the scope of this book. The reader is encouraged to research IPv6 addressing further online and/or by reading Request For Comments (RFC) 4291 (IP Version 6 Addressing Architecture).
An example of an IPv6 protocol header is illustrated in the following screenshot:
The IPv6 header fields are similar to many IPv4 headers and the fields include:
IPv6 supports extension headers that provide additional information fields and that also extend the length of the IPv6 header. There is specific Next Header code that indicates the presence of this added functionality.
As part of the transition to IPv6, the current TCP/IP devices support dual stacks (IPv4 and IPv6 simultaneously) and the ability to encapsulate and tunnel IPv6 packets inside IPv4 packets so that they can be routed by IPv4 networks. The three of the most popular encapsulation methods are:
41
(IPv6), and the source IPv6 address in the IPv6 header will start with 2002
.3544
.24.6.173.220
becomes ::0:5EFE:1806:addc
. ISATAP encapsulates IPv6 headers within IPv4 as in 6to4 tunneling.Internet Control Message Protocol Version 6 (ICMPv6) is an integral part of IPv6, and the base protocol must be fully implemented by every IPv6 node. ICMPv6 provides services for an IPv6 environment that are provided by other distinct protocols in an IPv4 environment, such as Neighbor Solicitation to replace ARP.
The following table contains some of the common ICMPv6 packet types:
An example of a Neighbor Solicitation ICMPv6 packet is shown in the following screenshot:
The significant fields in this packet include:
3.144.143.31