4 Packet Analysis IP – Headers, Tools and notes

IPv4 has 4 classes of network (A,B,C,D)

An IPv4 address which starts with 0 (A), 10 (B), 110 (C), and 1110 (D).

  • Byte = 8 bits; octet = 8 bits

For CMSY164, we will examine the IP and TCP header

Please review the IP header diagram below:

IP header from nmap
ipv4 header

IP header are information in front of the IP packet.

  • Version will be value 4 – we are primary using IPv4
  • Header Length – header is at least 20 bytes, excluding the options.
  • Type of Service – it contains 3-bits precedence filed, but used. 4 service bits, and 1 unused bit.
  • Total Length – specified in bytes
  • Identification – uniquely identifies the datagram, the number is  usually increased by 1 each time the datagram is sent.
  • IP Flags offset – used for fragmentation
  • Time to Live – Usually set to 32 or 64. This value is decremented by each router that processes the datagram. Router discards the datagram when TTL reaches 0.
  • Protocol – Tells IP where to send the datagram up to, 6 being TCP.
  • Header Checksum – only covers the header, not the data.
  • Source Address – The sender
  • Destination Address – The destination

Ethernet packet maximum size is 1500 bytes,  if an Ethernet packet is larger than 1500 bytes, then it broken into multiple 1500 bytes packets. This is the fragmentation of an Ethernet packet. Based on RCF 791, it describes the IP fragmentation, and transmission and reassembly of IP packets.  The IP identification field along with the remote and local internet address and the IP identification, and fragment offset field are use for fragmentation and reassembly of IP packets.

4-Tupe and IP Header Value in HEX

4-tuple is from network socket programming.

From Wikipedia:

In practice, socket usually refers to a socket in an Internet Protocol (IP) network (where a socket may be called an Internet socket), in particular for the Transmission Control Protocol (TCP), which is a protocol for one-to-one connections. In this context, sockets are assumed to be associated with a specific socket address, namely the IP address and a port number for the local node, and there is a corresponding socket address at the foreign node (other node), which itself has an associated socket, used by the foreign process. Associating a socket with a socket address is called binding.

For CMSY-164, the 4-tuple or sometimes called 5-tuple is:

1- Source IP Address

2 – Source TCP Port

3 – Destination IP address

4 – Destination TCP Port

5 – Protocol

For CMSY164, we will examine IPv4 header in hex.

Byte offset represent the location starting at zero. Zero is the first location. For example, the location of the IP “version” is offset 0.

Given the following windump:

windump file
windump of ip datagram

Given the above hex dump, the following hex values based on the IPv4 header:

Version = 4
Header Length = 5
Type of Service = 00
Total Length = 0123
Identification = 506a
FragFlag = 0
Fragment Offset = 000
Time To Live = 40
Protocol = 11
Checksum =8d0f
Source Address = c0a80d01
Destination Address = c0a80dff


IP Fragmentation

IP frag   In most cases, the router will manage large packets and chunk the packets to 1500 bytes. IP identification is 16 bits and is value is assigned by the sender of the IPv4 datagram. The fragment Offset is 13 bits. The fragment flag is 3 bits, the first bit is reserved and always set to 0.

Example of IP fragmentation and Reassembly 4000 byte datagram with 1500 MTU

Original Packet:

*Recall that in our example, we set the maxium size (MTU) as 1500bytes.

Therefore, we take 1500 bytes – 20 bytes (header) / 8 bytes per datagram.

Original Packet
Length ID fragment flag offset ID
4000 345 000 0
Length ID fragment flag offset ID
1500 345 01 = MF 0
1500 345 01 = MF 185  = 1480/8
1040 345 00 = DF 370 = 2960/8

The first fragment which has a length of 1500 bytes and a offset of 0. The 1500 bytes includes the 20 bytes of IP header.

The second fragment has an offset of 185 (1480/8) = 185 or 185×8=1480

The third fragment has an offset of 370 (2960/80)  = 370 or 370×8 = 2960. The 2960 bytes is the addition of two fragment (1480+1480).

So, how if we add the fragments (2960+1040), we will get the final value of 4000 bytes. The offset is primary used to track how much data has received.

In our above example, the first datagram was set as MF=01 which states this datagram is part of a fragment and requires reassembly. The IP identification is same through three fragments. The offset is a location and bytes sent.


Icon for the Public Domain license

This work (Introduction to intrusion detection system by Sung Lee) is free of known copyright restrictions.

Share This Book