The analysis of a captured frame
A sniffer captures the data coming in and going out of the Network Interface card or modem and displays that information in a table.
This tutorial looks at a captured frame that is actually an HTTP GET request issued from my PC to another host. This frame was captured using the Windows NT Server (4.0) Network Monitor.
3C | 2E | AC | 00 | 01 | 01 | 00 | 01 | D0 | E1 | 66 | 80 | 08 | 00 | 45 | 00 |
01 | F7 | E8 | 80 | 40 | 00 | 80 | 06 | 39 | 40 | C2 | 7E | 57 | A5 | D1 | 01 |
EC | 1A |
Each box represents a byte of the frame. The number in each box is actually a hexadecimal number. If you don't know what hexadecimal means click here before continuing.
This frame can be broken down into the following parts:
The Ethernet header - Bytes 1 to 14
The IP header - Bytes 15 to 35
The TCP header - Bytes 36 to 56
The actual data, i.e. the HTTP GET request.
3C | 2E | AC | 00 | 01 | 01 | 00 | 01 | D0 | E1 | 66 | 80 | 08 | 00 |
The Ethernet header is 14 bytes long. Ethernet operates at the Network Access layer and is a type of datalink protocol. Other datalink protocols include Token Ring, ATM and Frame Relay. Each of these has a standard set of rules to which it must comply, defining such things as media access control, the maximum transmission unit size and what we are looking at here: the header length and makeup.
Every network interface card has a unique address known as a MAC (Media Access Control) address. This is a physical address, not a logical one such as an IP address.
The first 6 bytes represent the source MAC address and the next 6 bytes denote the destination MAC address. Communication between hosts at the datalink level uses this MAC address. When a message is propagated throughout a network segment each receiving NIC will look at the destination hardware address in the frame and either A) ignore it or B) pick it up. It will only do B in these circumstances: if the destination address is the address of the receiving computer, or if the broadcast MAC address (FFFFFF) is set as the destination address.
This leads to the question: what happens if you don't know the MAC address of the machine you are trying to communicate with? A protocol called the Address Resolution Protocol (ARP) does this for you. ARP will send out a message using the broadcast MAC address requesting that the machine using IP address xxx.xxx.xxx.xxx respond with its MAC address. Every machine on the network segment will receive this message and check the requested IP address against its own. If it finds it does have that IP address it will respond accordingly. If not, it will go on about its business.
The next two bytes represent which protocol the Ethernet header is framing. Here we can see the value is 08 00. Hex 08 00 represents IPv4. Below are some other common protocol values (in hex):
08 06 - ARP
08 08 - Frame Relay ARP
86 DD - IP Next Generation (IPv6)
08 05 - X.25 level 3
45 | 00 | 01 | F7 | E8 | 80 | 40 | 00 | 80 | 06 |
39 | 40 | C2 | 7E | 57 | A5 | D1 | 01 | EC | 1A |
The table above may take some explaining. Each box represents an 8-bit byte (commonly known as an octet). The figure in each box is a hexadecimal number. A normal IP header breaks down like this:
Byte number 1
The first byte (45) is divided into two 4-bit halves. The leading 4 bits (the number 4) denote what version of IP the datagram is using. As we can see it is using IPv4. In an IPv6 (IPng) header this 4 would become a 6. However, the IPv6 header is somewhat different to the IPv4 header, and as this tutorial is about v4 we won't go into that now.
The remaining 4 bits of the first byte (the number 5) show how long the IP header is. This value counts 4-byte words, so we know that the IP header is 20 bytes long (5 x the 4 bytes each unit represents = 20).
In binary format the first byte is represented as this: 0100 0101 (0100 = version 4, 0101 = header length 5).
Byte number 2
The second byte provides information to the gateways (or routers) as the datagram travels along the network path from the source to the destination host. This byte is commonly known as the Type of Service (TOS) byte and is also divided like the first byte, but not so equally.
The first 3 bits denote how important this IP datagram is, i.e. its Precedence. Usually all the bits are set to 0 (000). This is the standard and marks the IP datagram as being "Routine". The more important the data is (let's say warning of a nuclear attack { hey, let's face it...the NET was designed with that in mind}) these three bits will be set accordingly: (001) for Priority, (010) for Immediate, (011) for Flash and so on... A router will drop everything else to pass through a flash datagram. Note how close this information is to the beginning of the header....this way a router learns almost immediately the priority of a datagram and can base its following actions on that.
The next 4 bits represent the delay, throughput, reliability and cost.
Delay
If this bit is set to 1 it is requesting of the router that it be sent via a path that offers least amount of delay time (aka propagation delay).
Throughput
If this bit is set to 1 it is asking that the router send the datagram through a path that has the most bandwidth, i.e. the amount of data that can be stuffed through a pipe in a given moment.
Reliability
While data is travelling over the lines if there is too much noise (whether this be cross talk or electromagnetic interference (EMI)) it can become corrupt or lost. If this bit is set to 1 it is requesting to be sent through a path with the least chance of data loss.
Cost
Some network paths can be more expensive to use than others, e.g. using microwave technology is more expensive than using a frame relay route. This bit allows you to request a path on the basis of cost, whether that be the more expensive one or not.
The last bit of the second byte is reserved, as per the RFC, for future use.
Bytes 3 and 4
The next two bytes (01 F7) represent the total IP datagram length. In this case it's 503 bytes (01 F7 hex > dec = 503). Because the total length field is limited to two bytes this means the maximum possible size for an IP datagram is 65535 bytes (FF FF hex). Remember though that the datalink protocol being used may have a maximum transmission unit (MTU) that is smaller than 65535 bytes. In this case the datalink protocol being used is Ethernet and this has an MTU of 1500 bytes.
Bytes 5 and 6
When an IP datagram is fragmented, i.e. chopped up into more manageable chunks, there has to be a way for the receiving host to reassemble the fragmented IP datagram. The next two bytes (E8 80) denote the datagram ID number. Each fragment of the IP datagram will have the same ID number. The next two bytes are linked to this:
Bytes 7 and 8
These bytes represent the fragment area. When IP has a datagram to send it contacts the protocol operating at the datalink level to ascertain how much data it can handle at any one time, i.e. the MTU. IP will then divide its data into chunks that the datalink protocol can handle. If fragmentation is necessary IP uses these two bytes to keep track of each fragment.
Byte number 9
This byte (80) represents the Time To Live (TTL). The TTL is a timing method used by routers to kill off any datagrams that are not delivered for whatever reason. The TTL byte here is set to hex 80 (128 dec). So this datagram has 128 "seconds" to live. If it doesn't reach the destination by then it'll be discarded: when the datagram comes to the first router in its journey the router will reduce this number. Every router along the way will reduce this number. When it reaches the host at the receiving end this number will have a lower value, e.g. 10. Now let's say the datagram never reaches its destination...when this byte's value becomes 0 the router will discard it and send back an ICMP message to the source host telling it that the destination host is unreachable.
Byte number 10
This byte denotes what higher level protocol the IP datagram is carrying. In this case it's (06), i.e. the Transmission Control Protocol (TCP). Other values (again in hex) are:
(01) ICMP (Internet Control Message Protocol)
(08) EGP
(11) UDP (User Datagram Protocol)
(59) OSPF (Open Shortest Path First)
(58) IGRP
Bytes 11 and 12
Starting on the next line down, these two bytes (39 40) make up the header checksum. This is as much as IP will do for data integrity...it is a connectionless protocol after all. IP assumes that most of the error checking will be done by the higher level protocols such as TCP.
Bytes 14 to 20
The first four bytes make up the source IP address and the last 4 bytes make up the destination IP address:
C2 7E 57 A5 > 194.126.87.165
D1 01 EC 1A > 209.1.236.26
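To tie the Ethernet and IP header walkthroughs above together, here is a small parser, added as an example and not part of the original tutorial, that decodes the 34 header bytes shown at the top of the page (the 14-byte Ethernet header followed by the 20-byte IP header) and verifies the IP header checksum the way a receiving host or a network sensor would before trusting the fields. Function and field names are my own. It reads the Ethernet address fields in the order fixed by the Ethernet standard (destination first, then source), splits the TOS byte into the precedence and delay/throughput/reliability/cost bits, decodes the flags and fragment offset in bytes 7 and 8, and refuses truncated or non-IPv4 headers instead of reading past the end of the buffer.

```python
import struct
from ipaddress import IPv4Address

# The 34 header bytes of the captured frame from the top of the page:
# 14-byte Ethernet header followed by the 20-byte IPv4 header.
FRAME = bytes.fromhex(
    "3C 2E AC 00 01 01 00 01 D0 E1 66 80 08 00 "
    "45 00 01 F7 E8 80 40 00 80 06 39 40 C2 7E 57 A5 D1 01 EC 1A"
)

# Lookup tables built from the value lists on the page (values in hex).
ETHERTYPES = {0x0800: "IPv4", 0x0806: "ARP", 0x0808: "Frame Relay ARP",
              0x86DD: "IPv6", 0x0805: "X.25 level 3"}
IP_PROTOCOLS = {0x01: "ICMP", 0x06: "TCP", 0x08: "EGP", 0x11: "UDP",
                0x59: "OSPF", 0x58: "IGRP"}
# RFC 791 names for the three precedence bits at the top of the TOS byte.
PRECEDENCE = ["Routine", "Priority", "Immediate", "Flash", "Flash Override",
              "CRITIC/ECP", "Internetwork Control", "Network Control"]


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_ethernet(frame: bytes) -> dict:
    """Decode the 14-byte Ethernet header: destination, source, protocol type."""
    if len(frame) < 14:
        raise ValueError("frame shorter than a 14-byte Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    return {
        "dst_mac": mac_str(dst),
        "src_mac": mac_str(src),
        "is_broadcast": dst == b"\xff" * 6,
        "ethertype": ethertype,
        "ethertype_name": ETHERTYPES.get(ethertype, "unknown"),
    }


def ip_header_checksum(header: bytes) -> int:
    """One's-complement sum of the 16-bit words, then complemented (RFC 791).
    Over a header whose checksum field is zeroed this yields the checksum;
    over an intact header (checksum present) it yields 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def decode_tos(tos: int) -> dict:
    """Split byte 2: three precedence bits, then the D, T, R and C bits."""
    return {
        "precedence": PRECEDENCE[tos >> 5],
        "low_delay": bool(tos & 0x10),
        "high_throughput": bool(tos & 0x08),
        "high_reliability": bool(tos & 0x04),
        "low_cost": bool(tos & 0x02),
    }


def parse_ipv4(data: bytes) -> dict:
    """Decode the IPv4 header and check the fields a receiver relies on."""
    if len(data) < 20:
        raise ValueError("truncated: fewer than 20 bytes available for the IP header")
    version, ihl = data[0] >> 4, data[0] & 0x0F
    if version != 4:
        raise ValueError(f"not an IPv4 header (version field = {version})")
    header_len = ihl * 4                     # IHL counts 4-byte words
    if header_len < 20 or len(data) < header_len:
        raise ValueError(f"bad header length {header_len}")
    (_, tos, total_len, ident, flags_frag, ttl, proto,
     csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", data[:20])
    return {
        "version": version,
        "header_len": header_len,
        "tos": decode_tos(tos),
        "total_length": total_len,
        "identification": ident,
        "dont_fragment": bool(flags_frag & 0x4000),
        "more_fragments": bool(flags_frag & 0x2000),
        "fragment_offset": (flags_frag & 0x1FFF) * 8,   # offset is in 8-byte units
        "ttl": ttl,
        "protocol": proto,
        "protocol_name": IP_PROTOCOLS.get(proto, "unknown"),
        "checksum": csum,
        "checksum_ok": ip_header_checksum(data[:header_len]) == 0,
        "src_ip": str(IPv4Address(src)),
        "dst_ip": str(IPv4Address(dst)),
    }


def parse_frame(frame: bytes) -> dict:
    """Decode the Ethernet header and, if it frames IPv4, the IP header after it."""
    eth = parse_ethernet(frame)
    result = {"ethernet": eth}
    if eth["ethertype"] == 0x0800:
        result["ip"] = parse_ipv4(frame[14:])
    return result


if __name__ == "__main__":
    for layer, fields in parse_frame(FRAME).items():
        print(f"[{layer}]")
        for name, value in fields.items():
            print(f"  {name}: {value}")
```

Run as a script it prints both layers of the page's frame: EtherType 0800 (IPv4), total length 503, the Don't Fragment bit set with offset 0, TTL 128, protocol 06 (TCP), checksum 3940 verified, and the addresses 194.126.87.165 and 209.1.236.26. The checksum check matters to a defender because a single corrupted or tampered header byte flips the verification to false, and the length checks mean a deliberately short or oversized IHL raises an error rather than producing garbage fields.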