network protocol analysis

Post on 30-Jan-2015

NETWORK PROTOCOL ANALYSIS

AMAK

A-> ANKITA (1MS07IS133)

M-> MAYANK (1MS07IS047)

A-> ANSHUJ (1MS07IS011)

K-> KRISH (1MS07IS038)

TABLE OF CONTENTS

• Introduction to Network Protocol Analysis.
• IP Packet structure.
• TCP Segment.
• Difference between different Network Protocol Analyzers.
• FIDDLER tool demo.

INTRODUCTION

What is a protocol?
A set of rules used by computers to communicate in a network.

What is network protocol analysis?
Process of decoding network protocol headers and trailers.

What is a network analyzer?
Intercepts and logs traffic passing over a digital network.

A protocol analyzer is used to decode the protocols at each layer.

What is packet sniffing?
Illegal reading of packets of data travelling through a network.

Packet sniffing is difficult to detect.

METHODS OF PACKET SNIFFING

IP SPOOFING
Intercepts traffic in a network by taking on the IP address of another computer.

RAW TRANSMIT
Abnormal traffic generation such as TCP SYN floods.

NETWORK LAYER

• Data known as packets.
• Header has the logical address of source and destination.
• Checks the routing table for routing information.

IPv4

• Connectionless, unreliable.
• Can be paired with TCP to enhance reliability.
• IP packet = Header + Data.
• Max length = 2^16 - 1.

IP PACKET STRUCTURE

[ Header | Data ]

VERSION:
• 4 bit.

HEADER LENGTH:
• 4 bits determine the total number of 4-byte words in the header.
• Length between 20 and 60 bytes.

SERVICES:

PRECEDENCE BIT (3 bit) | TYPE OF SERVICE (4 bit) | NEVER USED (1 bit)

Precedence bit:
• Ranges from 000-111.
• Some datagrams are more important than others.

TYPES OF SERVICES (TOS):

| TOS Bits | DESCRIPTION |
|----------|-------------|
| 0000 | Normal (default) |
| 0001 | Minimize cost |
| 0010 | Maximize reliability |
| 0100 | Maximize throughput |
| 1000 | Minimize delay |

TOTAL LENGTH:
• 16 bit.
• Size of data = total length - header length.

IDENTIFICATION:
• 16 bit.
• Used when a packet doesn't fit into a frame.
• Assigned by the sender; helps in assembling the fragments.

FLAGS:
• 3 bit: 0 | DF (Don't Fragment) | MF (More Fragment)

FRAGMENT OFFSET:
• 13 bit, determines the position of the fragment in the datagram.
• First fragment has an offset of zero.

TIME TO LIVE:
• 8 bit.
• Prevents packets from staying in the network after their use has expired.
• Used to destroy undelivered datagrams.

PROTOCOL:
• 8 bit.
• Defines the protocol used, like TCP and UDP, for the data portion.

HEADER CHECKSUM:
• 16 bit.
• Value of the field is compared with the checksum computed over the header.

SOURCE & DESTINATION ADDRESS:
• 32 bit IP address.
• Remains unchanged when the packet travels from source to destination.

TCP SEGMENT STRUCTURE

TCP is a core protocol in the TCP/IP suite.

Transport layer protocol.

Reliable transmission of data between processes.

TCP segment contains header and data sections.

Header contains various fields, which are:

16-bit source and destination port address.

32-bit sequence number identifies the logical sequence of segment.

32-bit Acknowledgement number holds the sequence number of the next expected segment if ACK flag is set.

4-bit Data Offset indicates the header size.

6-bit reserved for future use.

6-bit flags for control.

16-bit window specifies the size of the receive window.

16-bit checksum to detect errors in header and data.

16-bit urgent pointer indicates the offset of last urgent data if URG flag is set.

Variable size option field.

Padding is a variable size field used to pack 0s so the data starts from a bit position which is a multiple of 32.

3-WAY HANDSHAKE

CONNECTION ESTABLISHMENT IN TCP

3-way handshake.

Passive opening of port by server to allow service.

Client sends SYN (synchronize) request to server.

Server acknowledges by sending SYN-ACK.

Client again responds with ACK.

Connection is now established.

| | WIRESHARK | ETHER APE | FIDDLER2 | CAPSA |
|---|---|---|---|---|
| Operating System | Linux, Mac, Windows, Unix | Linux, Mac | Windows | Windows |
| GUI | Yes | Yes | Yes | Yes |
| Command Line Interface | Yes | Yes | No | No |
| Protocols Analysis | All protocols | Almost all protocols | HTTP | Commonly used protocols |
| Proxy server? | No | No | Yes | No |
| SSL Support | Yes | Yes | Yes | Yes |
| Sniffing Capabilities | Yes | Only wired media | Yes | Pro edition does |
| Price (availability) | Freely available | Free | Freely available? | Not freely available (start at $549) |
| Filters | Yes | Yes | Yes | Yes |
| Meddling with requests & responses | No | No | Yes | No |
