So this evening’s class was a continuation of last week’s: starting to dig into manually inspecting packet headers- TCP, UDP, ICMP, etc. Tonight was mainly on TCP. As an example, we’re looking at things like:
4500 003c 1c46 4000 4006 b1e6 ac10 0a63 ac10 0a0c
And figuring out what all the parts mean and if the traffic is ‘normal’ or malicious. (This header example, by the way, was pulled from thegeekstuff.com foundĀ here.)
I’ll admit I was hung up on bits, bytes, and how one character is a nibble. I guess my mind wasn’t in hex mode. As an above example, the first character in the sequence- a 4- represents the IP version. However, look at any IP header cheat sheets (this one, for example) and the IP Version field is 4 bits long. But it’s one character. One character = 1 bit!!! Oh… but it’s hex. So yes, actually one character does equal 4 bits in terms of hex.
Now that my first hangup is settled, I need to work on the speed of which I map characters to their respective header fields. I found lots of cheat sheets but I’m actually making my own, a paper ‘form’ I can fill out when the professor hands us a 20 byte header and wants answers quick. I know this method isn’t practical when dealing with streams of data but at least it’ll help during lectures when we’re only given one or two headers at a time to deconstruct.
So Andrew, what have I learned today?
- Apparently my mind is stuck in binary mode
- When talking hex, one hex character equals 4 bits- also known as a nibble
- TCP headers must be a minimum of 20 bytes. Otherwise something is terribly wrong
- I need to review how to manually calculate the checksum
- With ICMP packets I only need to worry about the set and code
- Set and code? are converted into binary to determine?