IS 432 Lecture Review: More TCP Packet Hell

So this evening’s class was a continuation of last week’s: starting to dig into manually inspecting packet headers (TCP, UDP, ICMP, etc.). Tonight was mainly on TCP. As an example, we’re looking at things like:

4500 003c 1c46 4000 4006 b1e6 ac10 0a63 ac10 0a0c

And figuring out what all the parts mean and whether the traffic is ‘normal’ or malicious. (This header example, by the way, was found here.)

I’ll admit I was hung up on bits, bytes, and how one character is a nibble. I guess my mind wasn’t in hex mode. In the above example, the first character in the sequence, a 4, represents the IP version. However, look at any IP header cheat sheet (this one, for example) and the IP Version field is 4 bits long. But it’s one character. One character = 1 bit!!! Oh… but it’s hex. So yes, actually one character does equal 4 bits in terms of hex.

Now that my first hangup is settled, I need to work on the speed at which I map characters to their respective header fields. I found lots of cheat sheets but I’m actually making my own, a paper ‘form’ I can fill out when the professor hands us a 20-byte header and wants answers quick. I know this method isn’t practical when dealing with streams of data, but at least it’ll help during lectures when we’re only given one or two headers at a time to deconstruct.

So Andrew, what have I learned today?

  1. Apparently my mind is stuck in binary mode
  2. When talking hex, one hex character equals 4 bits, also known as a nibble
  3. TCP headers must be a minimum of 20 bytes. Otherwise something is terribly wrong.
  4. I need to review how to manually calculate the checksum
  5. With ICMP packets I only need to worry about the set and code
  6. Set and code? are converted into binary to determine?
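As an added example that is not part of the original post, here is a small Python script that walks the same 20-byte header quoted above nibble by nibble (the high nibble of the first byte is the version, the low nibble is the header length in 32-bit words) and then recomputes the header checksum with the 16-bit ones’-complement sum. It assumes the standard option-less IPv4 header layout; the field names are my own.

```python
# Added example (not from the original post): decode the 20-byte IPv4 header
# quoted in the post, field by field, and verify its header checksum.
# Assumption: a standard IPv4 header with no options (IHL = 5).

IP_HEADER_HEX = "4500 003c 1c46 4000 4006 b1e6 ac10 0a63 ac10 0a0c"  # header from the post

PROTOCOL_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}


def hex_to_bytes(hex_str: str) -> bytes:
    """Each hex character is one nibble (4 bits); two characters make one byte."""
    return bytes.fromhex(hex_str.replace(" ", ""))


def ones_complement_sum(data: bytes) -> int:
    """16-bit ones'-complement sum used by the IPv4 header checksum."""
    if len(data) % 2:
        data += b"\x00"                      # pad an odd trailing byte
    total = 0
    for i in range(0, len(data), 2):
        total += (data[i] << 8) | data[i + 1]
        total = (total & 0xFFFF) + (total >> 16)   # fold any carry back into the low 16 bits
    return total


def ipv4_checksum(header: bytes) -> int:
    """Checksum the sender writes: complement of the sum with the checksum field zeroed."""
    zeroed = header[:10] + b"\x00\x00" + header[12:]
    return (~ones_complement_sum(zeroed)) & 0xFFFF


def parse_ipv4_header(hex_str: str) -> dict:
    """Map each hex character to its header field and verify the checksum."""
    raw = hex_to_bytes(hex_str)
    if len(raw) < 20:
        raise ValueError("IPv4 header must be at least 20 bytes")
    version = raw[0] >> 4                 # first hex character: high nibble of byte 0
    ihl = raw[0] & 0x0F                   # second hex character: header length in 32-bit words
    header_len = ihl * 4
    flags_frag = int.from_bytes(raw[6:8], "big")
    fields = {
        "version": version,
        "ihl_words": ihl,
        "header_length": header_len,
        "tos": raw[1],
        "total_length": int.from_bytes(raw[2:4], "big"),
        "identification": int.from_bytes(raw[4:6], "big"),
        "dont_fragment": bool(flags_frag & 0x4000),
        "more_fragments": bool(flags_frag & 0x2000),
        "fragment_offset": (flags_frag & 0x1FFF) * 8,   # field is stored in 8-byte units
        "ttl": raw[8],
        "protocol": PROTOCOL_NAMES.get(raw[9], str(raw[9])),
        "checksum": int.from_bytes(raw[10:12], "big"),
        "src": ".".join(str(b) for b in raw[12:16]),
        "dst": ".".join(str(b) for b in raw[16:20]),
    }
    fields["checksum_ok"] = ipv4_checksum(raw[:header_len]) == fields["checksum"]
    # A receiver can also just sum the header as received: a valid header sums to 0xFFFF.
    fields["sum_with_checksum"] = ones_complement_sum(raw[:header_len])
    return fields


if __name__ == "__main__":
    for name, value in parse_ipv4_header(IP_HEADER_HEX).items():
        print(f"{name:>18}: {value:#06x}" if isinstance(value, int) and not isinstance(value, bool) else f"{name:>18}: {value}")
```

Running it on the header from the post gives version 4, a 20-byte header, total length 60, DF set, TTL 64, protocol TCP, 172.16.10.99 to 172.16.10.12, and a checksum of 0xb1e6 that verifies. Change any single hex character (say the TTL) and `checksum_ok` flips to False, which is the whole point of the field.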

Lecture Review: TCP, UDP, and ICMP

Hello people! One of the uses I have for my site is to post a recap of my school lectures here. I’m playing around with different study methods and wanted to see how well this works out. At the very least, it’ll serve as a good personal reference.

That being said, the information contained in these posts may or may not represent knowledge I already know. I.e., if we went over something basic (like OSI model), I’m still going to include it despite my familiarity with it.

Further, because I’m writing these posts from memory (as a practice to reinforce it), I am less concerned with grammar, punctuation, and formatting than with other posts.

TCP

TCP is

  • Connection-oriented
  • Unicast
  • Higher overhead
  • Corrective

It’s connection-oriented by way of the three-way handshake (SYN, SYN/ACK, ACK). A connection is established first, then the data is exchanged. Delivery is ensured because that connection lets both sides keep track of what and how many packets were sent, and resend whatever wasn’t acknowledged. All of which requires higher overhead.

You can close TCP connections with FIN (an orderly close) or RST/RESET (rude!).

A TCP connection is always in one of a defined set of states, as laid out in… RFC (forgot which number, doing these notes from memory).

UDP

Pretty much the exact opposite of TCP: connectionless, with very little overhead. Supports multicast. Used for video streaming (among other things!). Fire-and-forget.

tcpdump, Datagrams, Fragmenting

The flow of data in tcpdump is denoted with > and <.

Ports 0-1023 are the well-known ports. These are usually used by servers for common services. Clients can open any port, typically 1024 or above, when requesting services. These ephemeral ports are re-used and change after each connection. I.e., client-1 might open ephemeral port 31XXX when connecting to server-1:25. After that connection closes, that same 31XXX port could be opened again for a connection to server-3:22.

When viewing connections in tcpdump, especially TCP and its three-way handshake, you’ll actually see two flows in the output, one per direction: client-to-server and server-to-client.

If the datagram being sent is larger than the MTU of the recipient’s network (max is 1500 bytes for Ethernet), it has to be fragmented. In this case, each fragment carries the fragment ID so the recipient can tell which fragments belong together, and the fragment offset field that follows the ID tells it where each fragment sits so it can put everything back in order. Only the first fragment carries the protocol (TCP/UDP/ICMP) header, whereas every fragment carries the ~20-byte IP header.

The Teardrop attack abuses this by sending fragments whose offsets overlap (mismatching offsets), which older reassembly code did not handle.
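To make the fragmentation rules above concrete, here is an added example that is not part of the original post: a Python script that splits a payload into fragments the way the lecture describes (same ID on every fragment, offsets encoded in 8-byte units, only the first fragment carrying the transport header), plus a receiver-side sanity check that reports gaps and overlapping offsets of the kind the Teardrop description mentions. The 20-byte option-less IP header and the field names are my own assumptions.

```python
# Added example (not from the original post): build IPv4 fragments for an
# oversized datagram and check a received set of fragments for gaps/overlaps.
# Assumption: a 20-byte IP header with no options; lengths are in bytes.

IP_HEADER_LEN = 20


def fragment(payload_len: int, mtu: int, ident: int) -> list:
    """Split payload_len bytes of data into fragments that fit the given MTU.

    Every fragment repeats the same identification value; all fragments except
    the last carry a multiple of 8 bytes because the 13-bit offset field counts
    8-byte units; only the fragment at offset 0 contains the transport header.
    """
    if mtu <= IP_HEADER_LEN:
        raise ValueError("MTU must leave room for the IP header")
    max_data = (mtu - IP_HEADER_LEN) // 8 * 8   # largest multiple of 8 that fits
    frags = []
    offset = 0
    while offset < payload_len:
        length = min(max_data, payload_len - offset)
        more = offset + length < payload_len      # MF flag: set on all but the last fragment
        frags.append({
            "id": ident,
            "offset": offset,                    # byte offset into the original datagram
            "offset_field": offset // 8,         # value actually stored in the 13-bit field
            "length": length,
            "mf": more,
            "carries_transport_header": offset == 0,
        })
        offset += length
    return frags


def reassembly_check(frags: list) -> dict:
    """Group fragments by ID and report whether their offsets form a clean sequence."""
    by_id = {}
    for f in frags:
        by_id.setdefault(f["id"], []).append(f)
    report = {}
    for ident, group in by_id.items():
        group = sorted(group, key=lambda f: f["offset"])
        expected = 0          # where the next fragment should start
        overlap = gap = False
        for f in group:
            if f["offset"] < expected:
                overlap = True    # fragment starts inside data we already have
            elif f["offset"] > expected:
                gap = True        # missing bytes before this fragment
            expected = max(expected, f["offset"] + f["length"])
        complete = not gap and not group[-1]["mf"]   # last fragment must have MF clear
        report[ident] = {"overlap": overlap, "gap": gap, "complete": complete, "total": expected}
    return report


if __name__ == "__main__":
    for f in fragment(3000, 1500, 0x1c46):     # ID borrowed from the header in the post
        print(f)
    print(reassembly_check(fragment(3000, 1500, 0x1c46)))
```

A 3000-byte payload over a 1500-byte Ethernet MTU comes out as three fragments at offsets 0, 1480 and 2960 (offset fields 0, 185 and 370), with MF set on the first two. Feed `reassembly_check` a set where a later fragment starts before the previous one ended and it flags `overlap`, which is the condition a defender wants to alert on; drop a middle fragment and it flags `gap` and `complete: False` instead.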

ICMP

ICMP can be helpful in troubleshooting, and also in reconnaissance.

Firewalls should be blocking incoming ICMP requests from the outside, and probably from inside the network, too.

The type of ICMP response you receive indicates what’s going on at the target. For example, if a request comes back with host unreachable, time to move on. However, if you get administratively prohibited (thanks to an ACL) or port unreachable, then that does tell you something’s there.

You can also use the TTL in the reply to find how many hops you’re dealing with.