Packet Analysis Reference Guide V3.0x V30

User Manual:

Open the PDF directly: View PDF PDF.
Page Count: 46

DownloadPacket Analysis Reference Guide V3.0x V30
Open PDF In BrowserView PDF
Packet Analysis Reference Guide v3.0
Headers, Tables, Tools and Notes

Compiled & Written by
James Summers, CISSP - ISSAP, ISSMP, CISA
GCIA, GCIH, G7799, GAWN-C, GSEC, GFSP, GPCI
CCNA, CCDA, CS-CFWS, CS-CISecS, 4001 Rec, MCSE
james@vsnry.com
©2008

This page purposely left blank

Table of Contents
Page

Subnet Breakdown (Binary to decimal)
Subnet Breakdown (Binary to Hexadecimal)
Equations
Header Offset Shortcuts
OSI vs. TCP/IP
TCP vs. UDP
IPv4 Header (RFC 791)
Transmission Control Protocol - TCP Header (RFC 793)
User Datagram Protocol - UDP Header (RFC 768)
Internet Control Message Protocol - ICMP Header (RFC 792)
PING (Echo/Echo Reply) - ICMP Header (792)
Address Resolution Protocol - ARP (RFC 826)
Domain Name System - DNS (RFC 1035)
Dynamic Routing Protocols
OSPF v2 (RFC 1583)
Generic Routing Encapsulation - GRE (RFC 2784)
Authentication Header - AH (RFC 2402)
Encapsulating Security Payload - ESP (RFC 2406)
IPV6 Header (RFC 2460)
IEEE Framing
Ethernet II Frame Format (similar to IEEE 802.3)
Ethernet IEEE 802.2 Frame Format (802.3 with 802.2)
Ethernet IEEE 802.3 SNAP Frame Format
Ethernet Novell Netware 802.3 "Raw" Frame Format
802.11 (IEEE 1999 Reference Specification)
Kismet
TCPDUMP / WINDUMP
NGREP
Ethereal / Wireshark
Windows TCP / UDP Ports
OS Fingerprinting
Decimal to Hexadecimal to ASCII Chart
References

1
2
3
4
5
6
7
9
10
11
12
13
14
15
16
17
18
19
21
24
25
26
27
28
29
32
33
35
36
37
41
42
43

CIDR Octet Mask
/8

1

255

/9

2

128

/10

2

192

/11

2

224

/12

2

240

/13

2

248

/14

2

252

/15

2

254

/16

2

255

/17

3

128

/18

3

192

/19

3

224

/20

3

240

/21

3

248

/22

3

252

/23
/24

3
3

254
255

/25

4

128

/26

4

192

/27

4

224

/28

4

240

/29
/30

4
4

248
252

/32

4

255

Classes
A

0

B

10

C
D

110
1110

252
(6)

248 252
(5) (6)

252
(6)

248 252
(5) (6)

252
(6)

248 252
(5) (6)

252
(6)

224 240 248 252
(3) (4) (5) (6)

252
(6)

248 252
(5) (6)

252
(6)

240 248 252
(4) (5) (6)

252
(6)

248 252
(5) (6)

252
(6)

00000000
00000001
00000010
00000011
00000100
00000101
00000110
00000111
00001000
00001001
00001010
00001011
00001100
00001101
00001110
00001111
00010000
00010001
00010010
00010011
00010100
00010101
00010110
00010111
00011000
00011001
00011010
00011011
00011100
00011101
00011110
00011111
00100000
00100001
00100010
00100011
00100100
00100101
00100110
00100111
00101000
00101001
00101010
00101011
00101100
00101101
00101110
00101111
00110000
00110001
00110010
00110011
00110100
00110101
00110110
00110111
00111000
00111001
00111010
00111011
00111100
00111101
00111110
00111111

0
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63

Subnet Breakdown (Binary to Decimal)
128 (1)
192 (2)
192 (2)
01000000
64
10000000
01000001
65
10000001
01000010
66
10000010
01000011
67
10000011
01000100
68
10000100
01000101
69
10000101
01000110
70
10000110
01000111
71
10000111
01001000
72
10001000
01001001
73
10001001
01001010
74
10001010
01001011
75
10001011
01001100
76
10001100
01001101
77
10001101
01001110
78
10001110
01001111
79
10001111
01010000
80
10010000
01010001
81
10010001
01010010
82
10010010
01010011
83
10010011
01010100
84
10010100
01010101
85
10010101
01010110
86
10010110
01010111
87
10010111
01011000
88
10011000
01011001
89
10011001
01011010
90
10011010
01011011
91
10011011
01011100
92
10011100
01011101
93
10011101
01011110
94
10011110
01011111
95
10011111
01100000
96
10100000
01100001
97
10100001
01100010
98
10100010
01100011
99
10100011
01100100
100
10100100
01100101
101
10100101
01100110
102
10100110
01100111
103
10100111
01101000
104
10101000
01101001
105
10101001
01101010
106
10101010
01101011
107
10101011
01101100
108
10101100
01101101
109
10101101
01101110
110
10101110
01101111
111
10101111
01110000
112
10110000
01110001
113
10110001
01110010
114
10110010
01110011
115
10110011
01110100
116
10110100
01110101
117
10110101
01110110
118
10110110
01110111
119
10110111
01111000
120
10111000
01111001
121
10111001
01111010
122
10111010
01111011
123
10111011
01111100
124
10111100
01111101
125
10111101
01111110
126
10111110
01111111
127
10111111

192 (2)
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191

11000000
11000001
11000010
11000011
11000100
11000101
11000110
11000111
11001000
11001001
11001010
11001011
11001100
11001101
11001110
11001111
11010000
11010001
11010010
11010011
11010100
11010101
11010110
11010111
11011000
11011001
11011010
11011011
11011100
11011101
11011110
11011111
11100000
11100001
11100010
11100011
11100100
11100101
11100110
11100111
11101000
11101001
11101010
11101011
11101100
11101101
11101110
11101111
11110000
11110001
11110010
11110011
11110100
11110101
11110110
11110111
11111000
11111001
11111010
11111011
11111100
11111101
11111110
11111111

192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255

252
(6)

248 252
(5) (6)

252
(6)

240 248 252
(4) (5) (6)

252
(6)

248 252
(5) (6)

252
(6)

224 240 248 252
(3) (4) (5) (6)

252
(6)

248 252
(5) (6)

252
(6)

240 248 252
(4) (5) (6)

252
(6)

248 252
(5) (6)

252
(6)

00000000
00000001
00000010
00000011
00000100
00000101
00000110
00000111
00001000
00001001
00001010
00001011
00001100
00001101
00001110
00001111
00010000
00010001
00010010
00010011
00010100
00010101
00010110
00010111
00011000
00011001
00011010
00011011
00011100
00011101
00011110
00011111
00100000
00100001
00100010
00100011
00100100
00100101
00100110
00100111
00101000
00101001
00101010
00101011
00101100
00101101
00101110
00101111
00110000
00110001
00110010
00110011
00110100
00110101
00110110
00110111
00111000
00111001
00111010
00111011
00111100
00111101
00111110
00111111

00
01
02
03
04
05
06
07
08
09
0A
0B
0C
0D
0E
0F
10
11
12
13
14
15
16
17
18
19
1A
1B
1C
1D
1E
1F
20
21
22
23
24
25
26
27
28
29
2A
2B
2C
2D
2E
2F
30
31
32
33
34
35
36
37
38
39
3A
3B
3C
3D
3E
3F

Subnet Breakdown (Binary to Hexadecimal)
128 (1)
192 (2)
192 (2)
01000000
40
10000000
01000001
41
10000001
01000010
42
10000010
01000011
43
10000011
01000100
44
10000100
01000101
45
10000101
01000110
46
10000110
01000111
47
10000111
01001000
48
10001000
01001001
49
10001001
01001010
4A
10001010
01001011
4B
10001011
01001100
4C
10001100
01001101
4D
10001101
01001110
4E
10001110
01001111
4F
10001111
01010000
50
10010000
01010001
51
10010001
01010010
52
10010010
01010011
53
10010011
01010100
54
10010100
01010101
55
10010101
01010110
56
10010110
01010111
57
10010111
01011000
58
10011000
01011001
59
10011001
01011010
5A
10011010
01011011
5B
10011011
01011100
5C
10011100
01011101
5D
10011101
01011110
5E
10011110
01011111
5F
10011111
01100000
60
10100000
01100001
61
10100001
01100010
62
10100010
01100011
63
10100011
01100100
64
10100100
01100101
65
10100101
01100110
66
10100110
01100111
67
10100111
01101000
68
10101000
01101001
69
10101001
01101010
6A
10101010
01101011
6B
10101011
01101100
6C
10101100
01101101
6D
10101101
01101110
6E
10101110
01101111
6F
10101111
01110000
70
10110000
01110001
71
10110001
01110010
72
10110010
01110011
73
10110011
01110100
74
10110100
01110101
75
10110101
01110110
76
10110110
01110111
77
10110111
01111000
78
10111000
01111001
79
10111001
01111010
7A
10111010
01111011
7B
10111011
01111100
7C
10111100
01111101
7D
10111101
01111110
7E
10111110
01111111
7F
10111111

192 (2)
80
81
82
83
84
85
86
87
88
89
8A
8B
8C
8D
8E
8F
90
91
92
93
94
95
96
97
98
99
9A
9B
9C
9D
9E
9F
A0
A1
A2
A3
A4
A5
A6
A7
A8
A9
AA
AB
AC
AD
AE
AF
B0
B1
B2
B3
B4
B5
B6
B7
B8
B9
BA
BB
BC
BD
BE
BF

11000000
11000001
11000010
11000011
11000100
11000101
11000110
11000111
11001000
11001001
11001010
11001011
11001100
11001101
11001110
11001111
11010000
11010001
11010010
11010011
11010100
11010101
11010110
11010111
11011000
11011001
11011010
11011011
11011100
11011101
11011110
11011111
11100000
11100001
11100010
11100011
11100100
11100101
11100110
11100111
11101000
11101001
11101010
11101011
11101100
11101101
11101110
11101111
11110000
11110001
11110010
11110011
11110100
11110101
11110110
11110111
11111000
11111001
11111010
11111011
11111100
11111101
11111110
11111111

C0
C1
C2
C3
C4
C5
C6
C7
C8
C9
CA
CB
CC
CD
CE
CF
D0
D1
D2
D3
D4
D5
D6
D7
D8
D9
DA
DB
DC
DD
DE
DF
E0
E1
E2
E3
E4
E5
E6
E7
E8
E9
EA
EB
EC
ED
EE
EF
F0
F1
F2
F3
F4
F5
F6
F7
F8
F9
FA
FB
FC
FD
FE
FF

Equations
TCP & IP Equations
TCP Options Length =
(TCP Header Length * 4 byte multiplier) - (Minimum TCP Header Length * 4 byte multiplier)
(TCP Header Length * 4 byte multiplier) - 20 bytes
Length of IP Packet Payload =
IP total Length - ((IP Header Length * 4 byte multiplier) + (TCP Header Length * 4 byte multiplier))

Logic Equations
1 AND 1 is 1
1 AND 0 is 0
0 AND 1 is 0
0 AND 0 is 0

1 OR 1 is 1
1 OR 0 is 1
0 OR 1 is 1
0 OR 0 is 0

1 XOR 1 is 0
1 XOR 0 is 1
0 XOR 1 is 1
0 XOR 0 is 0

Subneting Equations
Number of hosts on a subnet =
2n-2

Where n is the number of bits in the ip address / subnet dedicated to the host
Remember the -2 is because host bits of all 0's is the network address and all 1's is the
broadcast address for that subnet

Number of subnets that can be created from n subnet bits =
n
2
Where n is the number of bits dedicated to the subnet
Note: This assume you have something like "ip subnet zero" on your network device.
Otherwise you have to - 2 from your total where all the subnet bits are 0's or 1's
Number of host bits needed for X hosts to be on the same subnet =
ln(X+2)
Where X is the number of hosts required on the subnet.
Note: ln is the nature log. Round up to the nearest whole number.
ln 2
Number of network and subnet bits needed for X hosts to be on the same subnet =
ln(X+2)
Where X is the number of hosts required on the subnet.
32 Note: ln is the nature log. Round up to the nearest whole number.
ln 2
Determining the network address from IP and subnet mask by doing a logical AND on the IP with the subnet mask
10.170.85.254 is the IP address
00000011 10101010 01010101 11111110
255.255.255.240
is the subnet mask
11111111 11111111 11111111 11110000
00000011 10101010 01010101 11110000
10.170.85.240 is the network address for the subnet

Converting Binary or Hexadecimal to Decimal
The equation:

p

(b

* np)

1

0

+ … + (b * n1) + (b * n0)

b is the base (b = 2 for binary and b = 16 for hexadecimal)
p is the position of the number (counting starts from the rightmost character as 0)
th
n is the number in the p position
Examples:

10101111
Convert from binary to decimal
7
6
5
4
3
2
1
0
(2 * 1) + (2 * 0) + (2 * 1) + (2 * 0) + (2 * 1) + (2 * 1) + (2 * 1) + (2 * 1)
128 + 0 + 32 + 0 + 8 + 4 + 2 + 1 = 175
AC89
Convert from hexadecimal to decimal
3
2
1
0
(16 * A) + (16 * C) + (16 * 8) + (16 * 9)
This is where you need to know hex A is decimal 10 and hex C is decimal 12
3
2
1
0
(16 * 10) + (16 * 12) + (16 * 8) + (16 * 9)
(4096 * 10) + (256 * 12) + (16 * 8) + (1 * 9)
40960 + 3072 + 128 + 9 = 44169

3

Equations

Header Offset Shortcuts

Field

Length
TCPDUMP Filter
(bits)

IP Header Length

4

IP Packet Length
IP TTL
IP Protocol

16
8
8
Dec
1
2
6
32
32
flag=3

ip[0] &0x0F

Notes
Remember to use a 4 byte multiplier to find header
length in bytes
There is no multipler for this length field

ip[2:2]
ip[8]
ip[9]
Hex
Proto
Dec
Hex
Proto
Dec
Hex
Proto
0x01
ICMP
9
0x09
IGRP
50
0x32
ESP
0x02
IGMP
17
0x11
UDP
51
0x33
AH
0x06
TCP
47
0x2F
GRE
88
0x58
EIGRP
IP Address - Src
ip[12:4]
IP Address - Dst
ip[16:4]
ip[6] &0x20 = 0x20
More Fragment bit is set.
IP Fragmentation
offset=13
ip[6:2] &0x1fff != 0x0000 Fragment offset in not 0
ICMP Type
icmp[0]
8
ICMP Code
icmp[1]
8
TCP Src Port
tcp[0:2]
16
TCP Dst Port
tcp[2:2]
16
Remember to use a 4 byte multiplier to find header
TCP Header Length
tcp[12] &0x0F
4
length in bytes
TCP Flags
tcp[13]
8
TCP Windows Size
tcp[14:2]
16
UDP Src Port
udp[0:2]
16
UDP Dst Port
udp[2:2]
16
UDP Header Length
16
upd[4:2]
There is no multipler for this length field

4

Hdr Offset

OSI vs. TCP/IP

OSI

Application
Presentation
Session
Transport
Network
Data Link
Physical

7
6
5
4
3
2
1

Application
Transport (TCP)
Internet (Network) (IP)
Network Access
(Data Link)

TCP/IP

Application Layer (Layer 7)
Determines the network services required.
Examples: DNS, FTP, LDP, Telent, TFTP, SMTP and WWW

Presentation Layer (Layer 6)
Presents data to the application layer. Essentially functions as a translator from computer to human readable form.
Examples: HTTP, TIFF, JPEG, MIDI and MPEG

Session Layer (Layer 5)
Establishes and maintains the connection between systems and formats the data for transfer between nodes.
Examples: NFS, SQL, RPC

Transport Layer (Layer 4)
Defines how to address physical locations, how to make connections between nodes, and how to handle the network
of messages. This layer is responsible for end-to end integrity and control of the session and handles the
sequencing of packets.
Examples: TCP, UDP, SPX

Network Layer (Layer 3)
Defines how packets of data are routed between end systems over interconnected networks. Routing error detection,
and control of node data traffic are managed at this layer.
Examples: IP, OSPF, ICMP, RIP

Data Link Layer (Layer 2)
Defines the protocols that computers use in order to access the network for transmitting and receiving messages.
Has two sub layers: Logical Link Control and Media Access Control .
Examples: ARP, SLIP, PPP

Physical Layer (Layer 1)
Defines the physical connection (RJ48, BNC, HSSI, etc…) between a host and a network and converts the bits into
voltages or light impulses for transmission.
Examples: HSSI, X.21, EIA/TIA-232 and EIA/TIA-449

Encapsulation (In reverse is demultiplexing.)
For outgoing packets, the data + header from an upper layer is packaged into the data of the layer below it. For
incomming packets, the layer header information is strip off and used to determine where the remaining data is to go.
Outgoing Packet
Application
Presentation
Session
Transport
Network
Data Link

Layer Header

Incoming Packet
Data
Data

PH
SH

Data

TH

Data

NA

Data

DH

Data

Ethernet Frame
8 bytes
14 bytes
46 to 1500 bytes
Preamble
Frame Header
Data
Manchester encoding - Preamble is 62 bits of alternating 1's and 0's. followed by 11.

5

4 bytes
Frame Trailer

OSI

TCP vs. UDP

6

TCPvsUDP

IPv4 Header (RFC 791)
0

1

2 3 4 5
Byte Offset 0

6

7

Version
IP Header
(4-bit)
length (4-bit)
Byte Offset 4

8

9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31
Byte Offset 1
Byte Offset 2
Byte Offset 3

Type of Service (8-bit)

Total Length (16-bit) (in Byte Offsets)

Byte Offset 5

IP Identification Number (16-bit)

Byte Offset 6

Fragment Offset (13-bit)

R DF MF

Byte Offset 9

Time to Live (8-bit)

Protocol (8-bit)

Byte Offset 12

Byte Offset 13

Byte Offset 10

Byte Offset 11

Header Checksum (16-bit)
Byte Offset 14

20 Bytes

Byte Offset 8

Byte Offset 7

Byte Offset 15

Source IP Address (32-bit)
Byte Offset 16

Byte Offset 17

Byte Offset 18

Byte Offset 19

Destination IP Address (32-bit)
Byte Offset 20

Byte Offset 21

Byte Offset 22

Byte Offset 23

IP Options (variable length…) (if any)
data (variable length…)
0

1

2

3

4

5

6

7

8

9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31

IP Version Number
Valid values are:
4 for IP version 4
6 for IP version 6
IP Header Length
(4 byte multiplier)
Number of 32-bit words in IP header
minimum value 5 (5 x 4 = 20 bytes) maximum value 15 (15 x 4 = 60 bytes)
Type of Service
(Used by gateways as a QoS type field) (Most OS's default to 0)
If the first 3 high order bits are 1's, then possible it came from busy router that had to set tags to get through a backlog

Total Length
(No multiplier)
Number of bytes in packet
maximum length = 65,535
IP Identification Number
Uniquely identifies every datagram sent by host, value typically incremented by 1 (AKA Fragment ID)
Flags
R is reserved and must be set to 0
D is Don't Fragment Flag
1=Don't Fragment
0=Can Fragment
MF is More Fragments
1=More Fragments 0=No Fragment or no more Fragments
(frag x:y@z where x is the fragment ID, y is # of bytes (must be divisible by 8) and z is the fragment offset)

(In Ethernet the MTU 1500 should see middle fragments of size 1480 (1480 data + 20 ip header = 1500)
Fragment Offset
(8 byte multiplier)
(Measured in units of 64 bits)
(Max fragment offset 65528 (8191*8) )
Position of this fragment in the original datagram
value is multiplied by 8 to get bytes
Time To Live
IP Protocol
D Hex
D Hex
D Hex
D Hex
1 0x01 ICMP
9 0x09 IGRP
47 0x2F GRE
88 0x58 EIGRP
2 0x02 IGMP
17 0x11 UDP
50 0x32 ESP
89 0x59 OSPF
6 0x06 TCP
47 0x2F GRE
51 0x33 AH
Header Checksum
Covers IP header only
Validated along the path from source to destination
Options (0-40 bytes; 1st @ 20th byte offset; padded 4-byte boundary) (Processed by each router as packet passes)
D Hex
D
Hex
0 0x00 End of Option list
68
0x44 Timestamp
1 0x01 No operation (pad)
131 0x83 Loose source route (security risk)
7 0x07 Record Route (security risk)
137 0x89 Strict source route (security risk)

7

IPv4 Hdr

IPv4 Header (cont.)

Type of Service

(Used by gateways as a QoS type field)
D T

Precedence

0
Bit
Bit
Bit
Bit
Bit

1

2

0 3
4
5
6&

Precedence
1 1 1
1 1 0
1 0 1
1 0 0
0 1 1
0 1 0
0 0 1
0 0 0

3
2

7

4

R
5

0
6

(Most OS's default to 0)

0
7

Precedence
0 = Normal Delay
1 = Low Delay
0 = Normal Throughput
1 = High Throughput
0 = Normal Reliability
1 = High Reliability
Reserved for future use (Always set to 0)

Protocol
Telnet
FTP Control
FTP Data
TFTP
SMTP Command
SMTP Data
DNS UDP Query
DNS TCP Query
DNE Zone Transfer
NNTP
ICMP - Erros
ICMP - Requests
ICMP - Responces
Any IGP
EGP
SNMP
BOOTP

Network Control
Internetwork Control
CRITIC / ECP
Flash Override
Flash
Immediate
Priority
Routine

Telnet

8

TOS Value
1000
1000
0100
1000
1000
0100
1000
0000
0100
0000
0000
Same as request
0010
0000
0010
0000

IPv4 Hdr (2)

Transmission Control Protocol - TCP Header (RFC 793)
0

1

2 3 4 5
Byte Offset 0

6

7

8

9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31
Byte Offset 1
Byte Offset 2
Byte Offset 3

Source Port Number (16-bit)
Byte Offset 4

Destination Port Number (16-bit)

Byte Offset 5

Byte Offset 6

Byte Offset 7

Sequence Number (32-bit)
Byte Offset 9

Byte Offset 10

Byte Offset 11

Acknowledgement Number (32-bit)
Byte Offset 12

Byte Offset 14
FIN

SYN

RST

PSH

ACK

URG

ECN

CWR

Hdr Length
Reserved
(4-bit)
(4-bit)
Byte Offset 16

Byte Offset 13

Byte Offset 15

Window Size (16-bit)

Byte Offset 17

Byte Offset 18

Checksum (16-bit)
Byte Offset 20

20 Bytes

Byte Offset 8

Byte Offset 19

Urgent Pointer (16-bit)

Byte Offset 21

Byte Offset 22

Byte Offset 23

TCP Opitions (variable length…) (if any)
TCP Options Length = TCP Header Length in the current packet - 20 bytes (Minimum TCP Header Length)

0

1

2

data (variable length…)
Length of Packet Payload = IP Total Length - (IP Header Length + TCP Header Length)
3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31

Common Port Numbers
D
Hex
7
0x07 echo
19
0x13 chargen
20
0x14 ftp-data
21
0x15 ftp-control
22
0x16 ssh

D
25
53
79
80
110

Hex
0x19
0x35
0x4F
0x50
0x6E

D
119
137
139
143
179

smtp
domain
finger
http
pop3

Hex
0x77
0x89
0x8B
0x8F
0xB3

nntp
netbios-ns
netbios-ssn
imap
bgp

D
Hex
389 0x185 ldap
443 0x1BB https (ssl)
445 0x1BD ms-ds

Sequence Number
32-bit number uniquely identifies initial byte of segment data.
Acknowledgement Number
Represents next byte of data receiving host expects: (last received sequence number + 1)
Header Length
(4 byte multiplier)
Number of 32-bit words in TCP header
minimum value 5 (5x4=20bytes)
maximum value 15 (5x15=60bytes)
Reserved
4 bits set to 0
Congestion Window Reduced (CWR)
Set to 0 unless ECN is used.
(1 = sender cuts congestion window in half)
Explicit Congestion Notification Echo (ECN)
Set to 0 unless ECN is used.
(1 = receiver cuts congestion window in half)
Flags
URG = Urgent
ACK = Acknowledgment
PSH = Push
RST = Reset
SYN = Syncronize
FIN = Finish
(Note: Push means don't buffer data but push it to be processes as soon as it comes in.)
Window Size
Acts as flow control. Window size dynamically changes as data is received. A 0 window size tells src host to wait.
Checksum
Covers psedo header (IP Header source and destinstation addresses, the protocol and the computed TCP length (the
TCP header length the and data length in octets)) and the TCP header
Urgent Pointer
Points to the sequence number of the octet following the urgent data.
Options
0 End of Options List
2 Maximum segment size
4 Selective ACK ok
1 No Operation (pad)
3 Window scale
8 Timestamp

9

TCP Hdr

User Datagram Protocol - UDP Header (RFC 768)
0

1

2 3 4 5
Byte Offset 0

6

7

8

9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31
Byte Offset 1
Byte Offset 2
Byte Offset 3

Source Port Number (16-bit)
Byte Offset 4

Destination Port Number (16-bit)

Byte Offset 5

Byte Offset 6

Length (16-bit)
Byte Offset 8

Byte Offset 7

Checksum (16-bit)
Byte Offset 9

Byte Offset 10

Byte Offset 11

data (variable length…)
0

1

2

3

4

5

6

7

8

9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31

Common Port Numbers
D
Hex Protocol
D
Hex Protocol
D
Hex Protocol
7
0x07 echo
69
0x45 tftp
500 0x1F4 isakmp
19
0x13 chargen
123 0x7B ntp
514 0x202 syslog
37
0x25 time
137 0x89 netbios-ns
520 0x208 rip
53
0x35 domain
138 0x8A netbios-dgm
33434 829A traceroute
67
0x43 bootps
161 0xA1 snmp
68
0x44 bootpc
162 0xA2 snmp-trap
Length
Number of bytes in the entire datagram including header
minimum value 8 bytes
(Which is the length of just the header with no data)
maximum value 65515 bytes (or 65507 bytes of UDP data)
(Max IP is 65535 bytes - 20 byte header = 65515 bytes for UDP packet - 8 bytes of UDP header = 65507)
Checksum
Covers psedo header (IP Header source and destinstation addresses, the protocol and UDP length) and entire UDP
datagram
(Note: By RFC, the crc is not required)

10

UDP Hdr

Internet Control Message Protocol - ICMP Header (RFC 792)
0

1

2 3 4 5
Byte Offset 0

6

7

8

9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31
Byte Offset 1
Byte Offset 2
Byte Offset 3

Message Type (8-bit)

Message Code (8-bit)

Byte Offset 4

Byte Offset 5

Checksum (16-bit)
Byte Offset 6

Byte Offset 7

(contents depends on type and code)
0

1

2

3

4

5

6

7

8

9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31

Common Types & Codes
Type
Type Description
0
Echo reply
3
Destination Unreachable

4
5

Source Quench
Redirect

8
9
10
11

Echo
Router Advertisement
Router Selection
Time Exceeded

12

Parameter Problem

13
14
15
16
17
18
30
31
37
38
40

Timestamp Request
Timestamp Reply
Information Request
Information Reply
Address Mask Request
Address Mask Reply
Traceroute
Datagram Conversion Error
Domain Name Request
Domain Name Reply
Photuris (RFC 2521)

Code
0
0
1
2
3
4
5
6
7
8
9
10
11
12
13
0
0
1
2
3
0
0
0
0
1
0
1
2
0
0
0
0
0
0
0
0
0
0
0

Message Code Description
Net Unreachable
Host Unreachable
Protocol Unreachable
Port Unreachable
Fragmentation Needed & Don't Fragment Flag Set
Source Route Failed
Destination Network Unknown
Destination Host Unknown
Source Route Isolated
Network Administratively Prohibited
Host Administratively Prohibited
Network Unreachable for TOS
Host Unreachable for TOS
Communication Administratively Prohibited
Redirect Datagram for the Network
Redirect Datagram for the Host
Redirect Datagram for the TOS & Network
Redirect Datagram for the TOS & Host

Time to Live exceeded in transit
Fragment Reassembly Time Exceeded
Pointer indicates the error
Missing a Required Option
Bad Length

(Note: Byte offset 4-5: identification #)
(Note: Byte offset 6-7: sequence #)

11

ICMP Hdr

PING (Echo/Echo Reply) - ICMP Header (792)
0

1

2 3 4 5
Byte Offset 0

6

7

8

9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31
Byte Offset 1
Byte Offset 2
Byte Offset 3

Message Type (8 or 0)

Message Code (0)

Byte Offset 4

Byte Offset 5

Checksum (16-bit)
Byte Offset 6

Byte Offset 7

data (variable length…)
0

1

2

Type
0
8

3

4

5

6

7

8

9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31

Type Description
Echo reply
Echo

Code
0
0

Message Code Description

12

Ping

Address Resolution Protocol - ARP (RFC 826)
0

1

2 3 4 5
Byte Offset 0

6

7

8

9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31
Byte Offset 1
Byte Offset 2
Byte Offset 3

Hardware Address Type (16-bit)

Protocol Address Type (16-bit)

Byte Offset 4

Byte Offset 5

Byte Offset 6

Hardware Address Length
(8-bit)
Byte Offset 8

Protocol Address Length
(8-bit)
Byte Offset 9

Byte Offset 7

Operation (16-bit)
Byte Offset 10

Byte Offset 11

Source Hardware Address (48-bit)
Byte Offset 12

Byte Offset 13

Byte Offset 14

Source Hardware Address (cont.)
Byte Offset 16

Source Protocol Address (32-bit)

Byte Offset 17

Byte Offset 18

Source Protocol Address (cont.)
Byte Offset 20

Byte Offset 15

Byte Offset 19

Target Hardware Address (48-bit)

Byte Offset 21

Byte Offset 22

Byte Offset 23

Target Hardware Address (cont.)
Byte Offset 24

Byte Offset 25

Byte Offset 26

Byte Offset 27

Target Protocol Address (32-bit)
0

1

2

3

4

5

6

7

8

9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31

ARP maps the logical address (IP) to the physical address (MAC)
Hardware Address Type
1
Ethernet
6
IEEE 802 Lan
Protocol Address Type
2048
IPv4 (0x0800)
Hardware Address Length
6
for Ethernet/IEEE 802
Protocol Address Length
4
for IPv4
Operation
1
2

Request
Reply

13

ARP

Domain Name System - DNS (RFC 1035)
0

1

2 3 4 5
Byte Offset 0

6

7

8

9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31
Byte Offset 1
Byte Offset 2
Byte Offset 3

Byte Offset 8

Byte Offset 10

Name Server Count (NSCOUNT) (16-bit)

Byte Offset 14

Question Section (16-bit)

1

2

3

4

5

Byte Offset 17

6

7

8

Byte Offset 15

Answer Section (16-bit)
Byte Offset 18

Authority Section (16-bit)
0

Byte Offset 11

Additional Records Count (ADCOUNT) (16-bit)

Byte Offset 13

Byte Offset 16

RCODE
(4-bit)
Byte Offset 7

Z (3-bit)

Answer Count (ANCOUNT) (16-bit)

Byte Offset 9

Byte Offset 12

RA

Question Count (QDCOUNT) (16-bit)

RD

Byte Offset 5

TC

Byte Offset 4

Opcode
(4-bit)
Byte Offset 6
AA

QR

DNS ID (16-bit)

Byte Offset 19

Additional Information Section (16-bit)

9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31

dig version.bind txt chaos @ server name
Query/Response
dig @ server name txt chaos version.bind
0
Query
1
Response
Opcode
0
Standard query (QUERY)
1
Inverse query (IQUERY)
2
Server status request (STATUS)
AA
1
Authoritative Answer
TC
1
Truncation
RD
1
Recursion Desired
RA
1
Recursion Available
Z
Reserved; set to 0
Response Code
0
No Error
1
Format Error
2
Server Failure
3
Non-existent Domain (NXDOMAIN)
4
Query Type Not Implemented
5
Query Refused
QDCOUNT
(Number of entries in Question section)
ANCOUNT
(Number of resource records in Answer section)
NSCOUNT
(Number of name server resource records in Authority section)
ARCOUNT
(Number of resource records in Additional Information section)

14

DNS

Dynamic Routing Protocols
RIPv1
Distance Vector
Default Administrative Distance 120
Maximum hop count 15
Classful
Broadcast based (255.255.255.255)
No support for VLSM networks
Auto-summarization
No authentication
No support for discontiguous networks
Broadcast all routes every 30 seconds
Uses lowest hop count for best route (Bellman-Ford)
Slow convergence

Ripv2
Distance Vector
Default Administrative Distance 120
Maximum hop count 15
Classless
Uses multicast (224.0.0.9)
Supports Variable Length Subnet Mask(VLSM) networks
Auto-summarization
Allows for MD5 authentication
Supports discontiguous networks
Broadcast all routes every 30 seconds
Uses lowest hop count for best route (Bellman-Ford)
Slow convergence

IGRP (Cisco Proprietary / No longer supported)
Distance Vector
Default Administrative Distance 100
Maximum hop count 255 (default 100)
Classful
Broadcast based (255.255.255.255)
No support for VLSM networks

EIGRP (Cisco Proprietary)
Hybrid
Default Administrative Distance 90 (External is 170)
Maximum hop count 255 (default 100)
Classless
Broadcast based (255.255.255.255)
Supports Variable Length Subnet Mask(VLSM) networks
Auto and manual summarization
Allows for authentication
Supports discontiguous networks & route summaries
No periodic route updates. Hello messages with neighbors
Best Path selection via Diffusing Update Alogorithm (DUAL)
Uses autonomous system numbers
Comunication via Reliable Transport Protocol (RTP)
Support for IPv4 and IPv6

No authentication
No support for discontiguous networks
Broadcast all routes every 90 seconds
Uses bandwidth and delay for best route
Uses autonomous system numbers

OSPF
Link State
Default Administrative Distance 110
Maximum hop count limit - none
Classful
Broadcast based (255.255.255.255)
Supports Variable Length Subnet Mask(VLSM) networks
Manual summarization
Allows for authentication
Supports discontiguous networks & route summaries
Multicast on change
Uses bandwidth and delay for best route (Dijkstra)
Uses autonomous system numbers
Fast convergence
Uses wildcard masks (inverse) in Cisco routers

15

routing protocols

OSPF v2 (RFC 1583)
0

1

2 3 4 5
Byte Offset 0

6

7

8

9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31
Byte Offset 1
Byte Offset 2
Byte Offset 3

Version Number (8-bit)

Type (8-bit)

Byte Offset 4

Byte Offset 5

Packet Length (16-bit)
Byte Offset 6

Byte Offset 7

Router ID (32-bit)
Byte Offset 8

Byte Offset 9

Byte Offset 10

Byte Offset 11

Byte Offset 12

Byte Offset 13

Byte Offset 14

Checksum (16-bit)
Byte Offset 16

Byte Offset 15

24 Bytes

Area ID (32-bit)

Authentication Type (16-bit)

Byte Offset 17

Byte Offset 18

Byte Offset 19

Authentication (64-bit)
Byte Offset 20

Byte Offset 21

Byte Offset 22

Byte Offset 23

Authentication (cont...)
data (variable length…)
0

1

2

3

4

5

Version Number
Valid values are:

6

7

8

9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31

12 forOSPF version 2

Type
Type
1
2
3
Packet Length

Description
Hello
Databse Description
Link State Update

Type Description
4
Link state Update
5
Link State Acknowledgment

(Used by gateways as a QoS type field)

(Most OS's default to 0)

The length of the protocol packet in bytes includinging the standard OSPF header

Router ID
The router ID of the packet's source.
maximum length = 65,535
Area ID
Identifies the are that this packet belongs to. Packets travelling over a virtual link are labelled with the backbone Area ID
og 0.0.0.0
Checksum
Standard IP checksum of the entire contents of the OSPF packet excluding the 64-bit authentication field.
Authentication Type
Identifies the authentication scheme to be used for the packet.
Type Description
0
No authentication
1
Simple password in the clear
rest Reserved for assignment by the IANA
Authentication
Used by the authentication scheme

16

OSPF

Generic Routing Encapsulation - GRE (RFC 2784)
0

1

2 3 4 5
Byte Offset 0

6

7

8

9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31
Byte Offset 1
Byte Offset 2
Byte Offset 3

Reserved-0 (12-bit)

C

Byte Offset 4

Version
(3-bit)
Byte Offset 5

Protocol Type (16-bit)
Byte Offset 6

Checksum (16-bit) (optional)

Byte Offset 7

Reserved-1 (16-bit) (optional)

data (encapsulated packet) (variable length…)
0

1

2

3

4

5

6

7

8

9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31

Checksum Present Bit
If the checksum bit is set to 1 then the Checksum and Reserved-1 fields are present.
Reserved-0
If bits 1 through 5 are non-zero then the packet should be discarded unless receiver implements RFC 1701.
Bits 6 through 12 are reserved for future use. The bits must be set to 0 and ignored on receipt.
Version Number
The version number fields must be 0.

Protocol Type
Contains the protocol type of the payload packet. Values are listed in the "ETHER TYPES" section of RFC 1700
Type
XNS
IP version 4
ARP
IP (VINES)
DRP
LAT
DRP

Value (Hex)
0600, 0807
0800
806
0BAD, 80C4
6003
6004
6003

Type
LAVC
IPX
AppleTalk
ARP (Atalk)
NetWare
IP version 6

Value
6007
8037
809B
80F3
8137
86DD

Checksum
Standard IP checksum of the all the 16 bit words in the GRE header and payload packet.
Reserved - 1
Reserved for future use. Only present if checksum bit is set and if present must be 0.
Authentication
Used by the authentication scheme

17

GRE

Authentication Header - AH (RFC 2402)
0

1

2 3 4 5
Byte Offset 0

6

7

8

9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31
Byte Offset 1
Byte Offset 2
Byte Offset 3

Next Header (8-bit)

Payload Length (8-bit)

Byte Offset 4

Byte Offset 5

Reserved (16-bit)
Byte Offset 6

Byte Offset 7

Security Parameter Index (32-bit)
Byte Offset 8

Byte Offset 9

Byte Offset 10

Byte Offset 11

Sequence Number (32-bit)
Byte Offset 12

Byte Offset 13

Byte Offset 14

Byte Offset 15

Authentication Data (variable length…)
0

1

2

3

4

5

6

7

8

9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31

Next Header
Equivalent to the IP Protocol Identifier field in IPv4
D
Hex
D Hex
D Hex
D Hex
1 0x01 ICMP
9 0x09 IGRP
47 0x2F GRE
88 0x58 EIGRP
2 0x02 IGMP
17 0x11 UDP
50 0x32 ESP
89 0x59 OSPF
6 0x06 TCP
47 0x2F GRE
51 0x33 AH
Payload Length
Specifies the length of the Authentication Header (number of 32-bit words - 2 for IPv6 compatibility)
Reserved
Zero filled field
Security Parameter Index (SPI)
Random 32-bit value used with destination IP address and IP Sec protocol to uniquely identify the SA.
The SPI is generally selected by the destination IP Sec node.
Sequence Number
A 32-bit sequence number starting at zero and incremented by one for each packet.
This monotonically increasing sequence number is the AH anti-replay mechanism.
Authentication Data
A variable-length field that contains the Integrity Check Value (ICV) for the packet.
The length of the IVC must be an integral multiple of 32 bits (IPv4) or 64 bits (IPv6); will need to be padded or
truncated to meet the requirement.
Original Packet

<---------------------- Payload ---------------------->
Original IP Header Upper Layer Header

Upper Layer Data

AH Transport Mode Packet
Authentication
Upper Layer Header Upper Layer Data
Header
<----------------------------------------------- Authenticated ----------------------------------------------->
Original IP Header

AH Tunnel Mode Packet
<------------------ Encapsulation ------------------>
Authentication
Original IP Header Upper Layer Header Upper Layer Data
Header
<--------------------------------------------------------------- Authenticated --------------------------------------------------------------->
New IP Header

16

AH

Encapsulating Security Payload - ESP (RFC 2406)
0

1

2 3 4 5
Byte Offset 0

6

7

8

9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31
Byte Offset 1
Byte Offset 2
Byte Offset 3
ESP Header

Security Parameter Index (32-bit)
Byte Offset 4

Byte Offset 5

Byte Offset 6

Byte Offset 7

Sequence Number (32-bit)

ESP
Payload

Payload Data (variable length…)

Padding (0-255 bytes)

Padding (0-255 bytes)

Pad Length (8-bit)

Next Header (8-bit)

ESP
Authentication

Authentication Data (variable length…)
0

1

2

3

4

5

6

7

8

ESP Trailer

Payload Data (cont.)

9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31

ESP Header
Security Parameter Index (SPI)
Random 32-bit value used with destination IP address and IP Sec protocol to uniquely identify the SA.
The SPI is generally selected by the destination IP Sec node.
Sequence Number
A 32-bit sequence number starting at zero and incremented by one for each packet.
This monotonically increasing sequence number is the AH anti-replay mechanism.
ESP Payload
Payload Data
A variable-length field containing the data to be protected by the ESP protocol; i.e., the original IP packet
ESP Trailer
Padding
A 0-255 byte field used for variety of purposes. It is primarily used to ensure that the Payload, Pad Length, & Next
Header align on a 32-bit boundary. It can also be used if the ESP encryption algorithm requires a certain minimum
number of bytes. Finally, it may be used to hide the real size of the payload (protect against traffic flow analysis)
Pad Length
8-bit value indicating the number of Pad bytes that were inserted.
Next Header
Equivalent to the IP Protocol Identifier field in IPv4
D Hex
D Hex
D Hex
D Hex
1 0x01 ICMP
9 0x09 IGRP
47 0x2F GRE
88 0x58 EIGRP
2 0x02 IGMP
17 0x11 UDP
50 0x32 ESP
89 0x59 OSPF
6 0x06 TCP
47 0x2F GRE
51 0x33 AH
ESP Authentication
Authentication Data
A variable-length field that contains the Integrity Check Value (ICV) for ESP the packet. The length of the this field is
dependent upon the authentication function used. This field is present only if an authentication service is being
employed in the SA.

19

ESP

Encapsulating Security Payload - ESP (cont.)

Original Packet

<---------------------- Payload ---------------------->
Original IP Header Upper Layer Header

Upper Layer Data

ESP Transport Mode Packet
Original IP Header

ESP Header Upper Layer Header

Upper Layer Data

ESP Trailer

ESP Auth

<------------------------------ Encrypted ------------------------------>
<------------------------------------- Authenticated ------------------------------------->

ESP Tunnel Mode Packet
<-------- Encapsulation -------->
New IP Header

ESP
Header

ESP
Trailer
<---------------------------------------- Encrypted ---------------------------------------->
<---------------------------------------------- Authenticated ---------------------------------------------->
Original IP Header Upper Layer Header

20

Upper Layer Data

ESP Auth

ESP (2)

IPv6 Header (RFC 2460)
0

1

2 3 4 5
Byte Offset 0

6

7

8

9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31
Byte Offset 1
Byte Offset 2
Byte Offset 3

Version
Traffic Class (8-bit)
(4-bit)
Byte Offset 4
Byte Offset 5

Flow Label (20-bit)

Payload Length (16-bit)
Byte Offset 8

Byte Offset 9

Byte Offset 6

Byte Offset 7

Next Header (8-bit)

Hop Limit (8-bit)

Byte Offset 10

Byte Offset 11

Source IP Address (128-bit)
Byte Offset 12

Byte Offset 13

Byte Offset 14

Byte Offset 15

Source IP Address (cont.)
Byte Offset 16

Byte Offset 17

Byte Offset 18

Byte Offset 19

Byte Offset 20

Byte Offset 21

Byte Offset 22

Byte Offset 23

40 Bytes

Source IP Address (cont.)

Source IP Address (cont.)
Byte Offset 24

Byte Offset 25

Byte Offset 26

Byte Offset 27

Destination IP Address (128-bit)
Byte Offset 28

Byte Offset 29

Byte Offset 30

Byte Offset 31

Destination IP Address (cont.)
Byte Offset 32

Byte Offset 33

Byte Offset 34

Byte Offset 35

Destination IP Address (cont.)
Byte Offset 36

Byte Offset 37

Byte Offset 38

Byte Offset 39

Destination IP Address (cont.)
Byte Offset 40

Byte Offset 41

Byte Offset 43
Variable Length

Next Header (8-bit)

Byte Offset 42

Extension Header Information (variable length…)
Extension Header Information (variable length…)
data (variable length…)

0

1

2

3

4

5

IP Version Number
Traffic Class
Flow Label
Payload Length
Next Header
Hop Limit:
Source Address
Destination Address

6

7

8

9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31

6 for IP version 6
4 for IP version 4
8-bit field similar to IPv4 type of service field
To tag packets of a specific flow to differentiate the packets at the network layer. (QoS)
The total length of the data portion of the packet
Similar to the protocol field of IPv4 packet header
Similar to Time to Live field in IPv4 packet header
128-bit source address field
128-bit destination address field

21

IPv6 Hdr

IPv6 (cont.)
A IPv6 Address is 16 bytes (128 bits) this give us 3.4 X 10^38

Samble IPv6 Address:
2001: 0db8: abdc: 1234: 0000: 0000: 9865: 4321
Global Prefix
Subnet
Interface ID

Special IPv6 Addresses
Address
0:0:0:0:0:0:0:0

Description
Equal ::. This is the equivalent to IPv4's 0.0.0.0.

0:0:0:0:0:0:0:1

Equals ::1. This is equivalent to IPv4's local host of 127.0.0.1.

0:0:0:0:0:0:0:192.168.100.1

IPv4 address written in a mixed IPv6 / IPv4 network environment.

2000::/3

The global unicast address range.
The unique local unicast range. Same Idea as the IPv4 RFC 1918 private addresses.

FC00::/7

FE80::/10

The link-local unicast range. Same Idea as the IPv4 RFC 1918 private addresses.
But for on a single LAN. Non routeable.

FF00::/8

The multicast range.

3FFF:FFF::/32

Reserved for examples and documentation.

2001:0DB8::/32

Reserved for examples and documentation.

2002::/16

Used with 6to4, which is the strucuture that allows IPv6 packets to be transmitted
over an IPv4 network without the need to configure explicit tunnels.

22

IPv6 Hdr (2)

This page purposely left blank

802.2 Logical Link Control (LLC)
802.1 Management

802 Overview & Architecture

802.10 Security

IEEE Framing

Data
Link
Layer

802.1 Bridging
802.3
Medium
Access

802.4
Medium
Access

802.5
Medium
Access

802.11
Medium
Access

802.3
Physical

802.4
Physical

802.5
Physical

802.11
Physical

Physical
Layer

Ethernet II
A physical layer standard that defines the CSMA/CD access method on a bus topology. This is the most common
frame type for Ethernet IP traffic.
IEEE 802.1
Flavors of 802.1 (common)
802.1P
Provides a mechanism for implementing Quality of Service (QoS)
802.1Q
VLAN Tagging
802.1X
Port based network access control
IEEE 802.2
A data link layer standard used with 802.3, 802.4, and 802.5 & 802.11
IEEE 802.3
A physical layer standard that defines the CSMA/CD access method on a bus topology.
Flavors of 802.3
802.3 "RAW"
802.3 with 802.2
802.3 with 802.2 SNAP

This framing does not use 802.2 LLC. Novell used this framing.
This framing does use the 802.2 LLC.
This framing does have the LLC and SNAP. Used in conjunction with Wireless traffic
on the wired side.

IEEE 802.4
This is Token Passing Bus Access Method and Physical Layer Specifications.
IEEE 802.5
Token Ring Access Method and Physical Layer Specifications.
IEEE 802.11
Wireless LAN Medium Access Control (MAC) and Physical Layer Specifications.
Flavors of 802.11 (common)
802.11a
54 Mbit/s using the 5 GHz band with up to 23 non overlapping channels. (~15 users per AP)
802.11b
11 Mbit/s using the 2.4 GHz band with 3 non-overlapping channels. (~25 users/AP)(Marketed - WiFi)
802.11g
54 Mbit/s using the 2.4 GHz band with 3 non-overlapping channels. (~20 users/AP)(Marketed - WiFi)
802.11n
Allows for greater Mbit/s using multiple-input multiple-output (MIMO), channel bonding and frame
aggregation. This standard can be used in the 2.4 with 3 non overlapping channels and 5.0 GHz band
with up to 23 non overlapping channels. (~15 users per AP)
Organizationally Unique Identifier (OUI)
This is the first 3 bites of the Media Access Control (MAC) Address)
http://standards.ieee.org/regauth/oui/oui.txt

24

IEEE Framing

Ethernet II Frame Format (similar to IEEE 802.3)
0

1

2 3 4 5
Byte Offset 0

6

7

8

9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31
Byte Offset 1
Byte Offset 2
Byte Offset 3
Destination Address (48-bit)

Byte Offset 4

Byte Offset 5

Byte Offset 6

Destination Address (cont...)
Byte Offset 8

Byte Offset 7

Source Address (48-bit)

Byte Offset 9

Byte Offset 10

Byte Offset 11

Source Address (cont.)
Byte Offset 12

Byte Offset 13

Byte Offset 14

Type (16-bit)
Byte Offset 16

Byte Offset 15

data (46 to 1500 bytes)
Byte Offset 17

Byte Offset 18

Byte Offset 19

data (variable length…)
Frame Check Sequence (32-bit)
0

1

2

3

4

5

6

7

8

9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31
Most common format of Ethernet packets today.

Preamble:

8 bytes (64 bit) At the head of each frame is a preamble used for synchronization
1010…10101011 this is know as Manchester encoding.

Destination Address:

6 byte (48 bit) destination media access control (MAC) address

Source Address:

6 byte (48 bit) source media access control (MAC) address

Type:

2 byte (16 bit) field that specifies the upper-layer protocol
Note: The difference between Ethernet II and IEEE 802.3 is that this field in the IEEE
standard is called the length field.
Type
XNS
IP version 4
ARP
IP (VINES)
DRP
LAT
DRP

Value (Hex)
0600, 0807
0800
0806
0BAD, 80C4
6003
6004
6003

Type
LAVC
IPX
AppleTalk
ARP (Atalk)
NetWare
IP version 6

Value
6007
8037
809B
80F3
8137
86DD

Data:

46 to 1500 bytes of upper-layer protocol information

Frame Check Sequence:

The cyclic redundancy check (CRC) or checksum for the Ethernet Frame

Min Ethernet Frame:
14 byte frame header + 46 bytes of encapsulated data + 4 byte frame trailer = 64 bytes
Max Ethernet Frame:
14 byte frame header + 1500 bytes of encapsulated data + 4 byte frame trailer = 1518 bytes

25

Ethernet II Hdr

Ethernet IEEE 802.2 Frame Format (802.3 with 802.2)
0

1

2 3 4 5
Byte Offset 0

6

7

8

9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31
Byte Offset 1
Byte Offset 2
Byte Offset 3
Destination Address (48-bit)

Byte Offset 4

Byte Offset 5

Byte Offset 6

Destination Address (cont...)
Byte Offset 8

Byte Offset 7

Source Address (48-bit)

Byte Offset 9

Byte Offset 10

Byte Offset 11

Source Address (cont.)
Byte Offset 12

Byte Offset 13

Length (16-bit)
Byte Offset 16

Byte Offset 17

Control (1 or 2 bytes)

Byte Offset 14

Byte Offset 15

DSAP (8-bit)

SSAP (8-bit)

Byte Offset 18

Byte Offset 19

data + pad (variable length…) (43 to 1497 bytes)
data + pad (cont.)
Frame Check Sequence (32-bit)

0

1

2

3

4

5

6

7

8

9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31

Preamble:

8 bytes (64 bite) At the head of each frame is a preamble used for synchronization
1010…10101011

Destination Address:

6 byte (48 bit) destination media access control (MAC) address (Part of 802.3 Header)

Source Address:

6 byte (48 bit) source media access control (MAC) address (Part of 802.3 Header)

Length:

2 byte (16 bit) field that specifies the number of bytes (3-1500) in the LLC and data fields
(Part of 802.3 Header)

Logical Link control

The logical link control (LLC) is made up of the DSAP, SSAP and Control fields. This is a
method for telling the 802.3 IEEE and Netware (RAW) formats. The IEEE 802.3 format has
the LLS and the NetWare 802.3 "Raw" format does not. (This is the 802.2 Header)

DSAP:

1 byte destination service access point; receiving process at destination

SSAP:

1 byte source service access point; sending process at source

Control:

1 byte is various control information (Connection less)
2 bytes are for connection-oriented LLC

Pad:

Pads the frame to minimum of 46 bytes of data and LLC (so collisions can be detected)

Data:

46 to 1500 bytes of upper-layer protocol information

Frame Check Sequence:

The cyclic redundancy check (CRC) or checksum for the Ethernet Frame

26

Ether 802.3 Hdr

Ethernet IEEE 802.2 SNAP Frame Format (802.3 with 802.2 SNAP)
0

1

2 3 4 5
Byte Offset 0

6

7

8

9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31
Byte Offset 1
Byte Offset 2
Byte Offset 3
Destination Address (48-bit)

Byte Offset 4

Byte Offset 5

Byte Offset 6

Destination Address (cont...)
Byte Offset 8

Byte Offset 7

Source Address (48-bit)

Byte Offset 9

Byte Offset 10

Byte Offset 11

Source Address (cont.)
Byte Offset 12

Byte Offset 13

Length (16-bit)
Byte Offset 16

Byte Offset 17

Control (8-bit)

Byte Offset 14

Byte Offset 15

DSAP (8-bit)

SSAP (8-bit)

Byte Offset 18

Byte Offset 19

Vendor code (24-bit)
Type (16-bit)

data + pad (variable length…) (43 to 1497 bytes)
Frame Check Sequence (32-bit)

0

1

2

3

4

5

6

7

8

9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31

This is the Framing formate used on the Ethernet (wired) side with 802.11 with 802.2 SNAP for the wireless.
Preamble:
Destination Address:
Source Address:
Length:

Logical Link control
DSAP:
SSAP:
Control:

8 bytes (64 bite) At the head of each frame is a preamble used for synchronization
1010…10101011
6 byte (48 bit) destination media access control (MAC) address (Part of 802.3 Header)
6 byte (48 bit) source media access control (MAC) address (Part of 802.3 Header)
2 byte (16 bit) field that specifies the number of bytes (3-1500) in the LLC and data fields
The logical link control (LLC) is made up of the DSAP, SSAP and Control fields. This is a
method for telling the 802.3 IEEE and Netware (RAW) formats. The IEEE 802.3 format has
the LLS and the NetWare 802.3 "Raw" format does not. (Part of the 802.2 SNAP Header)
1 byte destination service access point; receiving process at destination (Always AA)
1 byte source service access point; sending process at source (Always AA)
1 byte is various control information (Connection less)
2 bytes are for connection-oriented LLC

SNAP Header
Vendor Code:
Type:

The Subnet Access Protocol Header consists of the Vendor Code and Type fields
3 byte (24 bit) field to identify the vendor
2 byte (16 bit) field that specifies the upper-layer protocol
Type
Value
Type
Value
NetWare
8137
RARP
8035
XNS
0600, 0807
DRP
6003
IP
800
LAT
6004
IP (VINES)
0BAD, 80C4
LAVC
6007
ARP
806
ARP (Atalk)
80F3

Pad:
Data:
Frame Check Sequence:

Pads the frame to minimum of 46 bytes of data and LLC (so collisions can be detected)
46 to 1500 bytes of upper-layer protocol information
The cyclic redundancy check (CRC) or checksum for the Ethernet Frame

27

Ether 802.3 SNAP Hdr

Ethernet Novell Netware 802.3 "Raw" Frame Format (802.3 without 802.2)
0

1

2 3 4 5
Byte Offset 0

6

7

8

9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31
Byte Offset 1
Byte Offset 2
Byte Offset 3
Destination Address (48-bit)

Byte Offset 4

Byte Offset 5

Byte Offset 6

Destination Address (cont...)
Byte Offset 8

Byte Offset 7

Source Address (48-bit)

Byte Offset 9

Byte Offset 10

Byte Offset 11

Source Address (cont…)
Byte Offset 12

Byte Offset 13

Byte Offset 14

Type (16-bit)
Byte Offset 16

Byte Offset 15

data (variable length…) (46 to 1500 bytes)
Byte Offset 17

Byte Offset 18

Byte Offset 19

data (cont.)
Frame Check Sequence (32-bit)
0

1

2

3

4

5

6

IP Version Number
Preamble:

7

8

9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31

8 bytes (64 bite) At the head of each frame is a preamble used for synchronization
1010…10101011

Destination Address:

6 byte (48 bit) destination media access control (MAC) address

Source Address:

6 byte (48 bit) source media access control (MAC) address

Length:

2 byte (16 bit) field that specifies the number of bytes (46-1500) in the LLC and data fields
Note the lack of the LLC fields, this is how you tell Netware 802.3 from IEEE 802.3

Data:

46 to 1500 bytes of upper-layer protocol information. IPX header starting with 2 byte
checksum (usually FFF) followed by NetWare higher layers ('data')

Frame Check Sequence:

The cyclic redundancy check (CRC) or checksum for the Ethernet Frame

28

Ether 802.3 RAW Hdr

802.11 (IEEE 1999 Reference Specification)
0

1

2 3 4 5
Byte Offset 0

6

7

8

9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31
Byte Offset 1
Byte Offset 2
Byte Offset 3

Frame Control (16-bit)
Byte Offset 4

Total Duration/ID (16-bit)

Byte Offset 5

Byte Offset 6

Byte Offset 7

Address 1 (48-bit)
Byte Offset 9

Byte Offset 10

Address 1 (cont.)
Byte Offset 12

Byte Offset 11

Address 2 (48-bit)

Byte Offset 13

Byte Offset 14

Byte Offset 15

Address 2 (cont.)
Byte Offset 16

Byte Offset 17

Byte Offset 18

Byte Offset 19

Address 3 (48-bit)
Byte Offset 20

Byte Offset 21

Byte Offset 22

Address 3 (cont.)
Byte Offset 24

Byte Offset 23

Sequence Control (16-bit)

Byte Offset 25

Byte Offset 26

Byte Offset 27

30 Byte - MAC Header (Offset 0 to 29)

Byte Offset 8

Address 4 (48-bit)
Byte Offset 28

Byte Offset 29

Byte Offset 30

Address 4 (cont.)

Byte Offset 31

0 to 2312 bit Frame Body (variable length)

0 to 2312 bit Frame Body (variable length)
FCS (32-bit)
0

1

2

3

4

5

6

7

8

9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31

Frame Control

Consists of the following subfields: Protocol Version (bits 0-1), Type (bits 2-3), Subtype (bits 4-7),
To DS (bit 8), From DS (bit 9), More Fragment (bit 10), Retry (bit 11), Power management (bit
12), More Data (bit 13), WEP (bit 14) and Order (bit 15)
Duration / ID
Duration/ID field encoding
15 14
bit 13 - 0
Usage
0
0 - 32767
Duration
1 0
0
Fixed value within frames transmitted during the CFP
1 0
1-16383
Reserved
1 1
0
Reserved
1 1
1-2007
Association Identificatier (AID) in PS-Poll frames (Max association per AP is 2007)
1 1 2008 - 16383 Reserved
Address Fields
There are 4 address fields in the MAC frame format. These fields are used to indicate the
BSSID, source address (SA), destination address (DA), transmitting station address (TA), and
the receiving station address (RA).
Consists of the following subfields: Fragment Number (bits 0-3) and Sequence Number (bits 4Sequence Control
15). Frames that have a payload larger than 2312 bytes will be fragmented.
Frame Body
Variable length field that contains information specific to individual frame types and subtypes.
FCS
32-bit check sum field calculated over all the fields of the MAC header and Frame body

29

802.11

802.11 (cont.)
Frame Control

0

1

2 3 4 5
Byte Offset 0

8

9 10 11 12 13 14 15
Byte Offset 1
Order

WEP

MD

PM

Retry

MF

FDS

Protocol Version
Type / Subtype
Type
b3 b2
0 0
0 0
0 0
0 0
0 0
0 0
0 0
0 0
0 0
0 0
0 0
0 0
0 0
0 1
0 1
0 1
0 1
0 1
0 1
0 1
1 0
1 0
1 0
1 0
1 0
1 0
1 0
1 0
1 0
1 1

Subtype
(4-bit)

7

TDS

PV Type
(2-bit) (2-bit)

6

Currently the value should always be 0
The type and subtype field together identify the function of the frame
Type
Subtype
Description b7 b6 b5 b4 Subtype Description
Management 0 0 0 0 Association Request
Management 0 0 0 1 Association Response
Management 0 0 1 0 Reassociation Request
Management 0 0 1 1 Reassociation Response
Management 0 1 0 0 Probe Request
Management 0 1 0 1 Probe Response
Management 0110-0111 Reserved
Management 1 0 0 0 Beacon
Management 1 0 0 1 Announcement traffic indication message (ATIM)
Management 1 0 1 0 Disassociation
Management 1 0 1 1 Authentication
Management 1 1 0 0 Deauthentication
Management 1101-1111 Reserved
Control
0000-1001 Reserved
Control
1 0 1 0 Power Save (PS)-Poll
Control
1 0 1 1 Request To Send (RTS)
Control
1 1 0 0 Clear To Send (CTS)
Control
1 1 0 1 Acknowledgment (ACK)
Control
1 1 1 0 Contention-Free (CF)-End
Control
1 1 1 1 CF-End + CF-Ack
Data
0 0 0 0 Data
Data
0 0 0 1 Data + CF-Ack
Data
0 0 1 0 Data + CF-Poll
Data
0 0 1 1 Data + CF-Ack + CF-Poll
Data
0 1 0 0 Null function (no data)
Data
0 1 0 1 CF-Ack (no data)
Data
0 1 1 0 CF-Poll (no data)
Data
0 1 1 1 CF-Ack + CF-Poll (no data)
Data
1000-1111 Reserved
Reserved
0000-1111 Reserved

Miscellaneous Info
802.11a
54 Mbit/s using the 5 GHz band
802.11b
11 Mbit/s using the 2.4 GHz band (Marketed under the name WiFi)
802.11g
54 Mbit/s using the 2.4 GHz band (Marketed under the name WiFi)
802.11n
Allows for greater Mbit/s using multiple-input multiple-output (MIMO), channel bonding and frame
aggregation. This standard can be used in the 2.4 and 5.0 GHz band.
802.11 header information was compiled from the 802.11 1999 reference specification available at
http://standards.ieee.org/getieee802/download/802.11-1999.pdf

30

802.11 (2)

802.11 (cont.)
Frame Control

0

1

2 3 4 5
Byte Offset 0

9 10 11 12 13 14 15
Byte Offset 1
Order

WEP

MD

PM

Retry

MF

Set to 1 in data type frames destined for the DS. This includes all data type frames sent by
wireless stations associated with an AP. The To DS field is set to 0 in all other frames.
Set to 1 in data type frames exiting the DS. It is set to 0 in all other frames.

From DS

To

Subtype
(4-bit)

8

FDS

To DS

7

TDS

PV Type
(2-bit) (2-bit)

6

DS
From

0

0

0

1

1

0

1

1

TO/From DS Values
Meaning
A data frame direct from one wireless station to another wireless within the same IBSS, as well
as all management and control type frames. (AD HOC)
Address 1 is Destination, Address 2 is Source, Address 3 is BSSID*
Data frame destined for the DS (to a wired network) from a wireless station (Infrastructure)
Address 1 is Destination, Address 2 is BSSID, Address 3 is Source
Data frame exiting the DS (from a wired network) to a wireless station (Infrastructure)
Address 1 is BSSID, Address 2 is Source, Address 3 is Destination
Wireless distribution system (WDS) frame being distributed from one AP to another AP
Address 1 is Receiver, Address 2 is Transmitter
Address 3 is Destination, Address 4 is Source

* Note: The BSSID in an IBSS network is a randomly-selected value with the first 2 bits consistenly
set to 01. The value is in the range of 40:00:00:00:00:00 to 7f:ff:ff:ff:ff:ff.
More Fragments

Set to 1 in all data management type frames that have another fragment of the current MSDU or
current MMPDU to follow. It is set to 0 in all other frames.

Retry

Set to 1 in any data or management type frame that is a retransmission of an earlier frame. It is
set to 0 in all other frames. A receiving station uses this indication to aid in the process of
eliminating duplicate frames.

Power Management

More Data

WEP

Order

Sequence Control

Set to 1 indicates that the STA will be in power-save mode. A value of 0 indicates that the STA
will be in active mode. This field is always set to 0 in frames transmitted by an AP.
Set to 1 in directed data type frames transmitted by a contention-free (CF)-Pollable STA to the
point coordinator (PC) in response to a CF-Poll to indicate that the STA has at least one
additional buffered MSDU available for transmission in response to a subsequent CF-Poll. Set to
0 in all other directed frames.
Set to 1 if the Frame Body field contains information that has been processed by the WEP
algorithm. The WEP field is set to 0 in all other frames. When the WEP bit is set to 1, the Frame
Body field is expanded.
Set to 1 if any data type frame that contains an MSDU, or fragment thereof, which is being
transferred using the Strictly Ordered service class. Set to 0 in all other frames.
0

1

2 3 4 5 6
Byte Offset 22

Fragment #
(4-bit)
Fragment field

7

8

9 10 11 12 13 14 15
Byte Offset 23

Sequence Number (12-bit)

Field value can be 0 to 4096. Normally 0 because packets are not normally fragmented. Each
fragment is assigned a unique fragment number with the entirety of the packet identified with a
single sequence number. Note: Frames that have a payload larger than 2312 bytes will be
fragmented.

31

802.11 (3)

Kismet
Commands
Key
QUICK REFERENCE
e
z
m
t
g
u
c
L
H
+
^L

Description
List Kismet servers
Toggle fullscreen zoom of network view
Toggle muting of sound and speech
Tag (or untag) selected network
Group tagged networks
Ungroup current group
Show clients in current network
Lock channel hopping to the current network channel
Return to normal channel hopping
Expand groups
Collapse groups
Force a screen redraw

POPUP WINDOWS
h
n
i
s
l (lower case L)
d
r
a
p
f
w
x
Q

Help
Name current network
detailed information about selected network
Sort network list
Show wireless card power levels
Dump printable strings
Packet rate graph
Statistics
Dump packet type
Follow network center
Track alerts
Cloase popup window
Quit

Definitions of Symbols
Network/Group Types:
Symbol
Name
P
Probe Request
A
Access Point
H
ad-hoc
T
Turbocell
G
Group
D
Data

Symbol
F
T#
U#
A#
D
W

Description
No associated connection yet
Standard wireless network
Point-to-point wireless network (IBSS)
Turbocell (aka Karlnet or Lucent Outdoor Router) network
Group of wireless networks
data only network with no control packets

Status Flags
Description
Vulnerable factory configuration.
Address range of # octets found via TCP traffic
Address range of # octets found via UDP traffic
Address range of # octets found via ARP traffic
Address range found via observed DHCP traffic
WEPed network decrypted with user-supplied key
Information obtained from the Kismet help screen

32

Kismet

TCPDUMP / WINDUMP
windump -i  -nX
windump -i  -nX -s0
windump -r  -nXp

capture from interface (-i ) do not convert names(-n) and print out hex
and ascii (-X)
capture from interface (-i ) do not convert names(-n), print out hex and
ascii (-X) and capture all the packet
capture from file (-r ), do not convert names (-n), print out hex and ascii (-X),
not in promiscuous mode (-p)

Keywords
host (host)
src host (host)
dst host (host)
gateway (host)
net (net/len)
src net (net)
dst net (net)
port (port)
src port (port)
dst port (port)
less (length)
greater (length)
Bit Masking
And unwanted bits with 0
And wanted bits with 1
0 AND 0 = 0
0 AND 1 = 0
1 AND 0 = 0
1 AND 1 = 1

ip
ip6
arp
icmp
icmp6
tcp
udp
ah
esp
igmp
igrp
rarp

vrrp
ip broadcast
ip proto (protocol)
ip protochan (protocol)
ip6 proto (protocol)
ip6 protochain (protocol)
ip multicast
ip6 multicast
ether host (MAC)
ether src (MAC)
ether dst (MAC)
ether proto (protocol)

ether multicast
vlan (vlan_id)
atalk
decnet
decnet src
decnet host
iso
stp
ipx
netbeui

tcpflags
icmptype icmp-echoreply
icmp-echo icmp-paramprob
tcp-fin
icmp-unreachable icmp-ireq icmp-tstamp
tcp-syn
icmp-sourcequench
icmp-tstampreply
tcp-rst
icmp-redirect
icmp-ireq
tcp-push
icmp-routeradvert
icmp-ireqreply
tcp-ack
icmp-routersolicit
icmp-maskreq
tcp-urg
icmp-timxceed
icmp-maskreply

! or not
Expressions:
>, <, >=, <=, =, !=, +, -, *, /, &, |
filter format [offset:length]
tcpdump [command line options] ['filter']
windump [command line options] ["filter"]

&& or and

|| or or

Examples
host A and B

Connections between host A and host B
ip[9] = 1 icmp
ip[9] = 6 tcp
ip[9] = 17 udp
ip[9] = 0x11
tcp[2:2] < 20
The TCP dst port is greater than 20
udp[6:2] != 0
Non-zero UDP checksum
tcp[tcpflags]=tcp-syn
Only Syn tcp[13] &0x02 != 0 At minimum the SYN bit set
tcp[tcpflags]=tcp-ack
Only Ack tcp[13] &0x10 != 0 At minimum the ACK bit set
tcp[tcpflags]=tcp-fin
or
tcp[13] &0xff=0x01 Only the FIN bit is set
tcp[13] &0xff = 1
tcp[13] &0xff =16
or
tcp[13] &0xff = 0x10
Only the ACK bit is set
icmp type 3 is destination unreachable category and a code of 2 specifies that this is
icmp[0]=3 and icmp[1]=2
an ICMP protocol unreachable (Good filter for detecting protocol scans)
(tcp and (tcp[13] &0x0f != 0) and A tcp packet where any combination of PSH, RST, SYN, FIN are set and the packet
not port 25 and not port 20)
is not port 25 or 20
udp[21:4]=0x56455253
Looks for “VERS” in udp payload for VERSION.BIND
tcp[20:4] = 0x5353482d
Looks for “SSH-” in TCP payload
ip[6:2] & 0x3fff != 0
Look for ALL fragmented ip packets
Look for more fragment bit set or fragment offset greater than 0 (Look for ALL
ip[6] &0x20 = 0x20 or ip[6:2]
&0x1fff != 0
fragmented ip packets)
ip[6] &0x20 = 0 and ip[6:2] &0x1fff Look for more fragment bit not set and fragment offset greater than 0 (Last
!= 0
fragment packets)

33

TCPDUMP

TCPDUMP / WINDUMP (cont.)
Command Line Options
Options
-a
-A
-B 
-c 
-C 
-d
-dd
-ddd
-D
-e
-E 
-f
-F 
-i 
-l
-L
-m 
-n

Description
Attempt to convert network and broadcast addresses to names
Set driver's buffer size to size in KiloBytes. The default buffer size is 1 megabyte (i.e 1000).
Exit after receiving  of packets
Before writing a raw packet to a savefile, check whether the file is currently larger than
file_size and, if so, close the current savefile and open a new one.
Dump the compiled packet-matching code in a human readable form to standard output and
stop
Dump packet-matching code as a C program fragment
ddd Dump packet-matching code as decimal numbers (preceded with a count)
Print the list of the interface cards available on the system. WINDUMP ONLY
Print the link-level header on each dump line
Use algo:secret for decrypting IPsec ESP packets where algorithms may be des-cbc, 3des-cbc,
blowfish-cbc, rc3-cbc, cast128-cbc, or none.
Print ‘foreign’ internet addresses numerically rather than symbolically
Use file as input for the filter expression
Listen on interface (defaults to lowest numbered interface)
Make stdout line buffered. ``tcpdump -l | tee dat'' or ``tcpdump -l > dat & tail -f dat''

Load SMI MIB module definitions from file module
Don’t convert addresses to names
Don’t convert addresses or port numbers (port numbers are resolved based on information the
-nn
the linux /etc/service file or the windows %windir%\system32\drivers\etc\services file.)
-N
Don’t print domain name qualification of host names
-O
Do not run the packet-matching code optimizer
-p
Don’t put the interface into promiscuous mode
-q
Quick output – print less protocol information
-r 
Read packets from file (created with the –w option)
-R
Assume ESP/AH packets to be based on old specs
-s 
Snarf snaplen bytes of data from each packet (default is 68)
1518 Max Ethernet Frame (14 byte Ethernet header + 1500 byte IP + 4 byte Ethernet trailer)
64 Min Ethernet Frame (14 byte Ethernet header + 64 byte IP + 4 byte Ethernet trailer)
Note: -s0 mean full ethernet packet
-S
Print absolute, rather than relative TCP sequence numbers
-t
Don’t print a timestamp on each dump line
Force packets selected by “expressions” to be interpreted the specified type (cnfp, rpc, rtp,
-T 
snmp, wb)
-tt
Print an unformatted timestamp on each dump line
-ttt
Print a delta (in micro-seconds) between current and previous line on each dump line
-tttt
Print a timestamp in default format proceeded by date on each dump line
-u
Print undecoded NFS handles
-U
-v
Verbose output (TOS, TTL, IP ID, Fragment Offset, IP Flags, length)
V
-w 
Write the raw packet to file rather than parsing and printing to stdout
-x
Print each packet (minus link level header) in hex
-X
Print each packet in hex and ascii
-y 
http://www.tcpdump.org/tcpdump_man.html
http://windump.polito.it/docs/manual.htm#Wdump

34

TCPDUMP (2)

WIND

NGREP
ngrep
<-hXViwqpevxlDtT> <-IO pcap_dump> <-n num> <-d dev> <-A num> <-s snaplen> <-S limitlen>



Command Line Options
-A (num)
-D
-d (device)
-e
-h
-i
-I (file)
-l
-n (num)
-O (file)
-p
-q
-S (limitlen)
-s (snaplen)
-t
-T
-V
-v
-w
-X
-x

is dump num packets after a match
is replay pcap_dumps with their recorded time intervals
is use a device different from the default (pcap)
is show empty packets
is help/usage
is ignore case
is read packet stream from pcap format file pcap_dump (Capitol i)
is make stdout line buffered
is look at only num packets
is dump matched packets in pcap format to pcap_dump
is don't go into promiscuous mode
is be quiet
is set the limitlen on matched packets
is set the bpf caplen
is print timestamp every time a packet is matched
is print delta timestamp every time a packet is matched
is version information
is invert match
is word-regex (expression must match as a word)
is interpret match expression as hexadecimal
is print in alternate hexdump format




is either an extended regular expression or a hexadecimal string. see the man page for
more information.
is any bpf filter statement.

Examples:
ngrep '' icmp
print all UDP packets
ngrep '' tcp
print all TCP packets
ngrep '' udp
print all UDP packets
ngrep '' port 53
print all packets to or from TCP or TDP port 53
ngrep '' tcp port 53
print all packets to or from only TCP port 53
ngrep - v '' tcp port 53
print all packets but those to or from TCP port 53
ngrep 'USER|PASS' tcp port 21
print all packets to or from TCP port 21 where USER or PASS
ngrep 'SSH-' port tcp 22
print all packets to or from TCP port 22 where SSHngrep 'LILWORD' port 138
print Microsoft browsing traffic for NT domain LILWORLD
ngrep -iq 'rcpt to|mail from' tcp port 25
monitor current delivery and print sender and recipients
ngrep 'user' port 110
monitor POP3
ngrep -q 'abcd' icmp
"pinging" host running a Microsoft operating system?
ngep -i -I  "Yahoo"
read from input file and search for case insensitive "Yahoo"
Note:
You can use "frame contains " in ethereal to do similar searches.
http://www.packetfactory.net/projects/ngrep/usage.html

35

NGREP

Ethereal / Wireshark

Wireless Filters
wlan.fc.wep = 1
wlan.fc.wep != 1
eapol and eap.type == 17
eap.type == 17 and eap.code == 2
wlan_mgt.tag.number == 221
wlan.bssid == 
wlan.fc.type_subtype eq 32
wlan.fc.type_subtype eq 11 or
wlan.fc.type_subtype < 6
wlan.fc.type_subtype != 8

Displays all the frames that do have the WEP bit (or privacy bit) set
Displays all the frames that do NOT have the WEP bit (or privacy bit) set
Will display Cisco Leap packets
Will display only Cisco Leap packets that are EAP responses
Displays TKIP or AES packets
Displays only packets that have the specified BSSID
Displays only data frames
Display all probe request and response packets

Will exclude all the beacon frames from a wireless packet capture
Displays packets where the 1st byte in the destination MAC address is 0x01, a
multicast address.
wlan.da[0:1] == 1
http://www.iana.org/assignments/multicast-addresses
http://www.cavebear.com/Cavebear/ethernet/multicast.html
(wlan.fc.wep != 1) and (wlan.fc.type_subtype eq 32) and !(STP or http or nbus or arp or dns or browser or rip)

General IP Filters
ip.proto == 0x??
tcp.flags.syn == 0
tcp.flags.reset == 0

IPSec Filters
ip.proto == 0x??
isakmp or udp.port eq 500 or
udp.port eq 10000 or udp.port eq
5150
isakmp[18] eq 4

Display ICMP if ??=01, TCP if ??= 06 and UDP if ??=11
tcp.flags.ack == 0
tcp.flags.fin == 0
tcp.flags.push == 0

Display IPSec AH if ??=51 and ESP if ??=50
Displays ISAKMP traffic (Note 500/CheckPoint, 10000/Cisco, 5150/agere)
Display IPSec ISAKMP packets using aggressive IKE mode

OS Finger Printing
browser.os_major < 5

Display pre-Windows 2000 Clients (Note: eq 5 WK2000 System)

Finds Data In A Packet
data contains "HTTP/1.1 240"
http.cookie contains "x"

Displays a packets with HTTP error code 240 in the header
Displays data "x" list in the cookie

Organizationally Unique Identifiers

1st 24 bits of MAC. OUI to Org. http://standards.ieee.org/regauth/oui/oui.txt

36

Ethereal

Windows TCP / UDP Ports
Port
n/a
n/a
n/a
7
7
9
9
13
13
17
17
19
19
20
21
21
23
25
25
25
25
42
42
53
53
53
53
67
67
69
80
80
80
88
88
102
110
110
119
123
123
135
135
135
135
135
135
135
135
135
135
135

Protocol Application protocol
System service name
GRE
GRE (IP protocol 47)
Routing and Remote Access
ESP
IPsec ESP (IP protocol 50)
Routing and Remote Access
AH
IPsec AH (IP protocol 51)
Routing and Remote Access
TCP
Echo
Simple TCP/IP Services
UDP
Echo
Simple TCP/IP Services
TCP
Discard
Simple TCP/IP Services
UDP
Discard
Simple TCP/IP Services
TCP
Daytime
Simple TCP/IP Services
UDP
Daytime
Simple TCP/IP Services
TCP
Quotd
Simple TCP/IP Services
UDP
Quotd
Simple TCP/IP Services
TCP
Chargen
Simple TCP/IP Services
UDP
Chargen
Simple TCP/IP Services
TCP
FTP default data
FTP Publishing Service
TCP
FTP control
FTP Publishing Service
TCP
FTP control
Application Layer Gateway Service
TCP
Telnet
Telnet
TCP
SMTP
Simple Mail Transfer Protocol
UDP
SMTP
Simple Mail Transfer Protocol
TCP
SMTP
Exchange Server
UDP
SMTP
Exchange Server
TCP
WINS Replication
Windows Internet Name Service
UDP
WINS Replication
Windows Internet Name Service
TCP
DNS
DNS Server
UDP
DNS
DNS Server
TCP
DNS
Internet Connection Firewall/Internet Connection Sharing
UDP
DNS
Internet Connection Firewall/Internet Connection Sharing
UDP
DHCP Server
DHCP Server
UDP
DHCP Server
Internet Connection Firewall/Internet Connection Sharing
UDP
TFTP
Trivial FTP Daemon Service
TCP
HTTP
Windows Media Services
TCP
HTTP
World Wide Web Publishing Service
TCP
HTTP
SharePoint Portal Server
TCP
Kerberos
Kerberos Key Distribution Center
UDP
Kerberos
Kerberos Key Distribution Center
TCP
X.400
Microsoft Exchange MTA Stacks
TCP
POP3
Microsoft POP3 Service
TCP
POP3
Exchange Server
TCP
NNTP
Network News Transfer Protocol
UDP
NTP
Windows Time
UDP
SNTP
Windows Time
TCP
RPC
Message Queuing
TCP
RPC
Remote Procedure Call
TCP
RPC
Exchange Server
TCP
RPC
Certificate Services
TCP
RPC
Cluster Service
TCP
RPC
Distributed File System
TCP
RPC
Distributed Link Tracking
TCP
RPC
Distributed Transaction Coordinator
TCP
RPC
Event Log
TCP
RPC
Fax Service
TCP
RPC
File Replication
The page is from the text provided at http://support.microsoft.com/kb/832017

37

MS PORTS

Windows TCP / UDP Ports
Port
135
135
135
135
135
135
135
137
137
137
137
137
138
138
138
138
138
138
138
139
139
139
139
139
139
139
139
139
139
143
161
162
389
389
389
389
443
443
443
443
445
445
445
445
445
445
445
464
500
515
548
554

Protocol Application protocol
System service name
TCP
RPC
Group Policy
TCP
RPC
Local Security Authority
TCP
RPC
Remote Storage Notification
TCP
RPC
Remote Storage Server
TCP
RPC
Systems Management Server 2.0
TCP
RPC
Terminal Services Licensing
TCP
RPC
Terminal Services Session Directory
UDP
NetBIOS Name Resolution
Computer Browser
UDP
NetBIOS Name Resolution
Server
UDP
NetBIOS Name Resolution
Windows Internet Name Service
UDP
NetBIOS Name Resolution
Net Logon
UDP
NetBIOS Name Resolution
Systems Management Server 2.0
UDP
NetBIOS Datagram Service
Computer Browser
UDP
NetBIOS Datagram Service
Messenger
UDP
NetBIOS Datagram Service
Server
UDP
NetBIOS Datagram Service
Net Logon
UDP
NetBIOS Datagram Service
Distributed File System
UDP
NetBIOS Datagram Service
Systems Management Server 2.0
UDP
NetBIOS Datagram Service
License Logging Service
TCP
NetBIOS Session Service
Computer Browser
TCP
NetBIOS Session Service
Fax Service
TCP
NetBIOS Session Service
Performance Logs and Alerts
TCP
NetBIOS Session Service
Print Spooler
TCP
NetBIOS Session Service
Server
TCP
NetBIOS Session Service
Net Logon
TCP
NetBIOS Session Service
Remote Procedure Call Locator
TCP
NetBIOS Session Service
Distributed File System
TCP
NetBIOS Session Service
Systems Management Server 2.0
TCP
NetBIOS Session Service
License Logging Service
TCP
IMAP
Exchange Server
UDP
SNMP
SNMP Service
UDP
SNMP Traps Outbound
SNMP Trap Service
TCP
LDAP Server
Local Security Authority
UDP
LDAP Server
Local Security Authority
TCP
LDAP Server
Distributed File System
UDP
LDAP Server
Distributed File System
TCP
HTTPS
HTTP SSL
TCP
HTTPS
World Wide Web Publishing Service
TCP
HTTPS
SharePoint Portal Server
TCP
RPC over HTTPS
Exchange Server 2003
TCP
SMB
Fax Service
TCP
SMB
Print Spooler
TCP
SMB
Server
TCP
SMB
Remote Procedure Call Locator
TCP
SMB
Distributed File System
TCP
SMB
License Logging Service
TCP
SMB
Net Logon
TCP
Kerberos Password V5
Net Logon
UDP
IPsec ISAKMP
Local Security Authority
TCP
LPD
TCP/IP Print Server
TCP
File Server for Macintosh
File Server for Macintosh
TCP
RTSP
Windows Media Services
The page is from the text provided at http://support.microsoft.com/kb/832017

38

MS PORTS (2)

Windows TCP / UDP Ports
Port
563
593
593
636
636
993
995
1067
1068
1270
1433
1433
1434
1434
1512
1512
1645
1646
1701
1723
1755
1755
1801
1801
1812
1813
1863
1863
1900
2101
2103
2105
2107
2383
2393
2394
2460
2535
2701
2701
2702
2702
2703
2703
2704
2704
2725
2869
2869
3268
3269
3343

Protocol Application protocol
System service name
TCP
NNTP over SSL
Network News Transfer Protocol
TCP
RPC over HTTPS endpoint mapper Remote Procedure Call
TCP
RPC over HTTPS
Exchange Server
TCP
LDAP SSL
Local Security Authority
UDP
LDAP SSL
Local Security Authority
TCP
IMAP over SSL
Exchange Server
TCP
POP3 over SSL
Exchange Server
TCP
Installation Bootstrap Service
Installation Bootstrap protocol server
TCP
Installation Bootstrap Service
Installation Bootstrap protocol client
TCP
MOM-Encrypted
Microsoft Operations Manager 2000
TCP
SQL over TCP
Microsoft SQL Server
TCP
SQL over TCP
MSSQL$UDDI
UDP
SQL Probe
Microsoft SQL Server
UDP
SQL Probe
MSSQL$UDDI
TCP
WINS
Windows Internet Name Service
UDP
WINS
Windows Internet Name Service
UDP
Legacy RADIUS
Internet Authentication Service
UDP
Legacy RADIUS
Internet Authentication Service
UDP
L2TP
Routing and Remote Access
TCP
PPTP
Routing and Remote Access
TCP
MMS
Windows Media Services
UDP
MMS
Windows Media Services
TCP
MSMQ
Message Queuing
UDP
MSMQ
Message Queuing
UDP
RADIUS Authentication
Internet Authentication Service
UDP
RADIUS Accounting
Internet Authentication Service
TCP
Microsoft Messenger Protocol
MSN Messenger
UDP
Microsoft Messenger Protocol
MSN Messenger
UDP
SSDP
SSDP Discovery Service
TCP
MSMQ-DCs
Message Queuing
TCP
MSMQ-RPC
Message Queuing
TCP
MSMQ-RPC
Message Queuing
TCP
MSMQ-Mgmt
Message Queuing
TCP
OLAP Services 9.0
SQL Server: Downlevel OLAP Client Support (SQL 2005)
TCP
OLAP Services 7.0 / 8.0
SQL Server: Downlevel OLAP Client Support
TCP
OLAP Services 7.0 / 8.0
SQL Server: Downlevel OLAP Client Support
UDP
MS Theater
Windows Media Services
UDP
MADCAP
DHCP Server
TCP
SMS Remote Control (control)
SMS Remote Control Agent
UDP
SMS Remote Control (control)
SMS Remote Control Agent
TCP
SMS Remote Control (data)
SMS Remote Control Agent
UDP
SMS Remote Control (data)
SMS Remote Control Agent
TCP
SMS Remote Chat
SMS Remote Control Agent
UPD
SMS Remote Chat
SMS Remote Control Agent
TCP
SMS Remote File Transfer
SMS Remote Control Agent
UDP
SMS Remote File Transfer
SMS Remote Control Agent
TCP
SQL Analysis Services
SQL Analysis Server
TCP
UPNP
Universal Plug and Play Device Host
TCP
SSDP event notification
SSDP Discovery Service
TCP
Global Catalog Server
Local Security Authority
TCP
Global Catalog Server over SSL
Local Security Authority over SSL
UDP
Cluster Services
Cluster Service
The page is from the text provided at http://support.microsoft.com/kb/832017

39

MS PORTS (3)

Windows TCP / UDP Ports
Port
3389
3389
3478
3527
4011
4500
5000
5004
5005
5061
5062
6001
6002
6004
8057
42424
50000-59999
51515
1024-65534

Protocol
TCP
TCP
UDP
UDP
UDP
UDP
TCP
UDP
UDP
TCP
TCP
TCP
TCP
TCP
TCP
TCP
TCP
TCP
TCP

Application protocol
Terminal Services
Terminal Services
STUN
MSMQ-Ping
BINL
NAT-T
SSDP legacy event notification
RTP
RTCP
SIP/MTLS
SIP/MTLS
Information Store
Directory Referral
DSProxy/NSPI
PSOM/MTLS
ASP.Net Session State
OCS A/V Edge Server
MOM-Clear
RPC (DCOM)

System service name
NetMeeting Remote Desktop Sharing
Terminal Services
OCS A/V Edge Server for STUN Communications
Message Queuing
Remote Installation
Local Security Authority
SSDP Discovery Service
Windows Media Services
Windows Media Services
OCS Access Edge Server Communication
OCS Access Edge Server Authentication
Exchange Server 2003
Exchange Server 2003
Exchange Server 2003
OCS Web Conferencing Edge Server
ASP.NET State Service
Used for inbound and outbound media transfer
Microsoft Operations Manager 2000
Randomly allocated high TCP ports
Used with RPC endpoint Mapper listening on TCP 135
The page is from the text provided at http://support.microsoft.com/kb/832017

Kerberos
1
Authentication service (AS) Exchange
2
Ticket-Granting Service (TGS) Exchange
3
Client/Server (CS) Excahnge
The AS Excahnge is where the Kerberos key distribution (KDC)

IPC$

Inter-Process Communication

40

MS PORTS (4)

OS Fingerprinting
OS
DC-Osx
Windows
NetApp
HPJetDirect
AIX
AIX
Cisco
DigitalUnix
IRIX
OS390
Reliant
FreeBSD
JetDirect
Linux
Linux
OpenBSD
0s/400
SCO
Solaris
FTX(Unix)
Unisys
Netware
Windows
Windows
Windows
Cisco
Solaris

Version
1.1-95
9x/NT
OnTap
?
4.3.X
4.2.X
11.2
4
6.x
2.6
5.43
3.x
G.07.x
2.2.x
2.4
2.x
r4.4
R5
8
3.3
x
4.11
9x/NT
2000
XP Pro
12
2.x

Platform
Pyramid/NILE
Intel
5.1.2-5.2.2
HP_Printer
IBM/RS6000
IBM/RS6000
7507
Alpha
SGI
IBM/S390
Pyramid/RM1000
Intel
J311A
Intel
Intel
Intel
AS/400
Compaq
Intel/Sparc
STRATUS
Mainframe
Intel
Intel
Intel
Intel
2514
Intel/Sparc

TTL
30
32
54
59
60
60
60
60
60
60
60
64
64
64
64
64
64
64
64
64
64
128
128
128
128
255
255

Window
8192
5000-9000
8760
2100-2150
16000-16100
16000-16100

32120
5840

32678
32768
32000-32768
5000-9000
17000-18000
???
3800-5000
8760

DF TOS TCP Options
n
0
y
0
y
0
n
0
y
0 MSS
n
0
y
0
y
16
y
16
n
0
n
0
y
16
n
0
y
0 MSS, SackOK, wscale, Timestamp, one NOP
MSS, SackOK, wscale, Timestamp, one NOP
n
16 MSS, Timestamp, wscale, sacks OK, 5 nops
y
0
n
0
y
0
n
0
n
0
y
0
y
0
y
0 MSS, SackOK, 2 NOPs
??
0 MSS, nop, nop, SackOk
n
192
y
0

## ADDITIONAL NOTES
#
# Cisco IOS 12.0 normally starts all IP sessions with IP ID of 0
# Solaris 8 uses a smaller TTL (64) then Solaris 7 and below (255).
# Windows 2000 uses a much larger Window Size then NT.
The page is from the text provided at http://project.honeynet.org/papers/finger/traces.txt

41

OS Fingerprinting

Decimal to Hexadecimal to ASCII Chart

Dec Hex
0
0
1
1
2
2
3
3
4
4
5
5
6
6
7
7
8
8
9
9
10
A
11
B
12
C
13
D
14
E
15
F
16 10
17 11
18 12
19 13
20 14
21 15
22 16
23 17
24 18
25 19
26 1A
27 1B
28 1C
29 1D
30 1E
31 1F

ASCII
NUL
SOH
STX
ETX
EOT
ENQ
ACK
BEL
BS
HT
LF
VT
FF
CR
SO
SI
DLE
DC1
DC2
DC3
DC4
NAK
SYN
ETB
CAN
EM
SUB
ESC
FS
GS
RS
US

Dec Hex
32 20
33 21
34 22
35 23
36 24
37 25
38 26
39 27
40 28
41 29
42 2A
43 2B
44 2C
45 2D
46 2E
47 2F
48 30
49 31
50 32
51 33
52 34
53 35
54 36
55 37
56 38
57 39
58 3A
59 3B
60 3C
61 3D
62 3E
63 3F

ASCII
SP
!
"
#
$
%
&
'
(
)
*
+
,
.
/
0
1
2
3
4
5
6
7
8
9
:
;
<
=
>
?

Dec Hex
64 40
65 41
66 42
67 43
68 44
69 45
70 46
71 47
72 48
73 49
74 4A
75 4B
76 4C
77 4D
78 4E
79 4F
80 50
81 51
82 52
83 53
84 54
85 55
86 56
87 57
88 58
89 59
90 5A
91 5B
92 5C
93 5D
94 5E
95 5F

ASCII
@
A
B
C
D
E
F
G
H
I
J
K
L
M
N
O
P
Q
R
S
T
U
V
W
X
Y
Z
[
\
]
^
_

Dec Hex
96 60
97 61
98 62
99 63
100 64
101 65
102 66
103 67
104 68
105 69
106 6A
107 6B
108 6C
109 6D
110 6E
111 6F
112 70
113 71
114 72
115 73
116 74
117 75
118 76
119 77
120 78
121 79
122 7A
123 7B
124 7C
125 7D
126 7E
127 7F

ASCII
'
a
b
c
DEL
e
f
g
h
i
j
k
l
m
n
o
p
q
r
s
t
u
v
w
x
y
z
{
|
}
~
DEL

Dec Hex
128 80
129 81
130 82
131 83
132 84
133 85
134 86
135 87
136 88
137 89
138 8A
139 8B
140 8C
141 8D
142 8E
143 8F
144 90
145 91
146 92
147 93
148 94
149 95
150 96
151 97
152 98
153 99
154 9A
155 9B
156 9C
157 9D
158 9E
159 9F

42

ASCII
Ç
ü
é
â
ä
à
å
ç
ê
ë
è
ï
î
ì
Ä
Å
É
æ
Æ
ô
ö
ò
û
ù
ÿ
Ö
Ü
¢
£
¥
₧
ƒ

Dec
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191

Hex
A0
A1
A2
A3
A4
A5
A6
A7
A8
A9
AA
AB
AC
AD
AE
AF
B0
B1
B2
B3
B4
B5
B6
B7
B8
B9
BA
BB
BC
BD
BE
BF

ASCII
á
í
ó
ú
ñ
Ñ
ª
º
¿
⌐
¬
½
¼
¡
«
»
░
▒
▓
│
┤
╡
╢
╖
╕
╣
║
╗
╝
╜
╛
┐

Dec
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223

Hex
C0
C1
C2
C3
C4
C5
C6
C7
C8
C9
CA
CB
CC
CD
CE
CF
D0
D1
D2
D3
D4
D5
D6
D7
D8
D9
DA
DB
DC
DD
DE
DF

ASCII
└
┴
┬
├
─
┼
╞
╟
╚
╔
╩
╦
╠
═
╬
╧
╨
╤
╥
╙
╘
╒
╓
╫
╪
┘
┌
█
▄
▌
▐
▀

Dec Hex ASCII
224 E0
α
225 E1
ß
226 E2
Γ
227 E3
π
228 E4
Σ
229 E5
σ
230 E6
µ
231 E7
τ
232 E8
Φ
233 E9
Θ
234 EA
Ω
235 EB
δ
236 EC
∞
237 ED
φ
238 EE
ε
239 EF
∩
240 F0
≡
241 F1
±
242 F2
≥
243 F3
≤
244 F4
⌠
245 F5
⌡
246 F6
÷
247 F7
≈
248 F8
°
249 F9
∙
250 FA
·
251 FB
√
252 FC
ⁿ
253 FD
²
254 FE
■
255 FF Hardspace

ASCII

References
1.

Cisco, "The ABCs of IP Version 6", 2002
URL: http://www.cisco.com/application/pdf/en/us/guest/products/iosswrel/c1127/cdccont_0900aecd8018e369.pdf

2.

Honeynet Project, "Lists of fingerprints for passive fingerprint monitoring" May 23, 2000
URL: http://project.honeynet.org/papers/finger/traces.txt

3.

IANA, "ICMP TYPE NUMBERS", January 27, 2005
URL: http://www.iana.org/assignments/icmp-parameters

4.

IANA, "IP OPTION NUMBERS", June 06, 2001
URL: http://www.iana.org/assignments/ip-parameters

5.

IANA, "PROTOCOL NUMBERS", October 18, 2004
URL: http://www.iana.org/assignments/protocol-numbers

6.

IEEE, "Get IEEE 802" March, 9 2005
URL: http://standards.ieee.org/getieee802/

7.

IEEE, "Part 11: Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) Specifications", June 12, 2003
URL: http://standards.ieee.org/getieee802/download/802.11-1999.pdf

8.

Kismet, "KISMET PANELS INTERFAC",
URL: http://www.kismetwireless.net/

9.

Packetfactory, "ngrep - network grep",
URL: http://www.packetfactory.net/projects/ngrep/usage.html

10. POLITECNICO DI TORINO, "WinDump: tcpdump for Windows", March 14, 2002
URL: http://windump.polito.it/docs/manual.htm#Wdump.
11. RFC Editor, "RFC Editor Homepage", August 12, 2002
URL: http://www.rfc-editor.org/

12. SANS Institute's, "Audit 511: Auditing Wireless Networks, Part 1", 2005
13. SANS Institute's, "TCP/IP and tcpdump Pocket Reference Guide", June 2002
URL: http://www.sans.org/resources/tcpip.pdf

14. tcpdump.org, "tcpdump man pages"
URL: http://www.tcpdump.org/tcpdump_man.html
15. Todd Lammle, "CCNA: Cisco Certified Network Associate Study Guide"
Wiley Publishing, Inc., Copyright 2007

43

References



Source Exif Data:
File Type                       : PDF
File Type Extension             : pdf
MIME Type                       : application/pdf
PDF Version                     : 1.4
Linearized                      : No
Creator                         : Packet Analysis Reference Guide v3.0.xlsx
Producer                        : ScanSoft PDF Create! 4
Create Date                     : 2008:12:05 18:46:39-08:00
Modify Date                     : 2008:12:05 18:46:39-08:00
Author                          : james.summers
Title                           : Packet Analysis Reference Guide v3.0.xlsx
Page Count                      : 46
Page Mode                       : UseNone
EXIF Metadata provided by EXIF.tools

Navigation menu