Professional Documents
Culture Documents
192 (2)
192 (2)
252
(6)
248 252
(5) (6)
252
(6)
252
(6)
248 252
(5) (6)
252
(6)
252
(6)
248 252
(5) (6)
252
(6)
252
(6)
248 252
(5) (6)
252
(6)
00000000
00000001
00000010
00000011
00000100
00000101
00000110
00000111
00001000
00001001
00001010
00001011
00001100
00001101
00001110
00001111
00010000
00010001
00010010
00010011
00010100
00010101
00010110
00010111
00011000
00011001
00011010
00011011
00011100
00011101
00011110
00011111
00100000
00100001
00100010
00100011
00100100
00100101
00100110
00100111
00101000
00101001
00101010
00101011
00101100
00101101
00101110
00101111
00110000
00110001
00110010
00110011
00110100
00110101
00110110
00110111
00111000
00111001
00111010
00111011
00111100
00111101
00111110
00111111
0
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
01000000
01000001
01000010
01000011
01000100
01000101
01000110
01000111
01001000
01001001
01001010
01001011
01001100
01001101
01001110
01001111
01010000
01010001
01010010
01010011
01010100
01010101
01010110
01010111
01011000
01011001
01011010
01011011
01011100
01011101
01011110
01011111
01100000
01100001
01100010
01100011
01100100
01100101
01100110
01100111
01101000
01101001
01101010
01101011
01101100
01101101
01101110
01101111
01110000
01110001
01110010
01110011
01110100
01110101
01110110
01110111
01111000
01111001
01111010
01111011
01111100
01111101
01111110
01111111
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
192 (2)
10000000
10000001
10000010
10000011
10000100
10000101
10000110
10000111
10001000
10001001
10001010
10001011
10001100
10001101
10001110
10001111
10010000
10010001
10010010
10010011
10010100
10010101
10010110
10010111
10011000
10011001
10011010
10011011
10011100
10011101
10011110
10011111
10100000
10100001
10100010
10100011
10100100
10100101
10100110
10100111
10101000
10101001
10101010
10101011
10101100
10101101
10101110
10101111
10110000
10110001
10110010
10110011
10110100
10110101
10110110
10110111
10111000
10111001
10111010
10111011
10111100
10111101
10111110
10111111
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
11000000
11000001
11000010
11000011
11000100
11000101
11000110
11000111
11001000
11001001
11001010
11001011
11001100
11001101
11001110
11001111
11010000
11010001
11010010
11010011
11010100
11010101
11010110
11010111
11011000
11011001
11011010
11011011
11011100
11011101
11011110
11011111
11100000
11100001
11100010
11100011
11100100
11100101
11100110
11100111
11101000
11101001
11101010
11101011
11101100
11101101
11101110
11101111
11110000
11110001
11110010
11110011
11110100
11110101
11110110
11110111
11111000
11111001
11111010
11111011
11111100
11111101
11111110
11111111
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
Field
Length
(bits) TCPDUMP Filter
IP Header Length
IP Packet Length
IP TTL
IP Protocol
D
1
2
6
IP Address - Src
IP Address - Dst
16
8
8
Hex
0x01
0x02
0x06
32
32
flag=3
IP Fragmentation
ip[0] &0x0F
ip[2:2]
ip[8]
ip[9]
Proto
ICMP
IGMP
TCP
ip[12:4]
ip[16:4]
D
9
17
47
Notes
Remember to use a 4 byte multiplier to find
header length in bytes
The is no multiple for this length field
Hex
0x09
0x11
0x2F
Proto
IGRP
UDP
GRE
D
47
50
51
Hex
0x2F
0x32
0x33
Proto
GRE
ESP
AH
offset=13
ICMP Type
ICMP Code
TCP Src Port
TCP Dst Port
8
8
16
16
icmp[0]
icmp[1]
tcp[0:2]
tcp[2:2]
tcp[12] &0xF0
TCP Flags
TCP Windows Size
UDP Src Port
UDP Dst Port
UDP Header Length
8
16
16
16
16
tcp[13]
tcp[14:2]
udp[0:2]
udp[2:2]
upd[4:2]
Hdr Offset
2 3 4 5
Byte Offset 0
Version
bit)
(4-
IP hdr length
(4-bit)
9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31
Byte Offset 1
Byte Offset 2
Byte Offset 3
Type of Service (8-bit)
Byte Offset 4
Byte Offset 5
Byte Offset 9
Protocol (8-bit)
Byte Offset 12
Byte Offset 13
Byte Offset 10
Byte Offset 11
20 Bytes
Byte Offset 8
Byte Offset 7
Byte Offset 15
Byte Offset 17
Byte Offset 18
Byte Offset 19
Byte Offset 21
Byte Offset 22
Byte Offset 23
9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31
IP Version Number
Valid values are:
4 for IP version 4
6 for IP version 6
IP Header Length
(4 byte multiplier)
Number of 32-bit words in IP header
minimum value 5 (5 x 4 = 20 bytes) maximum value 15 (15 x 4 = 60 bytes)
Type of Service
(Used by gateways as a QoS type field) (Most OS's default to 0)
(Over)
Total Length
(No multiplier)
Number of bytes in packet
maximum length = 65,535
IP Identification Number
Uniquely identifies every datagram sent by host, value typically incremented by 1 (AKA Fragment ID)
Flags
R is reserved and must be set to 0
D is Don't Fragment Flag
1=Don't Fragment
0=Can Fragment
MF is More Fragments
1=More Fragments
0=No Fragment or no more Fragments
(frag x:y@z where x is the fragment ID, y is # of bytes (must be divisible by 8) and z is the fragment offset)
(In Ethernet the MTU 1500 should see middle fragments of size 1480 (1480 data + 20 ip header = 1500)
Fragment Offset
(8 byte multiplier)
(Max fragment offest 65528)
Position of this fragment in the original datagram
value is multipled by 8 to get bytes
Time To Live
IP Protocol D
Hex
D Hex
D Hex
D Hex
1 0x01 ICMP
9 0x09 IGRP
47 0x2F GRE
88 0x58 EIGRP
2 0x02 IGMP
17 0x11 UDP
50 0x32 ESP
89 0x59 OSPF
6 0x06 TCP
47 0x2F GRE
51 0x33 AH
Header Checksum
Covers IP header only
Validated along the path from source to destination
Options (0-40 bytes; 1st @ 20th byte offset; padded 4-byte boundary) (Processed by each router as packet passes)
D
Hex
D
Hex
0 0x00 End of Option list
68
0x44 Timestamp
1 0x01 No operation (pad)
131 0x83 Loose source route (security risk)
IPv4 Hdr
Type of Service
Prededence
0
Bit
Bit
Bit
Bit
Bit
137
0 3
4
5
6 &
Precedence
1 1 1
1 1 0
1 0 1
1 0 0
0 1 1
0 1 0
0 0 1
0 0 0
3
2
R
5
0
6
0
7
Precedence
0 = Normal Delay
1 = Low Delay
0 = Normal Throughput
1 = High Throughput
0 = Normal Relibility
1 = High Relibility
Reserved for future use (Always set to 0)
Network Control
Internetwork Control
CRITIC / ECP
Flash Override
Flash Override
Immediate
Priority
Routine
IPv4 Hdr
2 3 4 5
Byte Offset 0
9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31
Byte Offset 1
Byte Offset 2
Byte Offset 3
Byte Offset 5
Byte Offset 6
Byte Offset 7
Byte Offset 10
Byte Offset 11
Byte Offset 13
E
C
W
E
R
U
R
G
A
C
K
P R
S S
H T
Byte Offset 17
F
S
Y
N
Byte Offset 14
Byte Offset 18
Checksum (16-bit)
Byte Offset 20
Byte Offset 15
I
N
20 Bytes
Byte Offset 8
Byte Offset 19
Byte Offset 21
Byte Offset 22
Byte Offset 23
9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31
TCP Hdr
2 3 4 5
Byte Offset 0
9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31
Byte Offset 1
Byte Offset 2
Byte Offset 3
Byte Offset 5
Byte Offset 6
Length (16-bit)
Byte Offset 8
Byte Offset 7
Checksum (16-bit)
Byte Offset 9
Byte Offset 10
Byte Offset 11
data (variable.)
0
9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31
UDP Hdr
2 3 4 5
Byte Offset 0
9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31
Byte Offset 1
Byte Offset 2
Byte Offset 3
Byte Offset 4
Byte Offset 5
Checksum (16-bit)
Byte Offset 6
Byte Offset 7
9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31
ICMP Hdr
2 3 4 5
Byte Offset 0
9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31
Byte Offset 1
Byte Offset 2
Byte Offset 3
Byte Offset 5
Byte Offset 7
Operation (16-bit)
Byte Offset 10
Byte Offset 11
Byte Offset 13
Byte Offset 17
Byte Offset 21
Byte Offset 14
Byte Offset 15
Byte Offset 19
Byte Offset 23
Byte Offset 25
Byte Offset 26
Byte Offset 27
9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31
ARP maps the logical address (IP) to the physical address (MAC)
Hardware Address Type
1
Ethernet
6
IEEE 802 Lan
Protocol Address Type
2048
IPv4 (0x0800)
Hardware Address Length
6
for Ethernet/IEEE 802
Protocol Address Length
4
for IPv4
Operation
1
2
Request
Reply
ARP
DNS
0
2 3 4 5
Byte Offset 0
9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31
Byte Offset 1
Byte Offset 2
Byte Offset 3
Byte Offset 8
Byte Offset 9
Byte Offset 13
Byte Offset 17
RA
RD
Byte Offset 5
TC
Byte Offset 4
Opcode
(4-bit)
Byte Offset 6
AA
QR
DNS ID (16-bit)
RCODE
(4-bit)
Byte Offset 7
Z (3-bit)
Byte Offset 11
Byte Offset 15
Byte Offset 19
9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31
DNS
AH (RFC 2402)
0
2 3 4 5
Byte Offset 0
9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31
Byte Offset 1
Byte Offset 2
Byte Offset 3
Byte Offset 4
Byte Offset 5
Reserved (16-bit)
Byte Offset 6
Byte Offset 7
Byte Offset 9
Byte Offset 10
Byte Offset 11
Byte Offset 13
Byte Offset 14
Byte Offset 15
9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31
Next Header
Equivalent to the IP Protocol Identifier field in IPv4
D
Hex
D Hex
D Hex
D Hex
1 0x01 ICMP
9 0x09 IGRP
47 0x2F GRE
88 0x58 EIGRP
2 0x02 IGMP
17 0x11 UDP
50 0x32 ESP
89 0x59 OSPF
6 0x06 TCP
47 0x2F GRE
51 0x33 AH
Payload Length
Specifies the length of the Authentication Header (number of 32-bit words - 2 for IPv6 compatibility)
Reserved
Zero filled field
Security Parameter Index (SPI)
Random 32-bit value used with dst IP address and IP Sec protocol to uniquely identify the SA.
The SPI is generally selected by the dst IP Sec node.
Sequence Number
A 32-bit sequence number starting at zero and incremented by one for each packet.
This monotonically increasesing sequence number is the AH anti-replay mechanism.
Authentication Data
A variable-length field that contains the Integrity Check Value (ICV) for the packet.
The length of the IVC must be an integral multiple of 32 bits; will ne padded or truncated to meet the requirement.
Original Packet
Authentication
Header
Authentication
Header
AH
AH
2 3 4 5
Byte Offset 0
9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31
Byte Offset 1
Byte Offset 2
Byte Offset 3
Security Paramaeter Index (32-bit)
Byte Offset 4
Byte Offset 5
Byte Offset 6
Byte Offset 7
9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31
ESP Header
Security Parameter Index (SPI)
Random 32-bit value used with dst IP address and IP Sec protocol to uniquely identify the SA.
The SPI is generally selected by the dst IP Sec node.
Sequence Number
A 32-bit sequence number starting at zero and incremented by one for each packet.
This monotonically increasesing sequence number is the AH anti-replay mechanism.
ESP Payload
Payload Data
A variable-length field containing the data to be protected by the ESP protocol; i.e., the original IP packet
ESP Trailer
Padding
A 0-255 byte field used for varity of purposes. It is primarily used to ensure that the Payload, Pad Length, & Next
Header align on a 32-bit boundary. It can also be used if the ESP encryption algorithm requires a certain minimum
number of bytes. Finally, it may be used to hide the real size of the payload (protect againts traffic flow analysis)
Pad Length
8-bit value indicating the number of Pad bytes that were inserted.
Next Header
Equivalent to the IP Protocol Identifier field in IPv4
D Hex
D Hex
D Hex
D Hex
1 0x01 ICMP
9 0x09 IGRP
47 0x2F GRE
88 0x58 EIGRP
2 0x02 IGMP
17 0x11 UDP
50 0x32 ESP
89 0x59 OSPF
6 0x06 TCP
47 0x2F GRE
51 0x33 AH
ESP Authentication
Authentication Data
A variable-length field that contains the Integrity Check Value (ICV) for ESP the packet. The length of the this field is
dependent upon the authentication function used. This field is peresent only if an authenication service is being
employed in the SA.
ESP
Original Packet
ESP Trailer
ESP Auth
ESP
Header
ESP
Trailer
<---------------------------------------- Encrypted ---------------------------------------->
ESP Auth
ESP
ESP Header
ESP
Payload
ESP Trailer
ESP
Authentic
ation
h, & Next
minimum
analysis)
e this field is
s being
ESP
ESP Auth
ESP Auth
ESP
2 3 4 5
Byte Offset 0
4-bit version
9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31
Byte Offset 1
Byte Offset 2
Byte Offset 3
Byte Offset 4
Byte Offset 5
Byte Offset 9
Byte Offset 6
Byte Offset 7
Byte Offset 10
Byte Offset 11
Byte Offset 13
Byte Offset 14
Byte Offset 15
Byte Offset 17
Byte Offset 18
Byte Offset 19
Byte Offset 20
Byte Offset 21
Byte Offset 22
40 Bytes
Byte Offset 25
Byte Offset 26
Byte Offset 27
Byte Offset 29
Byte Offset 30
Byte Offset 31
Byte Offset 33
Byte Offset 34
Byte Offset 35
Byte Offset 37
Byte Offset 38
Byte Offset 39
Byte Offset 41
Byte Offset 43
Variable Length
Byte Offset 42
IP Version Number
Traffic Class
Flow Label
Payload Length
Next Header
Hop Limit:
Source Address
Destination Address
9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31
6 for IP version 6
4 for IP version 4
8-bit field similar to IPv4 type of service field
To tag packets of a specific flow to differentiate the packets at the network layer.
The total length of the data portion of the packet
Similar to the protocol field of IPv4 packet header
Similar to Time to Live field in IPv4 packet header
128-bit source address field
128-bit destination address field
QoS
IPv6 Hdr
2 3 4 5
Byte Offset 0
9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31
Byte Offset 1
Byte Offset 2
Byte Offset 3
Destination Address (48-bit)
Byte Offset 4
Byte Offset 5
Byte Offset 6
Byte Offset 7
Byte Offset 9
Byte Offset 10
Byte Offset 11
Byte Offset 13
Byte Offset 14
Type (16-bit)
Byte Offset 16
Byte Offset 15
Byte Offset 18
Byte Offset 19
data (variable.)
Frame Check Sequence (32-bit)
0
9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31
Preamble:
8 bytes (64 bite) At the head of each frame is a preamble used for sychronization
101010101011
Destinnation Address:
Soutce Address:
Type:
Value
8137
0600, 0807
800
0BAD, 80C4
806
8035
6003
6004
6007
80F3
Data:
The cyclic redundancy check (CRC) or checksum for the Ethernet Frame
Ether v2 Hdr
2 3 4 5
Byte Offset 0
9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31
Byte Offset 1
Byte Offset 2
Byte Offset 3
Destination Address (48-bit)
Byte Offset 4
Byte Offset 5
Byte Offset 6
Byte Offset 7
Byte Offset 9
Byte Offset 10
Byte Offset 11
Byte Offset 13
Length (16-bit)
Byte Offset 16
Byte Offset 17
Control (1 or 2 bytes)
Byte Offset 14
Byte Offset 15
DSAP (8-bit)
SSAP (8-bit)
Byte Offset 18
Byte Offset 19
9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31
Preamble:
8 bytes (64 bite) At the head of each frame is a preamble used for sychronization
101010101011
Destinnation Address:
Soutce Address:
Length:
2 byte (16 bit) field that specifies the number of bytes (3-1500) in the LLC and data fields
The logical link control (LLC) is made up of the DSAP, SSAP and Control fields. This is a
mothed for telling the 802.3 IEEE and Netware (RAW) formats. The IEEE 802.3 format has
the LLS and the NetWare 802.3 "Raw" for mate does not.
DSAP:
SSAP:
Control:
Pad:
Pads the frame to minimum of 46 bytes of data and LLC (so collisions can be detected)
Data:
The cyclic redundancy check (CRC) or checksum for the Ethernet Frame
2 3 4 5
Byte Offset 0
9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31
Byte Offset 1
Byte Offset 2
Byte Offset 3
Destination Address (48-bit)
Byte Offset 4
Byte Offset 5
Byte Offset 6
Byte Offset 7
Byte Offset 9
Byte Offset 10
Byte Offset 11
Byte Offset 13
Length (16-bit)
Byte Offset 16
Byte Offset 17
Control (8-bit)
Byte Offset 14
Byte Offset 15
DSAP (8-bit)
SSAP (8-bit)
Byte Offset 18
Byte Offset 19
Preamble:
9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31
Destinnation Address:
Soutce Address:
8 bytes (64 bite) At the head of each frame is a preamble used for sychronization
101010101011
6 byte (48 bit) desination media access control (MAC) address
6 byte (48 bit) source media access control (MAC) address
Length:
2 byte (16 bit) field that specifies the number of bytes (3-1500) in the LLC and data fields
The logical link control (LLC) is made up of the DSAP, SSAP and Control fields. This is a
mothed for telling the 802.3 IEEE and Netware (RAW) formats. The IEEE 802.3 format has
the LLS and the NetWare 802.3 "Raw" for mate does not.
1 byte destination service access point; receiving process at destination (Always AA)
1 byte source service access point; sending process at source (Always AA)
1 byte is various control information (Connection less)
2 bytes are for connection-oriented LLC
SNAP Header
Vendor Code:
Type:
The Subnet Access Protocal Header consists of the Vendor Code and Type fields
3 byte (24 bit) field to identify the vendor
2 byte (16 bit) field that specifies the upper-layer protocol
Type
Value
Type
Value
NetWare
8137
RARP
8035
XNS
0600, 0807
DRP
6003
IP
800
LAT
6004
IP (VINES)
0BAD, 80C4
LAVC
6007
ARP
806
ARP (Atalk)
80F3
Pad:
Data:
Frame Check Sequence:
Pads the frame to minimum of 46 bytes of data and LLC (so collisions can be detected)
46 to 1500 bytes of upper-layer protocol information
The cyclic redundancy check (CRC) or checksum for the Ethernet Frame
2 3 4 5
Byte Offset 0
9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31
Byte Offset 1
Byte Offset 2
Byte Offset 3
Destination Address (48-bit)
Byte Offset 4
Byte Offset 5
Byte Offset 6
Byte Offset 7
Byte Offset 9
Byte Offset 10
Byte Offset 11
Byte Offset 13
Byte Offset 14
Type (16-bit)
Byte Offset 16
Byte Offset 15
Byte Offset 18
Byte Offset 19
data (variable.)
Frame Check Sequence (32-bit)
0
IP Version Number
Preamble:
9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31
8 bytes (64 bite) At the head of each frame is a preamble used for sychronization
101010101011
Destinnation Address:
Soutce Address:
Length:
2 byte (16 bit) field that specifies the number of bytes (46-1500) in the LLC and data fields
Note the lack of the LLC fields, this is who you tell Netware 802.3 from IEEE 802.3
Data:
46 to 1500 bytes of upper-layer protocol information. IPX header starting with 2 byte
checksum (usually FFF) followed by NetWare higher layers ('data')
The cyclic redundancy check (CRC) or checksum for the Ethernet Frame
2 3 4 5
Byte Offset 0
9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31
Byte Offset 1
Byte Offset 2
Byte Offset 3
Byte Offset 5
Byte Offset 6
Byte Offset 7
Address 1 (48-bit)
Byte Offset 9
Byte Offset 10
Address 1 (cont.)
Byte Offset 12
Byte Offset 11
Address 2 (48-bit)
Byte Offset 13
Byte Offset 14
Byte Offset 15
Address 2 (cont.)
Byte Offset 16
Byte Offset 17
Byte Offset 18
Byte Offset 19
Address 3 (48-bit)
Byte Offset 20
Byte Offset 21
Byte Offset 22
Address 3 (cont.)
Byte Offset 24
Byte Offset 23
Byte Offset 25
Byte Offset 26
Byte Offset 27
Byte Offset 8
Address 4 (48-bit)
Byte Offset 28
Byte Offset 29
Byte Offset 30
Address 4 (cont.)
Byte Offset 31
Frame Control
9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31
Consists of the following subfields: Protocol Version (bits 0-1), Type (bits 2-3), Subtyoe (bits 4-7),
To DS (bit 8), From DS (bit 9), More Fragment (bit 10), Retry (bit 11), Power management (bit
12), More Data (bit 13), WEP (bit 14) and Order (bit 15)
Duration / ID
15 14
bit 13 - 0
0
0 - 32767
1 0
0
1 0
1-16383
1 1
0
1 1
1-2007
1 1 2008 - 16383
Address Fields
Sequence Control
Frame Body
There are 4 address fields in the MAC frame format. These fields are used to indicate the
BSSID, source address (SA), destination address (DA), transmitting station address (TA), and
the receiving station address (RA).
Consists of the following subfields: Fragment Number (bits 0-3) and Sequence Number (bits 415).
Variable length field that contains information specific to individual frame types and subtypes.
802.11
FCS
32-bit check sum field calculated over all the fields of the MAC header and Frame body
802.11
Frame Control
2 3 4 5
Byte Offset 0
9 10 11 12 13 14 15
Byte Offset 1
Order
WEP
MD
PM
Retry
MF
FDS
Subtype
(4-bit)
TDS
PV
Type
(2-bit) (2-bit)
Protocol Version
Type / Subtype
Type
b3 b2
0 0
0 0
0 0
0 0
0 0
0 0
0 0
0 0
0 0
0 0
0 0
0 0
0 0
0 1
0 1
0 1
0 1
0 1
0 1
0 1
1 0
1 0
1 0
1 0
1 0
1 0
1 0
1 0
1 0
1 1
To DS (a)
Set to 1 in data type frames destined for the DS. This includes all data type frames sent by STAs
associated with an AP. The To DS field is set to 0 in all other frames.
Set to 1 in data type frames exiting the DS. It is set to 0 in all other frames.
TO/From DS Values
Meaning
A data frame direct from one STA to another STA within the same IBSS, as well as all
management and control type frames.
Data frame destined for the DS
Data frame exiting the DS
Wireless distribution system (WDS) frame being distributed from one AP to another AP
From DS (b)
a
b
0
1
0
1
0
0
1
1
More Fragments
Set to 1 in all data management type frames that have another fragment of the current MSDU or
current MMPDU to follow. It is set to 0 in all other frames.
Retry
Set to 1 in any data or management type frame that is a retransmission of an earlier frame. It is
set to 0 in all other frames. Areceiving station uses this indication to aid in the process of
eliminating duplicate frames.
802.11 (2)
Set to 1 in any data or management type frame that is a retransmission of an earlier frame. It is
set to 0 in all other frames. Areceiving station uses this indication to aid in the process of
eliminating duplicate frames.
Power Management
Set to 1 indicates that the STA will be in power-save mode. A value of 0 indicates that the STA
will bein active mode. This field is always set to 0 in frames transmitted by an AP.
More Data
Set to 1 in directed data type frames transmitted by a contention-free (CF)-Pollable STA to the
point coordinator (PC) in response to a CF-Poll to indicate that the STA has at least one
additional buffered MSDU available for transmission in response to a subsequent CF-Poll. Set to
0 in all other directed frames.
WEP
Set to 1 if the Frame Body field contains information that has been processed by the WEP
algorithm. The WEP field is set to 0 in all other frames. When the WEP bit is set to 1, the Frame
Body field is expanded.
Order
Set to 1 if any data type frame that contains an MSDU, or fragment thereof, which is being
trasferred using the StrictlyOrdered service class. Set to 0 in all other frames.
Sequence Control
2 3 4 5 6
Byte Offset 22
Fragment #
(4-bit)
9 10 11 12 13 14 15
Byte Offset 23
802.11 (2)
TCPDUMP / WINDUMP
windump -i <interface> -nx
windump -i <interface> -nx -s0
windump -r <file> -nxp
capture from interface (-i <interface>) do not convert names(-n) and print on hex and
ascii (-x)
capture from interface (-i <interface>) do not convert names(-n), print on hex and
ascii (-x) and capture all the packet
capture from file (-r <file>), do not convert names (-n), print out hex and ascii (-x),
not in permiscous mode (-p)
Keywords
host (host)
src host (host)
dst host (host)
gateway (host)
net (net/len)
src net (net)
dst net (net)
port (port)
src port (port)
dst port (port)
less (length)
greater (length)
ip
ip6
arp
icmp
icmp6
tcp
udp
ah
esp
igmp
igrp
rarp
Bit Masking
And unwanted bits with 0
And wanted bits with 1
0 AND 0 = 0
0 AND 1 = 0
1 AND 0 = 0
1 AND 1 = 1
Expressions:
vrrp
ip broadcast
ip proto (protocol)
ip protochan (protocol)
ip6 proto (protocol)
ip6 protochain (protocol)
ip multicast
ip6 multicast
ether host (MAC)
ether src (MAC)
ether dst (MAC)
ether proto (protocol)
ether multicast
vlan (vlan_id)
atalk
decnet
decnet src
decnet host
iso
stp
ipx
netbeui
tcpflags
icmptype icmp-echoreply
icmp-echo icmp-paramprob
tcp-fin
icmp-unreachable icmp-ireq icmp-tstamp
tcp-syn
icmp-sourcequench
icmp-tstampreply
tcp-rst
icmp-redirect
icmp-ireq
tcp-push
icmp-routeradvert
icmp-ireqreply
tcp-ack
icmp-routersolicit
icmp-maskreq
tcp-urg
icmp-timxceed
icmp-maskreply
! or not
&& or and
|| or or
Examples
host A and B
TCPDUMP
ip[6] &0x20 = 0 and ip[6:2] &0x1fff Look for more fragment bit not set and fragment offset greater than 0 (Last
!= 0
fragment packets)
Description
Attempt to convert network and broadcast addresses to names
Set driver's buffer size to size in KiloBytes. The default buffer size is 1 megabyte (i.e 1000).
Exit after receiving <count> of packets
Before writing a raw packet to a savefile, check whether the file is currently larger than
file_size and, if so, close the current savefile and open a new one.
Dump the compiled packet-matching code in a human readable form to standard output and
stop
Dump packet-matching code as a C program fragment
ddd Dump packet-matching code as decimal numbers (preceded with a count)
Print the list of the interface cards available on the system. WINDUMP ONLY
Print the link-level header on each dump line
Use algo:secret for decrypting IPsec ESP packets where algorithms may be des-cbc, 3des-cbc,
blowfish-cbc, rc3-cbc, cast128-cbc, or none.
Print foreign internet addresses numerically rather than symbolically
Use file as input for the filter expression
Listen on interface (defaults to lowest numbered interface)
Make stdout line buffered. ``tcpdump -l | tee dat'' or ``tcpdump -l > dat & tail -f dat''
-f
-F <file>
-i <interface>
-l
-L
-m <module>
Load SMI MIB module definitions from file module
-n
Dont convert addresses to names
-N
Dont print domain name qualification of host names
-O
Do not run the packet-matching code optimizer
-p
Dont put the interface into promiscuous mode
-q
Quick output print less protocol information
-r <file>
Read packets from file (created with the w option)
-R
Assume ESP/AH packets to be based on old specs
-s <snaplen>
Snarf snaplen bytes of data from each packet (default is 68)
1518 Max Ethernet Frame (14 byte Ethernet header + 1500 byte IP + 4 byte Ethernet trailer)
64 Min Ethernet Frame (14 byte Ethernet header + 64 byte IP + 4 byte Ethernet trailer)
Note: -s0 mean full ethernet packet
-S
Print absolute, rather than relative TCP sequence numbers
-t
Dont print a timestamp on each dump line
Force packets selected by expressions to be interpreted the specified type (cnfp, rpc, rtp,
-T <type>
snmp, wb)
-tt
Print an unformatted timestamp on each dump line
-ttt
Print a delta (in micro-seconds) between current and previous line on each dump line
-tttt
Print a timestamp in default format proceeded by date on each dump line
-u
Print undecoded NFS handles
-U
-v
Verbose output (TOS, TTL, IP ID, Fragment Offset, IP Flags, length)
V
-w <file>
Write the raw packet to file rather than parsing and printing to stdout
-x
Print each packet (minus link level header) in hex
-X
Print each packet in hex and ascii
-y <datalinktype>
http://www.tcpdump.org/tcpdump_man.html
http://windump.polito.it/docs/manual.htm#Wdump
TCPDUMP
TCPDUMP
TCPDUMP
NGREP
ngrep
<-hXViwqpevxlDtT> <-IO pcap_dump> <-n num> <-d dev> <-A num> <-s snaplen> <-S limitlen>
<match expression>
<bpf filter>
is
is
is
is
is
is
is
is
is
is
is
is
is
is
is
is
is
is
is
is
is
<match expression> is either an extended regular expression or a hexadecimal string. see the
man page for more information.
<bpf filter>
is any bpf filter statement.
Examples:
ngrep '' icmp
ngrep '' tcp
ngrep '' udp
ngrep '' port 53
ngrep '' tcp port 53
ngrep - v '' tcp port 53
ngrep 'USER|PASS' tcp port 21
ngrep 'SSH-' port tcp 22
ngrep 'LILWORD' port 138
ngrep -iq 'rcpt to|mail from' tcp port 25
ngrep 'user' port 110
NGREP
NGREP
NGREP
NGREP
OS Fingerprinting
OS
DC-Osx
Windows
NetApp
HPJetDirect
AIX
AIX
Cisco
DigitalUnix
IRIX
OS390
Version
1.1-95
9x/NT
OnTap
?
4.3.X
4.2.X
11.2
4
6.x
Platform
Pyramid/NILE
Intel
5.1.2-5.2.2
HP_Printer
IBM/RS6000
IBM/RS6000
7507
Alpha
SGI
Reliant
FreeBSD
2.6
5.43
3.x
IBM/S390
Pyramid/RM1000
Intel
60
60
64
n
n
y
JetDirect
Linux
G.07.x
2.2.x
J311A
Intel
64
64
Linux
OpenBSD
2.4
2.x
Intel
Intel
64
64
n
32120 y
5840
0s/400
SCO
Solaris
r4.4
R5
AS/400
Compaq
64
64
y
n
0
0
8
3.3
Intel/Sparc
STRATUS
64
64
y
32678 n
0
0
Netware
Windows
x
4.11
9x/NT
Mainframe
Intel
Intel
64
32768 n
126 32000-32768 y
128 5000-9000
y
0
0
0
Windows
Cisco
2000
12
Intel
2514
128 17000-18000 y
255 3800-5000
n
Solaris
2.x
Intel/Sparc
255
FTX(Unix)
Unisys
TTL
30
32
54
59
60
60
60
60
60
Window
8192
5000-9000
8760
2100-2150
16000-16100
16000-16100
DF
n
y
y
n
y
n
y
y
y
8760 y
## ADDITIONAL NOTES
#
# Cisco IOS 12.0 normally starts all IP sessions with IP ID of 0
# Solaris 8 uses a smaller TTL (64) then Solaris 7 and below (255).
# Windows 2000 uses a much larger Window Size then NT.
OS Fingerprinting
ASCII
NUL
SOH
STX
ETX
EOT
ENQ
ACK
BEL
BS
HT
LF
VT
FF
CR
SO
SI
DLE
DC1
DC2
DC3
DC4
NAK
SYN
ETB
CAN
EM
SUB
ESC
FS
GS
RS
US
Dec Hex
32
20
33
21
34
22
35
23
36
24
37
25
38
26
39
27
40
28
41
29
42 2A
43 2B
44 2C
45 2D
46 2E
47 2F
48
30
49
31
50
32
51
33
52
34
53
35
54
36
55
37
56
38
57
39
58 3A
59 3B
60 3C
61 3D
62 3E
63 3F
ASCII
SP
!
"
#
$
%
&
'
(
)
*
+
,
.
/
0
1
2
3
4
5
6
7
8
9
:
;
<
=
>
?
Dec Hex
64
40
65
41
66
42
67
43
68
44
69
45
70
46
71
47
72
48
73
49
74 4A
75 4B
76 4C
77 4D
78 4E
79 4F
80
50
81
51
82
52
83
53
84
54
85
55
86
56
87
57
88
58
89
59
90 5A
91 5B
92 5C
93 5D
94 5E
95 5F
ASCII
@
A
B
C
D
E
F
G
H
I
J
K
L
M
N
O
P
Q
R
S
T
U
V
W
X
Y
Z
[
\
]
^
_
Dec Hex
96
60
97
61
98
62
99
63
100 64
101 65
102 66
103 67
104 68
105 69
106 6A
107 6B
108 6C
109 6D
110 6E
111 6F
112 70
113 71
114 72
115 73
116 74
117 75
118 76
119 77
120 78
121 79
122 7A
123 7B
124 7C
125 7D
126 7E
127 7F
ASCII
'
a
b
c
DEL
e
f
g
h
i
j
k
l
m
n
o
p
q
r
s
t
u
v
w
x
y
z
{
|
}
~
DEL
Dec Hex
128 80
129 81
130 82
131 83
132 84
133 85
134 86
135 87
136 88
137 89
138 8A
139 8B
140 8C
141 8D
142 8E
143 8F
144 90
145 91
146 92
147 93
148 94
149 95
150 96
151 97
152 98
153 99
154 9A
155 9B
156 9C
157 9D
158 9E
159 9F
ASCII
Dec Hex
160 A0
161 A1
162 A2
163 A3
164 A4
165 A5
166 A6
167 A7
168 A8
169 A9
170 AA
171 AB
172 AC
173 AD
174 AE
175 AF
176 B0
177 B1
178 B2
179 B3
180 B4
181 B5
182 B6
183 B7
184 B8
185 B9
186 BA
187 BB
188 BC
189 BD
190 BE
191 BF
ASCII
Dec
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
Hex
C0
C1
C2
C3
C4
C5
C6
C7
C8
C9
CA
CB
CC
CD
CE
CF
D0
D1
D2
D3
D4
D5
D6
D7
D8
D9
DA
DB
DC
DD
DE
DF
ASCII
225 E1
226 E2
227 E3
228 E4
229 E5
230 E6
231 E7
232 E8
233 E9
234 EA
235 EB
236 EC
237 ED
238 EE
239 EF
240 F0
241 F1
242 F2
243 F3
244 F4
245 F5
246 F6
247 F7
248 F8
249 F9
250 FA
251 FB
252 FC
253 FD
254 FE
255 FF Hardspace
ASCII