Scribd
Upload
80 views

Tcpipheadres PDF

Uploaded by

lucio
Copyright
© © All Rights Reserved
Available Formats
Download as PDF, TXT or read online on Scribd
80 views

Tcpipheadres PDF

Uploaded by

lucio
Copyright
© © All Rights Reserved
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 2

UDP Header

DNS

Bit Number
1111111111222222222233
01234567890123456789012345678901

Bit Number
0

Source Port

Destination Port

LENGTH (TCP ONLY)

Length

Checksum

ID.
QR

Opcode

AA TC RD RA

UDP Header Information

ARP

Hardware Address Type


H/w Addr Len

Protocol Address Type

Prot. Addr Len

Operation

1
2

1
3

1
4

TCP/IP and
tcpdump

1
5

POCKET REFERENCE GUIDE


Z

SANS Institute

RCODE

[email protected]
+1 317.580.9756
http://www.sans.org
http://www.incidents.org

ANCOUNT
NSCOUNT
ARCOUNT

tcpdump Usage

Question Section

tcpdump [-aenStvx] [-F file]


[-i int] [-r file] [-s snaplen]
[-w file] ['filter_expression']

Answer Section
Authority Section

Length
(Number of bytes in entire datagram including header;
minimum value = 8)

Bit Number
1111111111222222222233
01234567890123456789012345678901

1
1

QDCOUNT

Common UDP Well-Known Server Ports


7 echo
138 netbios-dgm
19 chargen
161 snmp
37 time
162 snmp-trap
53 domain
500 isakmp
67 bootps (DHCP)
514 syslog
68 bootpc (DHCP)
520 rip
69 tftp
33434 traceroute
137 netbios-ns

Checksum
(Covers pseudo-header and entire UDP datagram)

1
0

Additional Information Section


-e
-F
-i
-n
-r
-s
-S
-t
-v
-w
-x
-X

DNS Parameters
Query/Response
0 Query
1 Response
Opcode
0 Standard query (QUERY)
1 Inverse query (IQUERY)
2 Server status request (STATUS)
AA
(1 = Authoritative Answer)
TC
(1 = TrunCation)

Source Hardware Address

Acronyms

RD

Source Hardware Addr (cont.)

Source Protocol Address

Source Protocol Addr (cont.)

Target Hardware Address

(1 = Recursion Desired)
RA
(1 = Recursion Available)

Target Hardware Address (cont.)


Target Protocol Address

ARP Parameters (for Ethernet and IPv4)


Hardware Address Type
1 Ethernet
6 IEEE 802 LAN
Protocol Address Type
2048 IPv4 (0x0800)
Hardware Address Length
6 for Ethernet/IEEE 802
Protocol Address Length
4 for IPv4
Operation
1 Request
2 Reply

Display data link header.


Filter expression in file.
Listen on int interface.
Don't resolve IP addresses.
Read packets from file.
Get snaplen bytes from each packet.
Use absolute TCP sequence numbers.
Don't print timestamp.
Verbose mode.
Write packets to file.
Display in hex.
Display in hex and ASCII.

Z
(Reserved; set to 0)
Response code
0 No error
1 Format error
2 Server failure
3 Non-existant domain (NXDOMAIN)
4 Query type not implemented
5 Query refused
QDCOUNT
(No. of entries in Question section)
ANCOUNT
(No. of resource records in Answer section)
NSCOUNT
(No. of name server resource records in Authority section)
ARCOUNT
(No. of resource records in Additional Information section.

AH
ARP
BGP
CWR
DF
DHCP
DNS
ECN
EIGRP
ESP
FTP
GRE
HTTP
ICMP
IGMP
IGRP
IMAP
IP

Authentication Header (RFC 2402)


Address Resolution Protocol (RFC 826)
Border Gateway Protocol (RFC 1771)
Congestion Window Reduced (RFC 2481)
Don't Fragment bit (IP)
Dynamic Host Configuration Protocol (RFC 2131)
Domain Name System (RFC 1035)
Explicit Congestion Notification (RFC 3168)
Extended IGRP (Cisco)
Encapsulating Security Payload (RFC 2406)
File Transfer Protocol (RFC 959)
Generic Routing Encapsulation (RFC 2784)
Hypertext Transfer Protocol (RFC 1945)
Internet Control Message Protocol (RFC 792)
Internet Group Management Protocol (RFC 2236)
Interior Gateway Routing Protocol (Cisco)
Internet Message Access Protocol (RFC 2060)
Internet Protocol (RFC 791)

ISAKMP Internet Security Association & Key Management


Protocol (RFC 2408)
L2TP Layer 2 Tunneling Protocol (RFC 2661)
NNTP Network News Transfer Protocol (RFC 977)
OSPF Open Shortest Path First (RFC 1583)
POP3 Post Office Protocol v3 (RFC 1460)
RFC
Request for Comments
RIP
Routing Information Protocol (RFC 2453)
LDAP Lightweight Directory Access Protocol (RFC 2251)
SKIP Simple Key-Management for Internet Protocols
SMTP Simple Mail Transfer Protocol (RFC 821)
SNMP Simple Network Management Protocol (RFC 1157)
SSH Secure Shell
SSL
Secure Sockets Layer (Netscape)
Transmission Control Protocol (RFC 793)
TCP
TFTP Trivial File Transfer Protocol (RFC 1350)
TOS
Type of Service field (IP)
UDP User Datagram Protocol (RFC 768)

All RFCs can be found at http://www.rfc-editor.org


SANS Institute May 2006

ICMP

IP Header

TCP Header

Bit Number
1111111111222222222233
01234567890123456789012345678901

Bit Number
1111111111222222222233
01234567890123456789012345678901

Bit Number
1111111111222222222233
01234567890123456789012345678901

Type

Code

Checksum

Version

Other message-specific information...

Type Name/Codes (Code=0 unless otherwise specified)


0
3

4
5

8
9
10
11

12

13
14
15
16
17
18
30

Echo Reply
Destination Unreachable
0 Net Unreachable
1 Host Unreachable
2 Protocol Unreachable
3 Port Unreachable
4 Fragmentation Needed & DF Set
5 Source Route Failed
6 Destination Network Unknown
7 Destination Host Unknown
8 Source Host Isolated
9 Network Administratively Prohibited
10 Host Administratively Prohibited
11 Network Unreachable for TOS
12 Host Unreachable for TOS
13 Communication Administratively Prohibited
Source Quench
Redirect
0 Redirect Datagram for the Network
1 Redirect Datagram for the Host
2 Redirect Datagram for the TOS & Network
3 Redirect Datagram for the TOS & Host
Echo
Router Advertisement
Router Selection
Time Exceeded
0 Time to Live exceeded in Transit
1 Fragment Reassembly Time Exceeded
Parameter Problem
0 Pointer indicates the error
1 Missing a Required Option
2 Bad Length
Timestamp
Timestamp Reply
Information Request
Information Reply
Address Mask Request
Address Mask Reply
Traceroute

PING (Echo/Echo Reply)


Bit Number
1111111111222222222233
01234567890123456789012345678901
Type (8 or 0)

Code (0)

Checksum
Sequence Number

Identifier
Data...

IHL

Type of Service

Identification
Time to Live

Total Length
Flags

Protocol

Source Port

Fragment Offset

Sequence Number

Header Checksum

Acknowledgment Number
Offset Reserved

Source Address

Flags

(Header Length)

Destination Address

IP Header Contents

Internet Header Length


Number of 32-bit words in IP header; minimum
value = 5 (20 bytes) & maximum value = 15 (60 bytes)
Differentiated Services
000
0
0
0
1 = ECN capable
1 = congestion experienced

Total Length
Number of bytes in packet; maximum length = 65,535
Flags (xDM)
x (reserved and set to 0)
D (1 = Don't Fragment)
M (1 = More Fragments)

UDP
GRE
ESP
AH

57
88
89
115

SKIP
EIGRP
OSPF
L2TP

Header Checksum
Covers IP header only
Addressing
NET_ID
0-127
128-191
192-223
224-239
240-255
HOST_ID
0
255

Class
Class
Class
Class
Class

TCP Header Contents


Common TCP Well-Known Server Ports
7 echo
110
19 chargen
111
20 ftp-data
119
21 ftp-control
139
22 ssh
143
23 telnet
179
25 smtp
389
53 domain
443
79 finger
445
80 http
1080

pop3
sunrpc
nntp
netbios-ssn
imap
bgp
ldap
https (ssl)
microsoft-ds
socks

Offset
Number of 32-bit words in TCP header; minimum value = 5
Reserved
4 bits; set to 0
Flags (CEUAPRSF)

Fragment Offset
Position of this fragment in the original datagram,
in units of 8 bytes
17
47
50
51

Urgent Pointer
Options (optional)

Version
4
IP version 4

Protocol
1 ICMP
2 IGMP
6 TCP
9 IGRP

Window

Checksum

Options (optional)

Type of Service (PreDTRCx)


-->
Precedence (000-111)
D
(1 = minimize delay)
T
(1 = maximize throughout)
R
(1 = maximize reliability)
C
(1 = minimize cost)
x
(reserved and set to 0)

Destination Port

RFC 1918 PRIVATE ADDRESSES


A
10.0.0.0-10.255.255.255
B
172.16.0.0-172.31.255.255
C
192.168.0.0-192.168.255.255
D (multicast)
E (experimental)

Network value; broadcast (old)


Broadcast

Options (0-40 bytes; padded to 4-byte boundary)


68 Timestamp
0 End of Options list
1 No operation (pad)
131 Loose source route
137 Strict source route
7 Record route

ECN bits (used when ECN employed; else 00)


CWR (1 = sender has cut congestion window in half)
ECN-Echo (1 = receiver cuts congestion window in half)
U
A
P
R
S
F

(1
(1
(1
(1
(1
(1

=
=
=
=
=
=

Urgent pointer valid)


Acknowledgement field value valid)
Push data)
Reset connection)
Synchronize sequence numbers)
no more data; Finish connection)

Checksum
Covers pseudoheader and entire TCP segment
Urgent Pointer
Points to the sequence number of the byte
following urgent data.
Options
0 End of Options list
1 No operation (pad)
2 Maximum segment size

3 Window scale
4 Selective ACK ok
8 Timestamp

You might also like