HakTip 125 – Wireshark 101: Internet Protocol
This week on HakTip Shannon Morse discusses the Internet Protocol, or IP for short.
While ARP is used with MAC addresses to send data, IP handles most of the traffic for internetwork communication from one device to another. The Internet Protocol is found on Layer 3 of the OSI model, the Network layer.
IP addresses have 32 bits, these ID the device. The 32 bits are converted into four sets of ones and zeroes, which is then converted into base 10. This is where you get the 192.168.1.1 number notation. The computer registers the IP address as 32 bits of binary data, in 1’s and 0’s, then we see it as 192.168.1.1 instead of 11000000 10101000 00000000 00000001.
The first two quarters usually tell you the network address, and the last two the host address. I say usually, because it’s not always the first two that are the network address = these can be determined by looking at a subnet or network mask. If you run across a netmask of 11111111 11111111 00000000 00000000 that means that the first two quarters are the network address and the second two the host. This would be 255.255.0.0.
If you don’t want to remember how many bits are supposed to be the netmask and how many are the device itself, look at the network’s CIDR notation (or Classless Inter-Domain Routing) notation. For my local network of 192.168.0.1 (my local computer) and the netmask of 255.255.0.0, my CIDR notation would be 192.168.0.1/16. Remember my HakTip about NMap (#92)? We showed you how to use CIDR notation to scan multiple targets in NMAP. This stuff always has a way of coming back around full circle!
So now you know how an IP address is built. But what does it look like in Wireshark? Well, first lets dissect the IP header packet.
This packet has the Version or IP being used (IPv4, 6?), the length, type of service, the total length of the header and data included, a ID # to ID the packet, a flag to show you if the packet is part of some larger sequence of packets, a fragment offset which is used to tell you if the packet is a fragment or not, TTL (or Time To Live) shows you the lifetime of the packet in hops / second, the Protocol, a header checksum for error detection, the source IP address, the destination IP address, any extra options, and the actual Data. Time to Live tells you how long a packet is alive for, and transmitting. If stuck in an error, a packet could end up in a never-ending loop, so it’s important to know how long a packet will go through all the routers on the internet before it dies.
IP Fragmentation. Sometimes an IP packet needs to be split up into multiple parts to allow reliable delivery on various network types. This is based on the MTU or Maximum Transmission Unit size of the layer 2 protocol (like Ethernet). Ethernet’s default MTU size is 1500 bytes, so the IP fragmentation would occur if the packet size was over 1500. When you look at the packet header info for one of these IP packets, you’ll notice that under the “More Fragments” section, it’ll list how many other packets include that data. The Fragment Offset section will also give you a number depending on where the packet falls in the series of fragments, and how many bytes are in the packet (it might be less than 1500 for the Header Length). Lastly, you’ll notice “More Fragments” says 0 once you find the last packet in the series, because it’s the last one.
Let me know what you think. Send me a comment below or email us at [email protected]. And be sure to check out our sister show, Hak5 for more great stuff just like this. I’ll be there, reminding you to trust your technolust.