HakTip 127 – Wireshark 101: User Datagram Protocol and Internet Control Message Protocol

Today on HakTip, Shannon Morse explains the User Datagram Protocol and the Internet Control Message Protocol with Wireshark.


UDP stands for User Datagram Protocol. This is another layer 4 (transport) protocol, commonly called a ‘connectionless protocol’, that is used on lots of modern networks where speed matters more than guaranteed delivery. The weird thing about UDP is that it has no start handshake and no teardown like TCP does. Since UDP skips the whole handshake that TCP performs, you’d think it wouldn’t work right, but that is exactly what lets the protocols built on top of it (DNS, DHCP, streaming media, VoIP) move data at a fast pace: there is no connection state, no ordering and no retransmission, so the application handles whichever of those it actually needs.

A UDP header is super small: just 8 bytes made up of four 16-bit fields. You have the source port, the destination port, the length, and the checksum. (The “bit offset” you see down the side of header diagrams is only the column label, not a field.) The source and destination ports are self-explanatory. The length is the size of the header plus data in bytes, and the checksum lets the receiver verify that the header and data arrived intact. Over IPv4 the checksum is optional: a value of 0 means the sender didn’t compute one, so Wireshark won’t flag it as bad.

Next we have ICMP. This stands for the Internet Control Message Protocol. It rides directly inside IP (IP protocol number 1) rather than on top of TCP or UDP, and it tells you whether a device, service or route is available on a TCP/IP network. ICMP packet headers have a Type, a Code, a Checksum, and a variable part. The Type is the kind of ICMP message, as numbered in the RFCs. The Code is the subclass of that message type, also from the RFCs. The Checksum makes sure the content is intact, and the variable part is the remaining 4 bytes of the header, whose meaning changes depending on the type and code (for echo messages it holds an identifier and a sequence number; for error messages it is unused). The IANA ICMP parameters registry lists all the known types and codes you might run into when dealing with an ICMP packet. If there is a problem with a connection, it may well show up as one of these packets. Using the Type and the Code, you can determine what went wrong and where.

I also wanted to mention a few other reasons ICMP exists. First, it’s what the ping utility uses. At a command prompt, type ping (your target) to send an echo request (Type 8, Code 0) and get back an echo reply (Type 0, Code 0). Run ping while capturing in Wireshark and you can watch the request/reply pairs go by, matched up by the identifier and sequence number in the variable part of the header.

ICMP packets are also a big part of traceroute. Traceroute is when you ID the path that some data takes from one device to another. It’ll tell you how many routers the data had to go through to reach its destination. The trick is the TTL (time to live) field, which lives in the IP header, not the ICMP header: every router that forwards a packet decrements the TTL by one, and a router that decrements it to zero discards the packet and sends an ICMP error back to the source. Traceroute sends its first probe with a TTL of 1, so it only gets as far as the first router, which returns a packet with a Type of 11 and a Code of 0. That means “time exceeded: TTL exceeded in transit” (not “destination unreachable”, which is Type 3). You might hear people call this a double-headed packet because there is an extra IP header inside it: an ICMP error quotes the IP header and the first 8 bytes of the original datagram, which here is the start of the original echo request, so the source can tell which probe it belongs to. The next probe goes out with a TTL of 2, and so on, and the pattern of Type 11 replies continues until the destination host is reached and answers with an echo reply. (Windows tracert uses ICMP echo requests as probes; Linux traceroute defaults to UDP probes to high ports, so its final reply is a Type 3 Code 3 “port unreachable” instead.) The route can also be seen in CMD with tracert.
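To make the header layouts above concrete, here is an added example (not code from the HakTip episode or from Wireshark) that builds and parses the UDP header, the ICMP echo header, and the “double-headed” Type 11 Code 0 Time Exceeded message from the traceroute discussion. Every packet in it is constructed inline; the addresses, ports, identifier and payloads are made-up values, not from a capture. It uses only the standard library, and the one shared piece, the RFC 1071 Internet checksum, is what UDP, ICMP and the IPv4 header all use.

```python
"""Build and parse UDP and ICMP headers by hand (added example, constructed packets)."""
import struct

IPPROTO_ICMP = 1
IPPROTO_UDP = 17
ICMP_ECHO_REPLY = 0
ICMP_DEST_UNREACH = 3
ICMP_ECHO_REQUEST = 8
ICMP_TIME_EXCEEDED = 11


def inet_checksum(data: bytes) -> int:
    """RFC 1071: one's-complement of the one's-complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:  # fold the carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: bytes, dst: bytes, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options); TTL is an IP field, not an ICMP one."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0, ttl, proto, 0, src, dst)
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:] + payload


def parse_ipv4(pkt: bytes) -> dict:
    vihl, _tos, total_len, _id, _ff, ttl, proto, _hcs, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (vihl & 0x0F) * 4
    return {"ttl": ttl, "proto": proto, "src": src, "dst": dst,
            "header_ok": inet_checksum(pkt[:ihl]) == 0, "payload": pkt[ihl:total_len]}


def build_udp(src: bytes, dst: bytes, sport: int, dport: int, payload: bytes) -> bytes:
    """Four 16-bit fields: source port, destination port, length, checksum.
    The checksum covers a pseudo-header (src, dst, zero, protocol, UDP length) plus the segment."""
    length = 8 + len(payload)
    seg = struct.pack("!HHHH", sport, dport, length, 0) + payload
    pseudo = src + dst + struct.pack("!BBH", 0, IPPROTO_UDP, length)
    csum = inet_checksum(pseudo + seg) or 0xFFFF  # RFC 768: a computed 0 is sent as all ones
    return seg[:6] + struct.pack("!H", csum) + payload


def parse_udp(src: bytes, dst: bytes, seg: bytes) -> dict:
    sport, dport, length, csum = struct.unpack("!HHHH", seg[:8])
    pseudo = src + dst + struct.pack("!BBH", 0, IPPROTO_UDP, length)
    # Over IPv4 a zero checksum means "not computed"; otherwise the sum over
    # pseudo-header + whole segment (checksum included) must come out to zero.
    ok = True if csum == 0 else inet_checksum(pseudo + seg[:length]) == 0
    return {"sport": sport, "dport": dport, "length": length, "checksum_ok": ok, "payload": seg[8:length]}


def build_icmp(icmp_type: int, code: int, rest: bytes, body: bytes = b"") -> bytes:
    """Type (1), Code (1), Checksum (2), then the 4 variable bytes (id+seq for echo, unused for errors)."""
    msg = struct.pack("!BBH", icmp_type, code, 0) + rest + body
    return msg[:2] + struct.pack("!H", inet_checksum(msg)) + msg[4:]


def parse_icmp(msg: bytes) -> dict:
    icmp_type, code, _csum = struct.unpack("!BBH", msg[:4])
    out = {"type": icmp_type, "code": code, "checksum_ok": inet_checksum(msg) == 0}
    if icmp_type in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY):
        out["id"], out["seq"] = struct.unpack("!HH", msg[4:8])
        out["data"] = msg[8:]
    elif icmp_type in (ICMP_DEST_UNREACH, ICMP_TIME_EXCEEDED):
        # The "double-headed" case: after 4 unused bytes the error quotes the
        # offending datagram's IP header plus (at least) its first 8 bytes.
        inner = parse_ipv4(msg[8:])
        out["inner"] = inner
        if inner["proto"] == IPPROTO_ICMP and len(inner["payload"]) >= 8:
            t, c, _, ident, seq = struct.unpack("!BBHHH", inner["payload"][:8])
            out["inner_icmp"] = {"type": t, "code": c, "id": ident, "seq": seq}
    return out


def traceroute_hop1() -> dict:
    """Constructed first hop of a tracert: echo request with TTL=1, first router answers Type 11 Code 0."""
    host, router, target = bytes([10, 0, 0, 2]), bytes([10, 0, 0, 1]), bytes([203, 0, 113, 9])
    probe_icmp = build_icmp(ICMP_ECHO_REQUEST, 0, struct.pack("!HH", 0x0001, 1), b"abcdefgh")
    probe = build_ipv4(host, target, IPPROTO_ICMP, probe_icmp, ttl=1)
    # The router discards the probe and quotes its IP header + first 8 bytes back to us.
    err_icmp = build_icmp(ICMP_TIME_EXCEEDED, 0, b"\x00" * 4, probe[:28])
    err = build_ipv4(router, host, IPPROTO_ICMP, err_icmp)
    return parse_icmp(parse_ipv4(err)["payload"])


if __name__ == "__main__":
    src, dst = bytes([10, 0, 0, 2]), bytes([10, 0, 0, 1])
    seg = build_udp(src, dst, 53000, 53, b"hello")
    print("UDP:", parse_udp(src, dst, seg))
    print("UDP (corrupted payload):", parse_udp(src, dst, seg[:8] + b"jello"))
    print("traceroute hop 1:", traceroute_hop1())
```

Run it and compare the field values with what Wireshark shows in its UDP and ICMP panes; the corrupted-payload case is what a “Checksum: incorrect” flag in Wireshark corresponds to, and the parsed Type 11 message shows the quoted inner IP header with its TTL of 1 and the original echo request’s identifier and sequence number.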

Let me know what you think. Send me a comment below or email us at [email protected]. And be sure to check out our sister show, Hak5 for more great stuff just like this. I’ll be there, reminding you to trust your technolust.
