Understanding IP Packets. Part 1
by Roamer - 4/08/01
This is the first of a three-part series designed to give a basic overview of IP packets. This installment covers the IP header.
Part 2 will cover TCP packets and Part 3 will cover UDP and ICMP packets.
The IP header as defined in RFC 791 looks like this:
 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|Version|  IHL  |Type of Service|          Total Length         |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|         Identification        |Flags|      Fragment Offset    |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|  Time to Live |    Protocol   |         Header Checksum       |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                       Source Address                          |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                    Destination Address                        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                    Options                    |    Padding    |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
The first four bytes are the header definition. The first half of the first byte defines the IP version and the second half defines the header length. An example of this in a dump would look like this:
0x000 45c0 005c e857 0000 3f01 5a93 aa81 3534
Let's look at the first byte above (45). The 4 indicates that this is IP version 4. The 5 indicates that the header length is 5 double words, or 20 bytes long. Coincidentally, this is the smallest possible size for an IP header.
Next let's look at the total length field.
0x000 45c0 005c e857 0000 3f01 5a93 aa81 3534
Bytes 2 and 3 above (005c) are set to 0x005c. This converts to 92 decimal and indicates that the entire length of the packet, including the header, is 92 bytes. Since we know that the header is 20 bytes, we now know that there are 72 bytes of data.
The next two bytes (e857) represent the IP identification number.
0x000 45c0 005c e857 0000 3f01 5a93 aa81 3534
The IP identification number is mainly useful for identifying anomalous signatures. This is essentially a random number; however, it is generated in different ways depending on the IP stack that is used. It is also used in conjunction with the next two bytes (0000, the flags and fragment offset) to control fragmentation.
0x000 45c0 005c e857 0000 3f01 5a93 aa81 3534
The first byte of the next word (3f) indicates the time to live (TTL). After the TTL is the protocol field (01). This indicates the type of protocol that this packet encapsulates. For the purpose of this series, we will focus on 0x01, 0x06, and 0x11, or decimal 1 (ICMP), 6 (TCP), and 17 (UDP). The above example indicates an ICMP packet.
After the protocol field comes the header checksum (5a93). The next eight bytes give the source (aa81 3534) and destination (5804 003d) IP addresses. These (as well as all information in a packet header) are encoded in network byte order. This means that aa813534 decoded is the IP address 170.129.53.52.
0x000 45c0 005c e857 0000 3f01 5a93 aa81 3534
0x010 5804 003d 0303 4a7d 0000 0000 4500 002c
The next three bytes indicate any options for this packet and the final byte of the header is padding.
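To make the walk-through above repeatable, here is an added Python example (not part of the original article) that decodes the same dump in network byte order, verifies the RFC 791 header checksum, and flags a capture shorter than the Total Length field claims. The DUMP_HEX bytes are copied from the article's dump; the field names and checks are the example's own.

```python
import struct

# Constructed from the hex dump walked through above: the first 20 bytes are the
# IP header, the rest is the start of the ICMP payload shown on the 0x010 line.
DUMP_HEX = "45c0005ce85700003f015a93aa8135345804003d03034a7d00000000"

PROTOCOLS = {1: "ICMP", 6: "TCP", 17: "UDP"}

def ip_checksum(data: bytes) -> int:
    """RFC 791 checksum: one's-complement sum of 16-bit words, folded to 16 bits."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def parse_ipv4_header(packet: bytes) -> dict:
    """Decode the fixed 20-byte header in network byte order and sanity-check it."""
    if len(packet) < 20:
        raise ValueError("truncated: an IPv4 header needs at least 20 bytes")
    (ver_ihl, tos, total_len, ident, flags_frag,
     ttl, proto, cksum, src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    version, ihl = ver_ihl >> 4, ver_ihl & 0x0F
    header_len = ihl * 4
    if version != 4:
        raise ValueError(f"not IPv4: version {version}")
    if ihl < 5 or header_len > len(packet):
        raise ValueError(f"bad IHL {ihl}: header would be {header_len} bytes")
    return {
        "version": version, "ihl": ihl, "header_len": header_len, "tos": tos,
        "total_len": total_len, "payload_len": total_len - header_len,
        "id": ident,
        "df": bool(flags_frag & 0x4000), "mf": bool(flags_frag & 0x2000),
        "frag_offset": (flags_frag & 0x1FFF) * 8,  # offset is in 8-byte units
        "ttl": ttl, "protocol": proto, "protocol_name": PROTOCOLS.get(proto, "other"),
        "checksum": cksum,
        # A valid header sums to 0xFFFF, so recomputing over it (checksum included) yields 0.
        "checksum_ok": ip_checksum(packet[:header_len]) == 0,
        "src": ".".join(str(b) for b in src), "dst": ".".join(str(b) for b in dst),
        "options": packet[20:header_len],  # empty when IHL == 5
        # True when the capture holds fewer bytes than Total Length claims.
        "capture_short": total_len > len(packet),
    }

if __name__ == "__main__":
    for field, value in parse_ipv4_header(bytes.fromhex(DUMP_HEX)).items():
        print(f"{field:>14}: {value}")
```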
As you can see, once broken down, an IP header is not just a random collection of numbers. Each part of the IP header has a specific function. Try running TCPDump or Snoop on your own connection for a while and decode the packet headers. With practice you will quickly be able to distinguish between the protocols and understand where the packet came from and its size.
Part 2 of this series, TCP Packets, will teach you how to decode TCP packets to understand how data is transmitted via the TCP/IP protocol.