Understanding IP Packets. Part 2
by Roamer - 5/28/01
This is the second of a three-part series designed to give a basic overview of IP packets. This installment covers TCP packets.
Part three will cover UDP and ICMP packets.
The TCP header looks like this:
 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|          Source Port          |       Destination Port        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                        Sequence Number                        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                    Acknowledgement Number                     |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|  Data |           |U|A|P|R|S|F|                               |
| Offset| Reserved  |R|C|S|S|Y|I|            Window             |
|       |           |G|K|H|T|N|N|                               |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|           Checksum            |         Urgent Pointer        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                    Options                    |    Padding    |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                             Data                              |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
This header would follow the IP Header if the protocol byte is set to 6.
The fields fdb9 and 0050 in the dump below are the source and destination ports (the four bytes before them, ca82 1233, still belong to the IP header).
0x010 ca82 1233 fdb9 0050 bd51 a0f4 0000 0000
fdb9 indicates a source port of 64473 and 0050 represents a destination port of 80 or HTTP.
The next two 32 bit values are the sequence numbers. The first value is the sequence number of this packet and the second value is
the sequence number that is being acknowledged.
0x010 ca82 1233 fdb9 0050 bd51 a0f4 0000 0000
This gives us a sequence number of 3176243444 and an acknowledgement number of 0.
Next we come to the data offset.
0x020 7002 4000 785d 0000 0204 05b4 0101 0402
Here the data offset is 7 (the high nibble of 7002). Multiply this by 4 bytes to get a header length of 28 bytes. The shortest possible length for a TCP header is 20 bytes, which is represented by a 5 in this field.
Next we have the code bits.
0x020 7002 4000 785d 0000 0204 05b4 0101 0402
In order to understand the code bits we need to take a look at this section of the TCP header.
Each hex digit of the low byte (02) holds four bits with weights 8, 4, 2 and 1; the two high bits of the first digit are reserved:
weight: 8 4 2 1 | 8 4 2 1
flag:   - - U A | P R S F
In our case (02) the first digit is 0, so neither the 2 (U) nor the 1 (A) is set, and the second digit is 2, so only the 2 (S) is set in the second four bits. These bits represent Urgent, Ack, Push, Reset, Syn, and Fin. So in our case, the Syn bit is the only one set.
The window size is used to implement flow control: it tells the other end how much data it may send before it has to wait for an acknowledgement.
0x020 7002 4000 785d 0000 0204 05b4 0101 0402
In our case the window size is 0x4000 or 16384. This means that the other end can send up to 16384 bytes. Once this size has been
sent, the other side will wait for an Ack or an adjustment in the window size before sending more.
The urgent pointer is only useful if the URG bit is set. In our case it is not, so we have a value of 0000 (the two bytes following the checksum, 785d).
0x020 7002 4000 785d 0000 0204 05b4 0101 0402
If it were set, this would indicate where the urgent data is within the packet.
Finally we have the TCP Options. This field is not required and will only appear when the data offset is larger than 5. If there are any options, the options plus padding must add up to a multiple of 4 bytes, since the data offset counts 32-bit words.
0x020 7002 4000 785d 0000 0204 05b4 0101 0402
After the options comes the actual data to be transmitted. This concludes our look at TCP packets. Part 3 of this series, UDP and
ICMP Packets will teach you how to decode UDP and ICMP packets to understand how data is transmitted via those protocols.
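To pull the whole walkthrough above together, here is an added Python example (not part of the original article) that decodes the 28 header bytes from the dump, splits the code bits into flag names, and walks the options field, which the article shows but does not decode; the option kind numbers (1 = NOP, 2 = MSS, 4 = SACK permitted) are standard TCP values.

```python
import struct
# The 28 TCP header bytes taken from the dump above (offsets 0x014-0x02f), as one hex string
SAMPLE_HEX = "fdb9 0050 bd51 a0f4 0000 0000 7002 4000 785d 0000 0204 05b4 0101 0402"
FLAG_NAMES = ["FIN", "SYN", "RST", "PSH", "ACK", "URG"]  # bit 0 .. bit 5 of the code bits
OPTION_KINDS = {0: "EOL", 1: "NOP", 2: "MSS", 4: "SACK-permitted"}

def parse_options(opts):
    """Walk the option bytes: kind, then length, except EOL and NOP which are one byte each."""
    out, i = [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                          # End of option list
            out.append("EOL"); break
        if kind == 1:                          # NOP, a single byte used as padding
            out.append("NOP"); i += 1; continue
        if i + 1 >= len(opts):
            raise ValueError("truncated option at offset %d" % i)
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("bad option length %d at offset %d" % (length, i))
        body = opts[i + 2:i + length]
        name = OPTION_KINDS.get(kind, "kind%d" % kind)
        if kind == 2 and length == 4:          # Maximum Segment Size carries a 16-bit value
            out.append(("MSS", struct.unpack("!H", body)[0]))
        elif length == 2:                      # flag-style options such as SACK-permitted
            out.append(name)
        else:
            out.append((name, body.hex()))
        i += length
    return out

def parse_tcp_header(raw):
    """Decode the fixed 20-byte header, then hand any option bytes to parse_options."""
    if len(raw) < 20:
        raise ValueError("need at least 20 bytes for a TCP header")
    src, dst, seq, ack, off_flags, window, csum, urg = struct.unpack("!HHIIHHHH", raw[:20])
    data_offset = off_flags >> 12              # high nibble of 0x7002: header length in 32-bit words
    header_len = data_offset * 4
    if header_len < 20 or header_len > len(raw):
        raise ValueError("bad data offset %d" % data_offset)
    code_bits = off_flags & 0x3F               # low six bits: URG ACK PSH RST SYN FIN
    flags = [n for i, n in enumerate(FLAG_NAMES) if code_bits & (1 << i)]
    return {"src_port": src, "dst_port": dst, "seq": seq, "ack": ack,
            "data_offset": data_offset, "header_len": header_len, "flags": flags,
            "window": window, "checksum": csum, "urgent_pointer": urg,
            "options": parse_options(raw[20:header_len])}

if __name__ == "__main__":
    print(parse_tcp_header(bytes.fromhex(SAMPLE_HEX)))
```

The options decode to an MSS of 1460, two NOPs and SACK-permitted, which is why the header needs 8 bytes beyond the fixed 20. Note that 0xfdb9 decodes to 64953; the value 64473 quoted above would correspond to 0xfbd9.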