
Understanding IP Packets. Part 3


by Chris Hurley - 6/9/01

This is the final installment of a three-part series designed to give a basic overview of IP packets. This installment covers UDP and ICMP packets.

The UDP header looks like this:

    0                   1                   2                   3

    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1

   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   |       Source Port             |          Destination Port     |

   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   |       UDP Length              |          Checksum             |

   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   |                              Data                             |

   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+


The first two fields of the UDP header are the source and destination ports. In the hex dump below, the first two words (ca82 1233) are the last four bytes of the IP header, its destination address, and the UDP header begins with the third word:

0x010 ca82 1233 05ab 0035 0032 2dc1 0000 0000

05ab is a source port of 1451, an ephemeral client port, and 0035 is a destination port of 53, DNS.

Next is the UDP length. It plays the same role as the total length field in the IP header, but counts only the 8-byte UDP header plus the data that follows it:

0x010 ca82 1233 05ab 0035 0032 2dc1 0000 0000

0032 is 50 bytes, so this datagram carries 42 bytes of DNS data. With the 20-byte IP header seen here the IP total length should be 70; a UDP length that disagrees with the IP length marks a malformed or crafted packet, and a receiver has to decide which of the two to trust.

The last header field, 2dc1, is the UDP checksum. Like the IP header checksum it lets the receiver detect a corrupted packet, but it differs in two ways worth knowing. It is computed over a pseudo-header (the source and destination IP addresses, the protocol number and the UDP length) as well as the UDP header and data, which is why a NAT device that rewrites addresses or ports must also rewrite it. And in IPv4 it is optional: a sender may set the field to zero, and the receiver then skips the check altogether. In neither case is a checksum a security control; anyone who can alter a packet in transit can recompute it.

Finally, we will look at ICMP packets. ICMP is the Internet's control-message protocol: it is used to test connectivity, to report errors such as an unreachable host or an expired TTL, and to carry notifications such as redirects. Ping (echo request and echo reply) is its most common use. ICMP messages carry no authentication, so the types that change a host's behaviour, redirects and source quench among them, are easy to spoof and are often filtered at network borders.

The ICMP header begins with three fields, type, code and checksum, in its first four bytes. What the remaining four bytes of the header hold depends on the type:

    0                   1                   2                   3

    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1

   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   |     Type      |     Code      |          Checksum             |

   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+


0x010 7002 4000 785d 0800 c3ee 05b4 0101 0402

The type byte, 08, tells us that this is an echo request, a ping. The code byte, 00, is zero because echo messages define no codes. In an echo request or reply the four bytes after the checksum hold an identifier and a sequence number (here 05b4 and 0101) that the sender uses to match replies to its requests. The following table can be used to decode ICMP types and codes.

Type    Name                                   Code(s)
0       Echo reply                             0 - None
1       Unassigned
2       Unassigned
3       Destination unreachable                0 - Net unreachable
                                               1 - Host unreachable
                                               2 - Protocol unreachable
                                               3 - Port unreachable
                                               4 - Fragmentation needed and DF bit set
                                               5 - Source route failed
                                               6 - Destination network unknown
                                               7 - Destination host unknown
                                               8 - Source host isolated
                                               9 - Communication with destination network is administratively prohibited
                                               10 - Communication with destination host is administratively prohibited
                                               11 - Destination network unreachable for TOS
                                               12 - Destination host unreachable for TOS
4       Source quench                          0 - None
5       Redirect                               0 - Redirect datagram for the network
                                               1 - Redirect datagram for the host
                                               2 - Redirect datagram for the TOS and network
                                               3 - Redirect datagram for the TOS and host
6       Alternate host address                 0 - Alternate address for host
7       Unassigned
8       Echo                                   0 - None
9       Router advertisement                   0 - None
10      Router selection                       0 - None
11      Time exceeded                          0 - Time to live exceeded in transit
                                               1 - Fragment reassembly time exceeded
12      Parameter problem                      0 - Pointer indicates the error
                                               1 - Missing a required option
                                               2 - Bad length
13      Timestamp                              0 - None
14      Timestamp reply                        0 - None
15      Information request                    0 - None
16      Information reply                      0 - None
17      Address mask request                   0 - None
18      Address mask reply                     0 - None
19      Reserved (for security)
20-29   Reserved (for robustness experiment)
30      Traceroute
31      Datagram conversion error
32      Mobile host redirect
33      IPv6 where-are-you
34      IPv6 I-am-here
35      Mobile registration request
36      Mobile registration reply
37-255  Reserved


c3ee is the checksum. As with UDP it is computed over the whole ICMP message, header and data, so a receiver can sum the message as received and expect zero; unlike UDP it has no pseudo-header and is never optional.
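As an added example, not code from the original article, the Python script below ties the UDP and ICMP sections together. It parses the UDP header words quoted above (05ab 0035 0032 2dc1); computes and verifies a UDP checksum with its pseudo-header over a constructed DNS query between two made-up hosts, 10.0.0.1 and 10.0.0.53; shows that a tampered payload fails the check, that a zero checksum is skipped, and that anyone who alters the payload can simply re-sum it; and builds and decodes an ICMP echo request using a subset of the type/code table above. The addresses and the DNS query are assumptions for the demonstration; the field layouts and the checksum are those of RFC 768, RFC 792 and RFC 1071.

```python
"""Decode and checksum the UDP and ICMP headers discussed above (IPv4)."""
import struct

# The eight UDP header bytes from the article's hex dump: the words that follow
# the last four bytes of the IP header at offset 0x010.
ARTICLE_UDP_HEADER = bytes.fromhex("05ab 0035 0032 2dc1")

# Constructed sample (not from the article): two hosts and a DNS A query payload.
SRC_IP = bytes([10, 0, 0, 1])
DST_IP = bytes([10, 0, 0, 53])
DNS_QUERY = (bytes.fromhex("1234 0100 0001 0000 0000 0000")
             + b"\x07example\x03com\x00\x00\x01\x00\x01")

# Subset of the type/code table above, enough to name the types seen most often.
ICMP_TYPES = {
    0: ("Echo reply", {0: "None"}),
    3: ("Destination unreachable", {
        0: "Net unreachable", 1: "Host unreachable", 2: "Protocol unreachable",
        3: "Port unreachable", 4: "Fragmentation needed and DF bit set"}),
    8: ("Echo", {0: "None"}),
    11: ("Time exceeded", {0: "Time to live exceeded in transit",
                           1: "Fragment reassembly time exceeded"}),
}


def internet_checksum(data: bytes) -> int:
    """RFC 1071 checksum shared by IP, UDP and ICMP: one's-complement sum of
    16-bit big-endian words with carries folded back in, then inverted."""
    if len(data) % 2:
        data += b"\x00"          # an odd trailing byte is padded for the sum only
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def parse_udp_header(raw: bytes) -> dict:
    """Split the 8-byte UDP header. The length counts header and data together."""
    sport, dport, length, csum = struct.unpack("!HHHH", raw[:8])
    return {"src_port": sport, "dst_port": dport, "length": length,
            "payload_len": length - 8, "checksum": csum}


def udp_checksum(src_ip: bytes, dst_ip: bytes, segment: bytes) -> int:
    """UDP sums a pseudo-header (addresses, zero byte, protocol 17, UDP length)
    ahead of the segment, with the checksum field itself taken as zero. A result
    of 0 is sent as 0xFFFF, because a field of 0 means "no checksum"."""
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, 17, len(segment))
    zeroed = segment[:6] + b"\x00\x00" + segment[8:]
    return internet_checksum(pseudo + zeroed) or 0xFFFF


def build_udp(src_ip, dst_ip, sport, dport, payload: bytes) -> bytes:
    """Assemble a UDP segment and fill in its checksum."""
    segment = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    csum = udp_checksum(src_ip, dst_ip, segment)
    return segment[:6] + struct.pack("!H", csum) + segment[8:]


def verify_udp(src_ip, dst_ip, segment: bytes):
    """True or False for a checksum that matches or fails; None when the sender
    set it to zero, which IPv4 permits and which a receiver accepts unchecked."""
    sent = struct.unpack("!H", segment[6:8])[0]
    if sent == 0:
        return None
    return udp_checksum(src_ip, dst_ip, segment) == sent


def parse_icmp_header(raw: bytes) -> dict:
    """Type, code and checksum; echo request and reply also carry an identifier
    and sequence number in the next four bytes. The checksum covers the whole
    message, so summing the message as received must give zero."""
    itype, code, csum = struct.unpack("!BBH", raw[:4])
    name, codes = ICMP_TYPES.get(itype, ("Unassigned/Reserved", {}))
    info = {"type": itype, "type_name": name, "code": code,
            "code_name": codes.get(code, "Unknown"), "checksum": csum,
            "checksum_ok": internet_checksum(raw) == 0}
    if itype in (0, 8) and len(raw) >= 8:
        info["identifier"], info["sequence"] = struct.unpack("!HH", raw[4:8])
    return info


def build_echo_request(identifier: int, sequence: int, payload: bytes) -> bytes:
    """Type 8, code 0, checksum over header and payload."""
    header = struct.pack("!BBHHH", 8, 0, 0, identifier, sequence)
    csum = internet_checksum(header + payload)
    return struct.pack("!BBHHH", 8, 0, csum, identifier, sequence) + payload


if __name__ == "__main__":
    print(parse_udp_header(ARTICLE_UDP_HEADER))
    seg = build_udp(SRC_IP, DST_IP, 1451, 53, DNS_QUERY)
    tampered = seg[:12] + bytes([seg[12] ^ 0x01]) + seg[13:]
    print(verify_udp(SRC_IP, DST_IP, seg), verify_udp(SRC_IP, DST_IP, tampered))
    # Anyone who can alter a packet can re-sum it, so the checksum is not a
    # security control: the tampered payload verifies again once rebuilt.
    print(verify_udp(SRC_IP, DST_IP, build_udp(SRC_IP, DST_IP, 1451, 53, tampered[8:])))
    print(parse_icmp_header(build_echo_request(0x05B4, 0x0101, b"constructed ping")))
```

Feeding the article's own UDP words to parse_udp_header gives ports 1451 and 53 and a length of 50, matching the decode above. The pseudo-header is what makes verify_udp fail when the same segment is checked against a different destination address, which is the property a NAT has to compensate for by rewriting the field.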

This concludes our look at IP Packets. This series was not designed to make you an expert at decoding packets, but rather was geared toward giving you the ammunition that you will need to begin decoding and understanding packets as they come across your network.