Homework 5: Packet Analysis of an Echo Reply (12 points) Introduction: Previously we decoded an echo...

Transcribed Image Text:

Homework 5: Packet Analysis of an Echo Reply (12 points) Introduction: Previously we decoded an echo request. The purpose of Homework 5 is to give you practice decoding an Echo Reply. The hexadecimal output from our previous lab is copied below. 4500 0054 31a2 0000 4001 4b05 7f00 0001 7f00 0001 0000 dela 456e 0007 42cb bd62 0000 0000 156f 0800 0000 0000 1011 1213 1415 1617 1819 lalb 1cld lelf 2021 2223 ...... How to start? 1) Remember the output is an IP Header with its payload or data. Copy the Sans TCP/IP and tcpdump reference guide IP Header Template https://www.sans.org/security- resources/tcpip.pdf IPv4 Header Offset: Add column+row. e.g. Protocol=9 ip[9] = "IP header offset 9" or the protocol field 1 2 3 0 Ver IHL TOS Total Length IP Identification HOM Offset 0 4 8 12 16 20 TTL Protocol Checksum Source Address Destination Address Options (optional) 2) Overlay the hexadecimal output on the template 3) Hopefully you will agree with the following: IPv4 Header Offset: Add column+row. e.g. Protocol=9 ip[9] = "IP header offset 9" or the protocol field 0 1 2 3 Ver HL TOS Total Length 0 4 IP Identification HOM 31 TTL 840 127 167 20 4 Offset 20000 Protocol Checksum 475 o Source Address Destination Address Options (optional) 4) Now that you have overlaid the IP Header template with the hexadecimal output, let's interpret the packet contents. a. What is the version of IP? b. What is the length of the IP Header in bytes? IHL x 4 = C. What is the total length of the IP datagram in decimal? d. What is the IP Identification number in decimal? e. You will note that the Fragment Flags and Fragment Offset are all zero. It means the Don't Fragment and More Fragment bits are set to zero. f. What is the Time to Live field in decimal? g. What protocol is indicated in the protocol field? h. What is the Checksum in decimal? i. What is the Destination Address in dotted decimal? 5) Underline or highlight the IP Header 4500 0054 31a2 0000 4001 4b05 7f00 0001 7f00 0001 0000 dela 456e 0007 42cb bd62 0000 0000 156f 0800 0000 0000 1011 1213 1415 1617 1819 lalb 1c1d 1elf 2021 2223 Remember in 4)b. above you calculated the IP header to be 20 bytes long. The minimum length of an IP Header is 20 bytes long. A 20-byte IP Header does not include Options. If an IP Header contains options, the IHL will be greater than 5. 6. What protocol follows the IP Header? If you answered ICMP, you are right. The IP header must include the protocol type that follows so hardware devices know how to interpret the remaining packet information. In order to decipher the rest of the packet you will need to copy the Sans TCP/IP and tcpDump reference guide ICMP Template which I have included below. I have written in the hexadecimal packet contents into the template. What type of ICMP packet is our example? 0 4 Type 0 3 4 5 8 9 11 12 I ! I I T 1 I I I I I I I 0 1 Type Code I 1 1 Code 0 0 1 2 3 et Addtl. information depending on type/code 4 5 ICMP 6 7 8 9 10 11 12 13 0 0 1 2 3 0 0 0 1 0 1 2 Name Echo Reply Network Unreachable Host Unreachable IProtocol Unreachable IPort Unreachable Checksum Fragmentation Required Source Route Failed Dest. Network Unknown Destination Host Unknown Source Host Isolated Net Administratively Prohibited Host Administratively Prohibited 3 INetwork unreschable for TOS Host unreachable for TOS Communication Admin. Prohibited Source quench Network Redirect Host Redirect ITOS & Network Redirect ITOS & Host Redirect Echo [Echo Request] Router Advertisement Time to live exceeded in transit Fragment Reassembly time exceeded Parameter Prob. Pointer indicated the error Missing a required option Note: If the protocol in the IP Header was 6, you would need to continue to decode with Sans TCP/IP and tcpDump reference guide TCP Template. If the protocol in the IP Header was 17 (0x11), you would need to continue to decode with Sans TCP/IP and tcpDump reference guide UDP Template. What follows the 4-byte ICMP Header is the ICMP's payload or data. Homework 5: Packet Analysis of an Echo Reply (12 points) Introduction: Previously we decoded an echo request. The purpose of Homework 5 is to give you practice decoding an Echo Reply. The hexadecimal output from our previous lab is copied below. 4500 0054 31a2 0000 4001 4b05 7f00 0001 7f00 0001 0000 dela 456e 0007 42cb bd62 0000 0000 156f 0800 0000 0000 1011 1213 1415 1617 1819 lalb 1cld lelf 2021 2223 ...... How to start? 1) Remember the output is an IP Header with its payload or data. Copy the Sans TCP/IP and tcpdump reference guide IP Header Template https://www.sans.org/security- resources/tcpip.pdf IPv4 Header Offset: Add column+row. e.g. Protocol=9 ip[9] = "IP header offset 9" or the protocol field 1 2 3 0 Ver IHL TOS Total Length IP Identification HOM Offset 0 4 8 12 16 20 TTL Protocol Checksum Source Address Destination Address Options (optional) 2) Overlay the hexadecimal output on the template 3) Hopefully you will agree with the following: IPv4 Header Offset: Add column+row. e.g. Protocol=9 ip[9] = "IP header offset 9" or the protocol field 0 1 2 3 Ver HL TOS Total Length 0 4 IP Identification HOM 31 TTL 840 127 167 20 4 Offset 20000 Protocol Checksum 475 o Source Address Destination Address Options (optional) 4) Now that you have overlaid the IP Header template with the hexadecimal output, let's interpret the packet contents. a. What is the version of IP? b. What is the length of the IP Header in bytes? IHL x 4 = C. What is the total length of the IP datagram in decimal? d. What is the IP Identification number in decimal? e. You will note that the Fragment Flags and Fragment Offset are all zero. It means the Don't Fragment and More Fragment bits are set to zero. f. What is the Time to Live field in decimal? g. What protocol is indicated in the protocol field? h. What is the Checksum in decimal? i. What is the Destination Address in dotted decimal? 5) Underline or highlight the IP Header 4500 0054 31a2 0000 4001 4b05 7f00 0001 7f00 0001 0000 dela 456e 0007 42cb bd62 0000 0000 156f 0800 0000 0000 1011 1213 1415 1617 1819 lalb 1c1d 1elf 2021 2223 Remember in 4)b. above you calculated the IP header to be 20 bytes long. The minimum length of an IP Header is 20 bytes long. A 20-byte IP Header does not include Options. If an IP Header contains options, the IHL will be greater than 5. 6. What protocol follows the IP Header? If you answered ICMP, you are right. The IP header must include the protocol type that follows so hardware devices know how to interpret the remaining packet information. In order to decipher the rest of the packet you will need to copy the Sans TCP/IP and tcpDump reference guide ICMP Template which I have included below. I have written in the hexadecimal packet contents into the template. What type of ICMP packet is our example? 0 4 Type 0 3 4 5 8 9 11 12 I ! I I T 1 I I I I I I I 0 1 Type Code I 1 1 Code 0 0 1 2 3 et Addtl. information depending on type/code 4 5 ICMP 6 7 8 9 10 11 12 13 0 0 1 2 3 0 0 0 1 0 1 2 Name Echo Reply Network Unreachable Host Unreachable IProtocol Unreachable IPort Unreachable Checksum Fragmentation Required Source Route Failed Dest. Network Unknown Destination Host Unknown Source Host Isolated Net Administratively Prohibited Host Administratively Prohibited 3 INetwork unreschable for TOS Host unreachable for TOS Communication Admin. Prohibited Source quench Network Redirect Host Redirect ITOS & Network Redirect ITOS & Host Redirect Echo [Echo Request] Router Advertisement Time to live exceeded in transit Fragment Reassembly time exceeded Parameter Prob. Pointer indicated the error Missing a required option Note: If the protocol in the IP Header was 6, you would need to continue to decode with Sans TCP/IP and tcpDump reference guide TCP Template. If the protocol in the IP Header was 17 (0x11), you would need to continue to decode with Sans TCP/IP and tcpDump reference guide UDP Template. What follows the 4-byte ICMP Header is the ICMP's payload or data.