Wireshark 101: Internet Protocol, HakTip 125

  • Published on 4 Oct 2024
  • Hak5 -- Cyber Security Education, Inspiration, News & Community since 2005:
    ____________________________________________
    This week on HakTip Shannon Morse discusses the Internet Protocol, or IP for short.
    While ARP is used with MAC addresses to send data, IP handles most of the traffic for internetwork communication from one device to another. The Internet Protocol is found on Layer 3 of the OSI model, the Network layer.
    IP addresses have 32 bits, which identify the device. The 32 bits are split into four sets of ones and zeroes, each of which is then converted into base 10. This is where you get the 192.168.1.1 number notation. The computer registers the IP address as 32 bits of binary data, in 1's and 0's, while we see it as 192.168.1.1 instead of 11000000 10101000 00000000 00000001.
    The first two quarters usually tell you the network address, and the last two the host address. I say usually because it's not always the first two that are the network address; this is determined by looking at the subnet or network mask. If you run across a netmask of 11111111 11111111 00000000 00000000, that means that the first two quarters are the network address and the second two the host. This would be 255.255.0.0.
    If you don't want to remember how many bits are supposed to be the netmask and how many are the device itself, look at the network's CIDR (Classless Inter-Domain Routing) notation. For my local network of 192.168.0.1 (my local computer) and the netmask of 255.255.0.0, my CIDR notation would be 192.168.0.1/16. Remember my HakTip about Nmap (#92)? We showed you how to use CIDR notation to scan multiple targets in Nmap. This stuff always has a way of coming back around full circle!
    So now you know how an IP address is built. But what does it look like in Wireshark? Well, first let's dissect the IP packet header.
    This packet has the Version of IP being used (IPv4 or IPv6), the length, the type of service, the total length of the header and data included, an ID number to identify the packet, a flag to show you if the packet is part of some larger sequence of packets, a fragment offset which is used to tell you if the packet is a fragment or not, the TTL (or Time To Live), which shows you the lifetime of the packet in hops / second, the Protocol, a header checksum for error detection, the source IP address, the destination IP address, any extra options, and the actual Data. Time to Live tells you how long a packet stays alive and in transit. If stuck because of an error, a packet could end up in a never-ending loop, so it's important to know how long a packet will go through all the routers on the internet before it dies.
    IP Fragmentation. Sometimes an IP packet needs to be split up into multiple parts to allow reliable delivery on various network types. This is based on the MTU or Maximum Transmission Unit size of the layer 2 protocol (like Ethernet). Ethernet's default MTU size is 1500 bytes, so the IP fragmentation would occur if the packet size was over 1500. When you look at the packet header info for one of these IP packets, you'll notice that under the "More Fragments" section, it'll list how many other packets include that data. The Fragment Offset section will also give you a number depending on where the packet falls in the series of fragments, and how many bytes are in the packet (it might be less than 1500 for the Header Length). Lastly, you'll notice "More Fragments" says 0 once you find the last packet in the series, because it's the last one.
    Let me know what you think. Send me a comment below or email us at tips@hak5.org. And be sure to check out our sister show, Hak5, for more great stuff just like this. I'll be there, reminding you to trust your technolust.
    ____________________________________________
    Founded in 2005, Hak5's mission is to advance the InfoSec industry. We do this through our award winning educational podcasts, leading pentest gear, and inclusive community - where all hackers belong.
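
The header fields and fragmentation behaviour described above, as an added example (not from the video or from Hak5): it splits a constructed 4000-byte payload at Ethernet's 1500-byte MTU and parses each fragment's header back out. The function names, the payload size, the ID value and the destination address are assumptions made for the illustration.

```python
import ipaddress
import struct

IP_FMT = "!BBHHHBBH4s4s"  # fixed 20-byte IPv4 header, network byte order

def checksum(header: bytes) -> int:
    """One's-complement sum of 16-bit words; 0 when a stored checksum is valid."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_packet(src, dst, ident, more_fragments, offset, data, ttl=64, proto=17):
    # Flags sit in the top 3 bits (MF = 0x2000); the offset is stored in 8-byte units.
    flags_frag = (int(more_fragments) << 13) | (offset // 8)
    fields = [0x45, 0, 20 + len(data), ident, flags_frag, ttl, proto, 0,
              ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed]
    fields[7] = checksum(struct.pack(IP_FMT, *fields))  # computed with the field zeroed
    return struct.pack(IP_FMT, *fields) + data

def fragment(src, dst, ident, payload, mtu=1500):
    """Split payload so that header + data fits the MTU; data per fragment is a multiple of 8."""
    step = (mtu - 20) // 8 * 8
    return [build_packet(src, dst, ident, off + step < len(payload), off,
                         payload[off:off + step])
            for off in range(0, len(payload), step)]

def parse_header(packet: bytes) -> dict:
    (ver_ihl, _tos, total_len, ident, flags_frag,
     ttl, proto, _csum, src, dst) = struct.unpack(IP_FMT, packet[:20])
    header_len = (ver_ihl & 0x0F) * 4
    mf, offset = bool(flags_frag & 0x2000), (flags_frag & 0x1FFF) * 8
    return {
        "version": ver_ihl >> 4, "header_len": header_len, "total_len": total_len,
        "id": ident, "df": bool(flags_frag & 0x4000), "mf": mf, "frag_offset": offset,
        "is_fragment": mf or offset > 0,  # the last fragment has MF=0 but offset > 0
        "ttl": ttl, "protocol": proto,
        "checksum_ok": checksum(packet[:header_len]) == 0,
        "src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
    }

if __name__ == "__main__":
    # Constructed sample: 4000 zero bytes sent from 192.168.0.1 to 192.168.1.1.
    for pkt in fragment("192.168.0.1", "192.168.1.1", 0x1234, bytes(4000)):
        h = parse_header(pkt)
        print(h["id"], h["mf"], h["frag_offset"], h["total_len"], h["checksum_ok"])
```

The equivalent check in Wireshark is the display filter `ip.flags.mf == 1 || ip.frag_offset > 0`, which matches every fragment of a datagram including the last one.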

Comments • 15

  • @tonydunne1965 4 years ago +1

    this saves me hours and hours beautiful

  • @juicetheballer 9 years ago

    Awesome, thank you for this!

  • @vadimabrams 9 years ago

    great show, very useful!

  • @neroprox 9 years ago

    I'm pretty sure offset shouldn't be zero for the last fragment. Usually a fragment starts with zero and increments by the amount of data.
    The way to check if it is the last fragment is to check if the M(More fragments) flag is set to zero.

  • @OK-1K1 9 years ago +7

    next time you want to explain IP addressing - draw it out.

  • @MalamIbnMalam 9 years ago

    What program do you use to record this? Pretty cool.

  • @KowboyUSA 9 years ago

    *But can it capture in promiscuous mode running on Windows 7 x64 ?*

  • @cameronbaker220 9 years ago

    what do the numbers and letters at bottom mean???

  • @stablizershock 9 years ago

    How to open YouTube.com by typing its IP. When I type IP it opens google.com instead of YouTube.

    • @stablizershock 9 years ago

      ***** Can you please elaborate as I am a noob. Thanks.

    • @stablizershock 9 years ago

      ***** Ok here is my problem. My country blocked a lot of websites. But I can access those websites if I enter their IP instead of domain. So same way I want to access YouTube as it is also blocked by ISP currently using VPN but wanna do it without VPN.

    • @akash9955 9 years ago

      stablizershock hello there, u can try to ping or trace route(tracert) to get IP or else u can use some software.... ;)

    • @stablizershock 9 years ago

      Akash Paraswar I did all I know the IP but don't open youtube

  • @melvinfernandes4352 7 years ago

    what's her name

  • @Mau5ex 6 years ago +1

    Yo, She's so hot