
Network Basics Part 1

Just my small notes, taken while learning networks. The source is OccupytheWeb.

What are Protocols?

Protocols are simply an agreed upon way to communicate. For instance, we here on Hackers-Arise have agreed upon the English language with all its rules and grammar as our way to communicate. That is our protocol. If we did not have an agreed upon way to communicate, people would be using many languages, grammar, and rules and none of us would understand each other.

Network protocols are similar. A protocol simply defines a way of communicating, with all its rules. These rules are usually defined in an RFC (Request for Comments).

There are many, many protocols in use on the internet. These include TCP, IP, UDP, FTP, HTTP, SMTP, etc., and each has its own set of rules that must be complied with in order to communicate effectively (similar to the rules we use in communication via written languages). Probably the two most important protocols for use over the internet are IP and TCP, so let's take a look at each of these.

IP Protocol

What is a fragment in network packets?

In networking, a fragment is a piece of a larger packet that has been broken up into smaller pieces so that it can pass through a network link with a smaller Maximum Transmission Unit (MTU). The fragments are reassembled by the receiving host.

The process of breaking up a packet into fragments is called fragmentation. The process of reassembling the fragments into a complete packet is called reassembly.

Fragmentation can occur for a number of reasons, including:

  • The packet is too large to fit within the MTU of a network link.

  • The packet is crossing multiple networks with different MTUs.

  • The packet is being sent to a device that does not support the original packet size.

Fragmentation can introduce a number of problems, including:

  • Increased latency: Fragmentation can add additional latency to the packet transmission process.

  • Increased overhead: Fragmentation adds additional header information to each fragment, which increases the overall packet size.

  • Increased complexity: Fragmentation can make it more difficult to troubleshoot network problems.

In some cases, it is possible to avoid fragmentation by using a smaller packet size. However, this may not always be possible, especially for large data transfers.

If fragmentation does occur, it is important to ensure that the fragments are reassembled correctly at the receiving host. This can be done by using a reassembler, which is a software program that reassembles the fragments into a complete packet.

Here is an example of packet fragmentation:

A packet that is 2,366 bytes in length enters an Ethernet network with a default MTU size of 1,500 bytes. The packet must be fragmented into two packets. The first packet will:

  • Be 1,500 bytes in length.

  • Have 20 bytes of IP header.

  • Have 24 bytes of TCP header.

  • Have 1,456 bytes of data.

The second packet will:

  • Be 866 bytes in length.

  • Have 20 bytes of IP header.

  • Have 0 bytes of TCP header.

  • Have 846 bytes of data.

The two fragments will then be sent over the network and reassembled by the receiving host.
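The walk-through above, carried out in code. This is an added example and not code from the original notes or from OccupytheWeb: it cuts a 2,366-byte datagram (20-byte IP header plus 2,346 bytes of IP payload, of which the TCP header is simply the first part) for a 1,500-byte Ethernet MTU and then reassembles the pieces at the receiver, tolerating out-of-order arrival and refusing overlapping fragments. Identification value, payload contents and the `Fragment` helper are constructed for the demo. Because the IP Fragment Offset field counts 8-byte units, each non-final piece carries a payload rounded down to a multiple of 8 (1,480 bytes here), so the split point is slightly different from the one stated in the prose.

```python
"""Added example: IPv4 fragmentation and reassembly (not code from the original notes).

Mirrors the walk-through above: a datagram larger than a 1,500-byte Ethernet MTU is cut
into pieces, each carrying its own 20-byte IP header, and the receiver puts them back
together by offset. Offsets are carried in 8-byte units, so every fragment except the
last must hold a payload that is a multiple of 8 bytes. All sizes here are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional

IP_HEADER_LEN = 20        # minimal IPv4 header, no options
FRAG_UNIT = 8             # the Fragment Offset field counts 8-byte blocks


@dataclass
class Fragment:
    ident: int            # Identification field shared by all pieces of one datagram
    offset: int           # position of this payload in the original datagram, in bytes
    more_fragments: bool  # MF flag: False only on the final piece
    payload: bytes

    @property
    def total_length(self) -> int:
        """Value the fragment's own IP Total Length field would carry."""
        return IP_HEADER_LEN + len(self.payload)


def fragment(ident: int, payload: bytes, mtu: int) -> List[Fragment]:
    """Split the IP payload (everything after the IP header) so each piece fits the MTU."""
    max_payload = (mtu - IP_HEADER_LEN) // FRAG_UNIT * FRAG_UNIT   # round down to 8-byte units
    if max_payload <= 0:
        raise ValueError("MTU too small for an IPv4 header plus data")
    if IP_HEADER_LEN + len(payload) <= mtu:
        return [Fragment(ident, 0, False, payload)]     # fits: no fragmentation needed
    pieces = []
    for off in range(0, len(payload), max_payload):
        chunk = payload[off:off + max_payload]
        is_last = off + len(chunk) >= len(payload)
        pieces.append(Fragment(ident, off, not is_last, chunk))
    return pieces


def reassemble(pieces: List[Fragment]) -> Optional[bytes]:
    """Rebuild the payload from fragments that may arrive in any order.

    Returns None while the datagram is incomplete (a gap between offsets, or the MF=0
    piece has not arrived). Overlapping or duplicated fragments raise, because their
    contents are ambiguous and different stacks resolve the overlap differently.
    """
    if len({p.ident for p in pieces}) != 1:
        raise ValueError("fragments belong to different datagrams")
    buf, expected, seen_last = bytearray(), 0, False
    for p in sorted(pieces, key=lambda f: f.offset):
        if p.offset < expected:
            raise ValueError(f"overlapping fragment at offset {p.offset}")
        if p.offset > expected:
            return None                                 # hole: a piece is still missing
        buf += p.payload
        expected += len(p.payload)
        seen_last = seen_last or not p.more_fragments
    return bytes(buf) if seen_last else None


# Constructed input: a 2,366-byte datagram (20-byte header + 2,346 bytes of payload)
# entering an Ethernet link with a 1,500-byte MTU, as in the walk-through above.
SAMPLE_PAYLOAD = bytes(range(256)) * 9 + bytes(42)      # 2304 + 42 = 2346 bytes
SAMPLE_FRAGMENTS = fragment(0x1234, SAMPLE_PAYLOAD, 1500)

if __name__ == "__main__":
    for f in SAMPLE_FRAGMENTS:
        print(f"offset={f.offset:5d} MF={int(f.more_fragments)} "
              f"payload={len(f.payload):5d} total={f.total_length}")
    print("reassembled OK:", reassemble(list(reversed(SAMPLE_FRAGMENTS))) == SAMPLE_PAYLOAD)
```

Running it shows the first piece at offset 0 with MF=1 and a 1,500-byte total length, the second at offset 1,480 with MF=0, and a successful reassembly even when the second piece is handed in first. The reassembler deliberately returns nothing until the last piece is present and rejects overlaps, which is the behaviour a defender wants from an inline inspection device: a packet that only exists once all fragments are merged should never be judged on one fragment alone.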

What is a timestamp and why is it used?

In the above example, the base TCP header is only 20 bytes, but the TCP header is 24 bytes long because it contains a timestamp option. The timestamp option is used to track the time that packets are sent and received, which can be used to troubleshoot network problems.

The timestamp option is not always included in the TCP header. It is typically only included when it is needed, such as when troubleshooting network problems.

Here is a table that shows the size of the TCP header with and without the timestamp option:

TCP header | Timestamp option | Total header size
-----------|------------------|------------------
20 bytes   | Not included     | 20 bytes
20 bytes   | Included         | 24 bytes
40 bytes   | Not included     | 40 bytes
40 bytes   | Included         | 44 bytes


As you can see, the TCP header can be 24 bytes long if it contains the timestamp option. This is why I said that the TCP header in your example was 24 bytes long.


What are the IP Header and TCP Header?

The IP header and TCP header are two of the most important parts of a network packet. The IP header is responsible for routing the packet to its destination, while the TCP header provides information about how the data in the packet should be handled.

  • IP header

The IP header is 20 bytes long and contains the following information:

* Source IP address: The IP address of the device that sent the packet.
* Destination IP address: The IP address of the device that the packet is being sent to.
* Protocol: The type of protocol that is being used to transport the data in the packet. In this case, the protocol is TCP.
* Length: The length of the packet, in bytes.
* Fragmentation information: This information is used if the packet needs to be fragmented in order to pass through a network link with a smaller MTU.

  • TCP header

The TCP header is 20 bytes long and contains the following information:

* Source port: The port number of the device that sent the packet.
* Destination port: The port number of the device that the packet is being sent to.
* Sequence number: A number that is used to track the order of the packets in a TCP connection.
* Acknowledgment number: A number that is used to acknowledge the receipt of a packet.
* Flags: A set of bits that control the flow of data and the handling of errors.
* Window size: The maximum number of bytes that the sender is willing to receive in a single packet.
* Checksum: A value that is used to verify the integrity of the packet.

The IP header and TCP header are essential for the reliable delivery of data over a network. By providing information about the source and destination of the packet, as well as the type of protocol being used, these headers allow the packets to be routed to their destination and processed correctly.

TCP Packet Header

For Better Understanding

Row 1

  • Source Port / Destination Port: Probably most importantly, these are the source port and destination port. These fields determine what port the communication came from (source) and where it is going (destination).

Row 2

  • Sequence Number: The sequence number is generated by the source machine's TCP stack and is used to make certain that packets are arranged in the proper sequence when they arrive. It is also important in defeating MitM attacks.

Row 3

  • Acknowledgement Number: This is an echo of the Sequence Number sent back by the receiving system. It basically says, "I received the packet with the Sequence #." In this way, the sender knows that the packet arrived. If the sender does not receive an Acknowledgment Number back in a fixed amount of time, it will resend the packet to make certain the receiver gets the packet. In this way, TCP is reliable (in contrast, UDP does not do this and is therefore unreliable).

Row 4

The first two bits in the TCP header are the Congestion Window Reduced (CWR) and ECN-Echo (ECE) flags. These flags are used to signal congestion in a TCP connection.

  • CWR (Congestion Window Reduced) is set by a receiver to indicate that it has received a packet with the CE (Congestion Experienced) flag set. This tells the sender to reduce its congestion window, which is the number of bytes that it is allowed to send before it receives an acknowledgment.

  • ECE (ECN-Echo) is set by a receiver to indicate that it understands and supports ECN. This allows the sender to use ECN to signal congestion without having to drop packets.

When a sender receives a packet with the CWR flag set, it reduces its congestion window by half. This helps to prevent the sender from sending too much data into the network, which can lead to congestion.

When a sender receives a packet with the ECE flag set, it knows that the receiver understands ECN and can use it to signal congestion. This allows the sender to reduce its congestion window without having to drop packets, which can improve the performance of the connection.

The CWR and ECE flags are part of the Explicit Congestion Notification (ECN) mechanism, which is a way for TCP connections to signal congestion without having to drop packets. ECN is a newer protocol than TCP, and not all routers and firewalls support it. However, ECN is becoming more widely supported, and it can be a valuable tool for improving the performance of TCP connections.

Content starts for Layer 4:

The first two bits, CWR and ECE, are beyond the scope of this lesson. The next six bits are the URG, ACK, PSH, RST, SYN, and FIN flags. These flags are used by TCP to communicate:

  • SYN: The opening of a new connection.

  • FIN: The normal, "soft" closing of a connection.

  • ACK: The acknowledgement of a packet. All packets after the three-way handshake should have this bit set.

  • RST: The hard-close of a connection and usually used to communicate that the packet has arrived at the wrong port or IP.

  • URG: This flag indicates that the following data is urgent.

  • PSH: Push the data past the buffer to the application.

Window Size: In some diagrams, this is simply described as the Window field. Its role is to communicate the size of the window that the TCP stack has to buffer packets. This is the way that TCP manages flow control. From a recon or forensics perspective, this field alone can be enough to identify the OS that sent the packet. This field varies from OS to OS and even from SP to SP. Given this bit of information, one can predict with about 80% accuracy the OS that sent the packet. In fact, it is this field and a few others (DF and TTL in the IP header) that operating system fingerprinters such as p0f use to identify the OS.

Row 5

  • Checksum: This field uses a simple algorithm to check for errors. In essence, it is an integrity checker.

  • URG Pointer: This field points to the last byte of the sequence number of urgent data. The URG flag must also be set for this field to take effect.

Row 6

  • Options: Like the IP header, the TCP header has an options field that can be used if necessary, and it is of variable length.

  • Padding: The padding is necessary to bring the TCP header to a multiple of 32 bits.
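The header layout described in the two sections above (the IP header fields, then the six rows of the TCP header with its flags, window, checksum, urgent pointer, options and padding), as a parser you can run. This is an added example, not code from the original notes or from OccupytheWeb. It builds a constructed IPv4/TCP segment (made-up addresses and ports), a SYN with ECE and CWR set, whose TCP header carries the timestamp option padded to a 32-bit boundary, then decodes every field, lists the flag bits by name, walks the options, and verifies both checksums, the TCP one over the IP pseudo-header. The helper names (`build_segment`, `parse_segment`, `parse_options`) are this example's own.

```python
"""Added example: build, parse and verify an IPv4 + TCP header (not from the original notes).

The segment below is constructed for the demo: a SYN with ECE and CWR set (an ECN-capable
handshake), a 20-byte IPv4 header and a TCP header carrying the timestamp option, padded
to a 32-bit boundary as the Options/Padding rows describe. Both checksums are computed
on the way out and re-verified on the way in; the TCP one covers the IP pseudo-header.
"""
import struct
from typing import Dict, List, Tuple

# TCP flag bits, least significant first: FIN is bit 0, CWR is bit 7
TCP_FLAG_NAMES = ["FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECE", "CWR"]
PROTO_TCP = 6


def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; odd-length input is zero-padded."""
    if len(data) % 2:
        data = data + b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_segment(src_ip: bytes, dst_ip: bytes, sport: int, dport: int, seq: int, ack: int,
                  flags: int, window: int, options: bytes = b"", payload: bytes = b"") -> bytes:
    """Assemble IPv4 header + TCP header (+ options, padded) + payload with valid checksums."""
    options = options + b"\x00" * (-len(options) % 4)   # pad to a multiple of 32 bits
    data_offset = (20 + len(options)) // 4               # TCP header length in 32-bit words
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, data_offset << 4, flags, window, 0, 0)
    tcp += options + payload
    pseudo = struct.pack("!4s4sBBH", src_ip, dst_ip, 0, PROTO_TCP, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", internet_checksum(pseudo + tcp)) + tcp[18:]
    # IPv4: version 4 / IHL 5, constructed Identification, DF flag (0x4000), TTL 64
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000, 64,
                     PROTO_TCP, 0, src_ip, dst_ip)
    ip = ip[:10] + struct.pack("!H", internet_checksum(ip)) + ip[12:]
    return ip + tcp


def parse_options(raw: bytes) -> List[Tuple[int, object]]:
    """Walk the TCP options area; NOP aligns, EOL ends, everything else is kind/len/body."""
    opts, i = [], 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:                        # End of Option List: the rest is padding
            break
        if kind == 1:                        # No-Operation
            i += 1
            continue
        if i + 1 >= len(raw) or raw[i + 1] < 2 or i + raw[i + 1] > len(raw):
            raise ValueError("malformed TCP option")
        length = raw[i + 1]
        body = raw[i + 2:i + length]
        if kind == 8 and len(body) == 8:     # Timestamps option: TSval, TSecr
            opts.append((kind, struct.unpack("!II", body)))
        else:
            opts.append((kind, body))
        i += length
    return opts


def parse_segment(packet: bytes) -> Dict:
    """Decode the IP and TCP headers and report whether each checksum verifies."""
    ver_ihl, _tos, total_len, ident, flags_frag, ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or proto != PROTO_TCP or len(packet) < total_len:
        raise ValueError("not a complete IPv4/TCP packet")
    tcp = packet[ihl:total_len]
    sport, dport, seq, ack, off_res, flag_bits, window, _tcsum, urg = \
        struct.unpack("!HHIIBBHHH", tcp[:20])
    doff = (off_res >> 4) * 4                # Data Offset: header length in 32-bit words
    pseudo = struct.pack("!4s4sBBH", src, dst, 0, PROTO_TCP, len(tcp))
    return {
        "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
        "ttl": ttl, "ident": ident,
        "df": bool(flags_frag & 0x4000), "mf": bool(flags_frag & 0x2000),
        "frag_offset": (flags_frag & 0x1FFF) * 8,                 # carried in 8-byte units
        "ip_checksum_ok": internet_checksum(packet[:ihl]) == 0,   # valid header sums to zero
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "flags": [n for i, n in enumerate(TCP_FLAG_NAMES) if flag_bits & (1 << i)],
        "window": window, "urg_pointer": urg,
        "tcp_header_len": doff,
        "options": parse_options(tcp[20:doff]),
        "tcp_checksum_ok": internet_checksum(pseudo + tcp) == 0,
        "payload": tcp[doff:],
    }


# Constructed sample: ECN-capable SYN from 10.0.0.1:40000 to 192.0.2.10:443 (made-up addresses),
# options = NOP, NOP, Timestamps(TSval=123456, TSecr=0) -> 12 bytes, header becomes 32 bytes
SAMPLE = build_segment(bytes([10, 0, 0, 1]), bytes([192, 0, 2, 10]), 40000, 443, 1000, 0,
                       flags=0x02 | 0x40 | 0x80, window=65535,
                       options=b"\x01\x01" + struct.pack("!BBII", 8, 10, 123456, 0))

if __name__ == "__main__":
    for k, v in parse_segment(SAMPLE).items():
        print(f"{k:16} {v}")
```

Two details are worth noticing when you run it. First, the TCP checksum is the only integrity check that covers the payload, and it is computed over a pseudo-header containing the IP addresses, so flipping any byte of the segment, or rewriting the addresses without fixing the checksum, is detected at the TCP layer while the IP header checksum still verifies. Second, the Data Offset field, not the options themselves, tells the parser where the payload starts, which is why padding to 32 bits matters: a header length that does not match the options present is a malformed segment and should be rejected rather than guessed at.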
