Week 6
Please sit on the right half of the room
--->
Protocols
What is a protocol?
- Definition: A protocol is a set of rules governing the format and transmission of data between devices in a network.
-
Examples:
- HTTP: Hypertext Transfer Protocol (web browsing)
- TCP/IP: Transmission Control Protocol/Internet Protocol (internet communication)
- DNS: Domain Name System (translating domain names to IP addresses)
- Importance: Protocols define communication standards that enable communication between devices.
How are protocols defined?
Modern networking relies on layering multiple protocols (OSI model)
| Layer | Name | Purpose | Examples |
|---|---|---|---|
| 7 | Application | User interaction, services | HTTP, FTP, DNS |
| 6 | Presentation | Data representation | SSL, TLS |
| 5 | Session | Sessions between apps | NetBIOS, PPTP |
| 4 | Transport | Reliable transmission | TCP, UDP |
| 3 | Network | Addressing and routing | IP, ARP, ICMP |
| 2 | Data Link | Manages physical media | Ethernet, PPP |
| 1 | Physical | Transmits raw bitstreams | Ethernet, USB |
At the network layer, data is transmitted as packets with a defined header
A closer look at TCP and UDP
Transport-layer protocols (manage transmission reliability)
TCP
- Establishes reliable connections
- Uses seq numbers and acks
- Includes congestion control
- Error checking and re-transmissions
- Larger overhead
UDP
- Connectionless
- Does not guarantee delivery, order, or integrity
- No congestion control
- Basic error checking
- Lower overhead
What are some examples of media that might be best suited to TCP or UDP?
A closer look at TCP and UDP
0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 ----------------------------------------------------------------- | Source Port | Destination Port | ----------------------------------------------------------------- | Length | Checksum | -----------------------------------------------------------------
A closer look at TCP and UDP
0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Source Port | Destination Port | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Sequence Number | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Acknowledgment Number | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Offset| Res. | Flags | Window | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Checksum | Urgent Pointer | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Options | Padding | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Notice how neither TCP nor UDP specify the IP address
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |Version| Traffic Class | Flow Label | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Payload Length | Next Header | Hop Limit | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | + Source Address + | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | + Destination Address + | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
IP (network layer) encapsulates TCP/UDP (transport layer)
| |
+ TCP/UDP +
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+Internet Protocol (IP)
Layered protocols are encapsulated, usually in data segments
Questions?
More on Protocols
A closer look at TCP and UDP
0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Source Port | Destination Port | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Sequence Number | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Acknowledgment Number | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Offset| Res. | Flags | Window | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Checksum | Urgent Pointer | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Options | Padding | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Flags
- ACK: Acknowledgement valid
- PSH: Request for push
- RST: Reset the connection
- SYN: Synchronize sequence numbers
- FIN: Terminate the connection
TCP Handshake
- SYN (Client to Server): The client provides an initial sequence number
- SYN-ACK (Server to Client): The server responds acknowledges the request and sends its own sequence number
- ACK (Client to Server): The client acknowledges the server's sequence number, completing the handshake.
Establishes a connection between two devices
Common Protocols
| Protocol | Layer | Purpose |
|---|---|---|
| Ethernet | Link Layer | Data transmission over physical networks |
| ARP | Link Layer | Maps IP addresses to MAC addresses |
| IP | Internet Layer | Routes packets between networks |
| TCP | Transport Layer | Ensures reliable, ordered packed delivery |
| UDP | Transport Layer | Provides fast, connectionless data transfer |
| FTP | Application Layer | File transfers |
| HTTP | Application Layer | Transmitting web pages |
Protocol Versioning
| IPV4 IPV6 |
Dotted decimal (e.g., 192.168.1.1) Hexadecimal (e.g., 2001:0db8::1) |
32 bit addresses 128 bit addresses |
| HTTP 2.0 QUIC |
Built on TCP Built on UDP |
Optional encryption Mandatory encryption |
Exact details of the protocol may vary between versions
Questions?
Packet Analysis
When reversing, we may want to inspect an applications network traffic
- Packet capturing
- Filtering
- Graphical user interface
- Packet saving and exporting
- Simplified protocol inspection
Wireshark
Start/Stop Capture
Packet Listing
Packet Content Tree
Raw Data