Thursday, August 9, 2012

Packet Reading - Basics


 Before i make another video post, i wanted to fist break down how packets work. This will be the introduction on how to read the outputs of TCPDUMP, TSHARK and WireShark.

TCP Flags

A, ACK- (Acknowledge) The receiver will send an ACK that equals the senders sequence number plus the Len, or amount of data, at the TCP layer.

SYN, and FIN flags count as 1 byte. The ACK can also be thought of as the sequence number of the next octet the receiver expects to receive.

S, SYN- Synchronize is used during session setup to agree on initial sequence numbers. Sequence numbers are random.

F, FIN- Finish is used during a graceful session close to show that the sender has no more data to send.

R, RST- Reset is an instantaneous abort in both directions (abnormal session disconnection).

P, PSH- Push forces data delivery without waiting for buffers to fill. This is used for interactive traffic. The data will also be delivered to the application on the receiving end with out buffering.

U, URG- Urgent- Data is sent out of band.


Example of 3 Way Hand Shake
--------------------------------------------------------------

Time Dst IP Src IP Protocol Description

20.862 157.57.24.193 157.57.11.169 TCP ....S., len: 4, seq: 346564214, ack: 0, win: 8192,

20.866 157.57.11.169 157.57.24.193 TCP .A..S., len: 4, seq: 339000739, ack: 346564215, win: 8760,

20.866 157.57.24.193 157.57.11.169 TCP .A...., len: 0, seq: 346564215, ack: 339000740, win: 8760,


Example of Graceful Close (Modified 3 Way Hand Shake)


Time Dst IP Src IP Protocol Description 

39.295 157.57.11.169 157.57.24.193 TCP .A...F, len: 0, seq:339000917, ack: 346564257, win: 8718,

39.295 157.57.24.193 157.57.11.169 TCP .A...., len: 0, seq:346564257, ack: 339000918, win: 8583,

39.298 157.57.24.193 157.57.11.169 TCP .A...F, len: 0, seq:346564257, ack: 339000918, win: 8583,

39.300 157.57.11.169 157.57.24.193 TCP .A...., len: 0, seq:339000918, ack: 346564258, win: 8718,


In the above two traces, transmission control protocol (TCP) is the highest layer protocol, so the relevant session information can be read from the summary line of the trace. If there is a higher layer protocol (NBT, SMB, Telnet, FTP, etc.), you will have to look in the packet for the TCP flags, acks and sequence numbers.
Re-transmission Behavior

(from "TCP/IP Implementation Details")
TCP starts a re-transmission timer when each outbound segment is handed down to IP. If no acknowledgment has been received for the data in a given segment before the timer expires, then the segment is retransmitted, up to the TcpMaxDataRetransmissions times. The default value for this parameter is 5.

The re-transmission timer is initialized to 3 seconds when a TCP connection is established; however it is adjusted "on the fly" to match the characteristics of the connection using Smoothed Round Trip Time (SRTT) calculations as described in RFC793. The timer for a given segment is doubled after each re-transmission of that segment. Using this algorithm, TCP tunes itself to the "normal" delay of a connection. TCP connections over high-delay links will take much longer to time out than those over low- delay links.

The following trace clip shows the re-transmission algorithm for two hosts connected over Ethernet on the same subnet. An FTP file transfer was in progress, when the receiving host was disconnected from the network. Since the SRTT for this connection was very small, the first re-transmission was sent after about one-half second. The timer was then doubled for each of the re-transmissions that followed. After the fifth re-transmission, the timer is once again doubled, and if no acknowledgment is received before it expires, then the transfer is aborted.

delta source ip dest ip pro flags description
-------------------------------------------------------------

0.000 10.57.10.32 10.57.9.138 TCP .A...., len: 1460, seq: 8043781, ack:8153124, win: 8760

0.521 10.57.10.32 10.57.9.138 TCP .A...., len: 1460, seq: 8043781, ack:8153124, win: 8760

1.001 10.57.10.32 10.57.9.138 TCP .A...., len: 1460, seq: 8043781, ack:8153124, win: 8760

2.003 10.57.10.32 10.57.9.138 TCP .A...., len: 1460, seq: 8043781, ack:8153124, win: 8760

4.007 10.57.10.32 10.57.9.138 TCP .A...., len: 1460, seq: 8043781, ack:8153124, win: 8760

8.130 10.57.10.32 10.57.9.138 TCP .A...., len: 1460, seq: 8043781, ack:8153124, win: 8760


After computer "X's" retries are exhausted, you may not see a "Reset" right away. If computer "Y" finally responds, computer "X" may then reset the connection.

Sliding Windows

During the handshake, the send window size is set to the other host's receive window. The window size is a buffer and is the amount of data the sender can send and the receiver can receive without an ack. The "window" can slide forward after that packet is acknowledged.


With a receive window of 8760, the sender may send 8760 bytes before receiving an ack. The receiver could ack every packet, every other packet or the entire 8760 depending on the IP stack and timing. (See Delayed Ack Timer, and Retransmit timer) Windows NT will ack every other packet. If the packets are coming extremely fast, you may see Windows NT ack more than 2 packets. If the PUSH bit set, data will be delivered up to the application right away, but the ack may still be delayed.


The sequence number in frame 51 is 349349990. The ack in frame 57 is 349358750. This is the sequence number from frame 51 plus the amount of data received in frames 51 through 56 (6 frames x 1460 =8760) . Also, the ack 349358750 is the sequence number of the next packet that the host expects to receive.

Frame Time Src Other Addr Dst Other Addr Protocol Description
---------------------------------------------------------------------

50 3.923 157.57.11.169 157.57.24.193 TCP .A...., len:0, seq: 356870796, ack: 349349990, win: 8760,

51 3.924 157.57.24.193 157.57.11.169 FTP Data Transfer To Client, Port = 1636, size 1460

+ TCP: .A...., len: 1460, seq: 349349990, ack: 356870796, win: 8760, src:20 dst: 1636

52 3.940 157.57.24.193 157.57.11.169 FTP Data Transfer To Client, Port = 1636, size 1460

53 3.941 157.57.24.193 157.57.11.169 FTP Data Transfer To Client, Port = 1636, size 1460

54 3.943 157.57.24.193 157.57.11.169 FTP Data Transfer To Client, Port = 1636, size 1460

55 3.944 157.57.24.193 157.57.11.169 FTP Data Transfer To Client, Port = 1636, size 1460

56 3.946 157.57.24.193 157.57.11.169 FTP Data Transfer To Client, Port = 1636, size 1460

57 3.947 157.57.11.169 157.57.24.193 TCP .A...., len:0, seq: 356870796, ack: 349358750, win: 4096,


The window size is also used for flow control. If a host is advertising a smaller window size when its buffers are filling, or a window size of 0 if it can not receive data at all. In frame 50 above, the host is advertising a window size of 8760 and in frame 57 it has been dropped to 4096.

Ports, Connections, and Endpoints

Port numbers define the ultimate destination within a computer. Connections are identified by a pair of endpoints. An Endpoint is the (host, port). Ex. (199.199.40, 21)

Port Numbers

The port numbers are divided into three ranges: the Well-Known Ports,the Registered Ports, and the Dynamic and/or Private Ports. The Well-Known Ports are those from 0 through 1023.The Registered Ports are those from 1024 through 49151. The Dynamic and/or Private Ports are those from 49152 through 65535.


Well-Known Ports are assigned by Internet Assigned Numbers Authority (IANA) and should only be used by System Processes or by programs executed by priviledged users. An example of this type of port is 80/TCP and 80/UDP. These ports are priviledged and reserved for use by the HTTP protocol.


Registered Ports are listed by the IANA and on most systems can be used by ordinary user processes or programs executed by ordinary users. An example of this type of port is 1723/TCP and 1723/UDP. Although these ports can be used by other processes they are generally accepted as the connection control port for Point To Point Tunnelling Protocol (PPTP).


Dynamic or Private Ports can be used by any process or user. They are unrestricted.


IANA maintains a list of ports on their Web site at:

http://www.iana.org/assignments/port-numbers

Microsoft provides third-party contact information to help you find technical support. This contact information may change without notice. Microsoft does not guarantee the accuracy of this third-party contact information.


Trace Reading Suggestions

Follow a session using source and destination IP address and Port numbers. If you find a Reset, focus on the sequence numbers and acks that proceed it. Use a calculator to see what ack is corresponding to what data sent. Newer versions of NetMon will do the calculations for you. Is the sender doing retries? Note the number of retries and the time elapsed. The default number of retries is 5. Is the receiver asking for a missed frame by ACKing a previous sequence number? Did the sender back up and resend the previous packet? A Reset can be caused by time-outs at the TCP layer or by time outs of higher layer protocols. Resets originating at the TCP layer should be easy to read from the trace. It may be more difficult to determine the cause of Resets originating from higher layer protocols.


For example, a Server Message Block (SMB) read may time out in 45 seconds and cause a Reset of the session even though communications are slow but working at the TCP layer. The trace may only narrow down what component is at fault. From there you may need to use other troubleshooting methods to determine the cause.


No comments:

Post a Comment