TCP/IP
Outline: 1. The TCP/IP model  2. IP  3. The TCP/IP protocol suite  4. IPv6
1 The TCP/IP model against the seven OSI layers:
7 Application
6 Presentation
5 Session
4 Transport
3 Network
2 Data link
1 Physical
2 IP (IPv4)
2.1 IPv4 addressing
2.1 IPv4 private addresses: the IETF (RFC 1918) reserved one class A network, 16 class B networks and 256 class C networks for private use: 10.0.0.0 - 10.255.255.255 (10/8), 172.16.0.0 - 172.31.255.255 (172.16/12), 192.168.0.0 - 192.168.255.255 (192.168/16). These addresses are never routed on the Internet; a site using them reaches the Internet through NAT.
2.1 IPv4 NAT: internal hosts a1.b1.c1.d1, a2.b2.c2.d2, a3.b3.c3.d3, ..., an.bn.cn.dn sit behind one public address x1.x2.x3.x4. The NAT device rewrites the source address (and source port) of outgoing packets to x1.x2.x3.x4 and maps the replies back to the internal host.
2.1 IPv4 and the link layer: a MAC address is 48 bits. On Windows, ipconfig /all shows the physical (MAC) address together with the IP address, mask and gateway.
2.2 IPv4 network mask. Definition: a 32-bit value whose one-bits mark the network part of the address and whose zero-bits mark the host part. Default masks: class A 255.0.0.0 (/8), class B 255.255.0.0 (/16), class C 255.255.255.0 (/24).
2.2 Subnet mask: N one-bits (netid, network plus subnet) followed by M zero-bits (hostid), with N + M = 32. IP address AND mask = network address; the all-zeros and all-ones host parts are the network and broadcast addresses and cannot be assigned to hosts.
2.2 Subnet mask example: the class C network 202.183.56.0 has host bits 202.183.56.xxxxxxxx. Borrowing one host bit (mask 255.255.255.128, /25) gives two subnets: 202.183.56.0xxxxxxx (202.183.56.0/25) and 202.183.56.1xxxxxxx (202.183.56.128/25).
Exercise: the class C network 202.112.11.0 must be divided among three departments A, B and C that need 120, 60 and 62 IP addresses respectively. Find a mask for each subnet (the subnets do not have to be the same size).
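A worked solution for the exercise, added here as an example (it is not part of the original slides). It uses variable-length subnet masks: each department gets the smallest prefix whose usable host count covers its demand, largest demand first so every allocation stays aligned. The input block and the three demands are taken from the exercise; everything else is the example's own.

```python
import ipaddress


def prefix_for(hosts):
    """Smallest prefix length whose usable host count (2^(32-p) - 2)
    covers `hosts` addresses."""
    prefix = 30                       # /30 is the smallest with 2 usable hosts
    while (2 ** (32 - prefix)) - 2 < hosts:
        prefix -= 1
        if prefix < 0:
            raise ValueError("too many hosts for a single IPv4 network")
    return prefix


def plan_subnets(block, demands):
    """Variable-length subnetting: carve one subnet per department out of
    `block`. Largest demand first keeps each allocation aligned on its own
    size. Returns {name: IPv4Network}."""
    free = [ipaddress.ip_network(block)]
    plan = {}
    for name, hosts in sorted(demands.items(), key=lambda kv: -kv[1]):
        prefix = prefix_for(hosts)
        for cand in sorted(free, key=lambda n: n.network_address):
            if cand.prefixlen <= prefix:
                chosen = next(cand.subnets(new_prefix=prefix))
                free.remove(cand)
                if chosen != cand:             # return the unused remainder
                    free.extend(cand.address_exclude(chosen))
                plan[name] = chosen
                break
        else:
            raise ValueError(f"{name}: no free space for a /{prefix} in {block}")
    return plan


def describe(plan):
    """Network, mask, first/last usable host and usable host count."""
    rows = {}
    for name, net in plan.items():
        hosts = list(net.hosts())
        rows[name] = (str(net), str(net.netmask), str(hosts[0]),
                      str(hosts[-1]), len(hosts))
    return rows


if __name__ == "__main__":
    # Constructed input from the exercise: 202.112.11.0/24 shared by A, B, C.
    plan = plan_subnets("202.112.11.0/24", {"A": 120, "B": 60, "C": 62})
    for name, row in sorted(describe(plan).items()):
        print(name, *row)
```

With 120, 60 and 62 hosts the result is A = 202.112.11.0/25 (126 usable), C = 202.112.11.128/26 (62 usable) and B = 202.112.11.192/26 (62 usable); a demand of 63 would already need a /25, which is why the 62-host department is placed before the 60-host one.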
3 The TCP/IP protocol suite
Network layer: IP, with the helper protocols ICMP, IGMP, ARP, RARP
Transport layer: UDP, TCP
Application layer: SMTP/POP, HTTP, DNS, FTP
3.1 Network-layer helper protocols: ARP/RARP, ICMP, IGMP
IPv4 header structure (20 bytes without options; each row is 32 bits):
 Version (4) | IHL (4) | Type of Service (8) | Total length of IP datagram (16)
 Identification (16)                          | Flags (3) | Fragment offset (13)
 Time-to-live (8)  | Protocol (8)             | Header checksum (16, for error control)
 Source IP address (32)
 Destination IP address (32)
 Options (variable) | Padding
 Payload of IP datagram
Version (4 bits): tells that this is IP version 4 (IPv4).
Header length (IHL, 4 bits, counted in 32-bit words) is needed since Options + Padding can vary in length; the value 5 means the 20-byte header without options. Options: Security (packet classification), Strict source routing (the whole routing list), Loose source routing (the mandatory routing list), Record route (record the IP address of each hop), Timestamp (record the IP address and timestamp of each hop). The source-routing options let the sender dictate the path a packet takes, which is why routers and firewalls commonly drop packets carrying them.
ToS = Type of Service (8 bits) is used for QoS management purposes. In the original definition the first 3 bits indicate precedence, 0 being low (normal packet) and 7 being high (network control packet); the next 3 bits request low delay, high throughput and high reliability; the last 2 bits are reserved. The source could use the service type bits to indicate the routing metric to be used. Today the same byte is read as a 6-bit DSCP field plus 2 ECN bits (RFC 2474, RFC 3168).
Total length (16 bits) counts the whole datagram, header included, so an IP datagram can contain up to 2^16 - 1 = 65535 bytes (in theory). Most links cannot carry such large datagrams (the Ethernet MTU is 1500 bytes), so large datagrams are fragmented.
IP fragmentation: a datagram larger than the MTU of the next link is fragmented (in any router along the path, unless DF is set) and is reassembled only at the destination. Identification (16 bits): all fragments of one datagram carry the same value. Flags (3 bits): 1st bit reserved; 2nd bit DF, 0 = may fragment, 1 = do not fragment; 3rd bit MF, 0 = last fragment, 1 = more fragments follow. Fragment offset (13 bits): position of the fragment's data in the original datagram, in units of 8 bytes (zero in the first fragment).
Time-to-live (8 bits): this number is decreased by one in each router along the path. If zero is reached in a router, the IP datagram is discarded and the router sends an ICMP message (Time Exceeded, type 11) to the source of the datagram.
Protocol field (8 bits): describes which higher layer protocol is used (TCP, UDP, SCTP...). The header of this upper protocol is located at the beginning of the IP datagram payload. E.g. 1 ICMP, 6 TCP, 17 UDP, 89 OSPF, 132 SCTP.
Header checksum (16 bits): error control of the header only; the payload is protected by the TCP or UDP checksum. Because the TTL changes at every hop, each router must verify the checksum and recompute it before forwarding. This kind of error control is not used in IPv6, where the link layer and the transport checksum (mandatory for UDP in IPv6) cover errors.
Source and destination IP address (32 bits each): note that these addresses are not changed in routers along the route (only a NAT device rewrites them). Nothing in the header authenticates the source address, which is what makes address spoofing possible.
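The fragmentation rules above, as an added example that is not from the slides: a sender-side splitter that fills in Identification, MF and the 8-byte offset, and a receiver-side reassembler that refuses overlapping, missing or trailing pieces. Overlapping fragments are the classic way to crash a reassembler or to slip traffic past an IDS that sees a different reassembly than the host. The MTU, identification value and payload are constructed for the example.

```python
def fragment(ident, payload, mtu=1500, ihl=20):
    """Split `payload` the way an IP layer does: every fragment but the last
    carries a multiple of 8 data bytes; offset is counted in 8-byte units and
    MF is set on all fragments except the last one."""
    max_data = (mtu - ihl) // 8 * 8
    frags, off = [], 0
    while off < len(payload) or not frags:          # empty payload -> one fragment
        chunk = payload[off:off + max_data]
        more = off + len(chunk) < len(payload)
        frags.append({"id": ident, "mf": more, "offset": off // 8, "data": chunk})
        off += len(chunk)
    return frags


def reassemble(frags):
    """Reassemble fragments grouped by Identification. Returns {id: payload}
    and raises ValueError on overlap, gap, oversized non-final fragment, or a
    datagram whose final (MF=0) fragment never arrived."""
    groups = {}
    for f in frags:
        groups.setdefault(f["id"], []).append(f)
    result = {}
    for ident, parts in groups.items():
        parts.sort(key=lambda f: f["offset"])
        expected, buf, last_seen = 0, bytearray(), False
        for f in parts:
            start = f["offset"] * 8
            if last_seen:
                raise ValueError(f"id {ident}: data after the final fragment")
            if start < expected:
                raise ValueError(f"id {ident}: overlapping fragment at byte {start}")
            if start > expected:
                raise ValueError(f"id {ident}: gap before byte {start}")
            if f["mf"] and len(f["data"]) % 8:
                raise ValueError(f"id {ident}: non-final fragment not a multiple of 8")
            buf += f["data"]
            expected += len(f["data"])
            last_seen = not f["mf"]
        if not last_seen:
            raise ValueError(f"id {ident}: final fragment (MF=0) never arrived")
        result[ident] = bytes(buf)
    return result


if __name__ == "__main__":
    # Constructed 2560-byte payload crossing a 1500-byte MTU link.
    payload = bytes(range(256)) * 10
    frags = fragment(7, payload)
    print([(f["offset"], f["mf"], len(f["data"])) for f in frags])
    print(reassemble(frags)[7] == payload)
```

A real stack also has to bound how long it keeps partial datagrams and how much memory they may occupy, otherwise an attacker can exhaust the reassembly buffer with fragments that never complete.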
3.1.1 ARP/RARP: mapping between IP addresses and link-layer (MAC) addresses
ARP packet fields: hardware type 1 (Ethernet), protocol type 0x0800 (IP), hardware address length 6, protocol address length 4, operation (1 = request, 2 = reply), sender MAC and IP, target MAC and IP.
ARP example: the request is broadcast (destination ff:ff:ff:ff:ff:ff, "who has this IP?"), the reply is unicast back to the requester. Resolved mappings are kept for a while in the ARP cache (arp -a on both Windows and Unix).
Experiment (Windows): ping a neighbour, clear the ARP cache, install a static entry that binds its IP to a bogus MAC, and ping again. The frames now go to a MAC nobody owns, so the second ping gets no replies; the exchange can be followed with a sniffer.
C:\Documents and Settings\Administrator>PING 172.18.12.199
Pinging 172.18.12.199 with 32 bytes of data:
Reply from 172.18.12.199: bytes=32 time<1ms TTL=128
Reply from 172.18.12.199: bytes=32 time<1ms TTL=128
Reply from 172.18.12.199: bytes=32 time<1ms TTL=128
Reply from 172.18.12.199: bytes=32 time<1ms TTL=128
Ping statistics for 172.18.12.199:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms
C:\Documents and Settings\Administrator>ARP -D
C:\Documents and Settings\Administrator>ARP -A
No ARP Entries Found
C:\Documents and Settings\Administrator>ARP -S 172.18.12.199 00-88-88-88-88-88
C:\Documents and Settings\Administrator>APR -A
'APR' is not recognized as an internal or external command, operable program or batch file.
C:\Documents and Settings\Administrator>ARP -A
Interface: 172.18.12.192 --- 0x10005
  Internet Address      Physical Address      Type
  172.18.12.199         00-88-88-88-88-88     static
C:\Documents and Settings\Administrator>PING 172.18.12.199
ARP spoofing example. Hosts on one LAN: A: IP 192.168.0.1, MAC AA:AA:AA:AA:AA:AA; B: IP 192.168.0.2, MAC BB:BB:BB:BB:BB:BB; C: IP 192.168.0.3, MAC CC:CC:CC:CC:CC:CC.
1. A wants to reach 192.168.0.3 (C) and broadcasts an ARP request for that IP.
2. B, the attacker, also answers the request for 192.168.0.3, with a forged reply: IP 192.168.0.3, MAC BB:BB:BB:BB:BB:BB.
3. ARP is stateless and unauthenticated, so A accepts the reply and stores the wrong IP-to-MAC binding in its ARP cache (B can keep refreshing it with unsolicited replies).
4. Traffic from A to C is now delivered to B, which can read it (for example a telnet session, whose password travels in clear) and forward it to C so that neither side notices.
Countermeasures: static IP-to-MAC entries (arp -s) on critical hosts, IP+MAC binding on the switch ports, and monitoring of ARP traffic for one IP being claimed by several MACs or one MAC claiming several IPs (MAC-to-IP consistency).
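The monitoring countermeasure in working form, added here as an example (not part of the slides). It reads a constructed sniffer log of the exchange above, in a one-line-per-packet format invented for the example, and raises alerts on the three signals a practitioner looks for: a reply that contradicts a static binding, an IP claimed by more than one MAC, and a reply nobody asked for.

```python
from collections import defaultdict

# Constructed capture (hypothetical format: op sender_ip sender_mac target_ip
# target_mac) reproducing the A/B/C scenario: C answers, then B forges a
# reply for C's address and also sends an unsolicited reply for its own.
CAPTURE = """\
REQUEST 192.168.0.1 aa:aa:aa:aa:aa:aa 192.168.0.3 00:00:00:00:00:00
REPLY   192.168.0.3 cc:cc:cc:cc:cc:cc 192.168.0.1 aa:aa:aa:aa:aa:aa
REPLY   192.168.0.3 bb:bb:bb:bb:bb:bb 192.168.0.1 aa:aa:aa:aa:aa:aa
REPLY   192.168.0.2 bb:bb:bb:bb:bb:bb 192.168.0.1 aa:aa:aa:aa:aa:aa
"""


def parse_arp_line(line):
    op, sip, smac, tip, tmac = line.split()
    return {"op": op.upper(), "sender_ip": sip, "sender_mac": smac.lower(),
            "target_ip": tip, "target_mac": tmac.lower()}


def detect_spoofing(packets, static_bindings=None):
    """Return a list of alert strings for a sequence of parsed ARP packets.
    static_bindings: {ip: mac} entries the operator knows to be correct."""
    static = {ip: mac.lower() for ip, mac in (static_bindings or {}).items()}
    claimed = defaultdict(set)      # ip -> MACs seen claiming it
    requested = set()               # IPs for which a request was observed
    alerts = []
    for p in packets:
        if p["op"] == "REQUEST":
            requested.add(p["target_ip"])
            continue
        ip, mac = p["sender_ip"], p["sender_mac"]
        if ip in static and static[ip] != mac:
            alerts.append(f"{ip} claimed by {mac}, static binding says {static[ip]}")
        if ip not in requested:
            alerts.append(f"unsolicited reply for {ip} from {mac}")
        claimed[ip].add(mac)
        if len(claimed[ip]) > 1:
            alerts.append(f"{ip} claimed by multiple MACs: {sorted(claimed[ip])}")
    return alerts


def scan_capture(text, static_bindings=None):
    packets = [parse_arp_line(l) for l in text.splitlines() if l.strip()]
    return detect_spoofing(packets, static_bindings)


if __name__ == "__main__":
    for alert in scan_capture(CAPTURE, {"192.168.0.3": "CC:CC:CC:CC:CC:CC"}):
        print("ALERT:", alert)
```

Unsolicited (gratuitous) replies are also sent legitimately when a host boots or changes address, so in production that signal is a hint to correlate rather than an alarm on its own; the multiple-MAC signal is the one with the lowest false-positive rate.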
Proxy ARP: a router answers ARP requests for hosts that are on another network with its own MAC address, so the requester sends the traffic to the router without knowing that the destination is remote.
RARP (Reverse ARP): a host that knows only its own MAC address asks a RARP server for its IP address; used by diskless workstations at boot time, and superseded by BOOTP and DHCP.
ARP and RARP work only inside one LAN: they are link-layer broadcasts and are not routed, so an ARP request can never resolve an IP address on another network.
3.1.2 ICMP
ICMP messages are carried inside IP datagrams (protocol 1). Every message starts with type (1 byte), code (1 byte) and checksum (2 bytes); an ICMP error message also carries the IP header of the offending datagram plus the first 8 bytes of its payload, enough for the source to identify the TCP/UDP ports of the connection concerned.
Figure: ICMP error generation along the path A - R1 - R2 - R3 - B (steps 1 to 4).
ICMP echo request and echo reply carry an identifier (ID) and a sequence number (SN) so that each reply can be matched to the request that caused it.
ping uses ICMP echo request (type 8) and echo reply (type 0); the round-trip time is measured between the two.
traceroute (Linux) / tracert (Windows) sends probes with TTL 1, 2, 3, ... and reads the source address of each ICMP Time Exceeded reply to discover the routers along the path; watch the exchange with a sniffer.
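The checksum shared by the IPv4 header and ICMP (the Header checksum slide above) and the echo request just described, as an added example that is not from the slides. It computes the RFC 1071 Internet checksum, builds an echo request with ID and sequence number, wraps it in a 20-byte IPv4 header, and shows the per-hop TTL decrement that forces every router to recompute the header checksum. Addresses, ID and payload are constructed for the example.

```python
import socket
import struct


def inet_checksum(data):
    """RFC 1071: one's-complement of the one's-complement sum of all 16-bit
    words, an odd trailing byte being padded with zero."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold the carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def checksum_ok(data):
    """With the checksum field filled in, the block sums to 0xFFFF, so the
    checksum of the whole block is zero."""
    return inet_checksum(data) == 0


def icmp_echo_request(ident, seq, payload=b""):
    """Type 8, code 0, checksum, identifier, sequence number, payload."""
    head = struct.pack("!BBHHH", 8, 0, 0, ident, seq)
    csum = inet_checksum(head + payload)
    return struct.pack("!BBHHH", 8, 0, csum, ident, seq) + payload


def ipv4_header(src, dst, proto, payload_len, ttl=64, ident=0):
    """Minimal 20-byte IPv4 header: version 4, IHL 5, ToS 0, DF set."""
    ver_ihl = (4 << 4) | 5
    head = struct.pack("!BBHHHBBH4s4s", ver_ihl, 0, 20 + payload_len, ident,
                       0x4000, ttl, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))
    csum = inet_checksum(head)
    return head[:10] + struct.pack("!H", csum) + head[12:]


def forward_hop(header):
    """What every router does to the header: decrement TTL and recompute the
    checksum. Returns None when the TTL would reach 0: the datagram is
    discarded and an ICMP Time Exceeded (type 11, code 0) goes to the source."""
    ttl = header[8]
    if ttl <= 1:
        return None
    new = bytearray(header)
    new[8] = ttl - 1
    new[10:12] = b"\x00\x00"
    new[10:12] = struct.pack("!H", inet_checksum(bytes(new)))
    return bytes(new)


if __name__ == "__main__":
    # Constructed packet: echo request from 192.168.0.1 to 192.168.0.3.
    icmp = icmp_echo_request(0x1234, 1, b"ping-payload")
    ip = ipv4_header("192.168.0.1", "192.168.0.3", 1, len(icmp))
    print(ip.hex(), checksum_ok(ip), checksum_ok(icmp))
    print(forward_hop(ip).hex())
```

The checksum is only an error check: an attacker who alters a field simply recomputes it, so a correct checksum says nothing about who sent the packet.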
3.1.3 IGMP (Internet Group Management Protocol, RFC 1112): hosts use it to tell the local multicast router which groups they have joined, and the router queries the LAN periodically to find out whether any member is left.
Well-known group addresses: 224.0.0.0 is reserved (base of the class D range 224.0.0.0 - 239.255.255.255), 224.0.0.1 all hosts on this subnet, 224.0.0.2 all routers on this subnet, 224.0.1.1 NTP.
Mapping to Ethernet: multicast MAC addresses range from 01:00:5e:00:00:00 to 01:00:5e:7f:ff:ff. The low 23 bits of the group address are copied into the MAC address; the 5 bits between the fixed 1110 prefix and those 23 bits are dropped, so 32 different group IDs map onto one MAC address and the IP layer must still check the destination group.
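The 23-bit mapping as code, added here as an example that is not from the slides. It derives the MAC for a group address, lists the 32 groups that collide on that MAC, and shows the receive-side check the IP layer has to make because the NIC's MAC filter alone cannot tell those groups apart. Group addresses used are the well-known ones from the slide plus constructed ones.

```python
import ipaddress


def multicast_mac(group):
    """224.0.0.0/4 group address -> 01:00:5e:xx:xx:xx (low 23 bits copied)."""
    addr = ipaddress.IPv4Address(group)
    if not addr.is_multicast:
        raise ValueError("%s is not a multicast (224.0.0.0/4) address" % group)
    mac = 0x01005E000000 | (int(addr) & 0x7FFFFF)
    return ":".join("%02x" % ((mac >> shift) & 0xFF) for shift in range(40, -1, -8))


def groups_sharing_mac(group):
    """All 32 group addresses that map to the same MAC as `group`: they differ
    only in the 5 address bits the mapping throws away (bits 23 to 27)."""
    low23 = int(ipaddress.IPv4Address(group)) & 0x7FFFFF
    return [str(ipaddress.IPv4Address(0xE0000000 | (hi << 23) | low23))
            for hi in range(32)]


def deliver(frame_dst_mac, packet_dst_ip, joined_groups):
    """Receive path: the NIC passes the frame when the MAC matches, but the
    IP layer must still compare the group address with the groups actually
    joined, otherwise traffic for a colliding group leaks into the socket."""
    if frame_dst_mac.lower() != multicast_mac(packet_dst_ip):
        return False
    return packet_dst_ip in joined_groups


if __name__ == "__main__":
    print(multicast_mac("224.0.0.1"), multicast_mac("239.128.0.1"))   # same MAC
    print(groups_sharing_mac("224.0.1.1"))
```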
3.2 TCP UDP
3.2.1 TCP
Figure: TCP segments are carried in IP datagrams; IP delivers the datagrams hop by hop while the two TCP endpoints see a single end-to-end connection.
TCP connection establishment and release.
Three-way handshake: (1) client sends SYN with its initial sequence number ISN_c; (2) server answers SYN+ACK with its own ISN_s and ack = ISN_c + 1; (3) client sends ACK with ack = ISN_s + 1. A SYN consumes one sequence number, which is why the acknowledgement is ISN + 1.
Reliability: every byte is numbered from the ISN; the receiver acknowledges the next byte it expects and the sender retransmits what is not acknowledged in time. The ISN must be unpredictable, since an attacker who can guess it can complete a handshake with a spoofed source address or inject segments into an existing connection.
Release: each side sends FIN and the other side acknowledges it, four segments in total; the side that closes first waits in TIME_WAIT before the connection is fully gone.
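The handshake arithmetic with both sides' segments, added as an example that is not from the slides. The endpoints are plain dictionaries and the segments are constructed; the point is the sequence/acknowledgement bookkeeping, the 32-bit wrap-around and the check each side makes before accepting the peer's segment.

```python
import secrets

MASK = 0xFFFFFFFF          # sequence numbers are 32 bits and wrap around


def random_isn():
    """Unpredictable initial sequence number from the OS CSPRNG."""
    return secrets.randbits(32)


def expected_ack(seq):
    """A SYN (or FIN) consumes one sequence number: its ACK is seq + 1 mod 2^32."""
    return (seq + 1) & MASK


def syn(client_isn):
    return {"flags": "SYN", "seq": client_isn}


def syn_ack(server_isn, received_syn):
    return {"flags": "SYN+ACK", "seq": server_isn,
            "ack": expected_ack(received_syn["seq"])}


def validate_syn_ack(client_isn, segment):
    """Client-side check: a SYN+ACK whose ack is not ISN_c + 1 does not
    belong to this connection attempt (a real stack answers it with RST)."""
    return segment["flags"] == "SYN+ACK" and segment["ack"] == expected_ack(client_isn)


def final_ack(client_isn, received_syn_ack):
    return {"flags": "ACK", "seq": expected_ack(client_isn),
            "ack": expected_ack(received_syn_ack["seq"])}


def handshake(client_isn=None, server_isn=None):
    """Run the three-way handshake. Returns (established, exchange, client,
    server); client/server hold snd_nxt/rcv_nxt once ESTABLISHED."""
    c_isn = random_isn() if client_isn is None else client_isn
    s_isn = random_isn() if server_isn is None else server_isn
    exchange = []
    s1 = syn(c_isn)
    exchange.append(("client->server", s1))
    s2 = syn_ack(s_isn, s1)
    exchange.append(("server->client", s2))
    if not validate_syn_ack(c_isn, s2):
        return False, exchange, None, None
    s3 = final_ack(c_isn, s2)
    exchange.append(("client->server", s3))
    if s3["ack"] != expected_ack(s_isn):       # server-side check of segment 3
        return False, exchange, None, None
    client = {"state": "ESTABLISHED", "snd_nxt": expected_ack(c_isn), "rcv_nxt": expected_ack(s_isn)}
    server = {"state": "ESTABLISHED", "snd_nxt": expected_ack(s_isn), "rcv_nxt": expected_ack(c_isn)}
    return True, exchange, client, server


if __name__ == "__main__":
    ok, exchange, client, server = handshake()
    for direction, seg in exchange:
        print(direction, seg)
    print(ok, client, server)
```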
TCP: how the RTT is obtained. The sender timestamps a segment, measures the time until its acknowledgement arrives, and keeps a smoothed average and a variance of these samples; the retransmission timeout (RTO) is derived from them and doubled after every expiry. Samples from retransmitted segments are not used, because it is ambiguous which copy the acknowledgement belongs to.
TCP maximum segment size: each side announces its MSS in the SYN; the MSS actually used is min(SMSS, RMSS), the smaller of the sender's and the receiver's values, and each is derived from its link MTU minus the IP and TCP headers (1500 - 40 = 1460 on Ethernet). Both values can be seen in the SYN segments with a sniffer.
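The RTT-to-RTO computation as code, added here as an example that is not from the slides. It follows the RFC 6298 rules (SRTT and RTTVAR with gains 1/8 and 1/4, RTO = SRTT + 4*RTTVAR, 1 s floor, exponential backoff, Karn's rule of ignoring samples from retransmitted segments) and adds the MSS minimum from the slide. The RTT samples in the usage are constructed.

```python
class RtoEstimator:
    """RFC 6298 retransmission timer driven by RTT samples."""
    ALPHA, BETA, K = 1 / 8, 1 / 4, 4

    def __init__(self, granularity=0.0, min_rto=1.0, max_rto=60.0):
        self.granularity, self.min_rto, self.max_rto = granularity, min_rto, max_rto
        self.srtt = None          # smoothed RTT
        self.rttvar = None        # RTT variation
        self.rto = 1.0            # initial RTO before any sample

    def sample(self, rtt, retransmitted=False):
        """Feed one RTT measurement (seconds). Karn's algorithm: a sample taken
        from a retransmitted segment is ambiguous and is ignored."""
        if retransmitted:
            return self.rto
        if self.srtt is None:                        # first measurement
            self.srtt, self.rttvar = rtt, rtt / 2
        else:
            self.rttvar = (1 - self.BETA) * self.rttvar + self.BETA * abs(self.srtt - rtt)
            self.srtt = (1 - self.ALPHA) * self.srtt + self.ALPHA * rtt
        rto = self.srtt + max(self.granularity, self.K * self.rttvar)
        self.rto = min(self.max_rto, max(self.min_rto, rto))
        return self.rto

    def backoff(self):
        """Timer expired: retransmit and double the RTO (capped)."""
        self.rto = min(self.rto * 2, self.max_rto)
        return self.rto


def mss_from_mtu(mtu, ip_header=20, tcp_header=20):
    """MSS a host announces: link MTU minus the IP and TCP headers."""
    return mtu - ip_header - tcp_header


def effective_mss(smss, rmss):
    """The smaller of the sender's MSS and the one the peer announced."""
    return min(smss, rmss)


if __name__ == "__main__":
    est = RtoEstimator()
    for rtt in (0.100, 0.200, 0.120, 0.900):        # constructed samples
        print("sample %.3f -> RTO %.3f" % (rtt, est.sample(rtt)))
    print("after timeout:", est.backoff())
    print("MSS:", effective_mss(mss_from_mtu(1500), 536))
```

The 1 s floor is why, on a LAN with sub-millisecond RTTs, a lost segment still costs about a second: the timer is conservative by design, and fast retransmit (three duplicate ACKs) exists to recover sooner in the common case.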
3.2.2 UDP
TCP/UDP comparison: TCP is connection-oriented, reliable, ordered and flow-controlled; UDP is connectionless, unreliable and message-oriented, with only ports and an optional checksum added to IP.
3.3 Application protocols: Mail (SMTP/POP), HTTP, DNS, FTP
3.3.1 Mail
3.3.1 Mail protocols. SMTP: Postel J. Simple Mail Transfer Protocol. RFC 821. http://www.ietf.org/rfc/rfc0821.txt  POP: Myers J. Post Office Protocol - Version 3. RFC 1939. http://www.ietf.org/rfc/rfc1939.txt
3.3.1 Mail theory: SMTP carries mail from the user agent to the server and between servers; POP lets the user agent fetch it from the mailbox. User agents: Foxmail, Outlook. Servers: Sendmail, qmail.
3.3.1 Mail format: RFC 822 (header fields such as From, To, Subject, Date, then an empty line, then the body).
3.3.1 Mail format, MIME (Multipurpose Internet Mail Extensions): originally RFC 1341, now RFC 2045-2049, with extensions RFC 2231 (parameter encoding) and RFC 2646 (text/plain format=flowed). MIME adds content types, multipart messages and content transfer encodings so that non-ASCII text and binary attachments survive 7-bit mail transport.
3.3.1 MIME content transfer encodings.
base64: every 3 input bytes become 4 characters from a 64-character alphabet (A-Z, a-z, 0-9, +, /); the final group is padded with '=' so the output length is a multiple of 4. Expansion about 33%; used for binary attachments.
Quoted-printable: printable ASCII passes through unchanged, every other byte (and '=' itself) becomes '=' followed by two hex digits; encoded lines are limited to 76 characters and a trailing '=' marks a soft line break. Used for mostly-ASCII text with a few non-ASCII characters.
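Both encodings implemented from the rules above, as an added example that is not from the slides. Hand-written rather than the standard library so the 3-to-4 grouping, the padding and the soft line breaks are visible; a self-check compares the base64 output with Python's base64 module. Inputs in the usage are constructed.

```python
import base64

B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"


def b64encode(data):
    """3 bytes -> 4 characters; '=' pads the last group to a multiple of 4."""
    out = []
    for i in range(0, len(data), 3):
        chunk = data[i:i + 3]
        n = int.from_bytes(chunk.ljust(3, b"\0"), "big")
        sextets = [(n >> 18) & 63, (n >> 12) & 63, (n >> 6) & 63, n & 63]
        keep = len(chunk) + 1                # 3 bytes -> 4 chars, 2 -> 3, 1 -> 2
        out.append("".join(B64[s] for s in sextets[:keep]) + "=" * (4 - keep))
    return "".join(out)


def b64decode(text):
    """Shift 6 bits per character into an accumulator and emit a byte whenever
    8 bits are available. Whitespace (line folding) is skipped."""
    bits = nbits = 0
    out = bytearray()
    for ch in "".join(text.split()).rstrip("="):
        bits = (bits << 6) | B64.index(ch)   # ValueError on any other character
        nbits += 6
        if nbits >= 8:
            nbits -= 8
            out.append((bits >> nbits) & 0xFF)
            bits &= (1 << nbits) - 1
    return bytes(out)


def qp_encode(data, maxlen=76):
    """Quoted-printable for an arbitrary byte string: printable ASCII passes
    through, anything else (and '=') becomes =XX, a trailing space is encoded,
    and lines are kept to `maxlen` characters with '=' soft breaks. This
    variant treats the input as binary: CR/LF bytes are encoded, not kept."""
    lines, line = [], ""
    last = len(data) - 1
    for i, b in enumerate(data):
        literal = (33 <= b <= 126 and b != 61) or (b == 32 and i != last)
        tok = chr(b) if literal else "=%02X" % b
        if len(line) + len(tok) > maxlen - 1:   # leave room for the soft-break '='
            lines.append(line + "=")
            line = ""
        line += tok
    lines.append(line)
    return "\r\n".join(lines)


def qp_decode(text):
    out = bytearray()
    parts = text.split("\r\n")
    for idx, line in enumerate(parts):
        soft = line.endswith("=")
        if soft:
            line = line[:-1]
        i = 0
        while i < len(line):
            if line[i] == "=":
                out.append(int(line[i + 1:i + 3], 16))
                i += 3
            else:
                out.append(ord(line[i]))
                i += 1
        if not soft and idx < len(parts) - 1:   # hard line break in the text
            out += b"\r\n"
    return bytes(out)


def self_check():
    """Round-trip every byte value and compare base64 with the stdlib."""
    blob = bytes(range(256)) * 2
    return (b64encode(blob) == base64.b64encode(blob).decode("ascii")
            and b64decode(b64encode(blob)) == blob
            and qp_decode(qp_encode(blob)) == blob)


if __name__ == "__main__":
    print(b64encode(b"Man"), b64encode(b"Ma"), b64encode(b"M"))
    print(qp_encode("café = 1".encode("utf-8")))
    print(self_check())
```

Mail filters have to decode these encodings before inspecting content: a base64-encoded attachment or a quoted-printable subject line hides every keyword from a scanner that works on the raw message.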
3.3.1 SMTP: the client opens a TCP connection to port 25. Connection establishment: the server greets with 220, the client sends HELO (or EHLO) and gets 250.
Message transfer: MAIL FROM:<sender> (250), one RCPT TO:<recipient> per recipient (250, or a 5xx refusal), DATA (354), the message text terminated by a line containing a single '.', then 250 when the message is queued. A line of the message that starts with '.' is sent with the dot doubled.
Connection termination: QUIT, answered with 221. Reply codes starting with 2 mean success, 3 means "continue", 4 a temporary failure and 5 a permanent one.
3.3.1 POP (Post Office Protocol): the user agent retrieves mail from its mailbox on the server.
POP3 (RFC 1939) listens on TCP port 110: USER and PASS authenticate (in clear unless the connection is protected), STAT and LIST report the mailbox contents, RETR fetches a message, DELE marks it for deletion, QUIT ends the session and applies the deletions.
3.3.1 SPAM: unsolicited bulk mail, typically sent through open relays, forged sender addresses and compromised machines.
Countermeasures: blacklists (refuse mail from known spam sources), whitelists (always accept known correspondents), and rule-based filtering of headers and content; closing open relays removes the easiest sending path.
HTTP (Hypertext Transfer Protocol)
HTTP paradigm: client/server request-response over TCP (port 80); every request is independent, the protocol itself keeps no state between them.
HTTP message types: request and response.
HTTP request message: request line, header lines, an empty line, optional body.
HTTP request line: method, request-URI and HTTP version separated by spaces, e.g. GET /index.html HTTP/1.1
HTTP methods: GET, HEAD, POST, PUT, DELETE
GET: retrieve the resource named by the URL; any parameters travel in the URL query string and therefore end up in logs and browser history.
POST: submit data in the request body (forms, uploads); the body length is given by Content-Length or by chunked transfer encoding.
HEAD: like GET but the response carries only the status line and headers, no body; used to check size, modification date or whether a link is still valid.
HTTP URL: scheme://host[:port]/path[?query]
HTTP response message: status line, header lines, an empty line, body.
HTTP status line: HTTP version, status code, reason phrase, e.g. HTTP/1.1 200 OK
HTTP status codes: 1xx informational, 2xx success (200 OK), 3xx redirection (301, 302, 304), 4xx client error (400, 403, 404), 5xx server error (500, 503).
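A parser for the request format above and a builder for the response format, added as an example that is not from the slides. Besides splitting request line, headers and body, it rejects the ambiguous messages that request-smuggling attacks rely on: two different Content-Length values, Content-Length together with Transfer-Encoding, and whitespace between a header name and its colon. Sample requests are constructed.

```python
REASONS = {200: "OK", 301: "Moved Permanently", 302: "Found", 304: "Not Modified",
           400: "Bad Request", 403: "Forbidden", 404: "Not Found",
           500: "Internal Server Error", 503: "Service Unavailable"}
METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS"}


def decode_chunked(data):
    """Transfer-Encoding: chunked body -> bytes (hex size, CRLF, chunk, CRLF ... 0)."""
    out, pos = bytearray(), 0
    while True:
        end = data.find(b"\r\n", pos)
        if end < 0:
            raise ValueError("truncated chunk-size line")
        size = int(data[pos:end].split(b";")[0], 16)   # ignore chunk extensions
        pos = end + 2
        if size == 0:
            return bytes(out)
        if data[pos + size:pos + size + 2] != b"\r\n":
            raise ValueError("chunk not terminated by CRLF")
        out += data[pos:pos + size]
        pos += size + 2


def parse_request(raw):
    """Raw HTTP/1.x request (bytes) -> dict(method, target, version, headers, body).
    Header names are lower-cased; repeated headers are joined with ', '."""
    head, sep, rest = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no empty line after the headers")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3:
        raise ValueError("request line must be: method SP request-URI SP version")
    method, target, version = (p.decode("ascii") for p in parts)
    if method not in METHODS:
        raise ValueError("unsupported method %r" % method)
    if version not in ("HTTP/1.0", "HTTP/1.1"):
        raise ValueError("unsupported version %r" % version)
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        # RFC 7230 3.2.4: no whitespace between field name and colon. Front ends
        # and back ends that disagree on such lines are what smuggling exploits.
        if not colon or not name or name != name.strip():
            raise ValueError("malformed header line %r" % line)
        name = name.decode("ascii").lower()
        value = value.strip().decode("latin-1")
        if name in headers and name != "content-length":
            headers[name] += ", " + value                 # RFC 7230 3.2.2 list merge
        elif name in headers and headers[name] != value:
            raise ValueError("conflicting Content-Length values")
        else:
            headers[name] = value
    if version == "HTTP/1.1" and "host" not in headers:
        raise ValueError("HTTP/1.1 request without Host header")
    if "content-length" in headers and "transfer-encoding" in headers:
        raise ValueError("both Content-Length and Transfer-Encoding: ambiguous length")
    if "transfer-encoding" in headers:
        if headers["transfer-encoding"].lower() != "chunked":
            raise ValueError("unsupported transfer coding")
        body = decode_chunked(rest)
    elif "content-length" in headers:
        if not headers["content-length"].isdigit():
            raise ValueError("non-numeric Content-Length")
        length = int(headers["content-length"])
        if len(rest) < length:
            raise ValueError("body shorter than Content-Length")
        body = rest[:length]
    else:
        body = b""
    return {"method": method, "target": target, "version": version,
            "headers": headers, "body": body}


def build_response(status, body=b"", content_type="text/plain"):
    """Status line, headers, empty line, body (a reply to HEAD omits the body)."""
    head = "HTTP/1.1 %d %s\r\nContent-Type: %s\r\nContent-Length: %d\r\n\r\n" % (
        status, REASONS.get(status, "Unknown"), content_type, len(body))
    return head.encode("ascii") + body


if __name__ == "__main__":
    # Constructed request.
    req = b"POST /login HTTP/1.1\r\nHost: www.seu.edu.cn\r\nContent-Length: 9\r\n\r\nuser=abcd"
    print(parse_request(req))
    print(build_response(200, b"hi"))
```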
Web (http://www.w3c.org): Web 1.0, static pages published by site owners and read by visitors.
WWW (World Wide Web): documents written in HTML, identified by URLs, linked to each other by hypertext links and transferred over HTTP.
Hypertext: text containing links that lead to other documents.
Browser structure: user interface, HTTP client, HTML/XML parser and page renderer.
Document formats: HTML, XML, XHTML.
Web phishing: mail and web pages that imitate a trusted site (a bank, PayPal) to make the victim enter credentials on an attacker-controlled server. The APWG (Anti-Phishing Working Group) publishes statistics and reports on such attacks.
Step 1: the victim receives an e-mail that looks like it comes from the real site.
Step 2: the link in the mail shows one address but leads to another.
Visible link: https://www.paypal.com/us/cgi-bin/webscr?cmd=_login-run
Actual link to: http://218.246.224.203/icons/.cgi-bin/paypal/cgi-bin/webscrcmd_login.php
Phish site IP: 218.246.224.203
Handling web phishing: check the real target of a link (the href), not the text or image it is displayed with, since HTML lets the two differ and an image of a URL can hide the actual destination entirely. A raw IP address where a well-known domain is expected, or http where the shown link says https, are both warning signs.
Do not follow links in unsolicited mail; type the site's address by hand or use a bookmark, and check the certificate presented by the site.
Report phishing pages so that they are taken down and added to browser and mail filters.
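The href-versus-visible-text check from the handling slides as code, added as an example that is not from the slides. It walks the anchors of a mail body with Python's html.parser and flags a raw IP host, a visible domain that differs from the actual host, an https link that really goes to http, and an image-only link. The sample HTML is constructed; its first anchor reuses the visible and actual links from the example above, and the third anchor's host name is invented.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed mail body: the page's phishing link, the genuine link, and a
# hypothetical image-only link (login-paypal.example is an invented host).
SAMPLE_HTML = """
<p>Dear user, please verify your account:</p>
<a href="http://218.246.224.203/icons/.cgi-bin/paypal/cgi-bin/webscrcmd_login.php">
  https://www.paypal.com/us/cgi-bin/webscr?cmd=_login-run</a>
<a href="https://www.paypal.com/us/cgi-bin/webscr?cmd=_login-run">https://www.paypal.com/us/cgi-bin/webscr?cmd=_login-run</a>
<a href="http://login-paypal.example/"><img src="button.png" alt=""></a>
"""

DOMAIN_RE = re.compile(r"(?i)\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b")


class LinkCollector(HTMLParser):
    """Collects (href, visible text, contains-image) for every <a>."""

    def __init__(self):
        super().__init__()
        self.links, self._cur = [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self._cur = {"href": a["href"], "text": "", "image": False}
        elif tag == "img" and self._cur is not None:
            self._cur["image"] = True

    def handle_data(self, data):
        if self._cur is not None:
            self._cur["text"] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._cur is not None:
            self.links.append(self._cur)
            self._cur = None


def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def check_link(link):
    """Reasons a link looks like phishing; empty list when nothing is suspicious."""
    reasons = []
    parsed = urlparse(link["href"])
    host = (parsed.hostname or "").lower()
    text = link["text"]
    if _is_ip(host):
        reasons.append("raw IP address in href")
    m = DOMAIN_RE.search(text)
    if m:
        shown = m.group(1).lower()
        if host != shown and not host.endswith("." + shown):
            reasons.append(f"visible {shown} but href goes to {host or '?'}")
    if "https://" in text.lower() and parsed.scheme == "http":
        reasons.append("shown as https, actual link is http")
    if link["image"] and not text.strip():
        reasons.append("image-only link (no visible text)")
    return reasons


def scan(html):
    """All suspicious anchors in an HTML document, with their reasons."""
    collector = LinkCollector()
    collector.feed(html)
    return [{"href": l["href"], "reasons": check_link(l)}
            for l in collector.links if check_link(l)]


if __name__ == "__main__":
    for finding in scan(SAMPLE_HTML):
        print(finding["href"], "->", "; ".join(finding["reasons"]))
```

"Click here" anchors carry no domain to compare, so this check is necessarily incomplete; it catches the common case where the attacker shows the genuine URL as bait.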
3.3.3 DNS
DNS resolver interface: gethostbyname (name to address) and gethostbyaddr (address to name).
DNS header flags: QR (0 = query, 1 = response); opcode (0 = standard query, name to IP; 1 = inverse query; 2 = server status request); AA = authoritative answer; RD = recursion desired (1 = recursive, 0 = iterative) and RA = recursion available; RCODE = response code.
DNS resource record types: A (address), NS (name server), CNAME (alias), MX (mail exchanger), PTR (reverse lookup), SOA (start of authority), TXT.
Format of query and answer: header, question section (name, type, class), then answer, authority and additional sections made of resource records (name, type, class, TTL, data length, data).
Transport: UDP or TCP, port 53. Clients (resolvers) normally use UDP; TCP is used for zone transfers between the main (primary) server and the additional (secondary) servers, and for answers too large for one UDP datagram.
Name length and encoding: a domain name is a sequence of labels (label.label. ... label), sent on the wire as a length byte followed by the label's characters and terminated by a zero length; each label is at most 63 octets and the whole name at most 255 octets. A length byte whose top two bits are 11 is instead a pointer to an earlier occurrence of the rest of the name (message compression).
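The wire encoding above as code, added as an example that is not from the slides: an encoder that enforces the 63/255-octet limits and a decoder that follows compression pointers safely. Pointers are the classic DNS parser hazard: a pointer that points at itself or forms a cycle hangs a naive decoder, so every jump here must go strictly backwards, past the previous target, and is capped. The message bytes are constructed.

```python
import struct

MAX_LABEL, MAX_NAME, MAX_JUMPS = 63, 255, 16


def encode_name(name):
    """'www.seu.edu.cn' -> b'\\x03www\\x03seu\\x03edu\\x02cn\\x00'."""
    out = bytearray()
    for label in [l for l in name.split(".") if l]:
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= MAX_LABEL:
            raise ValueError("label %r longer than %d octets" % (label, MAX_LABEL))
        out.append(len(raw))
        out += raw
    out.append(0)
    if len(out) > MAX_NAME:
        raise ValueError("name longer than %d octets" % MAX_NAME)
    return bytes(out)


def decode_name(msg, offset):
    """Return (name, offset_after_name). Follows RFC 1035 4.1.4 compression
    pointers but requires each target to lie before the pointer and before
    the previous target, and caps the number of jumps, so a looping or
    forward pointer is rejected instead of spinning. Every read is bounds
    checked against the message."""
    labels, jumps, end, consumed = [], 0, None, 0
    limit = len(msg)                       # targets must stay below this
    while True:
        if offset >= len(msg):
            raise ValueError("name runs past the end of the message")
        ln = msg[offset]
        if ln & 0xC0 == 0xC0:              # compression pointer
            if offset + 1 >= len(msg):
                raise ValueError("truncated compression pointer")
            ptr = ((ln & 0x3F) << 8) | msg[offset + 1]
            if end is None:
                end = offset + 2           # the name occupies up to here
            jumps += 1
            if ptr >= offset or ptr >= limit or jumps > MAX_JUMPS:
                raise ValueError("invalid or looping compression pointer")
            limit, offset = ptr, ptr
            continue
        if ln & 0xC0:
            raise ValueError("reserved label type")
        if ln == 0:
            if end is None:
                end = offset + 1
            return ".".join(labels) + ".", end
        if offset + 1 + ln > len(msg):
            raise ValueError("label runs past the end of the message")
        labels.append(msg[offset + 1:offset + 1 + ln].decode("ascii"))
        consumed += 1 + ln
        if consumed + 1 > MAX_NAME:
            raise ValueError("decoded name longer than %d octets" % MAX_NAME)
        offset += 1 + ln


def question(name, qtype=1, qclass=1):
    """Question section entry: QNAME, QTYPE (1 = A), QCLASS (1 = IN)."""
    return encode_name(name) + struct.pack("!HH", qtype, qclass)


if __name__ == "__main__":
    # Constructed message: a full name, then 'ftp' + pointer to 'seu.edu.cn' at offset 4.
    msg = encode_name("www.seu.edu.cn") + b"\x03ftp\xc0\x04"
    print(decode_name(msg, 0), decode_name(msg, 16))
```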
DNS domain name structure
DNS query process (RFC 1034). Iterative: the server refers the client to another server and lets the client pursue the query. Recursive: the first server pursues the query for the client at another server. Both approaches have advantages and disadvantages, but the iterative approach is preferred for the datagram style of access. The domain system requires implementation of the iterative approach, but allows the recursive approach as an option.
Example of an iterative query: the resolver asks a root server, is referred to the cn servers, then to edu.cn, then to seu.edu.cn, which holds the answer.
Example of a recursive query: a user at MIT asks the MIT DNS server for a name under seu.edu.cn; the MIT server itself walks root -> cn -> edu.cn -> seu.edu.cn and returns the final answer to the user. Name tree in the figure: root; com, edu, cn; under cn: edu.cn, gov, ...; under edu.cn: seu, pku, tsinghua; under seu.edu.cn: www, email, ftp.
3.3.4 FTP (RFC 959)
User-FTP process: a set of functions including a protocol interpreter, a data transfer process and a user interface which together perform the function of file transfer in cooperation with one or more server-FTP processes. The user interface allows a local language to be used in the command-reply dialogue with the user. Server-FTP process: a process or set of processes which perform the function of file transfer in cooperation with a user-FTP process and, possibly, another server. The functions consist of a protocol interpreter (PI) and a data transfer process (DTP).
PI: the protocol interpreter. Server-DTP: the data transfer process, in its normal "active" state, establishes the data connection with the "listening" data port. User-DTP: the data transfer process "listens" on the data port for a connection from a server-FTP process.
FTP model: user PI and server PI talk over the control connection; user DTP and server DTP (or two server DTPs) talk over the data connection.
Two connections. Control connection: the communication path between the user-PI and server-PI for the exchange of commands and replies; this connection follows the Telnet protocol. Data connection: a full-duplex connection over which data is transferred, in a specified mode and type. The data transferred may be a part of a file, an entire file or a number of files. The path may be between a server-DTP and a user-DTP, or between two server-DTPs. Normally the client opens the control connection and the server opens the data connection (active mode).
PORT and addresses: both the user and the server DTPs have a default data port. The user-process default data port is the same as the control connection port; the server-process default data port is the port adjacent to the control connection port (i.e. 21 - 1 = 20). The user can set a new data port with the PORT command, h1,h2,h3,h4,p1,p2, where the first four numbers are the IP address and the port is p1*256 + p2.
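The PORT argument format and the checks a server should apply to it, as an added example that is not from the slides. Because PORT names an arbitrary address and port, a server that connects wherever it is told can be used as a proxy to scan or attack third hosts (the FTP bounce attack, RFC 2577); the handler below accepts only the client's own address and an unprivileged port. The peer addresses in the usage are constructed.

```python
def parse_port_arg(arg):
    """'h1,h2,h3,h4,p1,p2' -> (ip, port). Raises ValueError when malformed."""
    fields = arg.split(",")
    if len(fields) != 6:
        raise ValueError("PORT needs six decimal fields")
    nums = [int(f) for f in fields]          # ValueError on non-numeric text
    if any(not 0 <= n <= 255 for n in nums):
        raise ValueError("each field must be 0..255")
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]


def format_port_arg(ip, port):
    """(ip, port) -> 'h1,h2,h3,h4,p1,p2' as the client sends it."""
    if not 0 < port <= 65535:
        raise ValueError("port out of range")
    return ",".join(ip.split(".") + [str(port // 256), str(port % 256)])


def handle_port(arg, control_peer_ip):
    """Server-side PORT handling. The data address must be the address the
    control connection came from, and the port must not be a privileged
    service port; otherwise the server becomes a bounce proxy. Returns the
    FTP reply line."""
    try:
        ip, port = parse_port_arg(arg)
    except ValueError as e:
        return "501 Syntax error in PORT argument: %s" % e
    if ip != control_peer_ip:
        return "500 Illegal PORT command (address differs from control connection)"
    if port < 1024:
        return "500 Illegal PORT command (privileged port)"
    return "200 PORT command successful (%s:%d)" % (ip, port)


if __name__ == "__main__":
    # Constructed: client at 192.168.0.2 asks for data on its own port 1025,
    # then tries to point the server at a third host.
    print(handle_port(format_port_arg("192.168.0.2", 1025), "192.168.0.2"))
    print(handle_port("10,0,0,9,0,25", "192.168.0.2"))
```

Passive mode (PASV) avoids the problem from the client side as well, since then the client opens the data connection to the server and no address is ever dictated to the server.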
FTP replies: every reply starts with a three-digit code followed by a space, or by a hyphen when more lines of the same reply follow (so the code and separator are the first 3 to 4 bytes of the reply). The first digit tells the outcome: 1 positive preliminary, 2 positive completion, 3 positive intermediate, 4 transient negative, 5 permanent negative.
FTP restart: a restart marker lets an interrupted get or put resume from where it stopped instead of starting over (REST command, then RETR or STOR); clients compare the local size with the server's SIZE reply to decide where to continue. Examples: CuteFTP log, NetAnts FTP, SIZE, .job files (reply 130).
4 IPV6
Figure: IPv4 address statistics motivating IPv6 (510,000,000 total; 149,000,000 = 29.2%; 361,000,000 = 71.8%).
IPv6 is available on Windows XP and Linux; on both the IPv6 protocol stack has to be installed or enabled before it can be used.
IPv6 tunnels: IPv6 islands v6(1), v6(2), v6(3), v6(4), ..., v6(n), each reachable through an IPv4 address IPv4(1) ... IPv4(n), are connected across the IPv4 Internet by encapsulating IPv6 packets inside IPv4 datagrams (protocol 41) between the tunnel endpoints. How to realize this is the transition question.
IPv6 addressing and protocol translation: the other transition mechanisms are dual stack (hosts run both protocols) and translation between IPv6 and IPv4 at a gateway.
END of TCP/IP