
3 TCPIP Overview

The document provides an overview of TCP/IP concepts, including the TCP/IP protocol stack, IP addressing, and various numbering systems. It discusses the four layers of the TCP/IP stack, the functions of TCP and UDP, and the importance of IP addresses and ports. Additionally, it covers the use of Wireshark for network analysis and troubleshooting.

Uploaded by

Amna Aysha

TCP/IP Concepts Review

Lesson Objectives
• Upon completing this lesson, you will be able to:
  – Describe the TCP/IP protocol stack
  – Explain the basic concepts of IP addressing
  – Explain the binary, octal, and hexadecimal numbering systems
Overview of TCP/IP
• Protocol
  – A set of rules that govern how computers operate and communicate
  – Transmission Control Protocol/Internet Protocol (TCP/IP)
    • Most widely used
• TCP/IP stack
  – Four distinct layers
    • Network
    • Internet
    • Transport
    • Application
TCP/IP to OSI Mapping
Compare the TCP/IP stack with the OSI Model stack, which is composed of seven layers: Physical, Data Link, Network, Session, Transport, Presentation, and Application.

• Application: Protocols for Client Software
  – OSI → Application, Presentation, Session
• Transport: TCP/UDP Services Transporting Data Packets
  – OSI → Transport
• Internet: IP Addressing
  – OSI → Network
• Network: Physical Network Pathway
  – OSI → Data Link, Physical
What is Wireshark?
It's a tool used to inspect data passing through a network interface, such as Ethernet or Wi-Fi.

• The de facto network protocol analyzer
  – Open source (GNU Public License)
  – Multi-platform (Windows, Linux, OS X, Solaris, FreeBSD, NetBSD, and others)
  – Large development group
• Previously named "Ethereal"
Purpose of using this tool
• What we can do:
  – Capture network traffic
  – Define filters (capture and display)
  – Watch smart statistics
  – Analyze problems
• Some network administrators and engineers use Wireshark to:
  – Troubleshoot network problems
  – Examine security problems
Capturing Packets (1/2)
Select the interface for capturing packets
Capturing Packets (2/2)
Wireshark Interface Capture options.
Wireshark TCP/IP Stack Example
[Figure: Wireshark output with the four TCP/IP layers labeled]

1. Network
2. Internet
3. Transport
4. Application
The Application Layer
• The application layer is the OSI layer closest to the end user, which means both the OSI application layer and the user interact directly with the software application.
  – (e.g., a web browser using HTTP to access a website)
The Transport Layer
The Transport Layer is responsible for establishing a temporary communication session between two applications and delivering data between them.

• TCP/IP uses two protocols to achieve this:
  – Transmission Control Protocol (TCP)
  – User Datagram Protocol (UDP)
• TCP is a connection-oriented protocol.
• UDP is a connectionless protocol.

[Figure: Wireshark output]
TCP Segment Headers
As a security professional, it is important to clearly understand the critical components of a TCP header.
• Hackers usually try to exploit these components to discover vulnerabilities and perform attacks.
• Critical components include:
  – TCP flags
  – Initial sequence number (ISN)
  – Source and destination port numbers
Transport Layer: TCP Flags
The six flags in a TCP header are switches that can be set to on or off to indicate the status of a port or service.

• Each flag occupies one bit of the TCP segment
  – Can be set to 0 (off) or 1 (on)
Initial Sequence Number (ISN)
• The initial sequence number (ISN) is a 32-bit number that tracks packets received by a node and allows reassembling large packets that have been broken up into smaller packets.
• Steps 1 and 2 of the three-way handshake send an ISN. That is, the ISN from the sending node is sent with the SYN packet, and the ISN from the receiving node is sent back to the sending node with the SYN-ACK packet. An ISN can be quite a large number because 2^32 allows a range of numbers from zero to more than four billion.
• The ISN has always been the subject of security issues, as it seems to be a favorite way for hackers to 'hijack' TCP connections.
TCP Ports
A port is the logical component of a connection that identifies the service running on a network device.
• TCP packet
  – Two 16-bit fields
  – Contain source and destination port numbers
• Port
  – Logical, not physical, TCP connection component
  – Identifies running service
  – Example: HTTP uses port 80
• Helps you stop or disable unneeded services
  – More running services, more ports open for attack
• Only the first 1023 ports are considered well-known
• List of well-known ports available at Internet Assigned Numbers Authority: www.iana.org
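
The header fields named on the last four slides (flags, ISN, source and destination ports) can be read straight out of the first 20 bytes of a segment. The following is an added example, not part of the original slides: the handshake bytes are constructed, and the function names and sample port and ISN values are assumptions.

```python
import struct

FLAG_NAMES = ["FIN", "SYN", "RST", "PSH", "ACK", "URG"]  # bit 0 .. bit 5

def parse_tcp_header(segment):
    """Decode the fixed 20-byte TCP header into the fields the slides list."""
    if len(segment) < 20:
        raise ValueError("a TCP header is at least 20 bytes")
    src, dst, seq, ack, offset, flag_byte, _win, _sum, _urg = struct.unpack(
        "!HHIIBBHHH", segment[:20])
    if (offset >> 4) * 4 < 20:
        raise ValueError("data offset smaller than the minimum header")
    flags = {n for bit, n in enumerate(FLAG_NAMES) if flag_byte & (1 << bit)}
    return {"src_port": src, "dst_port": dst, "seq": seq, "ack": ack,
            "flags": flags, "well_known_dst": 1 <= dst <= 1023}

def is_three_way_handshake(segments):
    """True if three raw segments form SYN, SYN-ACK, ACK with matching ISNs."""
    if len(segments) != 3:
        return False
    syn, synack, final = (parse_tcp_header(s) for s in segments)
    return (syn["flags"] == {"SYN"}
            and synack["flags"] == {"SYN", "ACK"}
            and final["flags"] == {"ACK"}
            # each side acknowledges the other's ISN + 1 (with 32-bit wraparound)
            and synack["ack"] == (syn["seq"] + 1) % 2**32
            and final["ack"] == (synack["seq"] + 1) % 2**32
            and final["seq"] == synack["ack"])

def build_segment(src, dst, seq, ack, flag_byte):
    """Pack a constructed 20-byte header (window 65535, checksum left at 0)."""
    return struct.pack("!HHIIBBHHH", src, dst, seq, ack, 5 << 4,
                       flag_byte, 65535, 0, 0)

# Constructed sample: client port 49152 opens a connection to port 80.
CLIENT_ISN, SERVER_ISN = 439041101, 4294967295  # server ISN is the largest 32-bit value
HANDSHAKE = [
    build_segment(49152, 80, CLIENT_ISN, 0, 0x02),               # SYN
    build_segment(80, 49152, SERVER_ISN, CLIENT_ISN + 1, 0x12),  # SYN-ACK
    build_segment(49152, 80, CLIENT_ISN + 1, 0, 0x10),           # ACK; server ISN + 1 wraps to 0
]

if __name__ == "__main__":
    for raw in HANDSHAKE:
        print(parse_tcp_header(raw))
    print("valid handshake:", is_three_way_handshake(HANDSHAKE))
```
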
User Datagram Protocol (UDP)
UDP is the simplest Transport Layer communication protocol in the TCP/IP protocol suite, and it involves a minimal communication mechanism.

• UDP is used when acknowledgement of data does not hold any significance.
• UDP is a good protocol for data flowing in one direction.
• UDP is simple and suitable for query-based communications such as DNS queries.
• UDP is not connection-oriented.
• UDP does not guarantee ordered delivery of data.
• UDP is a suitable protocol for streaming applications such as VoIP and multimedia streaming.
The Internet Layer
The Internet layer is responsible for routing packets to their destination using a logical addressing scheme called IP addressing.

• It is responsible for routing packets to their destination using IP addresses.
• Like UDP, IP packet delivery is connectionless.
• Internet Control Message Protocol (ICMP) sends messages related to network operations.
• Several attacks can be avoided by blocking ICMP traffic.
• Helps troubleshoot network connectivity problems
  • Ping command
• Tracks the route a packet passes through
  • Traceroute command (Linux)
  • Tracert command (Windows)
IP Addressing
An IP address is an address used to uniquely identify a device on an IP network.

• IP addressing is logical addressing.
• It works at the Network Layer (Layer 3).
• Two versions of IP addressing
  – IP Version 4: 32-bit addressing
  – IP Version 6: 128-bit addressing
• An IP address is a 32-bit binary number that is unique for each device.
• It is divided into two components with the help of a subnet mask:
  – Network address
  – Host address
• IP addresses are converted to decimal format to make them readable for humans.
• IP addresses are interpreted in binary format, consisting of 0s and 1s.
IP Addressing (cont'd.)
• Class A or /8: network host host host
  – First byte is reserved for network address
  – Last three bytes are available for host computers
  – Supports more than 16 million host computers
  – Limited number of Class A networks
    • Reserved for large corporations and governments
  – Format: network.node.node.node
    • An example of a Class A IP address is 102.168.212.226, where "102" identifies the network and "168.212.226" identifies the host on that network.
IP Addressing (cont'd.)
• Class B or /16: network network host host
  – Divided evenly
    • Two-octet network address
    • Two-octet host address
  – Supports more than 65,000 hosts
    • Assigned to large corporations and Internet Service Providers (ISPs)
  – Format: network.network.node.node
    • An example of a Class B IP address is 168.212.226.204, where "168.212" identifies the network and "226.204" identifies the host on that network.
IP Addressing (cont'd.)
• Class C or /24: network network network host
  – Three-octet network address and one-octet host address
    • More than two million Class C addresses
  – Supports up to 254 host computers
    • Usually available for small business and home use
  – Format: network.network.network.node
    • An example of a Class C IP address is 200.168.212.226, where "200.168.212" identifies the network and "226" identifies the host on that network.
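
The network/host split described on the IP Addressing slides is a bitwise AND of the 32-bit address with the subnet mask. The following is an added example, not part of the original slides, run on the three sample addresses from the slides; the function name and the first-octet class ranges (the standard classful ranges, which the slides do not list) are assumptions.

```python
import ipaddress

# Standard classful first-octet ranges (assumed, not from the slides):
# (class, lowest first octet, highest first octet, prefix length)
CLASSFUL = [("A", 0, 127, 8), ("B", 128, 191, 16), ("C", 192, 223, 24)]

def split_classful(address):
    """Split an IPv4 address into network and host parts using its classful mask."""
    ip = ipaddress.IPv4Address(address)   # raises ValueError on malformed input
    value = int(ip)                       # the address as one 32-bit number
    first_octet = value >> 24
    for name, low, high, prefix in CLASSFUL:
        if low <= first_octet <= high:
            break
    else:
        raise ValueError(f"{address} is outside classes A, B and C")
    # Build the mask: 'prefix' one-bits followed by zero-bits.
    mask = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    network = ipaddress.IPv4Address(value & mask)
    host_octets = str(ip).split(".")[prefix // 8:]
    return {
        "class": name,
        "mask": str(ipaddress.IPv4Address(mask)),
        "network": str(network),
        "host": ".".join(host_octets),
        # all-zeros and all-ones host values are reserved, hence the minus 2
        "usable_hosts": 2 ** (32 - prefix) - 2,
        "binary": ".".join(f"{octet:08b}" for octet in ip.packed),
    }

if __name__ == "__main__":
    # The three example addresses used on the slides.
    for sample in ("102.168.212.226", "168.212.226.204", "200.168.212.226"):
        print(sample, split_classful(sample))
```
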
IPv6 Addressing
• Internet Protocol version 6 (IPv6)
  – Developed to increase IP address space and provide additional security
  – IPv6 does not use the dotted-decimal subnet mask notation
• Prefix length indicates the network portion of an IPv6 address using the following format:
  • IPv6 address/prefix length
  • Prefix length can range from 0 to 128
  • Typical prefix length is /64
  • IPv6 can theoretically hold 2^128 IP addresses.
  • 2^128 = 340,282,366,920,938,463,463,374,607,431,768,211,456
Overview of Numbering Systems
• This section provides a review of the binary, octal, and hexadecimal numbering systems.
• As a security professional, knowledge of numbering systems will come into play
  – Binary (Base 2 → 0 and 1)
  – Octal (Base 8 → 0, 1, 2…7)
  – Decimal (Base 10 → 0, 1, 2…9)
  – Hexadecimal (Base 16 → 0, 1, 2…9, A, B, C, D, E, F)
Reviewing the Binary Numbering System
• Uses number 2 as its base
Converting from Decimal to Binary
Hexadecimal numeral system
The hexadecimal numeral system, also known as just hex, is a numeral system made up of 16 symbols (base 16).
• With hex, the first 10 digits, 0 thru 9, are the same as decimal.
• However, 10 thru 15 decimal are represented as a single hex digit A thru F.
• Binary to hex: nibbles and bits
  – To convert a binary byte to a hex byte, first split the binary number into two nibbles, treating them as separate numbers, and then compute the hex equivalent for each half.
  – Finally, concatenate the two hex numbers into a single solution.
  – This works perfectly because a nibble has a value from 0 thru 15 or 0x0 thru 0xF.
Reviewing the Octal Numbering System
The octal numeral system, or oct for short, is the base-8 number system, and uses the digits 0 to 7.
• Octal numerals can be made from binary numerals by grouping consecutive binary digits into groups of three (starting from the right).
• Uses 8 as its base
  – Supports values from 0 to 7
• Octal digits can be represented with only three bits
• UNIX permissions
  – Owner permissions (rwx)
  – Group permissions (rwx)
  – Other permissions (rwx)
    • Setting permission (rwxrwxrwx) means they all have read, write, and execute permissions
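
The nibble method from the hexadecimal slide and the groups-of-three method from the octal slide, applied to a byte and to UNIX permission strings. The following is an added example, not part of the original slides; the function names and the sample permission strings other than rwxrwxrwx are assumptions.

```python
HEX_DIGITS = "0123456789ABCDEF"

def _check_bits(bits):
    """Reject anything that is not a non-empty string of 0s and 1s."""
    if not bits or set(bits) - {"0", "1"}:
        raise ValueError(f"not a binary string: {bits!r}")

def byte_to_hex(bits):
    """Convert an 8-bit binary string to hex by splitting it into two nibbles."""
    _check_bits(bits)
    if len(bits) != 8:
        raise ValueError("expected exactly 8 bits")
    high, low = bits[:4], bits[4:]          # each nibble is worth 0..15
    return HEX_DIGITS[int(high, 2)] + HEX_DIGITS[int(low, 2)]

def binary_to_octal(bits):
    """Group bits in threes starting from the right; each group is one octal digit."""
    _check_bits(bits)
    width = -(-len(bits) // 3) * 3          # round length up to a multiple of 3
    padded = bits.zfill(width)              # pad on the left so grouping starts at the right
    return "".join(str(int(padded[i:i + 3], 2)) for i in range(0, width, 3))

def permissions_to_octal(perms):
    """Turn a nine-character string such as 'rwxr-xr--' into its octal mode."""
    if len(perms) != 9:
        raise ValueError("expected owner, group and other triplets (9 characters)")
    bits = ""
    for position, char in enumerate(perms):
        expected = "rwx"[position % 3]      # r, w, x repeat for owner, group, other
        if char == expected:
            bits += "1"
        elif char == "-":
            bits += "0"
        else:
            raise ValueError(f"unexpected {char!r} at position {position}")
    return binary_to_octal(bits)

if __name__ == "__main__":
    print(byte_to_hex("11100010"))             # 226, the last octet of the slides' sample addresses
    print(binary_to_octal("11100010"))
    for sample in ("rwxrwxrwx", "rwxr-xr--", "rw-------"):
        print(sample, permissions_to_octal(sample))
```
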
Summary (1/3)
• TCP/IP is the most widely used protocol for communication over the Internet.
• The TCP/IP stack consists of four layers that perform different functions.
  – Network, Application, Transport, and Internet
• The Application layer protocols are the front end to the lower-layer protocols.
  – Examples of protocols operating at this layer are HTTP, SMTP, Telnet, and SNMP
• The Transport layer is responsible for encapsulating data into segments and uses
  – UDP or TCP headers for connections and for forwarding data.
  – TCP is a connection-oriented protocol.
  – UDP is a connectionless protocol.
Summary (2/3)
• The critical components of TCP segment headers are
  – TCP flags
  – Initial sequence number (ISN)
  – Source and destination port numbers
• TCP ports identify the services running on a system.
  – Port numbers from 1 to 1023 are considered well-known ports.
  – A total of 65,535 port numbers are available.
• The Internet layer is responsible for routing a packet to a destination address.
• IP addresses as well as ICMP messages are used in this layer.
• IP, like UDP, is a connectionless protocol.
• ICMP is used to send messages related to network operations.
Summary (3/3)
• An IP address consists of 4 bytes, also called octets, which are divided into two components: a network address and a host address.
• Three classes of addresses are used on the Internet: Class A, B, and C.
• An IPv6 address consists of 16 bytes and is written in hexadecimal notation.
• Binary numbers are represented by 0 or 1.
• The octal numbering system (base 8) uses numbers from 0 to 7.
• The number 7 can be written with 3 binary bits: 111.
• Hexadecimal is a base-16 numbering system that uses numbers from 0 to 15.
• After 9, the numbers 10, 11, 12, 13, 14, and 15 are represented as A, B, C, D, E, and F.
