Internet Protocol (IP)
The purpose of protocols at layer 3 of the OSI model is to allow for communication between networks. A MAC address is used for communication on a single network at layer 2; in much the same fashion, layer 3 is responsible for the addresses used in internetwork communication. A few protocols can do this, but the most common is the Internet Protocol (IP), which currently has two versions in use: IP version 4 and IP version 6. We’ll start by examining IPv4 addresses, which are defined in RFC 791.
IPv4 addresses are 32-bit numbers assigned to uniquely identify devices connected to a network. It’s a bit much to expect someone to remember a sequence of ones and zeros that is 32 characters long, so IP addresses are written in dotted-quad notation. In dotted-quad notation, each of the four sets of ones and zeros that make up an IP address is converted to base 10 and represented as a number between 0 and 255 in the format A.B.C.D (see Figure 10.0). Let’s consider the IP address 10101100 00010000 00000000 00000001. It is obviously a bit much to remember or notate. Using dotted-quad notation, we can represent it as shown below.
Binary format:   10101100 00010000 00000000 00000001
Decimal format:  172      16       0        1
Figure 10.0: IPv4 address notation
An IP address has two parts: a network portion and a host portion. The network portion identifies the LAN the device is connected to; the host portion identifies the device itself on that network. The split between the network portion and the host portion of an IP address is not always the same. This information is communicated by another piece of addressing information called the network mask or subnet mask.
The network mask identifies which part of the IP address belongs to the network portion and which part belongs to the host portion. The network mask is also 32 bits long, and every bit that is set to 1 marks a bit of the IP address that is reserved for the network portion. All remaining bits are set to 0 and mark the host portion.
Let’s consider the IP address 10.10.20.30, represented in binary as 00001010 00001010 00010100 00011110. To determine the allocation of each section of the IP address, we can apply our network mask. In this case, our network mask is 11111111 11111111 00000000 00000000. This means that the first two octets of the IP address (10.10, or 00001010 00001010) are reserved for the network portion. The last two octets of the IP address (.20.30, or 00010100 00011110) identify the individual host on this network, as shown in Figure 10.1.
Host:  10.10.20.30   00001010 00001010 00010100 00011110
Mask:  255.255.0.0   11111111 11111111 00000000 00000000
                     [ Network portion ] [  Host portion  ]
Figure 10.1: The network mask determines the allocation of the bits in an IP address
As indicated in Figure 10.1, netmasks can also be written in dotted-quad notation. For example, the netmask 11111111 11111111 00000000 00000000 is written as 255.255.0.0. IP addresses and network masks are commonly written in Classless Inter-Domain Routing (CIDR) notation. The IP address is written in full and followed by a forward slash (/) and the number of bits that represent the network portion of the IP address. For example, an IPv4 address of 10.10.20.30 and a netmask of 255.255.0.0 would be written in CIDR notation as 10.10.20.30/16.
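The mask arithmetic and CIDR conversion described above, worked through in code. This is an added Python example, not code from the original text; all function names are my own, and it uses only integer bit operations so the network/host split is visible rather than hidden behind a library.

```python
def dotted_to_int(dotted: str) -> int:
    """Convert dotted-quad notation (A.B.C.D) to the 32-bit integer it encodes."""
    octets = dotted.split(".")
    if len(octets) != 4:
        raise ValueError(f"not a dotted quad: {dotted!r}")
    value = 0
    for octet in octets:
        n = int(octet)
        if not 0 <= n <= 255:
            raise ValueError(f"octet out of range in {dotted!r}: {octet}")
        value = (value << 8) | n
    return value


def int_to_dotted(value: int) -> str:
    """Render a 32-bit integer in dotted-quad notation."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def to_binary(value: int) -> str:
    """Render a 32-bit value as four 8-bit groups, as in Figure 10.0."""
    bits = f"{value:032b}"
    return " ".join(bits[i:i + 8] for i in range(0, 32, 8))


def is_valid_mask(mask: str) -> bool:
    """A netmask must be a contiguous run of 1 bits followed by a run of 0 bits."""
    m = dotted_to_int(mask)
    ones = bin(m).count("1")
    return m == (0xFFFFFFFF << (32 - ones)) & 0xFFFFFFFF


def prefix_length(mask: str) -> int:
    """Number of network bits in a mask, i.e. the number after the slash in CIDR notation."""
    if not is_valid_mask(mask):
        raise ValueError(f"non-contiguous netmask: {mask}")
    return bin(dotted_to_int(mask)).count("1")


def prefix_to_mask(prefix: int) -> str:
    """Inverse of prefix_length: /16 -> 255.255.0.0."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix length must be 0..32")
    return int_to_dotted((0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF)


def split_address(ip: str, mask: str) -> dict:
    """Apply the mask the way Figure 10.1 does: network portion = ip AND mask,
    host portion = ip AND NOT mask."""
    ip_int, mask_int = dotted_to_int(ip), dotted_to_int(mask)
    network = ip_int & mask_int
    host = ip_int & ~mask_int & 0xFFFFFFFF
    return {
        "cidr": f"{ip}/{prefix_length(mask)}",
        "network": int_to_dotted(network),
        "host_bits": host,
        "binary_ip": to_binary(ip_int),
        "binary_mask": to_binary(mask_int),
    }


def same_network(a: str, b: str, mask: str) -> bool:
    """Two hosts are on the same layer 3 network when their network portions match."""
    m = dotted_to_int(mask)
    return dotted_to_int(a) & m == dotted_to_int(b) & m
```

Feeding the chapter's 10.10.20.30 / 255.255.0.0 pair to split_address gives the CIDR form 10.10.20.30/16, the network 10.10.0.0 and the binary rows of Figure 10.1. The contiguity check in is_valid_mask matters in practice: a mask such as 255.0.255.0 is not a valid prefix, and a filter or ACL written with one will not match what its author expects.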
IPv4 Packet Structure
The source and destination IP addresses are the crucial components of the IPv4 packet header, but they are not all of the IP information you’ll find in a packet. The IP header is quite complex compared to the ARP packet we just examined; it includes a lot of extra functionality that helps IP do its job. As shown in Figure 10.2, the IPv4 header has the following fields:
Version : The version of IP being used; this will always be 4 for IPv4.
Header Length : The length of the IP header, counted in 32-bit words. A header with no options is 20 bytes long, so the value here is 5. The maximum value 4 bits can hold is 15, which in 32-bit increments is a header length of 60 bytes.
Type of Service : Used for Quality of Service (QoS), which routers use to prioritize traffic. There are 8 bits that can be used to mark the packet.
Total Length : This 16-bit field gives the entire size of the IP packet (header and data) in bytes. With no data the minimum size is 20 bytes; the maximum size is 65,535 bytes, the highest value that can be represented with 16 bits.
Identification : This is a 16-bit field. When an IP packet is fragmented, every fragment carries the same 16-bit identification number so the receiver can tell which IP packet each fragment belongs to.
Flags : Used to identify whether a packet is part of a sequence of fragmented packets.
Fragment Offset : This is a 13-bit field. If a packet is a fragment, the value of this field is used to reassemble the fragments in the correct order.
Time to Live : Defines the lifetime of the packet, measured in hops or seconds through routers.
Protocol : Identifies the transport-layer protocol whose header is carried inside the IPv4 packet.
Header Checksum : An error-detection mechanism used to verify that the contents of the IPv4 header are not damaged or corrupted.
Source IP Address : The 32-bit source IPv4 address.
Destination IP Address : The 32-bit destination IPv4 address.
Options : Reserved for additional IP options. It includes options for source routing and timestamps.
Data : The actual data being transmitted with IP.
Figure 10.2: The IPv4 packet structure
Time to Live (TTL)
The Time to Live (TTL) value defines a period of time that can elapse, or a maximum number of routers a packet can traverse, before an IPv4 packet is discarded. The TTL value is set when a packet is created and is generally decremented by 1 every time the packet is forwarded by a router. Consider a packet with a TTL of 2: the first router it reaches decrements the TTL to 1 and forwards it to the second router. That router decrements the TTL to 0, and if the packet’s final destination is not on that network, the packet is discarded (see Figure 10.3).
Figure 10.3: The TTL of a packet decreases every time it traverses a router
Why is the TTL value important? Usually we are concerned about the lifetime of a packet only in terms of the time it takes to travel from its source to its destination. However, consider a packet that travels to a host across the internet, traversing dozens of routers. At some point in its path, the packet could encounter a misconfigured router and lose the path to its final destination. In such a case the router could do a number of things, one of which could result in the packet being forwarded around the network in a never-ending loop.
An infinite loop can cause all sorts of issues, but it typically results in the crash of a program or an entire operating system. Here, the packets would keep looping between routers. As the number of looping packets increased, the available bandwidth on the network would deplete until a denial of service condition occurred. TTL was created to prevent this.
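The header fields listed under Figure 10.2 and the per-hop TTL handling just described, worked through in code: the block parses a 20-byte IPv4 header, verifies the RFC 791 header checksum, and simulates what one router does to the header (verify checksum, decrement TTL, recompute checksum, or discard). This is an added Python example, not code from the original text; the function names are my own, the packet it builds is constructed to match the chapter's ping (10.10.0.3 to 192.168.0.128, total length 60, TTL 128), and the "router" is a model of the forwarding step, not a real router implementation.

```python
import socket
import struct

# Fixed 20-byte IPv4 header without options (Figure 10.2), network byte order.
IPV4_HEADER = struct.Struct("!BBHHHBBH4s4s")


def header_checksum(data: bytes) -> int:
    """RFC 791 header checksum: one's-complement sum of the header's 16-bit words,
    then the one's complement of that sum. Computed with the checksum field zeroed."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ipv4_header(src: str, dst: str, payload_len: int, ttl: int = 128,
                      protocol: int = 1, identification: int = 0x1234) -> bytes:
    """Build a minimal header (IHL = 5, no options, not fragmented) with a valid checksum."""
    version_ihl = (4 << 4) | 5
    header = IPV4_HEADER.pack(version_ihl, 0, 20 + payload_len, identification, 0,
                              ttl, protocol, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return header[:10] + struct.pack("!H", header_checksum(header)) + header[12:]


def parse_ipv4_header(packet: bytes) -> dict:
    """Decode the fields listed under Figure 10.2 from the start of a packet."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    (version_ihl, tos, total_length, identification, flags_frag,
     ttl, protocol, checksum, src, dst) = IPV4_HEADER.unpack(packet[:20])
    version, ihl = version_ihl >> 4, version_ihl & 0x0F
    header_length = ihl * 4  # IHL counts 32-bit words: 5 -> 20 bytes, 15 -> 60 bytes
    if version != 4:
        raise ValueError(f"not IPv4 (version {version})")
    if header_length < 20 or header_length > len(packet):
        raise ValueError(f"bad header length {header_length}")
    return {
        "version": version,
        "header_length": header_length,
        "tos": tos,
        "total_length": total_length,
        "identification": identification,
        "df": bool(flags_frag & 0x4000),               # Don't Fragment flag
        "mf": bool(flags_frag & 0x2000),               # More Fragments flag
        "fragment_offset": (flags_frag & 0x1FFF) * 8,  # wire value counts 8-byte units
        "ttl": ttl,
        "protocol": protocol,
        "checksum": checksum,
        # A header with a correct checksum sums (checksum field included) to 0xFFFF,
        # so recomputing over the whole header yields 0.
        "checksum_ok": header_checksum(packet[:header_length]) == 0,
        "src": socket.inet_ntoa(src),
        "dst": socket.inet_ntoa(dst),
        "options": packet[20:header_length],
    }


def router_forward(packet: bytes):
    """One router hop (Figure 10.3): verify the checksum, decrement TTL, recompute
    the checksum. Returns the forwarded packet, or None when it is discarded."""
    hdr = parse_ipv4_header(packet)
    if not hdr["checksum_ok"]:
        return None  # corrupted header: dropped
    if hdr["ttl"] <= 1:
        return None  # TTL would reach 0: discarded (a real router also sends ICMP Time Exceeded)
    hl = hdr["header_length"]
    out = bytearray(packet[:hl])
    out[8] -= 1                  # TTL is byte 8 of the header
    out[10:12] = b"\x00\x00"     # zero the checksum field before recomputing
    out[10:12] = struct.pack("!H", header_checksum(bytes(out)))
    return bytes(out) + packet[hl:]
```

Running the constructed ping through router_forward once gives TTL 127 with a checksum that still verifies, which is exactly the one-hop difference between the source and destination captures discussed next. Flipping any header byte without recomputing the checksum makes checksum_ok false, which is how a receiver catches a damaged header.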
Figure 10.4: The IP header of the source packet
You can see that the version of IP being used is version 4, the IP header length is 20 bytes, the total length of the header and payload is 60 bytes, and the value of the TTL field is 128. The purpose of an ICMP ping is to test communication between devices. Data is sent from one host to another as a request, and the receiving host should send that data back as a reply. In this file, one device with the address 10.10.0.3 sends an ICMP request to a device with the address 192.168.0.128. This initial capture was taken at the source host, 10.10.0.3.
Now open the file ip_ttl_dest.pcapng. In this file, the data was captured at the destination host, 192.168.0.128. Expand the IP header of the first packet in this capture to examine its TTL value (see Figure 10.5). You should immediately notice that the TTL value is 127, 1 less than the original TTL of 128. Without even knowing the architecture of the network, we can conclude that one router separates these devices and that the passage through that router reduced the TTL value by 1.
Figure 10.5: The IP header shows us that the TTL has been decremented by 1.
Fragmentation is a feature of IP that permits reliable delivery of data across varying types of networks by splitting a data stream into smaller fragments. A packet is fragmented based on the maximum transmission unit (MTU) size of the layer 2 data link protocol in use and the configuration of the devices using that layer 2 protocol. In most cases, the layer 2 data link protocol in use is Ethernet.
Ethernet has a default MTU of 1,500, which means that the maximum packet size that can be transmitted over an Ethernet network is 1,500 bytes (not including the 14-byte Ethernet header itself).
When a device prepares to transmit an IP packet, it determines whether it must fragment the packet by comparing the packet’s data size to the MTU of the network interface from which the packet will be transmitted. If the size of data is greater than the MTU, the packet will be fragmented.
Fragmenting a packet involves the following steps:
1. For successful data transmission, the device splits the data into the required number of packets.
2. The Total Length field of each IP header is set to the size of that fragment.
3. The MF (More fragments) flag is set to 1 on all packets in the data stream except the last one.
4. The Fragment offset field is set in the IP header of each fragment.
5. The packets are transmitted.
The file ip_frag_source.pcapng was taken from a computer with the address 10.10.0.3, transmitting a ping request to a device with the address 192.168.0.128. Notice that the Info column of the Packet List pane lists two fragmented IP packets, followed by the ICMP (ping) request. Let’s examine the IP header of packet 1 (see Figure 10.6).
Figure 10.6: More fragments and Fragment offset values can indicate a fragmented packet.
We can see that this packet is part of a fragment based on the More fragments and Fragment offset fields. Packets that are fragments will either have a positive Fragment offset value or have the More fragments flag set. In the first packet, the More fragments flag is set, indicating that the receiving device should expect to receive another packet in this sequence. The Fragment offset is set to 0, indicating that this packet is the first in a series of fragments.
The IP header of the second packet (see Figure 10.7) also has the More fragments flag set, but in this case the Fragment offset value is 1480. This reflects the 1,500-byte MTU minus 20 bytes for the IP header. The third packet (see Figure 10.8) does not have the More fragments flag set, which marks it as the last fragment in the data stream, and its Fragment offset is set to 2960, the result of 1480 + (1500 – 20). These fragments can all be identified as part of the same series of data because they have the same value in the Identification field of the IP header.
Figure 10.7: The Fragment offset value increases based on the size of the packets.
Figure 10.8: More fragments is not set, indicating that this fragment is the last.
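The fragmentation steps 1 through 5 and the offsets seen in Figures 10.6 to 10.8 (0, 1480, 2960 for a 1,500-byte MTU), worked through in code, together with the receiver's side: grouping fragments by Identification and reassembling them. This is an added Python example, not code from the original text; the function names are my own, it assumes a 20-byte header with no options, it reports offsets both in bytes (as Wireshark displays them) and in the 8-byte units carried on the wire, and the 3,008-byte payload in the test is constructed. It goes one step beyond the text by handling fragment sets that are out of order, incomplete, or overlapping.

```python
IP_HEADER_LEN = 20     # header without options, as in the capture
ETHERNET_MTU = 1500


def fragment(payload: bytes, identification: int, mtu: int = ETHERNET_MTU,
             dont_fragment: bool = False) -> list:
    """Steps 1-5 from the text: split one IP payload into fragments that each fit the MTU.
    Each fragment is a dict holding the header fields a capture would show for it."""
    if IP_HEADER_LEN + len(payload) <= mtu:
        return [{"identification": identification, "fragment_offset": 0, "offset_field": 0,
                 "mf": False, "total_length": IP_HEADER_LEN + len(payload), "data": payload}]
    if dont_fragment:
        raise ValueError("packet exceeds the MTU but DF is set; it would be dropped")
    # Every fragment except the last carries a multiple of 8 data bytes, because the
    # 13-bit Fragment Offset field counts 8-byte units (1500 - 20 = 1480 = 185 * 8).
    max_data = (mtu - IP_HEADER_LEN) // 8 * 8
    fragments = []
    for offset in range(0, len(payload), max_data):
        chunk = payload[offset:offset + max_data]
        fragments.append({
            "identification": identification,          # same for every fragment of this datagram
            "fragment_offset": offset,                 # in bytes, as Wireshark displays it
            "offset_field": offset // 8,               # the 13-bit value actually on the wire
            "mf": offset + len(chunk) < len(payload),  # More Fragments: clear only on the last
            "total_length": IP_HEADER_LEN + len(chunk),
            "data": chunk,
        })
    return fragments


def fragment_status(frags: list) -> str:
    """Classify the fragments seen so far for one Identification value:
    'complete', 'incomplete' (a gap, or the last fragment not yet seen), or
    'overlap' (a fragment that rewrites bytes already received, or data past the
    declared end). Overlaps never occur in a legitimate stream, so a receiver or
    IDS should discard the whole group rather than guess which copy to keep."""
    expected = 0
    end_seen = False
    for f in sorted(frags, key=lambda f: f["fragment_offset"]):
        if end_seen or f["fragment_offset"] < expected:
            return "overlap"
        if f["fragment_offset"] > expected:
            return "incomplete"
        expected += len(f["data"])
        end_seen = not f["mf"]
    return "complete" if end_seen else "incomplete"


def reassemble(fragments: list) -> dict:
    """Group fragments by Identification (a real receiver also keys on source,
    destination and protocol) and rebuild every datagram whose fragments are all
    present. Returns {identification: payload} for complete datagrams and
    {identification: status string} otherwise."""
    groups = {}
    for f in fragments:
        groups.setdefault(f["identification"], []).append(f)
    result = {}
    for ident, frags in groups.items():
        status = fragment_status(frags)
        if status == "complete":
            ordered = sorted(frags, key=lambda f: f["fragment_offset"])
            result[ident] = b"".join(f["data"] for f in ordered)
        else:
            result[ident] = status
    return result
```

With a 3,008-byte payload the fragment offsets come out as 0, 1480 and 2960 with More fragments set on the first two, matching the capture; the last fragment's Total Length is 20 + 48 = 68. Because reassembly sorts by offset, delivering the fragments in reverse order still yields the original payload, while a missing fragment leaves the group incomplete and an overlapping fragment marks the group for discard.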