IP Concepts

2 - 1
IP Concepts - SANS GIAC LevelTwo
© 2000, 2001
1
IP Concepts
Internet Protocol Prerequisites
Hello, my name is Stephen Northcutt, and I’ll be your instructor today as we learn the fundamentals
of the Internet protocols.
Objectives
• Addressing
• What are TCP/IP Service Ports
• Packets, How is Data Transmitted
• IP Protocols (TCP, UDP, ICMP)
• Domain Name System
• Routing
These are the things we’re going to cover. In essence, we’re going to cover a ‘nutshell’ or the core
of the IP protocol. We’re going to learn IP addresses, MAC addresses, host names, and how they
relate to one another. We’re going to talk about packaging data to send it over the Internet, and the
difference between packets and frames. At the end of this course, you’re going to know what the IP
service ports are, and be familiar with some of the most common services, such as Telnet and FTP.
And you'll be able to tell the difference between the major protocols (TCP, UDP, ICMP) and so
forth. We're also going to look at what happens when things go wrong, and at the facilities that
IP, TCP and UDP have for communicating when there's a problem.
Section 1: Packets, How Data is Transmitted on a Network

OSI Model (top to bottom)
Application
Presentation
Session
Transport
Network
Link
Physical
We’re showing the famous seven-layer OSI model. It used to be impossible to teach a course on
communications without showing this model.
The important thing for you to understand is that IP predates this model, and it does not strictly
conform to it.
Bits and Bytes
BIT = 1 or 0
BYTE (OCTET) = 00010001
As of course you know, the atom of computing is a bit – a single storage location that has a value of
either a zero or a one. Now, that doesn’t hold a lot of information, so we clump these into groups of
eight (called bytes or octets), but that’s still very small. However, it is enough to hold a character
(such as the letter “A” or a comma) and it can hold an integer number as large as 255.
So, we’re going to have to do something to carry more information!
Packets
Header | Data
01001110 01001010 01000010 01001011 11001010
The header provides addressing and type information, much like the outside of a snail-mail
envelope.
We group multiple octets together for shipping across the network by putting them in packets. On
your slide you see a sample packet, and we learn right here and now one of the great truths of
networking: there is a relatively high overhead cost to slinging these packets across the network.
So we go to a lot of trouble to package our content so that we can ship it across the network. When
it gets to the other side, we have to unwrap it, and we want to know that it crossed the Internet
intact. For that, each layer carries its own check value. The IP header carries a 16-bit checksum
(a one's complement sum, not a CRC) that covers only the IP header, so a router can tell whether the
addressing information was damaged in transit. TCP and UDP carry their own 16-bit checksums over
their header and data, and the Ethernet frame trailer carries a 32-bit CRC over the whole frame.
One caveat for security people: these are seals against accidental corruption, not tamper-proof
seals. Anyone who can change a packet can recompute the checksum, so a valid checksum tells you
nothing about whether the packet was deliberately altered on the way.
Now, on your slide you see a real IP packet: a tcpdump summary line followed by the packet in
hexadecimal. The hexadecimal part begins with 4500. This is a quite common way for a packet to
begin. The 4 means Internet Protocol version 4, and the 5 is the header length in 32-bit words
(5 words, or 20 bytes), which tells us that no IP options are set.
You'll notice that some of the characters have been changed to XXXX XXXX. This is the location in
the header where the destination address would be. We're showing you an analogy on your slide
between the header and the outside of an envelope. I've also bolded some hexadecimal characters
(d823 d9ba) for you: that is the source address, the sender of this particular packet. Read them
one byte at a time and you get d8 = 216, 23 = 35, d9 = 217, ba = 186, which is the 216.35.217.186
in the summary line.

  10:14:16.509362 216.35.217.186.telnet > PC.edu.1153: S
  1472583541:1472583541(0) ack 219629 win 8736 <mss 1460> (DF) (ttl
  115, id 14349)
  4500 002c 380d 4000 7306 f308 d823 d9ba
  XXXX XXXX 0017 0481 57c5 d775 0003 59ed
  6012 2220 0b7d 0000 0204 05b4 0000
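Here is an added example, written for this edition and not part of the original course material, that reads the packet above the way the IP and TCP layers do: by byte position. It decodes every field that tcpdump printed in the summary line, verifies the header checksum, and then shows what the "seal" is worth: once the TTL is rewritten the old checksum fails, but whoever rewrote it can simply recompute a valid one. Because the destination address on the slide is redacted, the code fills it with 0.0.0.0 for parsing and with an assumed 10.0.0.5 (not the real value) when it needs a complete header to checksum.

```python
import struct

# The 44-byte SYN/ACK from the slide.  The destination address (bytes 16-19)
# was redacted to "XXXX XXXX" on the page; 0.0.0.0 stands in for it here and
# is not the real value.
SLIDE_PACKET = bytes.fromhex("".join("""
4500 002c 380d 4000 7306 f308 d823 d9ba
0000 0000 0017 0481 57c5 d775 0003 59ed
6012 2220 0b7d 0000 0204 05b4 0000
""".split()))

PROTOCOLS = {1: "ICMP", 6: "TCP", 17: "UDP"}
TCP_FLAG_BITS = {0x01: "FIN", 0x02: "SYN", 0x04: "RST",
                 0x08: "PSH", 0x10: "ACK", 0x20: "URG"}


def ip_checksum(header: bytes) -> int:
    """RFC 791 header checksum: one's complement of the one's complement sum
    of the header's 16-bit words.  Run over a header whose checksum field is
    already filled in, a correct header yields 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                      # fold the carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4(packet: bytes) -> dict:
    """Take the fixed 20-byte IPv4 header apart by byte position."""
    ver_ihl, tos, total_len, ident, flags_frag, ttl, proto, _csum = struct.unpack(
        "!BBHHHBBH", packet[:12])
    header_len = (ver_ihl & 0x0F) * 4      # IHL is counted in 32-bit words
    return {
        "version": ver_ihl >> 4,
        "header_len": header_len,
        "tos": tos,
        "total_length": total_len,
        "id": ident,
        "DF": bool(flags_frag & 0x4000),
        "MF": bool(flags_frag & 0x2000),
        "frag_offset": flags_frag & 0x1FFF,
        "ttl": ttl,
        "protocol": PROTOCOLS.get(proto, str(proto)),   # byte 9: the demux key
        "checksum_ok": ip_checksum(packet[:header_len]) == 0,
        "src": ".".join(str(b) for b in packet[12:16]),
        "dst": ".".join(str(b) for b in packet[16:20]),
        "payload": packet[header_len:total_len],        # what the next layer sees
    }


def parse_tcp(segment: bytes) -> dict:
    """Decode the TCP header that IP hands up when the protocol field is 6."""
    sport, dport, seq, ack, off_flags, window, _csum, _urg = struct.unpack(
        "!HHIIHHHH", segment[:20])
    data_off = (off_flags >> 12) * 4
    flags = {name for bit, name in TCP_FLAG_BITS.items() if off_flags & bit}
    mss, i, options = None, 0, segment[20:data_off]
    while i < len(options):                 # kind / length / value options
        kind = options[i]
        if kind == 0:                       # end of option list
            break
        if kind == 1:                       # NOP padding
            i += 1
            continue
        length = options[i + 1]
        if kind == 2 and length == 4:       # maximum segment size
            mss = struct.unpack("!H", options[i + 2:i + 4])[0]
        i += length
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": flags, "window": window, "mss": mss,
            "data": segment[data_off:]}


def with_checksum(header: bytes) -> bytes:
    """Zero the checksum field (bytes 10-11), recompute it, write it back."""
    zeroed = header[:10] + b"\x00\x00" + header[12:]
    return zeroed[:10] + struct.pack("!H", ip_checksum(zeroed)) + zeroed[12:]


def complete_slide_packet(dst: str = "10.0.0.5") -> bytes:
    """Fill in an assumed destination (not the redacted real one) so the
    header can be checksummed end to end."""
    header = SLIDE_PACKET[:16] + bytes(int(o) for o in dst.split("."))
    return with_checksum(header) + SLIDE_PACKET[20:]


def rewrite_ttl(packet: bytes, new_ttl: int) -> dict:
    """After a field is rewritten the old checksum fails, but whoever did the
    rewriting can recompute a valid one: the seal detects noise, not intent."""
    header_len = (packet[0] & 0x0F) * 4
    header = packet[:header_len]
    edited = header[:8] + bytes([new_ttl]) + header[9:]
    return {"original_ok": ip_checksum(header) == 0,
            "edited_ok": ip_checksum(edited) == 0,
            "recomputed_ok": ip_checksum(with_checksum(edited)) == 0}


if __name__ == "__main__":
    ip = parse_ipv4(SLIDE_PACKET)
    print({k: v for k, v in ip.items() if k != "payload"})
    if ip["protocol"] == "TCP":
        print(parse_tcp(ip["payload"]))
    print(rewrite_ttl(complete_slide_packet(), 114))
```

Every value the parser returns for the slide packet can be checked against the tcpdump line: version 4, 20-byte header, length 44, id 14349, DF set, ttl 115, protocol TCP, source 216.35.217.186, ports 23 and 1153, sequence 1472583541, ack 219629, SYN+ACK, window 8736, MSS 1460.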
Packets Have Addresses
IP addresses: 172.20.31.25 and 172.20.31.28
MAC addresses: 0826C1f45231 and 0826Cf1541f2
Internet Protocol (IP) addresses are like your name, and Media Access Control (MAC) addresses are
like your street address in the envelope analogy.
(The packet shown is notional: IP packets don't carry MAC addresses, but Ethernet frames do.)
But it turns out that packets have multiple levels of addresses. Right now, I'd like you to think
about the hardware address and the software address. Compare that to the address your house has
(that would be the hardware address). If your house was 1218 Parsell Street, Fredericksburg,
Virginia, that would be its hardware address. But various people might live in a house over its
lifetime, and that can be thought of as a software address: Stephen Northcutt at Parsell Street.
And so we have a binding between the two.
We have the same situation in IP communications. As it says in your notes, the MAC address is 48
bits long. That is a really, really large number, and we're going to see that it matters as we go
further into the course: a MAC address is assigned by the card's manufacturer, not by where the
card is plugged in, so there is no structure in it to summarize, and no router could keep a table
of all of them.
Frames and Packets
Frames are packets on the media:
Frame Header (14 bytes) | Data | Frame Trailer (4 bytes)
Now, in some sense, we can compare a software view of the world, where we talk about assembling
packets for transmission, with an electrical engineer's or physical view of the world, which is
when the packets are actually being transmitted. When packets are transmitted we call them frames,
and they need a frame header and a frame trailer, which is additional overhead on top of the
packet overhead. On Ethernet the header is 14 bytes (destination MAC, source MAC, and a type field
that says what is inside, 0x0800 for IP) and the trailer is a 4-byte CRC over the frame.
One of the most important things the frame does is synchronize. This is particularly important as
we go faster and faster. The preamble and start-of-frame delimiter sent just ahead of the frame
header tell the computer's network interface card (NIC) when a particular frame begins. That way,
when the NIC sees that pattern, it knows to start pulling in the data so it can check it out.
One Layer's Header is Another Layer's Data
Data
TCP Header | Data
IP Datagram Header | Data
Frame Header | Data
Headers are prepended as the packet descends the stack.
This is a very important concept. All of IP communication is an exercise in multiplexing and
demultiplexing. We begin with some message or content that we want to send, perhaps through telnet
or electronic mail. As we pass it down through the IP stack, each layer wraps its own header
around whatever it was handed, and whatever it was handed already includes the header of the layer
above. Going up the stack on the receiving side, each layer reads its own header, uses it to decide
which protocol or application above it gets the rest, and strips it off.
The process of adding header information as a packet is passed down the TCP/IP stack, and reading
and removing header information as the packet is passed up the stack, is also referred to as
encapsulation and decapsulation.
I want to introduce a term at this point: TCP segment. The message with its TCP header, as passed
down to the IP layer, is called a TCP segment. IP's unit is the datagram, and once the frame header
and trailer are added it is a frame.
Packets are Sort of Positional
IP header with no options shown, 20 bytes total. Bit positions run 0 to 31 across each 32-bit row:
  bits 0-3 VER | bits 4-7 header length | bits 8-15 TOS | bits 16-31 total length in bytes
  bits 0-15 ID field | bits 16-18 flags | bits 19-31 fragment offset
  bits 0-7 TTL | bits 8-15 protocol | bits 16-31 header checksum
  bits 0-31 source IP address
  bits 0-31 destination IP address
So, we’re looking at a big pile of zeros and ones – how do we know how to interpret them? We do
this by their position in the header. As you can see on your slide, a certain number of bits is
allocated for each field in the header. There are options flags that can be set in the headers that
change how it is processed or the expected length. Also, the protocols themselves are each handled
differently. For the purposes of this course, the primary protocols that we’re going to talk about are
the User Datagram Protocol (UDP), Transmission Control Protocol (TCP), and the Internet
Control Message Protocol (ICMP). But we will touch on other very important protocols that you
will need to learn as you continue to move through the course.
Now, let’s take an exercise – it’s your turn! Please take a minute and calculate how many bytes into
the header we need to count in order to find the beginning of the protocol field.
(Pause)
Did you come up with nine? If you came up with a different number, it’s important to realize that in
“IP header math”, we generally start counting with zero – that’s something we have to remember.
IP Header Identifies Protocol
IP Datagram Header | Data
Protocol Header | Data
Headers provide the information needed to parse the packet.
Protocol field   Bit pattern   Protocol
1                0000 0001     ICMP
6                0000 0110     TCP
17               (exercise)    UDP
Now that we’ve counted our way to the protocol ID field, what is it, and what does it do? The value
in this field tells us what protocol the packet was constructed by. We’re going to need that
information when we demultiplex this layer from the packet.
On your slide you see values for common protocols: 1 for ICMP, 6 for TCP, and 17 for UDP. Now,
how long was the protocol field? It was eight bits. So, what is the maximum value we can display
with eight bits? If every bit is set to 1 and we start counting at zero, we have 255 of course. What
would the bit pattern in the packet be if it was a TCP packet? From left to right, it would be 0000
0110.
Now, you remember the deal for binary. We have a 0 in the 2^0 place, so the most that could be is
one, but since it's a zero we can ignore it and keep going. We have a 1 in the 2^1 place, and we
have a 1 in the 2^2 place. 2^2 would be a 4, 2^1 would be a 2, so 2 + 4 is 6.
Okay, that’s great! Now we have time for one more student exercise. Please write down the bit
pattern you would see for UDP (17 in decimal). From left to right, you should have…
(Pause)
0001 0001, and that should sound familiar because we did this bit pattern earlier in this course.
Packets - Review
• Bits are grouped by octets
• Octets are grouped into packets
• Frames are packets "on the wire"
• Packets have header and data sections
• A bit's position in a packet determines how it is interpreted
To recap, in this section we have been primarily concerned with the packaging of information to
send over the network. We've gone from bits, to octets, to packets and frames, to the IP header
and the protocols it carries. Along the way we have introduced some terms which are needed to
describe the mechanics of internetworking.
What is an internet anyway? An internet is a collection of separate networks connected together;
the Internet is the big public one.
Addressing: MAC to IP Address
172.20.42.2 wants to talk to 172.20.42.1, what has to happen?
- 42.2 builds a packet and puts it on the media
- 42.1 picks it up off the media and checks the address
Simple! (well, mostly)
- IP addresses are kept in tables, but MAC addresses aren't
- Need a way to determine MAC addresses
Now, you can scour the IP headers looking for the physical layer MAC address until you turn blue, but
you won't find it. MAC addresses do not mean anything to IP, which uses logical addresses. They
aren't part of the protocol; for all intents and purposes, they may as well not exist.
By the same token, physical Media Access Control (MAC) addresses are how the Ethernet card
interfaces with the network. The Ethernet card does not know one thing about IP, IP headers, or
logical IP addresses. So we are faced with the signature line of Cool Hand Luke: "what we have here
is a failure to communicate"! So clearly, if things are going to work, we need an operation, a
process, that will create a correspondence between a logical IP address and a physical MAC address.
The tcpdump-style trace below shows such a correspondence being made with ARP. The host computer,
192.168.1.5, needs to know the MAC address for 192.168.1.1. On the first line we see the query, a
broadcast (the B), and on the second line the answer.
  23:55:17.054913 B arp who-has 192.168.1.1 tell 192.168.1.5
  23:55:17.054969 > arp reply 192.168.1.1 (0:50:4:62:68:ec) is-at
  0:50:4:62:68:ec (0:0:86:3b:69:38)
So, on the second line it says "arp reply", and it tells 192.168.1.5 the MAC address of 1.1. The
trailing 0:0:86:3b:69:38 is the MAC address the reply was sent to, which is 1.5's own. So this is
the answer from 1.1.
Address Resolution Protocol (ARP)
172.20.42.1 and 172.20.42.2: 42.1 broadcasts a packet with 42.2's IP address and asks it to respond
with its physical address.
ARP packet layout (bits 0-15 | bits 16-31 on each row; 28 bytes in all for Ethernet and IP):
  HARDWARE TYPE | PROTOCOL TYPE
  HLEN | PLEN | OPERATION
  SOURCE MAC (first 4 bytes)
  SOURCE MAC (last 2 bytes) | SOURCE IP (first 2 bytes)
  SOURCE IP (last 2 bytes) | TARGET MAC (first 2 bytes)
  TARGET MAC (last 4 bytes)
  TARGET IP
The Internet protocols are specified by standards documents called Requests For Comments
(RFCs). ARP [Address Resolution Protocol] is specified by RFC 826. It is not an internet protocol
per se, because it is not carried in an internet (IP) packet. It is an Ethernet frame (Ethernet
type 0x0806) sent to all systems on a network segment, which is what we call a broadcast. If a
message is a broadcast message, that means it is sent to all of the machines on part or all of the
network.
The source host sends the ARP request and includes its own MAC and IP address, and then presumably
the destination host will pick it up and reply. Of course, the reply will contain the destination
host's MAC and IP address. After this is done, the two systems can talk IP to one another. If you
see an ARP, you are probably on the same physical cable segment as the sending computer, since
ARPs are not passed through a router.
Another important concept to introduce at this point is the cache. This information probably will
not change very quickly, so it can be stored for a while to reduce the number of broadcasts
required to support communications. Also, any hosts on the network that are listening for
broadcasts will see the initial ARP request and can cache the requestor's MAC and IP address. This
reduces the potential number of ARP requests (broadcast traffic) that consume bandwidth. Note the
other side of that convenience: nothing in an ARP packet proves that the sender owns the IP
address it claims, so a host's cache holds whatever it was last told. Keep that in mind when a
trace shows ARP replies that nobody asked for.
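The exchange in the trace above, as an added example that is not part of the course material: it builds the 28-byte ARP packet with exactly the field order shown on the slide, answers a request the way 192.168.1.1 would, reproduces tcpdump's one-line summaries, and keeps an ARP cache that learns the sender pair from every ARP packet it sees, just as the notes describe. The MAC addresses and IP addresses are the ones from the trace; the Ethernet header that carries the packet is left out, since the slide shows only the ARP packet itself.

```python
import struct

HW_ETHERNET, PROTO_IPV4 = 1, 0x0800       # hardware type, protocol type
ARP_REQUEST, ARP_REPLY = 1, 2             # operation
ZERO_MAC = "0:0:0:0:0:0"                  # target MAC in a request: unknown


def mac_bytes(mac: str) -> bytes:
    return bytes(int(part, 16) for part in mac.split(":"))


def mac_str(raw: bytes) -> str:
    return ":".join("%x" % b for b in raw)      # tcpdump's terse form, no leading zeros


def ip_bytes(ip: str) -> bytes:
    return bytes(int(part) for part in ip.split("."))


def ip_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def build_arp(op: int, sender_mac: str, sender_ip: str,
              target_mac: str, target_ip: str) -> bytes:
    """The 28-byte RFC 826 packet laid out as on the slide: HTYPE, PTYPE,
    HLEN, PLEN, OPERATION, then sender MAC/IP and target MAC/IP."""
    return (struct.pack("!HHBBH", HW_ETHERNET, PROTO_IPV4, 6, 4, op)
            + mac_bytes(sender_mac) + ip_bytes(sender_ip)
            + mac_bytes(target_mac) + ip_bytes(target_ip))


def parse_arp(pkt: bytes) -> dict:
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", pkt[:8])
    if (htype, ptype, hlen, plen) != (HW_ETHERNET, PROTO_IPV4, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    return {"op": op,
            "sender_mac": mac_str(pkt[8:14]), "sender_ip": ip_str(pkt[14:18]),
            "target_mac": mac_str(pkt[18:24]), "target_ip": ip_str(pkt[24:28])}


def summary(pkt: bytes) -> str:
    """The one-line form tcpdump uses for the two packets in the trace."""
    a = parse_arp(pkt)
    if a["op"] == ARP_REQUEST:
        return "arp who-has %s tell %s" % (a["target_ip"], a["sender_ip"])
    return "arp reply %s is-at %s" % (a["sender_ip"], a["sender_mac"])


def who_has(target_ip: str, my_mac: str, my_ip: str) -> bytes:
    """The broadcast question; the sender fills in its own pair."""
    return build_arp(ARP_REQUEST, my_mac, my_ip, ZERO_MAC, target_ip)


def answer(request: bytes, my_mac: str, my_ip: str):
    """What 192.168.1.1 does when the broadcast reaches it: reply, addressed
    back to the asker, only if the question is about its own address."""
    r = parse_arp(request)
    if r["op"] != ARP_REQUEST or r["target_ip"] != my_ip:
        return None
    return build_arp(ARP_REPLY, my_mac, my_ip, r["sender_mac"], r["sender_ip"])


class ArpCache(dict):
    """IP -> MAC table.  It learns the sender pair from every ARP packet it
    sees, request or reply, asked-for or not; no field in the packet lets it
    tell a genuine reply from a forged one, so the last word wins."""

    def learn(self, pkt: bytes) -> dict:
        a = parse_arp(pkt)
        self[a["sender_ip"]] = a["sender_mac"]
        return a


def trace_exchange():
    """Reproduce the exchange from the tcpdump trace above."""
    cache = ArpCache()
    request = who_has("192.168.1.1", "0:0:86:3b:69:38", "192.168.1.5")
    cache.learn(request)                    # everyone on the segment hears the broadcast
    reply = answer(request, "0:50:4:62:68:ec", "192.168.1.1")
    cache.learn(reply)
    return summary(request), summary(reply), dict(cache)


if __name__ == "__main__":
    for line in trace_exchange():
        print(line)
```

The cache class is where the caveat lives: feed it a reply for 192.168.1.1 that carries some other sender MAC and the entry is simply overwritten, because the packet format has no field a receiver could check.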
Address Resolution Protocol (2)
172.20.42.1 and 172.20.42.2 on one segment, 172.20.35.2 on another.
Hosts and routers keep track of these IP/MAC pairs in ARP tables (the ARP cache). A plain
layer-2 switch does not need them: it learns which MAC address is reachable through which port and
forwards frames by MAC address alone.
Why are MAC addresses so huge? (Because I'll tell you, 48 bits is a LOT of address space!) The
idea was that they would be unique for all time and space, and that sounds good if you say it real
fast, but there are always "gotchas". Further, the manufacturers of network interface cards (NICs)
are supposed to use an assigned prefix (the first three bytes), so that part of the MAC address
allows you to determine which manufacturer built the card. Since the address lives in software on
most cards, it can also be changed, so treat it as a label, not as proof of identity.
And in your notes pages, you see some ways to see your MAC address.
For Windows 9x machines:
From a command prompt, type winipcfg
For Windows NT/2000 machines:
From a command prompt, type ipconfig /all
For Linux/UNIX machines:
From a command prompt, type ifconfig -a (on current Linux systems, ip link also shows it)
What are IP Address Classes?
• I heard 172.20.0.0 was a Class B, what does that mean?
– 32 bits for IP address space
– NETID HOSTID
– Class A (8-bit NETID, 24-bit HOSTID, 16M+ hosts: 16,777,214 usable)
– Class B (16-bit NETID, 16-bit HOSTID, 65K+ hosts: 65,534 usable)
– Class C (24-bit NETID, 8-bit HOSTID, 256 addresses, 254 usable hosts)
The classes range from Class A to Class E. A, B, and C are the unicast addresses: when you send a
packet to one of them, presumably you are addressing a single machine (unless of course you are
doing a broadcast). Class D is multicast and Class E is reserved. The class is decided by the
leading bits of the first octet: 0 for A, 10 for B, 110 for C, 1110 for D, 1111 for E. Two host IDs
in every network are not usable for hosts, which is why the counts above come out two short: the
all-zeros host ID names the network itself and the all-ones host ID is the broadcast address. This
course is concerned with classes A, B and C, and in your notes pages you see the ranges of these
addresses. The multicast range begins at 224.0.0.0; the first address in it, 224.0.0.1, is the
"all hosts" multicast address.
Class   Begin          End
A       0.0.0.0        127.255.255.255
B       128.0.0.0      191.255.255.255
C       192.0.0.0      223.255.255.255
D       224.0.0.0      239.255.255.255   (multicast)
E       240.0.0.0      255.255.255.255   (reserved)
So what? Why do I care?
• Net ID (172.20), subnet (172.20.X.0) and host ID (172.20.subnet.host)
• Netmask tells your computer what is net ID and what is host ID
• 172.20.SUBNET means 255.255.255.0 for a netmask
The second line of the slide says 172.20.X.0. The idea here is to take one of the host ID octets
and make it part of the net ID. In essence, we are converting a Class B network address into a
family of Class C sized networks. If we do this, we go from a single network that can have
something over 65,000 hosts to a collection of 256 networks that can each have 254 usable hosts
(the all-zeros and all-ones host IDs in each subnet are reserved for the subnet's network address
and broadcast address), which still comes out to something in the range of 65,000 hosts. So great!
Everything is wonderful! There is just one problem: how will our computers know what we have done?
A Class B network uses two octets for the net ID and we are using three.
The answer is the netmask. The netmask tells the computer system how many bits to "mask off" as
the net ID, and of course the remainder is the host ID. Netmasks are usually expressed in the
notation on the slide, 255.255.255.0, which is a common netmask for breaking up Class B address
space; the same mask is also written as a prefix length, /24, meaning the top 24 bits are the net
ID. A netmask is also referred to as a subnet mask. The practical rule your computer applies is
this: it ANDs its own address and the destination address with the mask, and if the results match,
the destination is on the local network and can be reached by ARP and a frame; if not, the packet
has to go to a router.
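Here, as an added example and not part of the course notes, is the "IP header math" of this section done with bit operations rather than by eye: classifying an address by its leading bits, turning a mask into a prefix length and back, splitting an address into net ID, host ID and broadcast, deciding whether two hosts share a subnet, and carving the slide's Class B 172.20.0.0 into its 256 Class C sized pieces. The addresses are the ones used on the slides; the hand-rolled conversions are there so the masking is visible, where production code would reach for the standard library's ipaddress module.

```python
def ip_to_int(ip: str) -> int:
    octets = [int(o) for o in ip.split(".")]
    if len(octets) != 4 or not all(0 <= o <= 255 for o in octets):
        raise ValueError("bad dotted quad: %r" % ip)
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def int_to_ip(n: int) -> str:
    return "%d.%d.%d.%d" % ((n >> 24) & 255, (n >> 16) & 255, (n >> 8) & 255, n & 255)


def address_class(ip: str) -> str:
    """Classful rule: the leading bits of the first octet decide.
    0 -> A, 10 -> B, 110 -> C, 1110 -> D (multicast), 1111 -> E (reserved)."""
    first = ip_to_int(ip) >> 24
    if first & 0x80 == 0:
        return "A"
    if first & 0xC0 == 0x80:
        return "B"
    if first & 0xE0 == 0xC0:
        return "C"
    if first & 0xF0 == 0xE0:
        return "D"
    return "E"


DEFAULT_MASK = {"A": "255.0.0.0", "B": "255.255.0.0", "C": "255.255.255.0"}


def prefix_to_mask(prefix: int) -> str:
    """/24 -> 255.255.255.0: the top `prefix` bits set, the rest clear."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix length must be 0..32")
    return int_to_ip((0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF)


def mask_to_prefix(mask: str) -> int:
    """255.255.255.0 -> 24, rejecting masks whose ones are not contiguous."""
    m = ip_to_int(mask)
    prefix = bin(m).count("1")
    if m != ip_to_int(prefix_to_mask(prefix)):
        raise ValueError("netmask bits must be contiguous: %s" % mask)
    return prefix


def split_address(ip: str, mask: str) -> dict:
    """AND with the mask to get the net ID; what the mask clears is the host ID."""
    a, m = ip_to_int(ip), ip_to_int(mask)
    host_bits = 32 - mask_to_prefix(mask)
    network = a & m
    return {"network": int_to_ip(network),
            "host": int_to_ip(a & ~m & 0xFFFFFFFF),
            "broadcast": int_to_ip(network | (~m & 0xFFFFFFFF)),
            "prefix": 32 - host_bits,
            # all-zeros and all-ones host IDs are reserved, hence the -2;
            # /31 and /32 have no room for that and use every address
            "usable_hosts": (1 << host_bits) - 2 if host_bits >= 2 else 1 << host_bits}


def same_subnet(a: str, b: str, mask: str) -> bool:
    """The test a host runs before deciding between ARP and the router."""
    m = ip_to_int(mask)
    return ip_to_int(a) & m == ip_to_int(b) & m


def subnets(network: str, mask: str, new_prefix: int) -> list:
    """Carve a network into equal pieces, e.g. a Class B into /24s."""
    old_prefix = mask_to_prefix(mask)
    if new_prefix < old_prefix:
        raise ValueError("new prefix must be at least as long as the old one")
    base = ip_to_int(network) & ip_to_int(mask)
    step = 1 << (32 - new_prefix)
    return [int_to_ip(base + i * step) for i in range(1 << (new_prefix - old_prefix))]


if __name__ == "__main__":
    print(address_class("172.20.31.25"), split_address("172.20.31.25", DEFAULT_MASK["B"]))
    print(split_address("172.20.31.25", "255.255.255.0"))
    print(same_subnet("172.20.42.1", "172.20.35.2", "255.255.255.0"))
    print(len(subnets("172.20.0.0", "255.255.0.0", 24)))
```

With the classful mask, 172.20.31.25 is host 0.0.31.25 on network 172.20.0.0; with 255.255.255.0 it is host 25 on the 172.20.31.0 subnet, and 172.20.42.1 and 172.20.35.2 from the ARP slide land on different subnets, which is exactly why a router sits between them.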
Addressing - Review
• Computers have physical (MAC) and protocol (IP) addresses
• Computers need to map between MAC and IP addresses
• ARP maps between MAC and IP
• There are classes of IP addresses (A, B, C)
• Netmasks tell computers how to parse IP addresses
This is a summary slide that covers the critical points in this section. If you are interested in further
details on TCP beyond what we have covered, my favorite book on the subject is TCP/IP Illustrated,
Volume 1 by Richard Stevens. Rich, by the way, was one of the SANS Institute faculty members –
he has passed away at this point – but his book is still one of the greatest references there is for
TCP/IP.
(Editor’s note: Dr. Richard Stevens passed away soon after this webcast was originally created. He
was our friend. He was our teacher and we miss him. SANS has created a scholarship in his name
and, more importantly, begun a process to implement one of his most powerful teaching techniques
into every full day course. – SRN 10/17/99)
What are TCP/IP Service Ports?
Section 3
This is a pretty easy section. TCP and UDP have a 16-bit port number field. This means there can
be as many as 65,536 different ports, or services and they are numbered from 0 to 65,535. I would
like to state up front that, though a service is usually located at its assigned port number, there is no
guarantee this is true. Any service can be run at any port. On the other hand, if you want to network
with other people, it is best to follow the standards.
