
Examination of Datagram Fields I


Network Traffic Analysis
Using tcpdump
Judy Novak
Johns Hopkins University Applied Physics Laboratory

Examination of Datagram Fields I
All material Copyright © Novak, 2000, 2001. All rights reserved.
Examination of Datagram Fields

Introduction to tcpdump

Writing tcpdump Filters

Examination of Datagram Fields

Beginning Analysis

Real World Examples

Step by Step Analysis
Objectives

Look at different IP datagram fields

What are normal behaviors/values for fields?

Why and how might values be altered?
Why are Packets “Crafted”?

Attempt to fingerprint remote operating system

Elude detection by IDS

Send covert messages/channels

Elicit a response for mapping live hosts
Why would someone craft traffic to be abnormal or different in some way? We’ll examine this topic in this section as we see mutations that are done to the IP datagram. Some of the reasons for this are:
Fingerprinting: The intent is to send an unexpected stimulus of some sort by altering the datagram and detecting how a target host responds. If enough deviant stimuli are sent and responses gathered, it is possible to identify the operating system of the target host. This is done to better know how to target a future attack.
Evasion: If the intent is to scan hosts or do some kind of reconnaissance for a future attack, or to attack a host, why not try to send traffic that still scans yet, at the same time, eludes notice by an intrusion detection system?
Covert messages/channels: It is possible to alter fields or protocol operations in an attempt to send secret traffic between hosts. Fields or methods have to be selected that are not likely to attract attention.
Elicit a response for mapping: If live host mapping cannot be done in the more classic sense with echo requests and replies, perhaps because of access control lists, there are less conventional ways to map. Some of these ways include sending traffic to a host and having it respond with some kind of error message. This is enough to indicate that the host is alive.
How are Packets “Crafted”?

Normally, IP datagram assembled by layers of TCP/IP stack

Different means of crafting packets

Application Programming Interfaces (API)

Unix sockets

Unix libnet interface

Tools

nmap

hping2

ISIC
A good paper is available that discusses Unix sockets; it is entitled “Raw IP Networking FAQ” and is found at www.whitefang.com/rin. Both socket and libnet routines are used in programs written in languages such as C or perl. The user must decide what values to use to construct the packet and use the routines to fashion and send the packet.
There are many software packages available to craft packets. These are easier to use than the APIs because all you need to do is select command line options and the packet is crafted for you.

Here is where to go to get the software mentioned in the slide:
libnet – www.packetfactory.net
nmap – www.insecure.org
hping2 – packetstorm.securify.com - hping2-beta54.tar.gz
ISIC – packetstorm.securify.com - isic-0.05.tar.gz
“Libnet is a collection of routines to help with the construction and handling of network packets. It provides a portable framework for low-level network packet shaping, handling and injection. Libnet features portable packet creation interfaces at the IP layer and link layer, as well as a host of supplementary and complementary functionality.”
nmap

“Network exploration tool and security scanner”

Scans network/hosts to determine:

Live hosts

Services running on hosts

Operating system running on hosts
Straight from the man page for nmap, the description of the tool is “network exploration tool and security scanner”. nmap is one of the most sophisticated tools available for remote scanning of a host. Through overt and stealthy means, it can map a network for live hosts, map hosts for running services, and send hosts connections intended to elicit responses that reveal how each TCP/IP stack is unique, and therefore identify the operating system of the scanned host.
nmap has a bevy of command line options to alter its behavior. It can scan in stealth modes so as to evade notice or attempt to elude detection. It can send “decoy” traffic as it scans, firing off traffic to the scanned host with spoofed source IP(s) so that the receiving host or network cannot distinguish the real source of the traffic from the bogus traffic. This is a truly remarkable and useful tool; the author is Fyodor.
hping2

“A network tool able to send custom ICMP/UDP/TCP packets and display target replies”

Can be used to test firewall rules

Scan ports of hosts

Test network performance
hping2 is a very useful tool in scanning and crafting traffic to send to remote hosts.
Some of its capabilities are:
• sending spoofed source IP addresses
• setting a default initial TTL
• setting an IP ID number
• fragmenting packets
• setting TOS field
• setting source port
• setting TCP window size
• sending data with TCP transmission
• setting any TCP flag
The author of hping2 is antirez.
ISIC

“Intended to test the integrity of an IP stack and its component stacks (TCP, UDP, ICMP)”

Suite of tools: isic, tcpsic, udpsic, icmpsic

Test firewall ability to block unusual values in packets

Test IDS ability to detect
isic is used to generate random mutations to the IP header. tcpsic, udpsic, and icmpsic generate mutant packets for the TCP, UDP, and ICMP portions of the datagram. The intention is to test how the receiving host’s TCP/IP stack responds to very strange traffic. Some of the capabilities of this tool suite are:
• corrupt fields in the IP header such as:
  • IP version
  • header length
  • protocol
• send strange fragments
• corrupt fields in the TCP header such as:
  • flag fields
  • header length
  • acknowledgement numbers
  • checksum
• corrupt fields in the UDP header such as:
  • header length
  • checksum
• corrupt fields in the ICMP header such as:
  • ICMP type
  • ICMP code
  • checksum
The author of ISIC is Mike Frantzen.
How Does nmap do OS Fingerprinting?
In the next several slides, we’ll examine how nmap determines a remote host’s operating system. It
does a series of tests against the remote host and matches responses with a file that contains expected
responses per operating system. Different TCP/IP stacks respond differently to the same stimulus.
nmap-os-fingerprints

nmap comes with a file nmap-os-fingerprints

Scanning host sends remote host many different connections:

9 different “tests” are examined

File contains expected responses for various different operating systems
nmap comes with a fingerprinting file which lists hundreds of variations of operating systems and the expected responses of each OS to 9 different tests. nmap probes remote systems for responses that differ among operating systems. Some of these tests send unexpected stimuli to see how the remote host will respond. Using a combination of these tests, nmap accurately distinguishes not only operating system types, but actual releases of the same operating system.
There is a wonderful article that comes with nmap that discusses what the operating system fingerprinting attempts to accomplish and how it does so. This is located in the file nmap-fingerprinting-article.txt. It can also be found at the nmap site, www.insecure.org.
nmap OS Tests
# Tseq is the TCP sequenceability test
# T1 is a SYN packet with a bunch of TCP options to open port
# T2 is a NULL packet w/options to open port
# T3 is a SYN|FIN|URG|PSH packet w/options to open port
# T4 is an ACK to open port w/options
# T5 is a SYN to closed port w/options
# T6 is an ACK to closed port w/options
# T7 is a FIN|PSH|URG to a closed port w/options
# PU is a UDP packet to a closed port
The first test that nmap does is to discover open TCP ports and send a series of packets to that port to
determine how the remote TCP/IP stack generates its initial sequence numbers (ISN’s). As you can
see, there are seven tests that send a combination of normal and mutant TCP traffic to the remote
host to see how it responds. Finally, a UDP packet is sent to a closed port to examine the ICMP
message that is returned and its embedded message.
One thing to note is that all required tests must receive an exact response to classify a particular
operating system. Not all tests require a response, but any response that is received must match all
the conditions for a given test to fit a given classification.
Looking for Windows Host
Fingerprint Windows NT4 / Win95 / Win98
TSeq(Class=TD|RI%gcd=1|2|3|4|5|A|14|1E|28|5A%SI=<1F4)
T1(DF=Y%W=2017|16D0|860|869F%ACK=S++%Flags=AS%Ops=M|MNWNNT)
T2(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=)
T3(Resp=Y%DF=Y%W=2017|16D0|860|869F%ACK=S++%Flags=AS%Ops=M|MNWNNT)
T4(DF=N%W=0%ACK=S++|O%Flags=R%Ops=)
T5(DF=N%W=0%ACK=S++%Flags=AR%Ops=)
T6(DF=N%W=0%ACK=S++|O%Flags=R%Ops=)
T7(DF=N%W=0%ACK=S++|S%Flags=AR%Ops=)
PU(DF=N%TOS=0%IPLEN=38%RIPTL=148%RID=E%RIPCK=E%UCK=E%ULEN=134%DAT=E)
The information on the slide above represents all the tests and responses that must be received in order to classify a remote host as a Windows NT4/Win95/Win98 host. Each of the 9 tests must receive exact responses if a response is received. The multiple conditions for each test are separated from each other with a % sign.
Of all the tests, only T2 and T3 must receive a response (Resp=Y). All others are optional. The first test, TSeq, is different from the others because it tries to identify how initial sequence numbers are generated. Windows hosts have a time dependent (TD) or random incremental (RI) formula. Also, the greatest common divisor (gcd) associated with the ISNs must be one of the values listed (separated by the pipe sign “|”). Finally, the Windows sequence index (SI) is below hex 1F4, decimal 500.
SYN|FIN|URG|PSH With TCP Options
T3(Resp=Y%DF=Y%W=2017|16D0|860|869F%ACK=S++%Flags=AS%Ops=M|MNWNNT)
14:06:16.683030 verbo.60839 > win98.netbios-ssn: SFP 1656491547:1656491547(0) win 2048 urg 0 <wscale 10,nop,mss 265,timestamp 1061109567 0,eol>
14:06:16.683555 win98.netbios-ssn > verbo.60839: S 1454135502:1454135502(0) ack 1656491548 win 8215 <mss 1460> (DF)
Response required = Yes, DF flag set = Yes, Window = 0x2017 (8215), ACK = 1656491548 (SYN + 1), Flags = ACK, SYN, TCP options = mss
Let’s examine one of the tests and see how it applies to traffic sent to a Windows 98 host. T3 is a SYN|FIN|URG|PSH packet with options to an open port. The scanner, verbo, sends a TCP segment with the SYN, FIN, URG, and PUSH flags set to destination port 139, which is listening. All of the following conditions must be met:
Resp=Y means that there has to be a response to this test in order to classify the operating system as Windows.
DF=Y means that the Don’t Fragment flag is set, which we see in the response.
W=2017|16D0|860|869F We have a choice of 4 different window size values (all in hexadecimal), separated by the pipe sign “|” to signify an “or”. The decimal window size of 8215 is the equivalent of hex 2017.
ACK=S++ The acknowledgement number must be 1 more than the initial sequence number sent by the scanner, verbo. We see that it is 1656491548, which is 1 more than the ISN of verbo.
Flags=AS Both the ACK and SYN flags have to be set.
Ops=M|MNWNNT The TCP options can either be a maximum segment size (mss) alone, which is what we have, or a combination of MSS, NOP, WindowScale, NOP, NOP, Timestamp in that exact order.
SYN to Closed Port With TCP Options
T5(DF=N%W=0%ACK=S++%Flags=AR%Ops=)
14:06:16.683436 verbo.60841 > win98.tcpmux: S 1656491547:1656491547(0) win 2048 <wscale 10,nop,mss 265,timestamp 1061109567 0,eol>
14:06:16.684189 win98.tcpmux > verbo.60841: R 0:0(0) ack 1656491548 win 0
No DF, Window = 0, ACK = S++, Flags = ACK and RESET, no TCP options
Let’s see another test to the Windows 98 host. T5 is a SYN to a closed port with options. The scanner, verbo, sends a TCP segment to closed destination port 1 on win98. Unlike the previous condition we examined, this one doesn’t require a response to classify this as a Windows host if all other required tests succeed.
DF=N The Don’t Fragment flag is not set on the response.
W=0 The response window size is 0.
ACK=S++ The acknowledgement number of 1656491548 is one more than the ISN set by verbo.
Flags=AR Both the ACK and Reset flags are set.
Ops= There are no TCP options on the response.
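As an added example that is not part of the course, the following Python parses fingerprint test lines like the T3 and T5 lines on the slides above and checks a decoded reply against them. The two replies are transcribed from the slides’ tcpdump output; the flag letter order and the option letters (M, N, W, T) are assumed from the nmap 2.x notation the slides use.

```python
import re

# Flag letter order nmap 2.x uses for the Flags attribute (ECN-bounce, URG, ACK, PSH,
# RST, SYN, FIN); assumed here from the "AS" and "AR" values on the slides.
FLAG_ORDER = "BUAPRSF"

ISN = 1656491547  # verbo's initial sequence number in the slide captures

# Replies transcribed from the slides' tcpdump output (constructed input for this
# example); "ops" uses nmap's letters: M = mss, N = nop, W = wscale, T = timestamp.
T3_REPLY = {"df": True, "win": 8215, "ack": 1656491548, "flags": "SA", "ops": "M"}
T5_REPLY = {"df": False, "win": 0, "ack": 1656491548, "flags": "RA", "ops": ""}

def parse_test(line):
    """Split 'T3(Resp=Y%DF=Y%W=2017|16D0...)' into (name, {attr: [alternatives]})."""
    m = re.fullmatch(r"(\w+)\((.*)\)", line.strip())
    if not m:
        raise ValueError("not a fingerprint test line: " + line)
    name, body = m.groups()
    conds = {}
    for cond in body.split("%"):          # '%' separates the conditions of one test
        attr, _, value = cond.partition("=")
        conds[attr] = value.split("|")    # '|' separates the acceptable alternatives
    return name, conds

def observed_values(reply, sent_seq):
    """Express a decoded reply (None = no reply) in the fingerprint vocabulary."""
    if reply is None:
        return {"Resp": "N"}
    if reply["ack"] == sent_seq + 1:
        ack = "S++"                       # acknowledges our ISN + 1
    elif reply["ack"] == sent_seq:
        ack = "S"                         # echoes our ISN unchanged
    else:
        ack = "O"                         # something else entirely
    return {"Resp": "Y",
            "DF": "Y" if reply["df"] else "N",
            "W": format(reply["win"], "X"),   # hex without leading zeros, as in the file
            "ACK": ack,
            "Flags": "".join(f for f in FLAG_ORDER if f in reply["flags"]),
            "Ops": reply["ops"]}

def matches(conds, obs):
    """True if the observed values satisfy every condition of one fingerprint test."""
    if obs["Resp"] == "N":
        return conds.get("Resp") != ["Y"]  # silence passes unless Resp=Y is required
    return all(obs.get(attr) in allowed
               for attr, allowed in conds.items() if attr != "Resp")
```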
UDP Packet to a Closed Port
PU(DF=N%TOS=0%IPLEN=38%RIPTL=148%RID=E%RIPCK=E%UCK=E%ULEN=134%DAT=E)
14:06:16.684016 verbo.60830 > win98.1: udp 300
4500 0148 b937 0000 3711 1122 ccf0 8f05
ccf0 8f65 ed9e 0001 0134 397c 6d6d 6d6d (more data)
14:06:16.684902 win98 > verbo: icmp: win98 udp port 1 unreachable
4500 0038 98a0 0000 8001 e9d8 ccf0 8f65
ccf0 8f05 0303 d4ac 0000 0000 <4500 0148
b937 0000 3711 1122 ccf0 8f05 ccf0 8f65
ed9e 0001 0134 397c>
[Slide annotation: arrows label the TOS, IPLEN, RIPTL, RID, RIPCK, ULEN and UCK fields in the hex dumps above; the angle brackets < > mark the embedded ICMP response, i.e. the original IP header and UDP header echoed back.]
And now let’s examine one final test to a Windows 98 host. This test checks a UDP packet to a closed port. In this case a packet is sent to win98 UDP destination port 1, which is not listening. This test is somewhat different from the ones we’ve seen before: it tests many fields of the ICMP message returned in response to the closed port probe. Many of the fields of interest are located in the embedded response that follows the ICMP header. This embedded portion contains the original IP header from the datagram that elicited this response (the UDP packet to port 1) and 8 bytes of UDP data (the UDP header). This test doesn’t require a response. The tests for the ICMP response are as follows:
DF=N Don’t Fragment flag not set; it is not.
TOS=0 Type of service is 0.
IPLEN=38 The IP datagram length is hex 38.
RIPTL=148 The returned IP datagram length is 0x148.
RID=E The returned IP identification number is the same as the one sent; it matches the 0xb937. The “E” flag means it matches; a flag of “F” would mean it does not.
RIPCK=E The returned IP checksum is the same as the one sent; both are 0x1122.
UCK=E The returned UDP checksum is the same as the one sent; both are 0x397c.
ULEN=134 The returned UDP length is 0x134, which it is.
DAT=E There is no UDP data in the embedded response.
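As an added example (not part of the course material), the following Python decodes the two hex dumps above, transcribed here as constructed input, and derives the PU attributes in the same notation as the fingerprint line; the DAT rule is simplified to “any quoted payload equals the start of the probe payload”.

```python
import struct

# Hex transcribed from the tcpdump -x output on the slide (constructed input for this
# example); the probe is cut after its first data bytes, as on the slide.
PROBE_HEX = ("4500 0148 b937 0000 3711 1122 ccf0 8f05 ccf0 8f65 "
             "ed9e 0001 0134 397c 6d6d 6d6d")
REPLY_HEX = ("4500 0038 98a0 0000 8001 e9d8 ccf0 8f65 ccf0 8f05 0303 d4ac 0000 0000 "
             "4500 0148 b937 0000 3711 1122 ccf0 8f05 ccf0 8f65 ed9e 0001 0134 397c")

def ip_header(buf):
    """Decode the fixed part of an IPv4 header; IP options are not needed here."""
    vihl, tos, tlen, ident, frag, ttl, proto, cksum = struct.unpack("!BBHHHBBH", buf[:12])
    return {"ihl": (vihl & 0x0F) * 4, "tos": tos, "len": tlen, "id": ident,
            "df": bool(frag & 0x4000), "ttl": ttl, "proto": proto, "cksum": cksum}

def udp_header(buf):
    sport, dport, ulen, ucksum = struct.unpack("!HHHH", buf[:8])
    return {"sport": sport, "dport": dport, "len": ulen, "cksum": ucksum}

def pu_test(probe_hex, reply_hex):
    """Derive the PU attributes from the UDP probe and the ICMP port unreachable reply."""
    probe, reply = bytes.fromhex(probe_hex), bytes.fromhex(reply_hex)
    outer = ip_header(reply)
    icmp = reply[outer["ihl"]:]
    if (outer["proto"], icmp[0], icmp[1]) != (1, 3, 3):   # proto 1, type 3, code 3
        raise ValueError("reply is not an ICMP port unreachable")
    inner = ip_header(icmp[8:])                   # quoted copy of the probe's IP header
    inner_udp = udp_header(icmp[8 + inner["ihl"]:])
    quoted_data = icmp[8 + inner["ihl"] + 8:]     # any probe payload the stack echoed
    sent = ip_header(probe)
    sent_udp = udp_header(probe[sent["ihl"]:])
    sent_data = probe[sent["ihl"] + 8:]
    def same(a, b):                               # E = echoed unchanged, F = differs
        return "E" if a == b else "F"
    return {"DF": "Y" if outer["df"] else "N",
            "TOS": format(outer["tos"], "X"),
            "IPLEN": format(outer["len"], "X"),
            "RIPTL": format(inner["len"], "X"),
            "RID": same(inner["id"], sent["id"]),
            "RIPCK": same(inner["cksum"], sent["cksum"]),
            "UCK": same(inner_udp["cksum"], sent_udp["cksum"]),
            "ULEN": format(inner_udp["len"], "X"),
            "DAT": same(quoted_data, sent_data[:len(quoted_data)])}

def pu_line(attrs):
    """Render the attributes in nmap-os-fingerprints notation."""
    return "PU(" + "%".join(f"{k}={v}" for k, v in attrs.items()) + ")"
```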
