Monday, May 31, 2010

Introduction to Packet Analysis

I just finished up a presentation to some of my colleagues titled IP Packet Analysis. Overall, it went very well, and I'm happy with what I presented. It was pretty technical, but everyone seemed to grasp the concepts.
Packet analysis, in a nutshell, is figuring out what data a packet of information contains. At its most basic, a chunk of information on an Ethernet network is called a frame. The most common form is the Ethernet II frame. Wikipedia has an excellent article on Ethernet here; the portion on frames is here.
Contained in this frame are a header and a footer. These are fields that carry the information networked devices need to transmit the data correctly. The header has three fields: the destination MAC address, the source MAC address, and the EtherType (which identifies the protocol carried in the data field). The MAC address of a device is its hardware address, generally burned into the NIC but changeable on some devices and operating systems. The footer is a Cyclic Redundancy Check (CRC) field, which lets the receiver detect whether the frame was corrupted in transit. It is important to note that the Ethernet frame operates at Layer 2; MAC addresses are used by Layer 2 devices (such as most switches).
Stripping away the header and footer of the Ethernet frame leaves us with the data field. Contained in the data field is another chunk of information; in the IP protocol, it is called a packet. Other protocols you will encounter here include ARP (Address Resolution Protocol), OSPF (Open Shortest Path First, a routing protocol), RIP (Routing Information Protocol) and IPsec (encrypted traffic).
The IP protocol uses IP addresses for routing and delivery; it is a Layer 3 protocol. Its header includes fields such as the destination IP, the source IP, the header checksum and the protocol field, which identifies the next protocol embedded in the packet. Following the header is a data field, which contains yet further headers, all dependent on the protocol in use.
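To make the layering above concrete, here is an added example (my own illustration, not code from the original post) that walks the fields in the order a dissector would: it splits the 14-byte Ethernet II header from its payload, checks the EtherType, then parses the IPv4 header and verifies the header checksum. The MAC addresses, IP addresses and frame bytes are constructed for the example. The 4-byte CRC footer is not included because NICs normally strip it before a capture tool ever sees the frame.

```python
"""Parse an Ethernet II frame and the IPv4 packet it carries (standard library only)."""
import struct

ETHERTYPE_IPV4 = 0x0800  # EtherType value meaning "the data field holds an IPv4 packet"
ETHERTYPE_ARP = 0x0806   # EtherType value for ARP (not parsed here)
IP_PROTOCOLS = {1: "ICMP", 6: "TCP", 17: "UDP"}  # common values of the IP protocol field


def fmt_mac(raw: bytes) -> str:
    """Render six raw bytes as the familiar colon-separated MAC notation."""
    return ":".join(f"{b:02x}" for b in raw)


def fmt_ip(raw: bytes) -> str:
    """Render four raw bytes as dotted-decimal IPv4 notation."""
    return ".".join(str(b) for b in raw)


def parse_ethernet(frame: bytes) -> dict:
    """Split the 14-byte Ethernet II header (dst MAC, src MAC, EtherType) from its payload."""
    if len(frame) < 14:
        raise ValueError("frame shorter than the 14-byte Ethernet II header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    return {
        "dst_mac": fmt_mac(dst),
        "src_mac": fmt_mac(src),
        "ethertype": ethertype,
        "payload": frame[14:],  # the Layer 3 packet
    }


def ip_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum over the 16-bit words of the header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4(packet: bytes) -> dict:
    """Parse the fixed 20-byte IPv4 header, honour IHL, and verify the header checksum."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the 20-byte IPv4 header")
    (ver_ihl, tos, total_len, ident, flags_frag, ttl,
     proto, csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    version = ver_ihl >> 4
    ihl = (ver_ihl & 0x0F) * 4  # header length in bytes (options make it > 20)
    if version != 4:
        raise ValueError(f"not IPv4 (version field = {version})")
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("bad IHL or truncated header")
    header = packet[:ihl]
    return {
        "version": version,
        "header_len": ihl,
        "total_len": total_len,
        "ttl": ttl,
        "protocol": IP_PROTOCOLS.get(proto, str(proto)),
        "checksum": csum,
        # Summing the header with its checksum included must yield zero if intact.
        "checksum_ok": ip_checksum(header) == 0,
        "src_ip": fmt_ip(src),
        "dst_ip": fmt_ip(dst),
        "payload": packet[ihl:total_len],  # the Layer 4 segment (UDP here)
    }


def build_sample_frame() -> bytes:
    """Constructed sample: an Ethernet II frame carrying an IPv4/UDP packet (not a real capture)."""
    dst_mac = bytes.fromhex("001122334455")  # constructed address
    src_mac = bytes.fromhex("66778899aabb")  # constructed address
    udp_stub = bytes.fromhex("0035d4310008" "0000")  # 8 constructed bytes standing in for a UDP header
    src_ip = bytes([192, 168, 1, 10])
    dst_ip = bytes([10, 0, 0, 1])
    # Build the IPv4 header with checksum 0, compute the checksum, then patch it in.
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp_stub), 0x1234,
                         0x4000, 64, 17, 0, src_ip, dst_ip)
    csum = ip_checksum(header)
    header = header[:10] + struct.pack("!H", csum) + header[12:]
    return dst_mac + src_mac + struct.pack("!H", ETHERTYPE_IPV4) + header + udp_stub


if __name__ == "__main__":
    eth = parse_ethernet(build_sample_frame())
    print("Ethernet:", {k: v for k, v in eth.items() if k != "payload"})
    if eth["ethertype"] == ETHERTYPE_IPV4:
        ip = parse_ipv4(eth["payload"])
        print("IPv4:", {k: v for k, v in ip.items() if k != "payload"})
```

The checksum verification is the part worth noticing: a captured packet whose header checksum fails is either damaged or was crafted by something other than a normal IP stack, so a dissector should flag it rather than silently trusting the fields it just decoded.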
By design, this is a very brief overview. I will post more in-depth articles in the future.
