Notes: Packets & Frames | Pre Security | THM
- solbergtonje
- 23 dec. 2024
- 4 min read
What are Packets and Frames
- small pieces of data - formed together = larger piece of information or message
- 2 different things in the OSI Model:
- frame: layer 2 Data Link (no info such as IP addresses)
- encapsulation: once IP addresses are involved = packets
- encapsulation info stripped away = frame
Packets
- efficient: small pieces
- different structures dependent upon the type of packet being sent
- Internet Protocol:
- set of headers containing additional pieces of info about the data sent across the network:
- Time to Live: expiry timer so the packet does not clog up the network if it never reaches the host or escapes
- Checksum: integrity check for protocols like TCP/IP
- Source Address: IP adr of the device the packet is sent from - know where to return data
- Destination Address: IP adr of the destination the packet is sent to
TCP/IP (The Three-Way Handshake)
Transmission Control Protocol (TCP)
- rules in networking
- similar to the OSI Model - like a summarised version
- 4 layers
- Application
- Transport
- Internet
- Network Interface
- information is added at each layer as the piece of data traverses it = encapsulation (reverse = decapsulation)
- connection-based: must establish a connection between the client and a device acting as a server before data is sent = Three-way handshake; guarantees any data sent will be received on the other end
Advantages
- guarantee integrity of data
- can synchronize 2 devices to avoid being flooded with data in the wrong order
- reliability
Disadvantages
- requires a reliable connection between two devices - if a small chunk of data is not received, the entire chunk of data can't be used and must be re-sent
- a slow connection can bottleneck another device because of the constant connection
- slower than UDP
TCP packets contain various sections of information = headers
Headers are added during encapsulation
Headers
Source Port: port opened by the sender to send the TCP packet from. Value chosen randomly from unused ports between 0 and 65535
Destination Port: port number the application/service is running on at the remote host (receiving endpoint), e.g. a webserver on port 80. This is not chosen randomly!
Source IP: IP adr of the device sending the packet
Destination IP: IP adr of the destination device
Sequence Number: when a connection occurs, the first piece of data transmitted is given a random number
Acknowledgement Number: after data has been given a sequence number, the next piece of data will have sequence number + 1
Checksum (TCP integrity): a mathematical calculation is made and the output is remembered - if the result differs when the receiving device performs the calculation, the data is corrupt
Data: the bytes of the file being transmitted are stored in this header
Flag: determines how the packet should be handled by either device during the handshake process
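A worked example, added here and not part of the original notes: packing the 20-byte TCP header described above with Python's struct module and computing the checksum the way TCP actually does it (RFC 1071 ones'-complement sum over an IPv4 pseudo-header of the two addresses plus the segment), then showing the receiver's integrity check fail once a single bit is corrupted in transit. The addresses and ports are constructed sample values.

```python
import socket
import struct

def internet_checksum(data: bytes) -> int:
    """RFC 1071 checksum: ones'-complement of the ones'-complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"                      # pad odd-length input with a zero byte
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def pseudo_header(src_ip: str, dst_ip: str, tcp_length: int) -> bytes:
    """IPv4 pseudo-header covered by the TCP checksum: addresses, protocol 6, segment length."""
    return struct.pack("!4s4sBBH", socket.inet_aton(src_ip), socket.inet_aton(dst_ip),
                       0, socket.IPPROTO_TCP, tcp_length)

def build_tcp_segment(src_ip, dst_ip, src_port, dst_port, seq, ack, flags, payload=b""):
    """Header fields in wire order: ports, sequence, acknowledgement, data offset,
    flags, window, checksum (filled in below), urgent pointer."""
    data_offset = 5 << 4                     # 5 x 32-bit words: no TCP options
    header = struct.pack("!HHIIBBHHH", src_port, dst_port, seq, ack,
                         data_offset, flags, 65535, 0, 0)
    csum = internet_checksum(pseudo_header(src_ip, dst_ip, len(header) + len(payload))
                             + header + payload)
    header = header[:16] + struct.pack("!H", csum) + header[18:]
    return header + payload

def tcp_checksum_ok(src_ip, dst_ip, segment: bytes) -> bool:
    """Receiver side: re-run the sum over the same data; a valid segment folds to zero."""
    return internet_checksum(pseudo_header(src_ip, dst_ip, len(segment)) + segment) == 0

def flip_bit(segment: bytes, byte_index: int, bit: int) -> bytes:
    """Simulate corruption in transit by flipping one bit of the segment."""
    corrupted = bytearray(segment)
    corrupted[byte_index] ^= 1 << bit
    return bytes(corrupted)

if __name__ == "__main__":
    # constructed sample: client 10.0.0.5 port 40000 sends a SYN (flag 0x02) to a web server
    syn = build_tcp_segment("10.0.0.5", "10.0.0.80", 40000, 80, 0, 0, 0x02)
    print(tcp_checksum_ok("10.0.0.5", "10.0.0.80", syn))                   # True
    print(tcp_checksum_ok("10.0.0.5", "10.0.0.80", flip_bit(syn, 13, 4)))  # False
```

The checksum only detects accidental corruption; it is not a cryptographic integrity check, so it offers no protection against a deliberately modified segment.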
Three-way handshake
- the term given for the process used to establish a connection between two devices
- communicate with a few special messages:
Step 1: SYN
- initial packet sent by a client during the handshake
- initiate a connection and synchronise two devices together
Step 2: SYN/ACK
- packet sent by receiving device to acknowledge the synchronisation
Step 3: ACK
- packet can be sent by either client or server to acknowledge that a series of messages/packets has been successfully received
Step 4: DATA
- when the connection is established, data (like the bytes of a file) is sent via the DATA message
Step 5: FIN
- packet sent to properly/cleanly close the connection after completion
Step #: RST
- packet that abruptly ends all communication
- last resort, indicates a problem during the process
Sent data is given a random sequence number and is reconstructed by receiving that number and incrementing it by 1 (sender/receiver must agree on the same number sequence for data to be sent in the correct order):
1. SYN
Client: Here's my Initial Sequence Number (ISN) to SYNchronise with (0)
2. SYN/ACK
Server: Here's my Initial Sequence Number (ISN) to SYNchronise with (5,000), and I ACKnowledge your Initial Number Sequence (0)
3. ACK
Client: I ACKnowledge your Initial Sequence Number (ISN) of (5000), here is some data that is my ISN+1 (0+1)
TCP Closing a Connection
- will close the connection when a device has determined the other device has successfully received all data
- best practice to close TCP connections as soon as possible because an open connection reserves system resources on the device
- to initiate the close: the device sends a FIN packet - the other device responds with ACK and then sends FIN - the device initiating the closure responds with ACK to close the connection
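A worked example, added here and not part of the original notes, that models both the three-way handshake above and the FIN/ACK close: two endpoints track the sequence number they will send next and the one they expect next, and a receiver rejects a segment whose number is not the expected one (the "agree on the same number sequence" rule). The ISNs 0 and 5000 are the notes' values (real stacks pick them randomly); note that a SYN consumes one sequence number, so the client's final ACK acknowledges 5001, not 5000, and its first data byte is indeed ISN+1.

```python
from dataclasses import dataclass

SYN, ACK, FIN = "SYN", "ACK", "FIN"

@dataclass
class Endpoint:
    name: str
    isn: int                  # Initial Sequence Number this side picked (random in real TCP)
    seq: int = 0              # next sequence number this side will send
    ack: int = 0              # next sequence number this side expects from its peer
    state: str = "CLOSED"

    def __post_init__(self):
        self.seq = self.isn

@dataclass
class Segment:
    sender: str
    flags: tuple
    seq: int
    ack: int
    payload: bytes = b""

def send(src: Endpoint, dst: Endpoint, flags: tuple, payload: bytes = b"") -> Segment:
    """Deliver one segment. SYN and FIN each consume one sequence number, as does
    every payload byte; the receiver only accepts the number it is expecting next."""
    seg = Segment(src.name, flags, src.seq, src.ack if ACK in flags else 0, payload)
    consumed = len(payload) + (SYN in flags) + (FIN in flags)
    if SYN not in flags and seg.seq != dst.ack:
        raise ValueError(f"{dst.name} expected seq {dst.ack}, got {seg.seq} (out of order)")
    src.seq += consumed
    dst.ack = seg.seq + consumed
    return seg

def three_way_handshake(client: Endpoint, server: Endpoint) -> list:
    trace = [send(client, server, (SYN,))]            # 1. SYN: here is my ISN
    client.state, server.state = "SYN_SENT", "SYN_RECEIVED"
    trace.append(send(server, client, (SYN, ACK)))    # 2. SYN/ACK: my ISN, and I ACK yours
    trace.append(send(client, server, (ACK,)))        # 3. ACK: I acknowledge your ISN
    client.state = server.state = "ESTABLISHED"       #    DATA now rides on ACK segments
    return trace

def close_connection(initiator: Endpoint, peer: Endpoint) -> list:
    trace = [send(initiator, peer, (FIN, ACK))]       # FIN from the side closing first
    trace.append(send(peer, initiator, (ACK,)))       # peer acknowledges the FIN ...
    trace.append(send(peer, initiator, (FIN, ACK)))   # ... then sends its own FIN
    trace.append(send(initiator, peer, (ACK,)))       # initiator acknowledges: closed
    initiator.state = peer.state = "CLOSED"
    return trace
```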
UDP/IP
User Datagram Protocol (UDP)
- stateless protocol (no acknowledgement is sent)
- doesn't require a constant connection
- used where applications can tolerate data loss (video streaming, voice chat)
- fewer headers than TCP
Advantages
- faster than TCP
- leaves it to the application (user software) to decide whether it needs any control over the speed at which packets are sent
- doesn't reserve a continuous connection
Disadvantages
- doesn't care about data loss
- flexible for software developers (they must handle reliability themselves)
- unstable connections = terrible user experience
- no data integrity
Standard Headers
Time to Live (TTL): expiry timer for the packet, to avoid clogging the network if it never reaches its destination or escapes
Source Address: IP adr of the sending device, to know where to return data
Destination Address: IP adr of the receiving device
Source Port: value of the port opened by the sender, randomly chosen from unused ports between 0 and 65535
Destination Port: a certain port number for the application/service running on the destination device, e.g. a webserver on port 80
Data: this header stores the bytes of the file being transmitted
UDP Connection (diagram): request sent, then response sent, response sent, response sent - no handshake and no acknowledgement in between
Ports
Networking devices use ports to enforce strict rules when communicating with one another
When a connection is established, any data sent/received will be sent through these ports.
Ports are numerical values between 0 and 65535
Common Ports: 0-1024
All common ports: http://www.vmaxx.net/techinfo/ports.htm
Port 21: File Transfer Protocol (FTP)
Port 22: Secure Shell (SSH)
Port 80: HyperText Transfer Protocol (HTTP)
Port 443: HyperText Transfer Protocol Secure (HTTPS)
Port 445: Server Message Block (SMB) (file share + device share (printers))
Port 3389: Remote Desktop Protocol (RDP)
Applications can be administered on other ports than the standard ones, e.g. running a webserver on port 8080 instead of the standard port 80. A colon (:) followed by the port number will then need to be provided with the address