Quick Overview of TCP/IP Protocol Header Structures
Ethernet Frame
Size in octets:      8          6         6        2          64 to 1500          4
                +----------+---------+---------+-------+-----------------------+-----+
                | Preamble |  Dest.  | Source  | Frame |        Frame          | CRC |
                |          | Address | Address | Type  |        Data           |     |
                +----------+---------+---------+-------+-----------------------+-----+
The Preamble is 64 bits of alternating 0-1-0-1-0-1... with the last two bits ...-1-1, so the receiver can synchronize to the incoming frame.
The Destination and Source Addresses are 6-octet strings: the first three octets identify the manufacturer and the remaining three make the address unique to that device.
Frame Type indicates what's inside, see /etc/ethertypes for a list. Common values are:
  0x0800 = IPv4
  0x0806 = ARP
  0x8100 = 802.1q
  0x86dd = IPv6
  0x8847 = MPLS
  0x8906 = FCoE, Fibre Channel over Ethernet
Historic values include:
  0x0805 = X.25
  0x0bad = Banyan VINES
  0x809b = Appletalk
  0x8137 = IPX
  0x8191 = NetBEUI
See the authoritative list at IANA for more.
ARP — Address Resolution Protocol
Full details: RFC 826.
               Ethernet header                       28-octet ARP request/reply
           /-----------+----------\ /---------------------------+------------------------------\
width in   |                      |                                                           |
octets:    |    6           6      | 2   2   2  1 1  2       6         4         6         4   |
           +-----------+-----------+---+---+---+-+-+---+-----------+-------+-----------+-------+
           | Ethernet  | Ethernet  |   |   |   |H|P|   |  Sender   | Sender|  Target   |Target |
           |destination|  source   |FT |HT |PT |S|S|OP | Ethernet  |  IP   | Ethernet  |  IP   |
           |  address  |  address  |   |   |   | | |   |  Address  |Address|  Address  |Address|
           +-----------+-----------+---+---+---+-+-+---+-----------+-------+-----------+-------+
                                     ^   ^   ^  ^ ^  ^
                                     |   |   |  | |  |
                                     |   |   |  | |  +-- Operation:
                                     |   |   |  | |       1 = ARP request, 2 = ARP reply
                                     |   |   |  | |       3 = RARP request, 4 = RARP reply
                                     |   |   |  | |
                                     |   |   |  | +-- Protocol Size, number of octets
                                     |   |   |  |     in the requested network address.
                                     |   |   |  |     IP has 4-octet addresses, so 0x04.
                                     |   |   |  |
                                     |   |   |  +-- Hardware Size, number of octets in
                                     |   |   |      the specified hardware address.
                                     |   |   |      Ethernet has 6-octet addresses, so 0x06.
                                     |   |   |
                                     |   |   +-- Protocol Type, 0x0800 = IP.
                                     |   |
                                     |   +-- Hardware Type, Ethernet = 0x0001.
                                     |
                                     +-- Frame Type, 0x0806 = ARP Request or ARP Reply.
                                         This answers "What's inside?" for the
                                         encapsulated data within the Ethernet frame
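The two layouts above, decoded in code. This is an added example, not code from the original page: it splits a frame into the 14-octet Ethernet header and the 28-octet ARP body with struct, checks the HT/PT/HS/PS binding before trusting the address lengths, and flags the case where the sender hardware address inside ARP disagrees with the Ethernet source address, which is one of the first things an ARP monitor logs. The frame bytes, MAC addresses and IP addresses are constructed for the example.

```python
"""Decode an Ethernet frame carrying ARP (Frame Type 0x0806).

Added example, not from the original page.  The sample frame below is
constructed; its addresses are made up.
"""
import struct

# Frame Type values from the list above.
ETHERTYPES = {0x0800: "IPv4", 0x0806: "ARP", 0x8100: "802.1q", 0x86DD: "IPv6",
              0x8847: "MPLS", 0x8906: "FCoE"}
ARP_OPERATIONS = {1: "ARP request", 2: "ARP reply", 3: "RARP request", 4: "RARP reply"}


def mac_str(b):
    """6-octet hardware address as colon-separated hex."""
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b):
    """4-octet IPv4 address in dotted decimal."""
    return ".".join(str(x) for x in b)


def parse_ethernet(frame):
    """Split a frame as a NIC delivers it (no preamble, no CRC) into header and payload."""
    if len(frame) < 14:
        raise ValueError("frame shorter than the 14-octet Ethernet header")
    dst, src, ftype = struct.unpack("!6s6sH", frame[:14])
    return {"dst": mac_str(dst), "src": mac_str(src), "type": ftype,
            "type_name": ETHERTYPES.get(ftype, "unknown")}, frame[14:]


def parse_arp(payload):
    """Decode the 28-octet ARP body for the Ethernet/IPv4 binding (HS=6, PS=4)."""
    if len(payload) < 8:
        raise ValueError("ARP payload shorter than its fixed 8-octet prefix")
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", payload[:8])
    # Check the binding before using HS/PS to slice addresses out of the payload.
    if (htype, ptype, hlen, plen) != (0x0001, 0x0800, 6, 4):
        raise ValueError(f"unsupported binding HT={htype:#06x} PT={ptype:#06x} HS={hlen} PS={plen}")
    if len(payload) < 8 + 2 * (hlen + plen):
        raise ValueError("ARP payload truncated")
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", payload[8:28])
    return {"operation": oper, "operation_name": ARP_OPERATIONS.get(oper, "unknown"),
            "sender_mac": mac_str(sha), "sender_ip": ip_str(spa),
            "target_mac": mac_str(tha), "target_ip": ip_str(tpa)}


def decode_arp_frame(frame):
    """Full decode plus a consistency check: the Sender Ethernet Address inside ARP
    normally equals the Ethernet source address; a mismatch is worth logging."""
    eth, payload = parse_ethernet(frame)
    if eth["type"] != 0x0806:
        raise ValueError(f"not ARP: Frame Type is {eth['type']:#06x} ({eth['type_name']})")
    arp = parse_arp(payload)
    arp["sender_matches_ethernet_src"] = arp["sender_mac"] == eth["src"]
    return eth, arp


# Constructed sample: "who has 192.0.2.1? tell 192.0.2.77" from 02:00:00:00:00:77.
SAMPLE_FRAME = (
    bytes.fromhex("ffffffffffff")                       # broadcast destination
    + bytes.fromhex("020000000077")                     # Ethernet source address
    + b"\x08\x06"                                       # Frame Type = ARP
    + b"\x00\x01\x08\x00\x06\x04\x00\x01"               # HT=Ethernet PT=IP HS=6 PS=4 OP=request
    + bytes.fromhex("020000000077") + bytes([192, 0, 2, 77])   # sender MAC / IP
    + bytes.fromhex("000000000000") + bytes([192, 0, 2, 1])    # target MAC (unknown) / IP
)

if __name__ == "__main__":
    eth, arp = decode_arp_frame(SAMPLE_FRAME)
    print(eth)
    for k, v in arp.items():
        print(f"{k:>28}: {v}")
```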
IP / IPv4 — Internet Protocol, version 4
Full details: RFC 791, updated by RFC 1349.
    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |Version|  IHL  |Type of Service|          Total Length         |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |         Identification        |Flags|      Fragment Offset    |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |  Time to Live |    Protocol   |         Header Checksum       |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                       Source Address                          |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                    Destination Address                        |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                    Options                    |    Padding    |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Type of service
If using "classic" TOS, use and interpret the TOS field as "PreDTRCx", where:
  Pre = Precedence = 000 through 111 (with DOD interpretations if desired)
  D   = Delay (1 = minimize delay)
  T   = Throughput (1 = maximize throughput)
  R   = Reliability (1 = maximize reliability)
  C   = Cost (1 = minimize cost)
  x   = reserved, set to "0"
If using Differentiated Services (DiffServ), use and interpret as "000000xy", where:
  x: "1" = "ECN capable"
  y: "1" = "congestion experienced"
Flags:
Three bits, use and interpret as "0DM", where:
  0 = Use a "0" here!
  D = Don't Fragment
  M = More Fragments
Protocol: See /etc/protocols for a list, common ones are:
  0x01 =   1 = ICMP
  0x02 =   2 = IGMP
  0x06 =   6 = TCP
  0x11 =  17 = UDP
  0x32 =  50 = IPsec ESP
  0x33 =  51 = IPsec AH
  0x59 =  89 = OSPF
  0x73 = 115 = L2TP
IANA maintains the authoritative complete list.
Note that 0x41 or decimal 65 means IPv6, referring to IPv6 encapsulated within IPv4 or IPv6. IPv6-in-IPv4 could be used to tunnel IPv6 across an IPv4 Internet between two IPv6 enclaves. The U.S. DoD STIG requires using nftables (or iptables on legacy systems) to block encapsulated IPv6, which they over-simplify to "block protocol 41 (IPv6)", misleading people to mistakenly conclude that blocking IPv6 is both necessary and sufficient.
IP / IPv6 — Internet Protocol, version 6
The IPv6 header is simpler but larger than the IPv4 header. Simpler to speed processing, larger to accommodate the 128-bit addresses.
Full details: RFC 2460.
    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |Version| Traffic Class |           Flow Label                  |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |         Payload Length        |  Next Header  |   Hop Limit   |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                                                               |
   |                            Source                             |
   |                            Address                            |
   |                                                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                                                               |
   |                          Destination                          |
   |                            Address                            |
   |                                                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
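The IPv4 and IPv6 headers above, parsed by one dispatcher keyed on the shared Version nibble. This is an added example, not code from the original page. For IPv4 it verifies the Header Checksum (the header must sum to zero under the ones' complement rule), reads the Type of Service byte both ways described above (classic PreDTRCx and DiffServ DSCP/ECN), decodes Flags and Fragment Offset, and names the Protocol; the sample it decodes is an IPv6 packet carried inside IPv4 with protocol 41, the encapsulation the STIG discussion above is about. For IPv6 it shows how much simpler the fixed header is to parse. All addresses are constructed from documentation ranges; the build_ipv4 helper exists only to produce a sample with a correct checksum.

```python
"""Parse IPv4 and IPv6 fixed headers.  Added example, not from the original page;
sample packets are constructed below."""
import struct

# Protocol / Next Header values from the list above, plus 41 for IPv6 encapsulation.
PROTOCOLS = {1: "ICMP", 2: "IGMP", 6: "TCP", 17: "UDP", 41: "IPv6 encapsulation",
             50: "IPsec ESP", 51: "IPsec AH", 89: "OSPF", 115: "L2TP"}


def ones_complement_sum(data):
    """RFC 1071 checksum: ones' complement of the 16-bit ones' complement sum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def decode_tos(tos):
    """Both readings of the 8-bit field: classic 'PreDTRCx' and DiffServ DSCP/ECN."""
    return {"precedence": tos >> 5, "D": (tos >> 4) & 1, "T": (tos >> 3) & 1,
            "R": (tos >> 2) & 1, "C": (tos >> 1) & 1,
            "dscp": tos >> 2, "ecn": tos & 0b11}


def parse_ipv4(pkt):
    if len(pkt) < 20:
        raise ValueError("shorter than the minimum 20-octet IPv4 header")
    vihl, tos, total_len, ident, frag, ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    version, ihl = vihl >> 4, (vihl & 0x0F) * 4
    if version != 4:
        raise ValueError(f"version nibble is {version}, not 4")
    if ihl < 20 or ihl > len(pkt):
        raise ValueError(f"IHL claims {ihl} octets of header, packet has {len(pkt)}")
    if total_len < ihl:
        raise ValueError("Total Length smaller than the header length")
    flags = frag >> 13
    return {"version": 4, "header_len": ihl, "tos": decode_tos(tos), "total_len": total_len,
            "id": ident,
            "flags": {"reserved": flags >> 2, "DF": (flags >> 1) & 1, "MF": flags & 1},
            "frag_offset": (frag & 0x1FFF) * 8, "ttl": ttl,
            "protocol": proto, "protocol_name": PROTOCOLS.get(proto, "other"),
            # An intact header, checksum included, sums to zero.
            "checksum_ok": ones_complement_sum(pkt[:ihl]) == 0,
            "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
            "payload": pkt[ihl:total_len]}


def parse_ipv6(pkt):
    if len(pkt) < 40:
        raise ValueError("shorter than the fixed 40-octet IPv6 header")
    vtcfl, plen, nxt, hlim, src, dst = struct.unpack("!IHBB16s16s", pkt[:40])
    if vtcfl >> 28 != 6:
        raise ValueError(f"version nibble is {vtcfl >> 28}, not 6")
    return {"version": 6, "traffic_class": (vtcfl >> 20) & 0xFF, "flow_label": vtcfl & 0xFFFFF,
            "payload_len": plen, "next_header": nxt, "next_header_name": PROTOCOLS.get(nxt, "other"),
            "hop_limit": hlim, "src": src.hex(":", 2), "dst": dst.hex(":", 2),
            "payload": pkt[40:40 + plen]}


def parse_ip(pkt):
    """Dispatch on the Version nibble that both headers share."""
    return parse_ipv4(pkt) if pkt[0] >> 4 == 4 else parse_ipv6(pkt)


def build_ipv4(src, dst, proto, payload, tos=0, df=True):
    """Construct a 20-octet IPv4 header with a correct checksum (for the samples only)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + len(payload), 0x1234,
                      0x4000 if df else 0, 64, proto, 0, bytes(src), bytes(dst))
    return hdr[:10] + struct.pack("!H", ones_complement_sum(hdr)) + hdr[12:] + payload


# Constructed samples (documentation address ranges).
IPV6_SAMPLE = struct.pack("!IHBB16s16s", (6 << 28) | 0xABCDE, 4, 59, 64,
                          bytes.fromhex("20010db8000000000000000000000001"),
                          bytes.fromhex("20010db8000000000000000000000002")) + b"\xde\xad\xbe\xef"
# The IPv6 packet tunnelled inside IPv4: protocol 41, precedence 5 (DSCP 40), DF set.
SIX_IN_FOUR = build_ipv4([192, 0, 2, 10], [198, 51, 100, 20], 41, IPV6_SAMPLE, tos=0b10100000)

if __name__ == "__main__":
    outer = parse_ip(SIX_IN_FOUR)
    print({k: v for k, v in outer.items() if k != "payload"})
    print({k: v for k, v in parse_ip(outer["payload"]).items() if k != "payload"})
```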
ICMP — Internet Control Message Protocol
Full details: RFC 792.
    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Type      |     Code      |          Checksum             |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                             unused                            |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |      Internet Header + 64 bits of Original Data Datagram      |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Type, some of which use Code:
 0 = Echo reply
 3 = Destination unreachable
     Code  0  Net unreachable
           1  Host unreachable
           2  Protocol unreachable
           3  Port unreachable
           4  Fragmentation needed but DF set
           5  Source route failed
           6  Destination network unknown
           7  Destination host unknown
           8  Source host isolated
           9  Network administratively prohibited
          10  Host administratively prohibited
          11  Network unreachable for requested TOS
          12  Host unreachable for requested TOS
          13  Communication administratively prohibited
 4 = Source quench
 5 = Redirect
     Code  0  Redirect datagram for the network
           1  Redirect datagram for the host
           2  Redirect datagram for the TOS and network
           3  Redirect datagram for the TOS and host
 8 = Echo request
 9 = Router advertisement
10 = Router selection
11 = Time exceeded
     Code  0  Time to live exceeded in transit
           1  Fragment reassembly time exceeded
12 = Parameter problem
     Code  0  Pointer indicates the error
           1  Missing a required option
           2  Bad length
13 = Timestamp
14 = Timestamp reply
15 = Information request
16 = Information reply
17 = Address mask request
18 = Address mask reply
30 = Traceroute (probably just Microsoft hosts, traceroute should be done via UDP)
ICMPv6 — Internet Control Message Protocol for IPv6
Full details: RFC 4443.
    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Type      |     Code      |          Checksum             |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |      Internet Header + 64 bits of Original Data Datagram      |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Type
ICMPv6 error messages:
    1  Destination Unreachable
    2  Packet Too Big
    3  Time Exceeded
    4  Parameter Problem
  100  Private experimentation
  101  Private experimentation
  127  Reserved for expansion
ICMPv6 informational messages:
  128  Echo Request
  129  Echo Reply
  130  Multicast Listener Query
  131  Multicast Listener Report
  132  Multicast Listener Done
  133  Router Solicitation (NDP)
  134  Router Advertisement (NDP)
  135  Neighbor Solicitation (NDP)
  136  Neighbor Advertisement (NDP)
  137  Redirect Message (NDP)
  138  Router Renumbering
  139  ICMP Node Information Query
  140  ICMP Node Information Response
  141  Inverse Neighbor Discovery Solicitation Message (NDP)
  142  Inverse Neighbor Discovery Advertisement Message (NDP)
  143  Version 2 Multicast Listener Report
  144  Home Agent Address Discovery Request Message
  145  Home Agent Address Discovery Reply Message
  146  Mobile Prefix Solicitation
  147  Mobile Prefix Advertisement
  148  Certification Path Solicitation (SEND)
  149  Certification Path Advertisement (SEND)
  150  used by experimental mobility protocols such as Seamoby
  151  Multicast Router Advertisement (MRD)
  152  Multicast Router Solicitation (MRD)
  153  Multicast Router Termination (MRD)
  154  FMIPv6 Messages
  155  RPL Control Message
  200  Private experimentation
  201  Private experimentation
  255  Reserved for expansion
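The ICMP and ICMPv6 layouts and type tables above, put to work. This is an added example, not code from the original page. It verifies the ICMP checksum over the whole message, names Type and Code from the tables above, and for the error types whose body is "Internet Header + 64 bits of Original Data Datagram" digs into the quoted header to recover the protocol and, for TCP and UDP, the ports of the datagram that provoked the error, which is what an analyst wants from a Destination unreachable seen in a capture. For ICMPv6 it decodes Type and Code and applies the RFC 4443 rule that the high bit of Type separates error messages (0-127) from informational ones (128-255); its checksum covers an IPv6 pseudo-header and is not verified here. The sample messages are constructed; the build_icmp helper exists only to give them a correct checksum.

```python
"""Decode ICMP and ICMPv6 messages.  Added example, not from the original page;
all messages below are constructed."""
import struct

ICMP_TYPES = {0: "Echo reply", 3: "Destination unreachable", 4: "Source quench", 5: "Redirect",
              8: "Echo request", 9: "Router advertisement", 10: "Router selection",
              11: "Time exceeded", 12: "Parameter problem", 13: "Timestamp", 14: "Timestamp reply",
              15: "Information request", 16: "Information reply", 17: "Address mask request",
              18: "Address mask reply", 30: "Traceroute"}
ICMP_CODES = {
    3: {0: "Net unreachable", 1: "Host unreachable", 2: "Protocol unreachable",
        3: "Port unreachable", 4: "Fragmentation needed but DF set", 5: "Source route failed",
        9: "Network administratively prohibited", 10: "Host administratively prohibited",
        13: "Communication administratively prohibited"},
    5: {0: "Redirect datagram for the network", 1: "Redirect datagram for the host"},
    11: {0: "Time to live exceeded in transit", 1: "Fragment reassembly time exceeded"},
    12: {0: "Pointer indicates the error", 1: "Missing a required option", 2: "Bad length"},
}
QUOTING_TYPES = {3, 4, 5, 11, 12}   # body carries the original header + 64 bits of data
ICMPV6_TYPES = {1: "Destination Unreachable", 2: "Packet Too Big", 3: "Time Exceeded",
                4: "Parameter Problem", 128: "Echo Request", 129: "Echo Reply",
                133: "Router Solicitation (NDP)", 134: "Router Advertisement (NDP)",
                135: "Neighbor Solicitation (NDP)", 136: "Neighbor Advertisement (NDP)",
                137: "Redirect Message (NDP)"}


def icmp_checksum(msg):
    """Ones' complement checksum over the whole ICMP message (same rule as the IP header)."""
    if len(msg) % 2:
        msg += b"\x00"
    total = sum(struct.unpack(f"!{len(msg) // 2}H", msg))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_quoted_datagram(quoted):
    """The quoted IP header plus the first 64 bits of its payload: enough to recover
    the TCP/UDP ports of the datagram that triggered the error."""
    if len(quoted) < 20:
        raise ValueError("quoted datagram too short for an IP header")
    ihl, proto = (quoted[0] & 0x0F) * 4, quoted[9]
    out = {"protocol": proto, "src": ".".join(map(str, quoted[12:16])),
           "dst": ".".join(map(str, quoted[16:20]))}
    first8 = quoted[ihl:ihl + 8]
    if proto in (6, 17) and len(first8) >= 4:       # TCP and UDP both begin with the two ports
        out["src_port"], out["dst_port"] = struct.unpack("!HH", first8[:4])
    return out


def parse_icmp(msg):
    if len(msg) < 8:
        raise ValueError("ICMP message shorter than its 8-octet header")
    typ, code, _csum = struct.unpack("!BBH", msg[:4])
    out = {"type": typ, "type_name": ICMP_TYPES.get(typ, "unknown"), "code": code,
           "code_name": ICMP_CODES.get(typ, {}).get(code, ""),
           "checksum_ok": icmp_checksum(msg) == 0}
    if typ in QUOTING_TYPES:
        out["original"] = parse_quoted_datagram(msg[8:])
    return out


def parse_icmpv6(msg):
    """Same 4-octet prefix; Type < 128 is an error message, >= 128 informational."""
    if len(msg) < 4:
        raise ValueError("ICMPv6 message shorter than Type/Code/Checksum")
    typ, code, _csum = struct.unpack("!BBH", msg[:4])
    return {"type": typ, "type_name": ICMPV6_TYPES.get(typ, "unknown"), "code": code,
            "class": "error" if typ < 128 else "informational"}


def build_icmp(typ, code, body):
    """Assemble a message with a correct checksum (used for the samples)."""
    csum = icmp_checksum(struct.pack("!BBHI", typ, code, 0, 0) + body)
    return struct.pack("!BBHI", typ, code, csum, 0) + body


# Constructed: a router reports Port unreachable for UDP 192.0.2.7:40000 -> 198.51.100.9:53.
QUOTED = (bytes.fromhex("4500003c1c4640004011") + b"\x00\x00"     # IPv4 header, proto 17
          + bytes([192, 0, 2, 7]) + bytes([198, 51, 100, 9])
          + struct.pack("!HHHH", 40000, 53, 20, 0))                 # first 8 octets of UDP
PORT_UNREACHABLE = build_icmp(3, 3, QUOTED)
NEIGHBOR_SOLICITATION = b"\x87\x00\x00\x00"                         # ICMPv6 Type 135, Code 0

if __name__ == "__main__":
    print(parse_icmp(PORT_UNREACHABLE))
    print(parse_icmpv6(NEIGHBOR_SOLICITATION))
```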
DNS — Domain Name System
Full details: RFC 1034 and RFC 1035 with many updates.
    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |         Identification        |            Flags              |  \
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+   |
   |      Number of questions      |     Number of answer RRs      |   +  12 bytes
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+   |
   |    Number of authority RRs    |   Number of additional RRs    |  /
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                                                               |  \
   /                           Questions                           /   |
   |                                                               |   |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+   |
   |                                                               |   |
   /        Answers (variable number of resource records)          /   |  These
   |                                                               |   |  fields
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+   +--are of
   |                                                               |   |  variable
   /       Authority (variable number of resource records)         /   |  length.
   |                                                               |   |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+   |
   |                                                               |   |
   /  Additional information (variable number of resource records) /   |
   |                                                               |  /
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Flags are a 16-bit field:
                          1 1 1 1 1 1
      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     | |       | | | | |     |       |  <-- 4-bit return code:
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+        0000 = no error
      ^    ^    ^ ^ ^ ^   ^                   0011 = name error
      |    |    | | | |   |
      |    |    | | | |   +-- 3-bit field that must contain 000.
      |    |    | | | |
      |    |    | | | +-- RA, 1-bit field for "Recursion Available". Set
      |    |    | | |     in the response if the server supports recursion.
      |    |    | | |
      |    |    | | +-- RD, 1-bit field for "Recursion Desired".
      |    |    | |     Set in the query, returned in the response.
      |    |    | |
      |    |    | +-- TC, set to 1 in the response if the answer
      |    |    |     was truncated to 512 bytes.
      |    |    |
      |    |    +-- AA, 1-bit flag meaning "Authoritative Answer"
      |    |        if set to 1 in the response.
      |    |
      |    +-- opcode, 4-bit field: 0000 = standard query
      |                             0001 = inverse query
      |                             0010 = server status request
      |
      +-- QR, 1 bit field for Query (0) versus Response (1).
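The 12-byte header and the Flags bits above, parsed in code, together with the Questions section that follows them. This is an added example, not code from the original page. Beyond splitting the header, it decodes each name label by label and handles RFC 1035 name compression (a length octet with the top two bits set is a 14-bit pointer to an earlier offset) defensively: a pointer must point backwards and the number of pointer hops is capped, so a crafted message with a pointer loop raises instead of hanging the parser. This is the failure mode that has bitten more than one DNS implementation. The query bytes are constructed; encode_name exists only to build them.

```python
"""Parse a DNS header, Flags field and question section.  Added example, not
from the original page; the messages below are constructed."""
import struct

OPCODES = {0: "standard query", 1: "inverse query", 2: "server status request"}
RCODES = {0: "no error", 3: "name error"}
MAX_POINTER_HOPS = 16


def parse_flags(flags):
    """Split the 16 bits: QR | opcode(4) | AA | TC | RD | RA | Z(3) | rcode(4)."""
    opcode, rcode = (flags >> 11) & 0xF, flags & 0xF
    return {"QR": flags >> 15, "opcode": opcode, "opcode_name": OPCODES.get(opcode, "other"),
            "AA": (flags >> 10) & 1, "TC": (flags >> 9) & 1, "RD": (flags >> 8) & 1,
            "RA": (flags >> 7) & 1, "Z": (flags >> 4) & 0x7,      # Z must be 000
            "rcode": rcode, "rcode_name": RCODES.get(rcode, "other")}


def read_name(msg, offset):
    """Return (name, offset just past the name as it appears in the message).
    Labels are length-prefixed; 0xC0-prefixed octets are compression pointers."""
    labels, resume, hops = [], None, 0
    while True:
        if offset >= len(msg):
            raise ValueError("name runs past the end of the message")
        length = msg[offset]
        if length & 0xC0 == 0xC0:                       # compression pointer
            if offset + 1 >= len(msg):
                raise ValueError("truncated compression pointer")
            target = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if target >= offset:
                raise ValueError("compression pointer does not point backwards")
            hops += 1
            if hops > MAX_POINTER_HOPS:
                raise ValueError("too many compression pointers")
            if resume is None:
                resume = offset + 2                       # parsing continues after the first pointer
            offset = target
            continue
        if length & 0xC0:
            raise ValueError(f"reserved label type {length:#04x}")
        offset += 1
        if length == 0:
            break
        if offset + length > len(msg):
            raise ValueError("label runs past the end of the message")
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) or ".", (resume if resume is not None else offset)


def parse_dns(msg):
    if len(msg) < 12:
        raise ValueError("shorter than the 12-byte DNS header")
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    offset, questions = 12, []
    for _ in range(qd):
        name, offset = read_name(msg, offset)
        if offset + 4 > len(msg):
            raise ValueError("truncated question")
        qtype, qclass = struct.unpack("!HH", msg[offset:offset + 4])
        offset += 4
        questions.append({"name": name, "type": qtype, "class": qclass})
    return {"id": ident, "flags": parse_flags(flags),
            "counts": {"qd": qd, "an": an, "ns": ns, "ar": ar},
            "questions": questions, "offset": offset}


def is_well_formed(msg):
    """True if the header and question section parse without error."""
    try:
        parse_dns(msg)
        return True
    except (ValueError, UnicodeDecodeError):
        return False


def encode_name(name):
    return b"".join(bytes([len(label)]) + label.encode() for label in name.rstrip(".").split(".")) + b"\x00"


# Constructed: a standard query with RD=1 for www.example.com A, plus a second question
# "mail" + pointer to offset 16, where "example.com" begins inside the first name.
QUERY = (struct.pack("!6H", 0xBEEF, 0x0100, 2, 0, 0, 0)
         + encode_name("www.example.com") + struct.pack("!HH", 1, 1)
         + b"\x04mail" + struct.pack("!H", 0xC000 | 16) + struct.pack("!HH", 15, 1))
# Constructed: a question whose name is a pointer to itself.
LOOPING_QUERY = struct.pack("!6H", 1, 0, 1, 0, 0, 0) + b"\xc0\x0c" + struct.pack("!HH", 1, 1)

if __name__ == "__main__":
    print(parse_dns(QUERY))
    print("looping query well formed:", is_well_formed(LOOPING_QUERY))
```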
TCP — Transmission Control Protocol
Full details: RFC 793, updated by RFC 1122, and RFC 3168.
    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |          Source Port          |       Destination Port        |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                        Sequence Number                        |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                    Acknowledgment Number                      |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |  Data |           |U|A|P|R|S|F|                               |
   | Offset| Reserved  |R|C|S|S|Y|I|            Window             |
   |       |           |G|K|H|T|N|N|                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |           Checksum            |         Urgent Pointer        |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                    Options                    |    Padding    |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                        .... data ....                         |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
UDP — User Datagram Protocol
Full details: RFC 768.
    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |          Source Port          |       Destination Port        |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |            Length             |           Checksum            |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                        .... data ....                         |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
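The TCP and UDP headers above, decoded in code. This is an added example, not code from the original page. For TCP it reads Data Offset (in 32-bit words, so the options region is everything between octet 20 and that offset), the six flag bits in the order the figure shows them, and then walks the options as a type-length-value list with the bounds checks a parser needs: kinds 0 and 1 are single octets, every other kind carries a length that must be at least 2 and must not run past the header. For UDP it checks that the Length field agrees with what was actually received, the mismatch that fuzzers and malformed-packet detectors look for. The sample segment and datagram are constructed; the option kind names are the standard ones for kinds 0 to 4 and 8.

```python
"""Decode TCP and UDP headers.  Added example, not from the original page;
the segment and datagram below are constructed."""
import struct

TCP_FLAG_NAMES = ["FIN", "SYN", "RST", "PSH", "ACK", "URG"]        # bit 0 .. bit 5
OPTION_NAMES = {0: "EOL", 1: "NOP", 2: "MSS", 3: "WScale", 4: "SACK-permitted", 8: "Timestamps"}


def parse_tcp_options(raw):
    """Walk the TLV list between the 20-octet fixed header and the data.
    Returns a list of (name, value bytes)."""
    opts, i = [], 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:                                   # EOL: nothing after this but padding
            break
        if kind == 1:                                   # NOP: single octet
            opts.append(("NOP", b""))
            i += 1
            continue
        if i + 1 >= len(raw):
            raise ValueError(f"option kind {kind} has no length octet")
        length = raw[i + 1]
        if length < 2 or i + length > len(raw):
            raise ValueError(f"option kind {kind} has bad length {length}")
        opts.append((OPTION_NAMES.get(kind, f"kind-{kind}"), raw[i + 2:i + length]))
        i += length
    return opts


def parse_tcp(seg):
    if len(seg) < 20:
        raise ValueError("shorter than the 20-octet TCP header")
    sport, dport, seq, ack, off_flags, window, _csum, urg = struct.unpack("!HHIIHHHH", seg[:20])
    data_offset = (off_flags >> 12) * 4                 # header length in octets
    if data_offset < 20 or data_offset > len(seg):
        raise ValueError(f"Data Offset claims {data_offset} octets, segment has {len(seg)}")
    bits = off_flags & 0x3F
    flags = {name: bool((bits >> i) & 1) for i, name in enumerate(TCP_FLAG_NAMES)}
    return {"src_port": sport, "dst_port": dport, "seq": seq, "ack": ack,
            "data_offset": data_offset, "reserved": (off_flags >> 6) & 0x3F,
            "flags": flags,
            "flag_str": "".join(n[0] for n in TCP_FLAG_NAMES if flags[n]) or "-",
            "window": window, "urgent": urg,
            "options": parse_tcp_options(seg[20:data_offset]),
            "data": seg[data_offset:]}


def parse_udp(dgram):
    if len(dgram) < 8:
        raise ValueError("shorter than the 8-octet UDP header")
    sport, dport, length, csum = struct.unpack("!HHHH", dgram[:8])
    if length < 8 or length > len(dgram):
        raise ValueError(f"UDP Length {length} inconsistent with {len(dgram)} octets received")
    return {"src_port": sport, "dst_port": dport, "length": length, "checksum": csum,
            "data": dgram[8:length]}


# Constructed: a SYN to port 443 carrying MSS, NOP, window scale, SACK-permitted and timestamps.
SYN_OPTIONS = (b"\x02\x04\x05\xb4"                      # MSS 1460
               + b"\x01"                                # NOP
               + b"\x03\x03\x07"                        # window scale 7
               + b"\x04\x02"                            # SACK permitted
               + b"\x08\x0a" + struct.pack("!II", 0x1234, 0))   # timestamps TSval/TSecr
SYN_OPTIONS += b"\x01" * (-len(SYN_OPTIONS) % 4)        # pad to a 32-bit boundary
SYN_SEGMENT = struct.pack("!HHIIHHHH", 51514, 443, 0x11223344, 0,
                          (((20 + len(SYN_OPTIONS)) // 4) << 12) | 0x02,   # offset 10 words, SYN
                          64240, 0, 0) + SYN_OPTIONS
# Constructed: a UDP datagram to port 53 with Length covering header + 5 octets of data.
DNS_DATAGRAM = struct.pack("!HHHH", 40000, 53, 8 + 5, 0) + b"query"

if __name__ == "__main__":
    print(parse_tcp(SYN_SEGMENT))
    print(parse_udp(DNS_DATAGRAM))
```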