{"id":6,"date":"2025-05-17T21:51:46","date_gmt":"2025-05-17T21:51:46","guid":{"rendered":"https:\/\/epbrtcybersecurityportfolio.xyz\/?p=6"},"modified":"2025-05-17T21:51:46","modified_gmt":"2025-05-17T21:51:46","slug":"concepts-of-tcp-ip","status":"publish","type":"post","link":"https:\/\/epbrtcybersecurityportfolio.xyz\/?p=6","title":{"rendered":"Concepts of TCP\/IP"},"content":{"rendered":"\n

Objective:<\/strong>
In this lab, I explored various aspects of the TCP\/IP protocol by using tcpdump<\/code> to analyze network traffic. The goal was to familiarize myself with the functionality of tcpdump<\/code> and practice using its command-line options to read and interpret packet capture files.<\/p>\n\n\n\n

Exercise 1: Reading a PCAP File<\/strong>
The first exercise involved using tcpdump<\/code> to read a packet capture file named concepts.pcap<\/code>. The objective was to analyse the contents and identify the number of recorded packets. I utilized the following command to read the file:<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Six records are displayed:<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Exercise 2: Reading Specific Records from a PCAP File<\/strong><\/p>\n\n\n\n

Objective:<\/strong>
In this exercise, I practiced using tcpdump<\/code> to read a specified number of records from a packet capture file. The goal was to extract and display the first two records from the file concepts.pcap<\/code> efficiently as well as identify the source IP address of the second record .<\/p>\n\n\n\n

Command Explanation:<\/strong>
To achieve this, I used the following tcpdump<\/code> command:<\/p>\n\n\n\n

\n
\"\"<\/figure>\n<\/figure>\n\n\n\n
    \n
  • The -c 2<\/code> option instructs tcpdump<\/code> to limit the output to the first two records.<\/li>\n\n\n\n
  • The -t<\/code> option suppresses the display of timestamps, making the output more concise.<\/li>\n\n\n\n
  • The -n<\/code> option ensures that IP addresses are displayed as numerical values rather than being resolved to hostnames.<\/li>\n\n\n\n
  • The -r<\/code> option specifies that tcpdump<\/code> should read from the file rather than capturing live traffic.<\/li>\n<\/ul>\n\n\n\n

    These options can be combined in a single command for efficiency.<\/p>\n\n\n\n

    The second source IP address is 192.168.11.13 which is found here: <\/p>\n\n\n\n

    \"\"<\/figure>\n\n\n\n

    Exercise 3: Displaying Network Records in Hexadecimal<\/strong><\/p>\n\n\n\n

    Objective:<\/strong>
    In this exercise, I learned how to use tcpdump<\/code> to read a single record from a packet capture file and display it in hexadecimal format. This technique is useful when analyzing raw packet data for low-level protocol analysis. I am also asked to identify the first two bytes seen on the hex dump for the first record, the IP protocol field value and the TTL located the IP header. <\/p>\n\n\n\n

    \n\n\n\n

    Command Explanation:<\/strong>
    To view the first record from the file concepts.pcap<\/code> in hexadecimal format, I used the following command:<\/p>\n\n\n\n

    \"\"<\/figure>\n\n\n\n

    The -x<\/code> option displays the packet data in hexadecimal format.<\/p>\n\n\n\n

    Regarding the first two bytes question: A hexadecimal character represents 4 bits (or a nibble), so a byte corresponds to 2 hexadecimal characters. The first two bytes are 0x45<\/code> and 0x00<\/code>, respectively.<\/p>\n\n\n\n

    The IP protocol field value is 0x0<\/code>1. It is a one-byte field located in the 9th byte offset from the beginning of the IP header. This tells us that the embedded transport protocol is ICMP. <\/p>\n\n\n\n

    The TTL is located in the 8th byte offset from the beginning of the IP header and like the IP protocol field is a one-byte field. it is equal to 0x40<\/code> or 16*4 + 1*0 = 64 in decimal value. <\/p>\n\n\n\n

    Exercise 4: Displaying MAC\/Ethernet Addresses from a PCAP File<\/strong><\/p>\n\n\n\n

    Objective:<\/strong>
    In this exercise, I practiced using tcpdump<\/code> to display the MAC (Media Access Control) addresses from a packet capture file. The goal was to read the first record from the file concepts.pcap<\/code> and identify both the source and destination MAC addresses.<\/p>\n\n\n\n

    \n\n\n\n

    Command Explanation:<\/strong>
    To display the MAC addresses from the first record, I used the following command:<\/p>\n\n\n\n

    \"\"<\/figure>\n\n\n\n

    The -e<\/code> option displays the link-layer (MAC\/Ethernet) headers, showing both source (00:04:00:0a:04) and destination (00:0c:29:03:23:19) MAC addresses.<\/p>\n\n\n\n

    The -v option increases the verbosity of the output, providing more detailed information about each packet. I can easily identify the ethertype which indicates which protocol follows the ethernet header (in this case it is IPv4). I can also quickly see that the protocol following the IP header is ICMP (It can be seen in the “proto” field). <\/p>\n\n\n\n

    Exercise 5: Analyzing DNS Traffic in UDP Packets<\/strong><\/p>\n\n\n\n

    Objective:<\/strong>
    In this exercise, I analyzed DNS traffic captured in a PCAP file using tcpdump<\/code>. The goal was to identify the type of activity and data within specific UDP packets, focusing on DNS queries and responses.<\/p>\n\n\n\n

    Using the same command as in the last exercise, we can see the following two packets: <\/p>\n\n\n\n

    \"\"<\/figure>\n\n\n\n

    The output displayed two consecutive UDP packets related to DNS activity:<\/p>\n\n\n\n

      \n
    1. Source and Destination:<\/strong>\n
        \n
      • Source IP: 192.168.11.65<\/code>, Source Port: 52894<\/code><\/li>\n\n\n\n
      • Destination IP: 192.168.11.53<\/code>, Destination Port: 53<\/code> (DNS port)<\/li>\n<\/ul>\n<\/li>\n\n\n\n
      • Packet Details:<\/strong>\n
          \n
        • The first packet contains a DNS query (A? giac.org.<\/code>), indicating that the client is requesting the IP address for the domain giac.org<\/code>.<\/li>\n\n\n\n
        • The second packet contains the DNS response, indicating that the server resolved giac.org<\/code> to the IP address 66.35.45.203<\/code>.<\/li>\n\n\n\n
        • Both packets use the UDP protocol (proto UDP (17)<\/code>).<\/li>\n\n\n\n
        • The length of the first packet is 54<\/code> bytes, while the response packet is 70<\/code> bytes.<\/li>\n<\/ul>\n<\/li>\n<\/ol>\n\n\n\n

          Analysis:<\/strong>
          The presence of port 53<\/code> in the packet indicates DNS traffic. The query type (A?<\/code>) specifies that the client is requesting an IPv4 address for the domain giac.org<\/code>. The response from the DNS server includes the resolved IP address, confirming that the communication was successful.<\/p>\n","protected":false},"excerpt":{"rendered":"

          Objective:In this lab, I explored various aspects of the TCP\/IP protocol by using tcpdump to analyze network traffic. The goal was to familiarize myself with the functionality of tcpdump and practice using its command-line options to read and interpret packet capture files. Exercise 1: Reading a PCAP FileThe first exercise involved using tcpdump to read […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[4,3],"class_list":["post-6","post","type-post","status-publish","format-standard","hentry","category-uncategorized","tag-tcp-ip","tag-tcpdump"],"_links":{"self":[{"href":"https:\/\/epbrtcybersecurityportfolio.xyz\/index.php?rest_route=\/wp\/v2\/posts\/6","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/epbrtcybersecurityportfolio.xyz\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/epbrtcybersecurityportfolio.xyz\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/epbrtcybersecurityportfolio.xyz\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/epbrtcybersecurityportfolio.xyz\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=6"}],"version-history":[{"count":2,"href":"https:\/\/epbrtcybersecurityportfolio.xyz\/index.php?rest_route=\/wp\/v2\/posts\/6\/revisions"}],"predecessor-version":[{"id":18,"href":"https:\/\/epbrtcybersecurityportfolio.xyz\/index.php?rest_route=\/wp\/v2\/posts\/6\/revisions\/18"}],"wp:attachment":[{"href":"https:\/\/epbrtcybersecurityportfolio.xyz\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=6"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/epbrtcybersecurityportfolio.xyz\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=6"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/epbrtcybersecurityportfolio.xyz\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=6"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}