Principles of Modern Communication
This work is licensed under a Creative Commons Attribution 4.0 International License.
Protocol Analysis
IP
The Internet Protocol (IP) is responsible for addressing and routing packets of data so they can travel across networks and arrive at the correct destination. IP operates on a best-effort delivery model, meaning it does not guarantee delivery, order, or error checking of packets.
Monitor IP for Address Spoofing, DDoS Attacks, and Routing Issues.

IP Header
Version (4 bits) - the version of the IP protocol. For example, for IPv4, the field has a value of 4.
IHL (4 bits) - the length of the header in 32-bit words. The minimum value is 20 bytes; the maximum value is 60 bytes.
Type of Service (8 bits) - specifies how the datagram should be handled. The first 3 bits are priority bits.
Total Length (16 bits) - the length of the entire packet (header + data). The minimum length is 20 bytes; the maximum is 65,535 bytes.
Identification (16 bits) - used to differentiate fragmented packets from different datagrams.
Flags (3 bits) - used to control or identify fragments.
Fragment Offset (13 bits) - used for fragmentation and reassembly if the packet is too large to put in a frame.
Time to Live (8 bits) - limits a datagram's lifetime. If the packet does not get to its destination before the TTL expires, it is discarded.
Protocol (8 bits) - defines the protocol used in the data portion of the IP datagram. TCP is represented by number 6 and UDP is number 17.
Header Checksum (16 bits) - used for error checking. If a packet arrives at a router and the router calculates a different checksum than the one in this field, the packet gets discarded.
Source Address (32 bits) - the IP address of the sender.
Destination Address (32 bits) - the IP address of the host that is to receive the packet.
Options and Padding (variable length) - used for network testing, debugging, and security. This field is usually empty.
Data - the payload that follows the header.

Address Spoofing - Attackers may use IP spoofing to disguise their true identity, making it appear as though packets are coming from a trusted source.
DDoS Attacks - Multiple compromised systems flood a targeted IP address with traffic, causing service disruption.
Routing Issues - Monitoring helps detect routing issues, misconfigurations, or malicious route changes that can lead to data interception or loss.
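Added example (not part of the course material): a small parser that decodes the IPv4 header fields listed above and recomputes the Header Checksum, rejecting the packet on mismatch the way a router would. The packet bytes are constructed inline from documentation addresses, and the function names (parse_ipv4_header, build_ipv4_header, header_is_valid) are my own.

```python
import ipaddress
import struct

PROTOCOL_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}   # 6 and 17 are the values named above


def ipv4_checksum(header: bytes) -> int:
    """Ones'-complement sum of the header's 16-bit words, then complemented."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:                     # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4_header(packet: bytes) -> dict:
    """Decode the 20-byte fixed header plus Options; raise ValueError when the
    header is malformed or the Header Checksum does not verify (a router would
    discard such a packet)."""
    if len(packet) < 20:
        raise ValueError("truncated: IPv4 header needs at least 20 bytes")
    (ver_ihl, tos, total_len, ident, flags_frag, ttl, proto, csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4   # IHL is in 32-bit words
    if version != 4:
        raise ValueError(f"not IPv4: version={version}")
    if ihl < 20 or ihl > len(packet):
        raise ValueError(f"bad IHL: header length {ihl} bytes")
    header = packet[:ihl]
    zeroed = header[:10] + b"\x00\x00" + header[12:]   # checksum field cleared
    if ipv4_checksum(zeroed) != csum:
        raise ValueError("header checksum mismatch")
    return {"version": version, "ihl": ihl, "tos": tos, "total_length": total_len,
            "identification": ident, "flags": flags_frag >> 13,
            "fragment_offset": flags_frag & 0x1FFF, "ttl": ttl,
            "protocol": PROTOCOL_NAMES.get(proto, str(proto)),
            "src": str(ipaddress.IPv4Address(src)),
            "dst": str(ipaddress.IPv4Address(dst)), "options": header[20:]}


def header_is_valid(packet: bytes) -> bool:
    """True when parse_ipv4_header accepts the packet, False when it would be discarded."""
    try:
        parse_ipv4_header(packet)
        return True
    except ValueError:
        return False


def build_ipv4_header(src: str, dst: str, proto: int = 6, ttl: int = 64,
                      payload_len: int = 0, options: bytes = b"") -> bytes:
    """Construct a header with a correct checksum so the parser can be run offline
    (sample values only; nothing here is captured traffic)."""
    options += b"\x00" * (-len(options) % 4)          # Padding to a 32-bit boundary
    ihl_words = 5 + len(options) // 4
    fixed = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl_words, 0,
                        ihl_words * 4 + payload_len, 0x1234, 0x4000,  # 0x4000: DF flag
                        ttl, proto, 0, ipaddress.IPv4Address(src).packed,
                        ipaddress.IPv4Address(dst).packed)
    header = fixed + options
    return header[:10] + struct.pack("!H", ipv4_checksum(header)) + header[12:]
```

Decrementing the TTL without recomputing the checksum (as a router must do at every hop) is the quickest way to see the mismatch path fire.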
UDP
User Datagram Protocol (UDP) sends messages (datagrams) without establishing a connection and is best used for live and real-time data transmission when speed is more important than reliability.
Monitor UDP for DDoS Attacks, Service Discovery, and Traffic Anomalies.

UDP Header
Source Port (16 bits) - specifies the port number of the sending application.
Destination Port (16 bits) - specifies the port number of the receiving application.
Length (16 bits) - specifies the length of the UDP header and data.
Checksum (16 bits) - used for error-checking the header and data.

Service Discovery - Detects unauthorized discovery attempts that may indicate reconnaissance activities.
Traffic Anomalies - Indicates attempts to exploit vulnerabilities in applications that use UDP.
TCP
Transmission Control Protocol (TCP) provides reliable, ordered, and error-checked delivery of a stream of data between applications running on hosts. TCP is connection-oriented, so it requires an established connection before data can be sent.
Monitor TCP for Session Hijacking, Port Scanning, and Data Exfiltration.

TCP Header
Source Port - identifies the sending port number, allowing the receiver to know which application sent the data.
Destination Port - identifies the receiving port number, directing the data to the correct application on the receiving end.
Sequence Number (32 bits) - keeps track of the position of the data within the entire transmission, ensuring data is reassembled in the correct order.
Acknowledgement Number (32 bits) - indicates which data has been received and what the next expected byte is, ensuring reliable delivery.
Data Offset (4 bits) - specifies the length of the TCP header, indicating where the actual data begins.
Reserved (3 bits) - set aside for future use, always set to zero.
Flags (9 bits) - control bits that manage the state and control flow of the TCP connection (e.g., SYN for connection start, FIN for connection end).
Window Size (16 bits) - indicates the amount of data that the sender is willing to accept, facilitating flow control.
Checksum (16 bits) - provides error-checking for the header and data to ensure integrity during transmission.
Urgent Pointer (16 bits) - used in conjunction with the URG flag to mark urgent data that needs immediate attention.
Options and Padding - allow for various TCP features such as maximum segment size, window scaling, and timestamps. Padding ensures the header length is a multiple of 32 bits by adding extra bytes as needed.

Session Hijacking - Attackers can hijack active TCP sessions, gaining unauthorized access to sensitive information or systems.
Port Scanning - Reveals port scanning activities, where attackers probe for open ports to find vulnerabilities.
Data Exfiltration - Helps in detecting unusual data flows that might indicate data theft.
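Added example (not from the course): a decoder for the TCP header layout above (Data Offset, the 3 Reserved bits and the 9 flag bits share one 16-bit word) and a simple monitoring check built on it that counts bare SYNs per source across distinct destination ports, the pattern behind the Port Scanning item. The segments are constructed inline; parse_tcp_header, build_tcp_header and syn_scan_suspects are names I chose.

```python
import struct
from collections import defaultdict

# Bit positions of the 9-bit Flags field, lowest bit first
TCP_FLAGS = ["FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECE", "CWR", "NS"]


def parse_tcp_header(segment: bytes) -> dict:
    """Decode the 20-byte fixed TCP header plus Options. Data Offset is given in
    32-bit words; the 3 Reserved bits sit between it and the 9 flag bits."""
    if len(segment) < 20:
        raise ValueError("truncated: TCP header needs at least 20 bytes")
    (sport, dport, seq, ack, off_res_flags,
     window, csum, urg) = struct.unpack("!HHIIHHHH", segment[:20])
    data_offset = (off_res_flags >> 12) * 4
    if data_offset < 20 or data_offset > len(segment):
        raise ValueError(f"bad Data Offset: {data_offset} bytes")
    flag_bits = off_res_flags & 0x01FF
    return {"src_port": sport, "dst_port": dport, "seq": seq, "ack": ack,
            "data_offset": data_offset, "reserved": (off_res_flags >> 9) & 0x7,
            "flags": {n for i, n in enumerate(TCP_FLAGS) if flag_bits & (1 << i)},
            "window": window, "checksum": csum, "urgent_pointer": urg,
            "options": segment[20:data_offset], "payload": segment[data_offset:]}


def build_tcp_header(sport: int, dport: int, flags, seq: int = 0, ack: int = 0,
                     window: int = 65535) -> bytes:
    """Construct a 20-byte header for offline tests. The Checksum is left as 0
    because computing it needs the IP pseudo-header, which this example omits."""
    flag_bits = sum(1 << TCP_FLAGS.index(f) for f in flags)
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack,
                       (5 << 12) | flag_bits, window, 0, 0)


def syn_scan_suspects(observations, threshold: int = 10) -> dict:
    """observations: iterable of (src_ip, tcp_segment_bytes) as seen by a sensor.
    Returns {src_ip: distinct_ports} for sources whose bare SYNs (SYN set, ACK
    clear) were aimed at more than `threshold` distinct destination ports."""
    ports_per_source = defaultdict(set)
    for src, seg in observations:
        hdr = parse_tcp_header(seg)
        if "SYN" in hdr["flags"] and "ACK" not in hdr["flags"]:
            ports_per_source[src].add(hdr["dst_port"])
    return {src: len(p) for src, p in ports_per_source.items() if len(p) > threshold}


# Constructed sample: one source sweeps 12 ports, another opens a single HTTPS session.
SAMPLE = [("203.0.113.5", build_tcp_header(40000 + i, 1 + i, {"SYN"})) for i in range(12)]
SAMPLE += [("198.51.100.7", build_tcp_header(50000, 443, {"SYN"})),
           ("198.51.100.7", build_tcp_header(50000, 443, {"ACK"}))]

if __name__ == "__main__":
    print(syn_scan_suspects(SAMPLE))   # {'203.0.113.5': 12}
```

A NAT gateway or a busy client can exceed the threshold legitimately, so treat a hit as a lead to confirm against the replies (RST versus SYN/ACK) rather than as a verdict.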
ARP
Address Resolution Protocol (ARP) maps IP addresses to MAC addresses. ARP ensures that data packets reach the correct hardware device on a local network.
Monitor ARP for ARP Spoofing, Network Reconnaissance, and Network Integrity.

ARP Packet
Hardware Type (16 bits) - specifies the type of hardware used for the local network (e.g., Ethernet).
Protocol Type (16 bits) - specifies the type of protocol being used (e.g., IPv4).
Hardware Size (8 bits) - specifies the length of the hardware address.
Protocol Size - specifies the length of the protocol address.
Opcode (32 bits) - specifies the operation being performed (e.g., request or reply).
Sender MAC Address (48 bits) - specifies the hardware address of the sender.
Sender IP Address (32 bits) - specifies the IP address of the sender.
Target MAC Address (48 bits) - specifies the hardware address of the target.
Target IP Address (32 bits) - specifies the IP address of the target.

ARP Spoofing - Attackers can send forged ARP messages to associate their MAC address with the IP address of a legitimate host, enabling them to intercept, modify, or stop traffic (Man-in-the-Middle attacks).
Network Reconnaissance - Helps detect unauthorized devices trying to discover active hosts on the network.
Network Integrity - Helps prevent issues like IP conflicts and ensures the correct routing of data packets.
ICMP
Network devices use the Internet Control Message Protocol (ICMP) to send error messages and operational information indicating success or failure when communicating with another IP address. For example, when a host or router cannot be reached, an error occurs. ICMP is not used to exchange data between systems.
Monitor ICMP for Ping Floods, Network Mapping, and Error Messages.

ICMP Header
Type (8 bits) - indicates the type of the ICMP message (Echo Request, Echo Reply).
Code (8 bits) - provides further information about the ICMP message type.
Checksum - used for error-checking the ICMP header and data.
Rest of Header (32 bits) - contains further information that depends on the Type and Code fields.

Ping Floods - Attackers can use ICMP echo requests (pings) in flood attacks to overwhelm a target with ICMP traffic.
Network Mapping - Detects unauthorized network scans.
Error Messages - Helps identify network issues, misconfigurations, or potential malicious activities.
OSI Layers
As a cybersecurity threat analyst, monitoring network protocols is crucial for identifying potential threats and ensuring the security of an organization's infrastructure. Each protocol section describes the protocol and why you would want to monitor it. Monitoring these protocols helps in identifying malicious activities, preventing data breaches, and maintaining the overall security posture of an organization.
OSI Layers: Physical, Datalink, Network, Transport, Session, Presentation, Application.
Protocols covered: IP, ARP, ICMP, TCP, UDP, HTTP, FTP, IMAP, POP3, SMTP, NTP.
HTTP
HTTP transmits pages on the Internet.
Monitor HTTP for web-based attacks such as SQL Injection, Cross-site Scripting (XSS), Cross-Site Request Forgery (CSRF), DDoS Attacks, and Malware Delivery.

HTTP Request Header
Method (8 bits) - specifies the HTTP method, such as GET, POST, PUT, etc.
URI (8 bits) - specifies the Uniform Resource Identifier, which indicates the resource on the server.
Version (8 bits) - indicates the HTTP version, such as HTTP/1.1 or HTTP/2.
Headers (variable) - contains metadata for the HTTP request, such as Host, User-Agent, Content-Type, etc.

HTTP Response Header
Status Code (8 bits) - indicates the status of the response, such as 200 for OK, 404 for Not Found, etc.
Reason Phrase (variable) - provides a textual description of the status code.
Headers (variable) - contains metadata for the HTTP response, such as Host, User-Agent, Content-Type, etc.

SQL Injection - Attackers exploit vulnerabilities in web applications to execute arbitrary SQL code, which can lead to data breaches and unauthorized access to sensitive information.
Cross-site Scripting (XSS) - Malicious scripts are injected into web pages, which can be executed in the context of another user's browser, leading to session hijacking, data theft, and other malicious activities.
Cross-Site Request Forgery (CSRF) - Attackers trick users into performing actions on web applications where they are authenticated, leading to unauthorized actions.
Malware Delivery - Malicious websites trick users into revealing sensitive information such as login credentials or personal information. Malicious software downloads and installs without the user's knowledge or consent.
FTP
File Transfer Protocol (FTP) transfers files between systems.
Monitor FTP for Credential Theft, Unauthorized Access, and Data Exfiltration.

FTP Commands
USER (variable length) - Specifies the username for authentication.
PASS (variable length) - Specifies the password for authentication.
CWD (variable length) - Changes the working directory on the server.
LIST (variable length) - Lists the files in the current directory on the server.
RETR (variable length) - Retrieves (downloads) a file from the server.
STOR (variable length) - Stores (uploads) a file to the server.
QUIT (variable length) - Terminates the FTP session.

FTP Responses
Each response carries a code (8 bits) followed by a message (variable length).
200 - Command okay. The command completed successfully.
220 - Service ready for new user. The server is ready for a new user to connect.
221 - Service closing control connection. The server is closing the control connection.
230 - User logged in, proceed. The user has successfully logged in.
331 - User name okay, need password. The username is accepted, but the password is required.
425 - Can't open data connection. The server is unable to open the data connection.
550 - Requested action not taken. File unavailable. The requested file is not available or cannot be accessed.

Credential Theft - FTP often transmits credentials (usernames and passwords) in plain text, making them susceptible to interception and theft by attackers using packet-sniffing tools.
Unauthorized Access - Helps identify unauthorized access attempts, such as brute-force attacks where attackers try multiple password combinations to gain access.
Data Exfiltration - Helps detect unusual or unauthorized file transfers that could indicate data theft. Large or unusual file transfers can signal potential data exfiltration attempts.
IMAP
Internet Message Access Protocol (IMAP) is used by email clients to retrieve messages from a mail server. IMAP allows users to view and manage their email directly on the mail server without downloading it to their local device. This protocol supports multiple clients connected to the same mailbox, allowing for better email synchronization across different devices.
Monitor IMAP for Phishing Attacks, Malware Distribution, Brute Force Attacks, and Account Compromise.

IMAP Commands (each a maximum of 1024 characters)
LOGIN - Authenticates the user by specifying the username and password.
SELECT - Selects a mailbox to access its messages.
FETCH - Retrieves specific messages or message data from the selected mailbox.
SEARCH - Searches for messages in the selected mailbox that match the specified criteria.
STORE - Modifies message data in the selected mailbox.
COPY - Copies specific messages to another mailbox.
NOOP - Requests a no-operation response from the server to keep the connection alive.
LOGOUT - Terminates the IMAP session.

IMAP Responses (each a maximum of 512 characters)
OK - Indicates that the command was successful.
NO - Indicates that the command was not successful.
BAD - Indicates a protocol error or command syntax error.
PREAUTH - Indicates that the connection was pre-authenticated.
BYE - Indicates that the server is terminating the connection.

Phishing Attacks - Helps identify and block phishing emails that trick users into revealing sensitive information or clicking on malicious links.
Malware Distribution - Attackers distribute malware via malicious attachments or links within an email. Monitoring IMAP traffic helps detect and block these emails before they reach end-users.
Brute Force Attacks - Helps detect and mitigate brute force attacks by attackers attempting to gain unauthorized access by trying multiple password combinations.
Account Compromise - Reveals unusual login patterns, such as logins from unexpected geographic locations or at unusual times, indicating potential account compromise.
NTP
Network Time Protocol (NTP) synchronizes clocks across computers and devices within a network so that all systems have accurate and consistent time.
Monitor NTP for NTP Amplification Attacks, Time Drift Detection, and Accurate Timestamps.

NTP Packet
LI (2 bits) - Leap Indicator; warns of an impending leap second to be inserted or deleted in the last minute of the current day.
Version Number (3 bits) - Indicates the NTP version number.
Mode (3 bits) - Indicates the mode of the NTP message, such as client, server, broadcast, etc.
Stratum (8 bits) - Indicates the stratum level of the local clock, with 0 being the highest level (primary reference) and increasing numbers representing lower levels.
Poll Interval (8 bits) - Indicates the maximum interval between successive NTP messages, in log2 seconds.
Precision (8 bits) - Indicates the precision of the local clock, in log2 seconds.
Root Delay (32 bits) - Indicates the total round-trip delay to the primary reference source, in NTP short format.
Root Dispersion (32 bits) - Indicates the maximum error relative to the primary reference source, in NTP short format.
Reference ID (32 bits) - Indicates the reference identifier, which depends on the stratum and type of the clock.
Reference Timestamp (64 bits) - Indicates the time when the system clock was last set or corrected, in NTP timestamp format.
Origin Timestamp - Indicates the time at which the request departed the client for the server, in NTP timestamp format.
Receive Timestamp (64 bits) - Indicates the time at which the request arrived at the server, in NTP timestamp format.
Transmit Timestamp (64 bits) - Indicates the time at which the reply departed the server for the client, in NTP timestamp format.

NTP Amplification Attacks - Attackers send small requests to NTP servers with a spoofed source IP address (the target's IP), causing the servers to send large responses to the target, overwhelming it with traffic.
Time Drift Detection - Clock drift causes issues with logging, event correlation, and the operation of time-sensitive applications, compromising network reliability.
Accurate Timestamps - Many regulatory requirements (e.g., PCI-DSS, HIPAA) mandate accurate time synchronization for logging and auditing purposes. Monitoring NTP traffic helps ensure that logs and records have precise timestamps, which are critical for forensic analysis during security incidents.
POP3
Post Office Protocol 3 (POP3) allows users to download their emails from the server to their local device, making them accessible offline. The protocol supports basic functions such as user authentication, message retrieval, and deletion.
Monitor POP3 for Phishing Attacks, Spam Detection, Data Exfiltration, and Malware Distribution.

POP3 Commands
USER (maximum 40 characters) - Specifies the username for authentication.
PASS (maximum 40 characters) - Specifies the password for authentication.
STAT (4 characters) - Requests the server to send a response with the number of messages and the total size of the mailbox.
LIST - Requests the server to send a list of messages with their sizes.
RETR - Requests the server to send the full content of a message.
DELE (variable length) - Requests the server to delete a specific message.
RSET (4 characters) - Resets the session, marking all messages as not deleted.
NOOP (4 characters) - Sends a no-operation command to keep the connection alive.
QUIT (4 characters) - Terminates the session and deletes any messages marked for deletion.

POP3 Responses (each a maximum of 512 characters)
+OK - Indicates a positive response from the server.
-ERR - Indicates a negative response from the server.

Spam Detection - Helps detect and filter out spam emails, which often serve as a vector for various cyber threats.
Data Exfiltration - Helps detect unusual or unauthorized email retrieval activities that could indicate data theft. Unusual patterns in email downloads can signal potential data exfiltration attempts.
Malware Distribution - Attackers distribute malware via malicious attachments. Monitoring POP3 traffic helps detect and block these attachments before they reach end-users.
SMTP
Simple Mail Transfer Protocol (SMTP) provides a set of commands that authenticate and direct the transfer of email from one mail server to another.
Monitor SMTP for Phishing Attacks, Malware Distribution, Data Exfiltration, and Credential Protection.

SMTP Commands (each a maximum of 512 characters unless noted)
HELO - Identifies the client to the server.
MAIL FROM - Specifies the sender's email address.
RCPT TO - Specifies the recipient's email address.
DATA (variable length) - Indicates that the following lines constitute the message data.
RSET - Resets the current mail transaction.
VRFY - Verifies the existence of a mailbox.
EXPN - Expands a mailing list.
NOOP - Requests a no-operation response from the server.
QUIT - Terminates the SMTP session.

SMTP Responses (each a maximum of 512 characters)
220 - The receiving server is ready for the next command.
221 - The receiving server is closing the SMTP connection.
250 - The email was delivered.
354 - The email "header" has been received; the server is now waiting for the "body" of the message.
421 - The receiving server or sending server is not reachable, but another mail delivery will be attempted.
450 - The recipient's email address does not exist.
451 - The receiving server is unable to process the message due to email authentication rules.
500 - The receiving server does not recognize the command.
550 - The recipient does not exist, the mailbox does not have permission to receive the email, or the message was rejected due to a blocklist or filter.

Phishing Attacks - Helps detect phishing emails that contain malicious links or attachments.
Malware Distribution - Attackers distribute malware via malicious email attachments or links.
Data Exfiltration - Helps detect unusual or unauthorized email transmissions that could indicate data theft. Unusual patterns in email downloads can signal potential data exfiltration attempts.
Credential Protection - Helps detect and mitigate the risk of usernames and passwords being intercepted by attackers. Also helps when attackers try multiple password combinations to gain access to accounts.