---
date: "2016-12-01"
draft: false
title: "IPv4"
---
IPv4 is a connectionless protocol for use on packet-switched networks. It operates on a best-effort delivery model: it does not guarantee delivery, nor does it assure proper sequencing or avoidance of duplicate delivery.
IPv4 Headers
    byte  0               1               2               3               4
    bit   0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
         +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       0 |Version|  IHL  |Type of Service|          Total Length         |
         +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       4 |         Identification        |Flags|      Fragment Offset    |
         +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       8 |  Time to Live |    Protocol   |         Header Checksum       |
         +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      12 |                       Source Address                          |
         +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      16 |                    Destination Address                        |
         +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      20 |                    Options                    |    Padding    |
         +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

IPv4 header length as drawn, including the Options/Padding word = 24 bytes (the minimum, without options, is 20 bytes)
IPv4 Header Descriptions
| Bytes | Field | Description |
|---|---|---|
| `ip[0] & 0xF0` | Version | IPv4 = 4, IPv6 = 6 |
| `ip[0] & 0x0F` | IHL | Internet Header Length, number of 4-byte blocks, min=5=20 bytes |
| `ip[1]` | TOS | Type of Service, sets packet priority (RFC 2472 and 3168) |
| `ip[2:2]` | Total Length | Defines the entire packet size in bytes, 0-65535 |
| `ip[4:2]` | Identification | Used for uniquely identifying fragments according to their group |
| `ip[6] & 0x80` | Flags: X | Reserved: Must be zero |
| `ip[6] & 0x40` | Flags: DF | Don't Fragment: prevent fragmentation along route (=1) |
| `ip[6] & 0x20` | Flags: MF | More Fragments: packet is a fragment and not the last one (=1) |
| `ip[6:2] & 0x1FFF` | Fragment Offset | Offset measured in 8-byte blocks, 13 bits, max=65,528 |
| `ip[8]` | TTL | Time to Live: maximum hops the packet is allowed to traverse |
| `ip[9]` | Protocol Number | Payload IANA assigned IP protocol number (see list) |
| `ip[10:2]` | Checksum | Header checksum, silent discard if not correct |
| `ip[12:4]` | Source | IPv4 Address of originating host |
| `ip[16:4]` | Destination | IPv4 Address of destination host |
| `ip[20:n]` | Extra Options | Variable length, optional, not common |
IPv4 Example Packets
Fragmentation
- `ip[TODO]` - the whole packet (MF is off and Offset is zero)
- `ip[TODO]` - the first fragment (MF is on and Offset is zero)
- `ip[TODO]` - a middle fragment (MF is on and Offset is non-zero)
- `ip[TODO]` - the last fragment (MF is off and Offset is non-zero)
- `ip[8] <= 64` - likely a Unix system (see Packet Forensics - IPv4 initial TTL)
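
The following Python parser is an added example, not code from the original page. It applies the byte offsets and masks from the header table to a raw header, verifies the header checksum, and classifies the four fragmentation cases listed above. The function names and the sample header (documentation-range addresses, constructed field values) are assumptions made for illustration.

```python
import socket
import struct

def checksum(header: bytes) -> int:
    """RFC 791 header checksum; returns 0 over a header whose checksum is valid."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:                      # fold carries back in (one's complement)
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def parse_ipv4(pkt: bytes) -> dict:
    if len(pkt) < 20:
        raise ValueError("shorter than the 20-byte minimum header")
    version, ihl = pkt[0] >> 4, pkt[0] & 0x0F          # both nibbles live in byte 0
    if version != 4 or ihl < 5 or len(pkt) < ihl * 4:
        raise ValueError("not a well-formed IPv4 header")
    frag = struct.unpack("!H", pkt[6:8])[0]            # 3 flag bits + 13-bit offset
    mf, offset = bool(frag & 0x2000), frag & 0x1FFF
    kind = {(False, False): "whole packet", (True, False): "first fragment",
            (True, True): "middle fragment", (False, True): "last fragment"}[(mf, offset != 0)]
    return {
        "header_len": ihl * 4,
        "total_len": struct.unpack("!H", pkt[2:4])[0],
        "id": struct.unpack("!H", pkt[4:6])[0],
        "df": bool(frag & 0x4000),
        "mf": mf,
        "offset_bytes": offset * 8,                    # field counts 8-byte blocks
        "fragment": kind,
        "ttl": pkt[8],
        "protocol": pkt[9],
        "checksum_ok": checksum(pkt[:ihl * 4]) == 0,
        "src": socket.inet_ntoa(pkt[12:16]),
        "dst": socket.inet_ntoa(pkt[16:20]),
    }

def sample_header(frag_field: int, ttl: int = 64) -> bytes:
    """Constructed 20-byte header (documentation addresses, protocol 17 = UDP)."""
    fields = [0x45, 0, 1500, 0x1C46, frag_field, ttl, 17, 0,
              socket.inet_aton("192.0.2.1"), socket.inet_aton("198.51.100.7")]
    hdr = struct.pack("!BBHHHBBH4s4s", *fields)
    fields[7] = checksum(hdr)                          # fill in the checksum field
    return struct.pack("!BBHHHBBH4s4s", *fields)

if __name__ == "__main__":
    for frag_field in (0x4000, 0x2000, 0x20B9, 0x0172):   # DF, MF, MF+offset, offset only
        print(parse_ipv4(sample_header(frag_field)))
```
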
IPv4 BPF Shortcuts
| BPF Shortcut Syntax | Description |
|---|---|
| `ip proto protocol` | packet of protocol type protocol (icmp, udp, tcp) |
| `ip broadcast` | an IPv4 broadcast packet |
| `ip multicast` | an IPv4 multicast packet |
| `ip host host` | either the IPv4/v6 source or destination of the packet is host |
| `ip` | abbreviation for: ether proto ip |