Monday, May 18, 2015

Packet analysis practice part 1

While teaching SANS SEC503 (Intrusion Detection In-Depth) I routinely create extra exercises for students throughout the week.  One of the things that trips students up when taking the GCIA is decoding packets at the hex level.  As one of my students quipped last week, "this isn't hard, it's just time consuming."  Of course he's right.  While the GCIA is an open-book exam, it is time constrained, and questions asking students to decode packets tend to steal precious time from candidates.  I've been asked repeatedly to share some of my extra practice exercises, and I finally got around to making these a little more formal while teaching in Amsterdam this week.

One of the key concepts that IDS analysts should be familiar with is deep packet analysis.  You need to be able to examine packets at the hex layer and dive deep into the analysis.  Even if you think you'll never do this on the job (you will eventually, without even realizing it), you need to know how to do it for the GCIA exam.  And it's not just knowing how to do it; knowing how to do it quickly matters too.

So with that said, I bring you the first in an n-part series of packet analysis practice from the hex layer up.  Today's practice focuses on IP fragmentation.  In these questions a "middle" fragment refers to a fragment that is neither the first nor the last.  Obviously, the hex dumps presented represent only the beginning of each packet.

Questions:
1. What is the fragment offset?  Is this the first, last, or middle fragment?
0x0000:  4500 05dc 04d2 3010 4001 a8a0 c0a8 0b41
0x0010:  c0a8 0b0d 0800 cad2 0000 0000 4141 4141

2. What is the fragment offset?  Is this the first, last, or middle fragment?
0x0000:  4500 05dc 04d2 2000 4001 b8b0 c0a8 0b41
0x0010:  c0a8 0b0d 0800 cad2 0000 0000 4141 4141

3. What is the fragment offset?  Is this the first, last, or middle fragment?
0x0000:  4500 05dc 04d2 1058 4001 c858 c0a8 0b41
0x0010:  c0a8 0b0d 0800 cad2 0000 0000 4141 4141

The solutions are presented in the following blog post so you may check your work.
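If you want a second way to check your hand decoding, here is an added example (my own code, not part of the original post or the SEC503 material): a small Python decoder that takes a tcpdump -x style dump, pulls apart the 16-bit flags/fragment-offset word the questions above turn on, and classifies the fragment with the same first/middle/last definitions used in this post.  It also verifies the IP header checksum and reports where the fragment would end in the reassembled datagram, flagging anything past the 65535-byte IPv4 maximum (the ping-of-death style fragment an IDS should notice).  The SAMPLE dump is constructed for this example and is not one of the question packets.

```python
"""Decode an IPv4 header from a tcpdump-style hex dump and classify the fragment.

Added example, not code from the original post.  Assumes the dump uses the
"0xNNNN:  4500 05dc ..." layout shown in the questions (the offset prefix is
optional) and that at least the 20-byte fixed header is present.  The
fragment offset is carried in 8-byte units; the flags are the top three bits
of the same 16-bit word.
"""
import re
import struct


def hexdump_to_bytes(dump):
    """Strip "0xNNNN:" offsets and whitespace, return the raw bytes."""
    words = []
    for line in dump.strip().splitlines():
        line = re.sub(r"^\s*0x[0-9a-fA-F]+:", "", line)
        words.extend(line.split())
    return bytes.fromhex("".join(words))


def ip_checksum(header):
    """RFC 1071 one's-complement sum over the header with the checksum field zeroed."""
    h = header[:10] + b"\x00\x00" + header[12:]
    if len(h) % 2:
        h += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(h) // 2), h))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def decode_fragment(dump):
    """Return the fields an analyst reads by hand, plus a few sanity checks."""
    data = hexdump_to_bytes(dump)
    if len(data) < 20:
        raise ValueError("need at least the 20-byte IPv4 header")
    (ver_ihl, _tos, total_len, ident, flags_off,
     ttl, proto, csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", data[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 header")
    ihl = (ver_ihl & 0x0F) * 4              # header length in bytes (20 with no options)
    mf = (flags_off >> 13) & 1              # More Fragments
    df = (flags_off >> 14) & 1              # Don't Fragment
    offset_units = flags_off & 0x1FFF       # low 13 bits, in 8-byte units
    offset_bytes = offset_units * 8
    if offset_units == 0 and not mf:
        kind = "unfragmented"
    elif offset_units == 0:
        kind = "first"
    elif mf:
        kind = "middle"
    else:
        kind = "last"
    payload_len = total_len - ihl
    end = offset_bytes + payload_len        # where this piece ends in the reassembled datagram
    header = data[:ihl]
    return {
        "total_length": total_len,
        "id": ident,
        "ihl": ihl,
        "df": df,
        "mf": mf,
        "fragment_offset": offset_units,
        "fragment_offset_bytes": offset_bytes,
        "fragment": kind,
        "ttl": ttl,
        "protocol": proto,
        "src": ".".join(str(b) for b in src),
        "dst": ".".join(str(b) for b in dst),
        "payload_bytes": payload_len,
        "reassembled_end": end,
        "oversized": end > 65535,           # reassembly would exceed the IPv4 maximum
        "checksum_ok": len(header) == ihl and ip_checksum(header) == csum,
    }


# Constructed sample (not one of the question dumps): a middle fragment of a
# UDP datagram at offset 3 (24 bytes), with a valid header checksum of 0x2c69.
SAMPLE = """
0x0000:  4500 0054 1a2b 2003 4011 2c69 0a00 0001
0x0010:  0a00 0002 dead beef
"""

if __name__ == "__main__":
    for k, v in decode_fragment(SAMPLE).items():
        print("%-22s %s" % (k, v))
```

Paste any of the question dumps into decode_fragment to compare against your answer.  The value under fragment_offset is the raw 13-bit field (what the exam asks for); fragment_offset_bytes is the same number times eight, which is what you need when working out where the fragment lands in the reassembled datagram.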
