Describe the fields in these protocol headers as they relate to intrusion analysis: Ethernet frame, IPv4, IPv6, TCP, UDP, ICMP, HTTP
Implementing Cisco Cybersecurity Operations (210-255)
The most important thing in the Ethernet frame is being able to identify the source and destination MAC addresses. Often you will be looking at packets in Wireshark, which decodes the frame for you automatically.
Internet Protocol version 4 (IPv4) is what most people are used to seeing currently. The key fields are the Time To Live (TTL), Protocol, Source Address and Destination Address.
The basic IPv6 header is actually simpler than the IPv4 header. It is extensible: additional extension headers are chained on using the Next Header field.
TCP headers are useful for tracking packets and making sure that protocols are behaving the way they are supposed to. One thing that comes into play is the analysis of the sequence number, acknowledgement number and the flags in the 8 bits after the TCP Header Length. It is important to know how the TCP three-way handshake works. First, a packet is sent from the client to the server with the SYN flag set. Then the server responds with a packet with the SYN and ACK flags set; the ACK acknowledges the initial SYN. Finally, the client responds with an ACK to acknowledge the server's SYN.
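As an added example that is not part of these notes, the following Python decodes the Ethernet, IPv4 and TCP fields called out above with `struct` and checks that three packets form a valid three-way handshake (flags in order, each ACK equal to the other side's sequence number plus one). The frames, addresses and port numbers are constructed in the code, and checksums are left as zero since the check never inspects them.

```python
import struct
import socket

# Added example (not from the page): decode Ethernet II / IPv4 / TCP headers
# from raw bytes and verify that three packets form a well-formed handshake.
# Frames are constructed below; checksums are left as zero for the demo.

TCP_FLAGS = {0x80: "CWR", 0x40: "ECE", 0x20: "URG", 0x10: "ACK",
             0x08: "PSH", 0x04: "RST", 0x02: "SYN", 0x01: "FIN"}

def parse_frame(frame):
    """Return a dict of the Ethernet, IPv4 and TCP fields the notes call out."""
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0800:
        raise ValueError("not IPv4")
    ip = frame[14:]
    ver_ihl, _tos, _tlen, _id, _frag, ttl, proto, _csum, sip, dip = \
        struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4            # header length in bytes (options included)
    if proto != 6:
        raise ValueError("not TCP")
    tcp = ip[ihl:]
    sport, dport, seq, ack, off_flags, _win, _tcsum, _urg = \
        struct.unpack("!HHIIHHHH", tcp[:20])
    flags = off_flags & 0x01FF            # 9 flag bits after the 4-bit data offset + reserved
    mac = lambda m: ":".join(f"{b:02x}" for b in m)
    return {"src_mac": mac(src), "dst_mac": mac(dst), "ttl": ttl,
            "src_ip": socket.inet_ntoa(sip), "dst_ip": socket.inet_ntoa(dip),
            "sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": {n for bit, n in TCP_FLAGS.items() if flags & bit}}

def build_frame(src_ip, dst_ip, sport, dport, seq, ack, flags):
    """Construct a minimal Ethernet/IPv4/TCP frame (constructed data, checksums zero)."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    eth = struct.pack("!6s6sH", bytes.fromhex("001122334455"),
                      bytes.fromhex("66778899aabb"), 0x0800)
    return eth + ip + tcp

def is_three_way_handshake(frames):
    """True if the frames are SYN, SYN/ACK, ACK with consistent seq/ack numbers."""
    if len(frames) != 3:
        return False
    a, b, c = (parse_frame(f) for f in frames)
    return (a["flags"] == {"SYN"} and b["flags"] == {"SYN", "ACK"} and c["flags"] == {"ACK"}
            and b["ack"] == a["seq"] + 1 and c["ack"] == b["seq"] + 1
            and c["seq"] == a["seq"] + 1
            and (b["src_ip"], b["dst_ip"]) == (a["dst_ip"], a["src_ip"]))

HANDSHAKE = [  # constructed sample: client 10.0.0.5:40000 -> server 10.0.0.9:80
    build_frame("10.0.0.5", "10.0.0.9", 40000, 80, 1000, 0, 0x02),      # SYN
    build_frame("10.0.0.9", "10.0.0.5", 80, 40000, 5000, 1001, 0x12),   # SYN/ACK
    build_frame("10.0.0.5", "10.0.0.9", 40000, 80, 1001, 5001, 0x10),   # ACK
]
```

Feeding the three frames in reverse order, or with a wrong acknowledgement number, makes `is_three_way_handshake` return False, which is the kind of inconsistency an analyst looks for when a connection does not behave as it should.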
UDP headers are quite simple: just the source and destination ports, a length and a checksum.
ICMP (Internet Control Message Protocol) is commonly equated with the ping utility, but it does more than that. Ping is done with echo and echo-reply packets. Destination unreachable messages can report back to ping or traceroute that a host is unavailable or unreachable.
HTTP headers contain a lot of information that is useful to security analysts. Wireshark dissects these and makes them easier to understand. A good reference is the Wikipedia guide.