CCNA CyberOps SECOPS – Objective 2.2

Describe the fields in these protocol headers as they relate to intrusion analysis: Ethernet frame, IPv4, IPv6, TCP, UDP, ICMP, HTTP

Implementing Cisco Cybersecurity Operations (210-255)

Ethernet Frames

Ethernet Type II Frame format.svg
Public Domain, Link

The biggest thing for the Ethernet frame is to be able to identify the source and destination MAC address. Often you will be looking at packets in Wireshark which will automatically decode the frame.


Ipv4 header.svg
By MroOwn work, CC BY-SA 3.0, Link

Internet Protocol version 4 (IPv4) is what most people are used to seeing currently. The key points are the Time To Live, Protocol, Source Address and Destination Address.


IPv6 header rv1.png
CC BY-SA 3.0, Link

IPv6 is actually simpler than an IPv4 header in the basic form. It is extendable in that other headers are added using the Next Header pointer.


TCP Header.png
By Sajidur89Own work, CC BY-SA 3.0, Link

TCP headers are useful in tracking packets to make sure that protocols are behaving the way they are supposed to be behaving. One thing that comes into play is the analysis of the sequence number, ack number and the flags in the 8 bits after the TCP Header Length. It is important to know how the TCP three-way handshake works. First, a packet is sent from the client to the server with the SYN flag. Then the server responds with a packet with the SYN and ACK flags set. The ACK acknowledges the initial SYN. Finally, the client responds with an ACK to acknowledge the server’s SYN.

By Fleshgrinder and The People from The Tango! Desktop Project. – Own work Tango! Desktop Project Network Server Tango! Desktop Project Computer, Public Domain, Link


By MichelBakniOwn work, CC BY-SA 4.0, Link

UDP headers are quite simple with just the source and destination port, length and a checksum.


ICMP (Internet Control Message Protocol) is commonly held synonymously with the ping utility, but it does more than just that. Ping is done with echo and echo-reply packets. Destination unreachable messages can report back to ping or traceroute that a host is unavailable or unreachable.

By AustinvernsongerOwn work, CC BY-SA 4.0, Link


HTTP headers contain a lot of useful information to security analysts. Wireshark dissects these and makes them easier to understand. A good reference is the Wikipedia guide.