Describe the fields in these protocol headers as they relate to intrusion analysis: Ethernet frame, IPv4, IPv6, TCP, UDP, ICMP, HTTP
Implementing Cisco Cybersecurity Operations (210-255)
Ethernet Frames
[Figure: Ethernet frame layout. Public Domain]
The most important thing in the Ethernet frame is being able to identify the source and destination MAC addresses. Often you will be looking at packets in Wireshark, which decodes the frame for you automatically.
IPv4
[Figure: IPv4 header layout. By Mro, own work, CC BY-SA 3.0]
Internet Protocol version 4 (IPv4) is what most people are used to seeing today. The key fields are Time To Live, Protocol, Source Address and Destination Address.
IPv6
In its basic form the IPv6 header is actually simpler than the IPv4 header. It is extensible: additional headers are chained on after it using the Next Header field, and you have to follow that chain to find the upper-layer protocol.
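The following is an added example (not from the original notes or from Cisco): it decodes the fixed IPv6 header and then follows the Next Header chain through extension headers until it reaches the upper-layer protocol, which is what an analyst needs to do before looking at the TCP or UDP fields. The packet is constructed in the code, with addresses from the 2001:db8::/32 documentation range, and is not captured traffic.

```python
"""Walk an IPv6 Next Header chain to reach the upper-layer protocol.

Added example: the packet below is constructed in code, not captured traffic.
"""
import ipaddress
import struct

# Extension header types that can sit between the fixed header and the payload.
EXTENSION_HEADERS = {0: "Hop-by-Hop Options", 43: "Routing", 44: "Fragment",
                     60: "Destination Options"}
UPPER_LAYER = {6: "TCP", 17: "UDP", 58: "ICMPv6"}


def parse_ipv6(pkt):
    """Fixed 40-byte IPv6 header: version, payload length, next header, hop limit."""
    ver_tc_fl, payload_len, next_hdr, hop_limit = struct.unpack("!IHBB", pkt[:8])
    return {"version": ver_tc_fl >> 28,
            "payload_len": payload_len,
            "next_header": next_hdr,
            "hop_limit": hop_limit,
            "src": ipaddress.IPv6Address(pkt[8:24]).compressed,
            "dst": ipaddress.IPv6Address(pkt[24:40]).compressed,
            "payload": pkt[40:40 + payload_len]}


def walk_next_headers(pkt, max_headers=8):
    """Follow the Next Header chain through any extension headers.

    Returns (list of extension headers seen, upper-layer protocol name or None
    if the chain is truncated or longer than max_headers, upper-layer bytes).
    """
    hdr = parse_ipv6(pkt)
    chain = []
    nh, data = hdr["next_header"], hdr["payload"]
    while nh in EXTENSION_HEADERS:
        # A chain that never ends or runs past the packet is itself worth flagging.
        if len(chain) >= max_headers or len(data) < 8:
            return chain, None, data
        chain.append(EXTENSION_HEADERS[nh])
        if nh == 44:
            ext_len = 8  # Fragment header is fixed-size and has no length field
        else:
            ext_len = (data[1] + 1) * 8  # Hdr Ext Len counts 8-octet units after the first
        if ext_len > len(data):
            return chain, None, data
        nh, data = data[0], data[ext_len:]
    return chain, UPPER_LAYER.get(nh, f"protocol {nh}"), data


def build_sample_packet():
    """Constructed: IPv6 -> Hop-by-Hop -> Destination Options -> TCP SYN to port 443."""
    tcp = struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
    padn = b"\x01\x04\x00\x00\x00\x00"            # PadN option filling the header to 8 bytes
    dest_opts = struct.pack("!BB", 6, 0) + padn    # next header 6 (TCP), length 0 = 8 bytes
    hop_by_hop = struct.pack("!BB", 60, 0) + padn  # next header 60 (Destination Options)
    payload = hop_by_hop + dest_opts + tcp
    src = ipaddress.IPv6Address("2001:db8::10").packed
    dst = ipaddress.IPv6Address("2001:db8::443").packed
    fixed = struct.pack("!IHBB", 6 << 28, len(payload), 0, 64)  # next header 0 = Hop-by-Hop
    return fixed + src + dst + payload


SAMPLE = build_sample_packet()

if __name__ == "__main__":
    chain, proto, upper = walk_next_headers(SAMPLE)
    print("chain:", " -> ".join(chain) or "(none)", "->", proto)
    sport, dport = struct.unpack("!HH", upper[:4])
    print("upper-layer ports:", sport, "->", dport)
```

The `max_headers` cap and the truncation checks matter for analysis tooling: a decoder that trusts every length field will happily walk off the end of a malformed packet, and a long or looping extension header chain is something you want reported rather than silently skipped.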
TCP
[Figure: TCP header layout. By Sajidur89, own work, CC BY-SA 3.0]
TCP headers are useful for tracking packets to make sure that protocols are behaving the way they should. What often comes into play is analysis of the sequence number, the acknowledgement number and the flags in the 8 bits following the TCP header length. It is important to know how the TCP three-way handshake works. First, the client sends a packet to the server with the SYN flag set. Then the server responds with a packet that has both the SYN and ACK flags set; the ACK acknowledges the initial SYN. Finally, the client responds with an ACK to acknowledge the server's SYN.
[Figure: TCP three-way handshake diagram. By Fleshgrinder and the Tango! Desktop Project, own work, Public Domain]
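As an added example (not from the original notes or from Cisco), the script below decodes the Ethernet, IPv4 and TCP headers described above from raw bytes and then checks a three-packet exchange against the handshake rules: a bare SYN, a SYN+ACK whose acknowledgement number is the client's sequence number plus one, and an ACK whose acknowledgement number is the server's sequence number plus one. The three frames are constructed in the code (documentation-range addresses, zeroed checksums), not captured traffic.

```python
"""Decode Ethernet/IPv4/TCP headers and check a three-way handshake.

Added example: the frames are constructed in code, not captured traffic.
"""
import struct

TCP_FLAG_BITS = {0x01: "FIN", 0x02: "SYN", 0x04: "RST", 0x08: "PSH", 0x10: "ACK", 0x20: "URG"}


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def ip_str(raw):
    return ".".join(str(b) for b in raw)


def parse_ethernet(frame):
    """Destination MAC, source MAC, EtherType (0x0800 = IPv4)."""
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    return {"dst_mac": mac_str(dst), "src_mac": mac_str(src),
            "ethertype": ethertype, "payload": frame[14:]}


def parse_ipv4(data):
    """IPv4 header; IHL gives the real header length since options may follow."""
    (ver_ihl, _tos, total_len, _ident, _flags_frag, ttl, proto,
     _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", data[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {"version": ver_ihl >> 4, "ttl": ttl, "protocol": proto,
            "src": ip_str(src), "dst": ip_str(dst),
            "payload": data[ihl:total_len]}


def parse_tcp(data):
    """Ports, sequence/ack numbers, data offset and the flag byte."""
    (sport, dport, seq, ack, off_res, flags, _win,
     _csum, _urg) = struct.unpack("!HHIIBBHHH", data[:20])
    data_off = (off_res >> 4) * 4
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": {name for bit, name in TCP_FLAG_BITS.items() if flags & bit},
            "payload": data[data_off:]}


def decode(frame):
    """Full decode of an IPv4/TCP frame, or None if it is something else."""
    eth = parse_ethernet(frame)
    if eth["ethertype"] != 0x0800:
        return None
    ip = parse_ipv4(eth["payload"])
    if ip["protocol"] != 6:
        return None
    return {"eth": eth, "ip": ip, "tcp": parse_tcp(ip["payload"])}


def classify_handshake(frames):
    """Check three frames against the SYN / SYN+ACK / ACK rules."""
    pkts = [decode(f) for f in frames]
    if len(pkts) != 3 or any(p is None for p in pkts):
        return "not three IPv4/TCP frames"
    syn, synack, ack = (p["tcp"] for p in pkts)
    if syn["flags"] != {"SYN"}:
        return "step 1: expected a bare SYN from the client"
    if synack["flags"] != {"SYN", "ACK"} or synack["ack"] != syn["seq"] + 1:
        return "step 2: expected SYN+ACK acknowledging the client ISN + 1"
    if ack["flags"] != {"ACK"} or ack["ack"] != synack["seq"] + 1:
        return "step 3: expected ACK acknowledging the server ISN + 1"
    return "complete three-way handshake"


def build_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, seq, ack, flag_names):
    """Constructed test frame; checksums are left at zero (not a real capture)."""
    flags = sum(bit for bit, name in TCP_FLAG_BITS.items() if name in flag_names)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     bytes(int(o) for o in src_ip.split(".")),
                     bytes(int(o) for o in dst_ip.split(".")))
    eth = struct.pack("!6s6sH", bytes.fromhex(dst_mac.replace(":", "")),
                      bytes.fromhex(src_mac.replace(":", "")), 0x0800)
    return eth + ip + tcp


CLIENT_MAC, SERVER_MAC = "02:00:00:00:00:01", "02:00:00:00:00:02"
CLIENT_IP, SERVER_IP = "192.0.2.10", "198.51.100.20"
HANDSHAKE = [
    build_frame(CLIENT_MAC, SERVER_MAC, CLIENT_IP, SERVER_IP, 40000, 80, 1000, 0, {"SYN"}),
    build_frame(SERVER_MAC, CLIENT_MAC, SERVER_IP, CLIENT_IP, 80, 40000, 5000, 1001, {"SYN", "ACK"}),
    build_frame(CLIENT_MAC, SERVER_MAC, CLIENT_IP, SERVER_IP, 40000, 80, 1001, 5001, {"ACK"}),
]

if __name__ == "__main__":
    for f in HANDSHAKE:
        d = decode(f)
        print(d["ip"]["src"], "->", d["ip"]["dst"], sorted(d["tcp"]["flags"]),
              "seq", d["tcp"]["seq"], "ack", d["tcp"]["ack"], "ttl", d["ip"]["ttl"])
    print(classify_handshake(HANDSHAKE))
```

The acknowledgement-number check is the part that makes this more than a flag lookup: a SYN+ACK whose ack does not equal the client's sequence number plus one does not belong to that conversation, and that is exactly the kind of detail you confirm when deciding whether a flow in a capture is a genuine session or something forged.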
UDP
[Figure: UDP header layout. By MichelBakni, own work, CC BY-SA 4.0]
UDP headers are quite simple: just the source and destination ports, a length and a checksum.
ICMP
ICMP (Internet Control Message Protocol) is commonly treated as synonymous with the ping utility, but it does more than just that. Ping uses echo and echo-reply packets. Destination unreachable messages can report back to ping or traceroute that a host is unavailable or unreachable.
[Figure: ICMP header layout. By Austinvernsonger, own work, CC BY-SA 4.0]
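As an added example (not from the original notes or from Cisco), the code below decodes the ICMP type and code fields, pulls out the identifier and sequence number that echo and echo-reply messages carry, names the destination unreachable codes, and verifies the header checksum, so a message with a bad checksum is reported rather than trusted. The messages are constructed in the code, not captured traffic; the 28 zero bytes standing in for the quoted original datagram are a placeholder.

```python
"""Decode ICMP type/code and verify the header checksum.

Added example: the messages below are constructed in code, not captured traffic.
"""
import struct

ICMP_TYPES = {0: "echo-reply", 3: "destination-unreachable", 8: "echo-request",
              11: "time-exceeded"}
UNREACHABLE_CODES = {0: "net unreachable", 1: "host unreachable",
                     2: "protocol unreachable", 3: "port unreachable",
                     4: "fragmentation needed",
                     13: "communication administratively prohibited"}


def internet_checksum(data):
    """RFC 1071 one's-complement sum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(icmp_type, code, rest=b"\x00\x00\x00\x00", payload=b""):
    """Assemble an ICMP message with a correct checksum (constructed, for testing)."""
    header = struct.pack("!BBH4s", icmp_type, code, 0, rest)
    csum = internet_checksum(header + payload)
    return struct.pack("!BBH4s", icmp_type, code, csum, rest) + payload


def parse_icmp(msg):
    """Type, code, checksum validity, and the type-specific fields."""
    icmp_type, code, _csum, rest = struct.unpack("!BBH4s", msg[:8])
    info = {"type": icmp_type,
            "type_name": ICMP_TYPES.get(icmp_type, "other"),
            "code": code,
            # Summing the whole message, checksum field included, gives 0 when intact.
            "checksum_ok": internet_checksum(msg) == 0}
    if icmp_type in (0, 8):
        # Echo / echo-reply: identifier and sequence let ping match replies to requests.
        info["identifier"], info["sequence"] = struct.unpack("!HH", rest)
        info["payload"] = msg[8:]
    elif icmp_type in (3, 11):
        if icmp_type == 3:
            info["code_name"] = UNREACHABLE_CODES.get(code, "other")
        # Error messages quote the IP header plus the first 8 bytes of the datagram
        # that triggered them, which is how traceroute ties a reply to its probe.
        info["original_datagram"] = msg[8:]
    return info


# Constructed samples: an echo request, a port unreachable, and a corrupted copy.
ECHO_REQUEST = build_icmp(8, 0, struct.pack("!HH", 0x1234, 1), b"abcdefgh")
PORT_UNREACHABLE = build_icmp(3, 3, payload=bytes(28))  # placeholder for the quoted datagram
CORRUPTED = ECHO_REQUEST[:9] + bytes([ECHO_REQUEST[9] ^ 0xFF]) + ECHO_REQUEST[10:]

if __name__ == "__main__":
    for name, msg in (("echo request", ECHO_REQUEST),
                      ("port unreachable", PORT_UNREACHABLE),
                      ("corrupted echo request", CORRUPTED)):
        print(name, parse_icmp(msg))
```

The checksum check is cheap and worth keeping in any decoder you write: the same one's-complement routine validates IPv4 and UDP/TCP checksums (with the pseudo-header added for the latter two), and a message whose checksum does not verify should be flagged rather than interpreted.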
HTTP
HTTP headers contain a lot of information that is useful to security analysts. Wireshark dissects them and makes them easier to read. A good reference is the Wikipedia guide.