The Internet Protocol (IP) part of the TCP/IP suite is a four-layer model. IP is designed to interconnect networks to form an Internet to pass data back and forth. IP contains addressing and control information that enables packets to be routed through this Internet. (A packet is defined as a logical grouping of information, which includes a header containing control information and, usually, user data.) The equipment (that is, routers) that encounters these packets strips off and examines the headers that contain the sensitive routing information. These headers are modified and reformulated as a packet to be passed along.

Packet headers contain control information (route specifications) and user data. This information can be copied, modified, and/or spoofed (masqueraded) by hackers.

One of IP's primary functions is to provide a permanently established connection (termed connectionless), unreliable, best-effort delivery of datagrams through an Internetwork. Datagrams can be described as a logical grouping of information sent as a network layer unit over a communication medium. IP datagrams are the primary information units in the Internet. Another of IP's principal responsibilities is the fragmentation and reassembly of datagrams to support links with different transmission sizes.

During an analysis session, or sniffer capture, it is necessary to differentiate between different types of packet captures. The following describes the IP packet:

• Version. The IP version currently used.
• IP Header Length (Length). The datagram header length in 32-bit words.
• Type-of-Service (ToS). How the upper-layer protocol (the layer immediately above, such as transport protocols like TCP and UDP) intends to handle the current datagram and assign a level of importance.
• Total Length. The length, in bytes, of the entire IP packet.
• Identification. An integer used to help piece together datagram fragments.
• Flag. A 3-bit field, where the first bit specifies whether the packet can be fragmented. The second bit indicates whether the packet is the last fragment in a series. The final bit is not used at this time.
• Fragment Offset. The location of the fragment's data, relative to the opening data in the original datagram. This allows for proper reconstruction of the original datagram.
• Time-to-Live (TTL). A counter that decrements to zero to keep packets from endlessly looping. At the zero mark, the packet is dropped.
• Protocol. Indicates the upper-layer protocol receiving the incoming packets.
• Header Checksum. Ensures the integrity of the IP header.
• Source Address/Destination Address. The sending and receiving nodes (station, server, and/or router).
• Options. Typically contains security options.
• Data. Upper-layer information.

Key fields to note include the Source Address, Destination Address, Options, and Data.

IP Datagrams, Encapsulation, Size, and Fragmentation

IP datagrams are the very basic, or fundamental, transfer unit of the Internet. An IP datagram is the unit of data commuted between IP modules. IP datagrams have headers with fields that provide routing information used by infrastructure equipment such as routers.

Be aware that the data in a packet is not really a concern for the IP. Instead, IP is concerned with the control information as it pertains to the upper-layer protocol. This information is stored in the IP header, which tries to deliver the datagram to its destination on the local network or over the Internet. To understand this relationship, think of IP as the method and the datagram as the means.

The IP header is the primary field for gathering information, as well as for gaining control. It is important to understand the methods a datagram uses to travel across networks. To sufficiently travel across the Internet, over physical media, we want some guarantee that each datagram travels in a physical frame. The process of a datagram traveling across media in a frame is called encapsulation.

An ideal situation is one where an entire IP datagram fits into a frame, and the network it is traveling across supports that particular transfer size. But as we all know, ideal situations are rare. One problem with our traveling datagram is that networks enforce a maximum transfer unit (MTU) size, or limit, on the size of transfer. To further confuse the issue, different types of networks enforce their own MTU; for example, Ethernet has an MTU of 1500, FDDI uses 4470 MTU, and so on. When datagrams traveling in frames cross network types with different specified size limits, routers must sometimes divide the datagram to accommodate a smaller MTU. This process is called fragmentation. Routers provide the fragmentation process of datagrams, and as such, become vulnerable to passive and intrusive attacks.
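The fragmentation step described above, worked through as an added example that is not part of the original article: a payload that fits the FDDI MTU of 4470 is split for the Ethernet MTU of 1500, then reassembled with the checks a receiver or inspection device needs (overlaps, gaps, missing last fragment). Fragments are modelled as (offset, more-fragments, data) tuples rather than full packets, and the function names and the 20-byte header length are assumptions.

```python
def fragment(payload: bytes, header_len: int, mtu: int):
    """Split a datagram payload so header + data fits the MTU.

    Returns (offset_in_8_byte_units, more_fragments, data) tuples.
    """
    # Every fragment except the last carries a multiple of 8 bytes,
    # because the Fragment Offset field counts 8-byte units.
    chunk = (mtu - header_len) // 8 * 8
    if chunk <= 0:
        raise ValueError("MTU too small for header plus 8 bytes of data")
    frags = []
    for start in range(0, len(payload), chunk):
        more = start + chunk < len(payload)
        frags.append((start // 8, more, payload[start:start + chunk]))
    return frags


def reassemble(frags):
    """Rebuild the payload, rejecting gaps, overlaps and a missing last fragment."""
    ordered = sorted(frags, key=lambda f: f[0])   # fragments may arrive out of order
    if not ordered or ordered[-1][1]:
        raise ValueError("last fragment (more-fragments clear) is missing")
    buf = bytearray()
    for off8, more, data in ordered:
        start = off8 * 8
        if start < len(buf):
            raise ValueError(f"fragment at byte {start} overlaps earlier data")
        if start > len(buf):
            raise ValueError(f"gap before byte {start}")
        if more and len(data) % 8:
            raise ValueError("non-final fragment is not a multiple of 8 bytes")
        buf += data
    return bytes(buf)


if __name__ == "__main__":
    payload = bytes(i % 251 for i in range(4000))   # constructed sample data
    for off8, more, data in fragment(payload, 20, 1500):
        print(f"offset={off8 * 8:5d} bytes  more_fragments={more}  len={len(data)}")
```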