One of the key concepts that IDS analysts should be familiar with is deep packet analysis. Knowing how to examine packets at the hex layer, and to work upward from there, is required. Even if you think you'll never do this on the job (you will eventually, without even realizing it), you need to know how to do it for the GCIA exam. And it's not just knowing how to do it; knowing how to do it quickly matters too.
So with that said, I bring you the first in an n-part series of packet analysis practice from the hex layer up. Today's practice focuses on IP fragmentation. In these questions a "middle" fragment refers to a fragment that is neither the first nor the last. Note that the hex dumps shown represent only the beginning of each packet.
Questions:
1. What is the fragment offset? Is this the first, last, or middle fragment?
0x0000: 4500 05dc 04d2 3010 4001 b8b0 c0a8 0b41
0x0010: c0a8 0b0d 0800 cad2 0000 0000 4141 4141
2. What is the fragment offset? Is this the first, last, or middle fragment?
0x0000: 4500 05dc 04d2 2000 4001 b8b0 c0a8 0b41
0x0010: c0a8 0b0d 0800 cad2 0000 0000 4141 4141
3. What is the fragment offset? Is this the first, last, or middle fragment?
0x0000: 4500 05dc 04d2 1058 4001 b8b0 c0a8 0b41
0x0010: c0a8 0b0d 0800 cad2 0000 0000 4141 4141
The solutions are presented in the following blog post so you may check your work.
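For readers who want to check their hand decoding with a tool, here is an added Python decoder (not part of the original post) for the fields these questions turn on. It takes a tcpdump-style hex dump, unpacks the IPv4 header, splits the 16-bit flags/fragment-offset word into the reserved, DF and MF bits and the 13-bit offset (in 8-byte units), classifies the packet as first, middle, last or unfragmented, and verifies the header checksum. The hex dump embedded below is a constructed sample, not one of the quiz packets, so it does not spoil the answers.

```python
import struct

# Bit layout of the 16-bit flags/fragment-offset word in the IPv4 header (RFC 791).
RESERVED_BIT = 0x8000
DF_BIT = 0x4000
MF_BIT = 0x2000
OFFSET_MASK = 0x1FFF  # fragment offset, in units of 8 bytes

# Constructed sample: a middle fragment of a 1500-byte MTU path, 1480 bytes into
# the datagram, with a valid header checksum. Not one of the quiz packets.
SAMPLE_DUMP = """
0x0000: 4500 05dc 1c46 20b9 4001 b609 c0a8 0001
0x0010: c0a8 00c7 4141 4141 4141 4141 4141 4141
"""


def hexdump_to_bytes(dump: str) -> bytes:
    """Convert '0x0000: 4500 05dc ...' style lines into raw bytes."""
    raw = bytearray()
    for line in dump.strip().splitlines():
        _, _, words = line.partition(":")
        raw += bytes.fromhex(words.replace(" ", ""))
    return bytes(raw)


def header_checksum_ok(header: bytes) -> bool:
    """The one's-complement sum of all header words, checksum field included,
    must come out to 0xFFFF for an intact header."""
    total = 0
    for i in range(0, len(header) - 1, 2):
        total += (header[i] << 8) | header[i + 1]
    while total >> 16:  # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return total == 0xFFFF


def classify_fragment(flags_frag: int) -> str:
    """Classify from the flags/offset word alone: offset 0 with MF set is the
    first fragment; non-zero offset with MF set is a middle fragment; non-zero
    offset with MF clear is the last; offset 0 with MF clear is unfragmented."""
    mf = bool(flags_frag & MF_BIT)
    offset = flags_frag & OFFSET_MASK
    if offset == 0:
        return "first" if mf else "unfragmented"
    return "middle" if mf else "last"


def analyse_ipv4(pkt: bytes) -> dict:
    """Decode the fragmentation-relevant fields of an IPv4 header."""
    if len(pkt) < 20:
        raise ValueError("need at least 20 bytes for an IPv4 header")
    ver_ihl, _tos, total_len, ident, flags_frag, ttl, proto, _csum = struct.unpack(
        "!BBHHHBBH", pkt[:12]
    )
    version = ver_ihl >> 4
    ihl = (ver_ihl & 0x0F) * 4  # header length in bytes
    if version != 4:
        raise ValueError(f"not IPv4 (version={version})")
    if ihl < 20 or len(pkt) < ihl:
        raise ValueError(f"bad IHL {ihl}")
    offset_units = flags_frag & OFFSET_MASK
    return {
        "ident": ident,
        "total_length": total_len,
        "ttl": ttl,
        "protocol": proto,
        "reserved": bool(flags_frag & RESERVED_BIT),
        "df": bool(flags_frag & DF_BIT),
        "mf": bool(flags_frag & MF_BIT),
        "offset_units": offset_units,
        "offset_bytes": offset_units * 8,
        "payload_bytes": total_len - ihl,  # bytes of data carried by this fragment
        "kind": classify_fragment(flags_frag),
        "checksum_ok": header_checksum_ok(pkt[:ihl]),
    }


if __name__ == "__main__":
    for field, value in analyse_ipv4(hexdump_to_bytes(SAMPLE_DUMP)).items():
        print(f"{field:>14}: {value}")
```

Paste any of the three quiz dumps into `hexdump_to_bytes` to confirm your own decode. The checksum check is included because a bad header checksum in a real capture is worth noticing in its own right; hand-edited practice dumps will not necessarily pass it, so treat that field as informational when working through exercises.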