IP packet header

IP uses 32-bit words, i.e. 4-octet (byte) words.
IP headers are usually 20 bytes, or 5 words (no options).
tcpdump -x prints 16 bytes (four words) per line. These are the first 20 bytes, the IP header, of an ICMP echo request (the full packet is shown in the ICMP section below):
        4500 0054 162f 4000 ff01 2e3f 0a0a 0a0a
        0a0a 0a0b
Field                     Bits   Notes
IP Version                4      4 for IPv4
Header Len (IHL)          4      in 32-bit words; 5 = 20 bytes = no options
TOS (Type of Service)     8      3 bits Precedence (0 = normal/routine, 7 = network control),
                                 D (low delay), T (high throughput), R (high reliability),
                                 2 bits unused (the ECN proposal took these; RFC 3168 ECN is
                                 now standard and RFC 2474 redefined the upper 6 bits as DSCP)
Total Length              16     in octets, including header and data (0x0054 = 84 above)
Identification            16     same value in every fragment of one datagram (0x162f above)
Flags                     3      reserved (must be 0), DF (don't fragment), MF (more fragments);
                                 0x4000 in the combined flags/offset halfword = DF, as above
Fragment Offset           13     in units of 8 octets (64 bits), not 32-bit words
Time to live              8      in hops, decremented by each router (0xff = 255 above)
Protocol                  8      0x01 = ICMP, 0x06 = TCP, 0x11 (17) = UDP
Header checksum           16     ones-complement sum over the IP header only (RFC 1071);
                                 recomputed at every hop because the TTL changes
Source IP address         32     0a0a 0a0a = 10.10.10.10
Destination IP address    32     0a0a 0a0b = 10.10.10.11
IP options (if any)       var    Since the header length (5 means no options, or 20 bytes)
Padding (if needed)              is given in 32-bit words, options plus padding must end
                                 on a word boundary.
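The layout above as a worked example, added here and not part of the original page: a Python decoder for the IPv4 header together with the RFC 1071 ones-complement checksum, run over the header bytes of this page's ICMP echo request and over a header the code builds itself. The two unit conversions that are easy to get wrong (IHL times 4, fragment offset times 8) are done explicitly, and a checksum_ok field flags a header whose stored checksum does not verify, such as a corrupted or edited capture. All function names (parse_ipv4_header, build_ipv4_header, ones_complement_sum, ...) are this example's own.

```python
import struct
from ipaddress import IPv4Address

# First 20 bytes of the ICMP echo request on this page, as printed by tcpdump -x.
PAGE_IP_HEADER = "4500 0054 162f 4000 ff01 2e3f 0a0a 0a0a 0a0a 0a0b"


def hexdump_to_bytes(dump: str) -> bytes:
    """Turn tcpdump -x text (hex groups separated by whitespace) into bytes."""
    return bytes.fromhex("".join(dump.split()))


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071: add 16-bit big-endian words, folding carries back into the low 16 bits."""
    if len(data) % 2:
        data += b"\x00"                      # an odd trailing byte is padded with zero
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def ip_header_checksum(header: bytes) -> int:
    """Value for bytes 10-11: complement of the sum taken with that field zeroed."""
    zeroed = header[:10] + b"\x00\x00" + header[12:]
    return (~ones_complement_sum(zeroed)) & 0xFFFF


def parse_ipv4_header(packet: bytes) -> dict:
    """Decode the IPv4 header; lengths and offsets are converted to bytes."""
    if len(packet) < 20:
        raise ValueError("need at least 20 bytes")
    (ver_ihl, tos, total_len, ident, flags_frag,
     ttl, proto, csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    version, ihl = ver_ihl >> 4, ver_ihl & 0x0F
    hlen = ihl * 4                                # IHL counts 32-bit words
    if version != 4 or hlen < 20 or hlen > len(packet):
        raise ValueError("not a well-formed IPv4 header")
    header = packet[:hlen]
    return {
        "version": version, "ihl_words": ihl, "header_len": hlen,
        "dscp": tos >> 2, "ecn": tos & 0x03,      # RFC 2474 / RFC 3168 view of the TOS byte
        "total_length": total_len, "id": ident,
        "reserved_bit": bool(flags_frag & 0x8000),
        "DF": bool(flags_frag & 0x4000),
        "MF": bool(flags_frag & 0x2000),
        "frag_offset_bytes": (flags_frag & 0x1FFF) * 8,   # offset is in 8-octet units
        "ttl": ttl, "protocol": proto, "checksum": csum,
        # a valid header sums to 0xFFFF when the stored checksum is included
        "checksum_ok": ones_complement_sum(header) == 0xFFFF,
        "src": str(IPv4Address(src)), "dst": str(IPv4Address(dst)),
        "options": header[20:],
    }


def build_ipv4_header(src: str, dst: str, proto: int, payload_len: int, ident: int = 0,
                      ttl: int = 64, df: bool = True, mf: bool = False,
                      frag_offset_bytes: int = 0) -> bytes:
    """Construct a 20-byte header with a correct checksum (for building test traffic)."""
    if frag_offset_bytes % 8 or frag_offset_bytes // 8 > 0x1FFF:
        raise ValueError("fragment offset must be a multiple of 8 and fit in 13 bits")
    flags_frag = (0x4000 if df else 0) | (0x2000 if mf else 0) | (frag_offset_bytes // 8)
    hdr = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident,
                                flags_frag, ttl, proto, 0,
                                IPv4Address(src).packed, IPv4Address(dst).packed))
    struct.pack_into("!H", hdr, 10, ip_header_checksum(bytes(hdr)))
    return bytes(hdr)


if __name__ == "__main__":
    for key, value in parse_ipv4_header(hexdump_to_bytes(PAGE_IP_HEADER)).items():
        print(f"{key:18} {value}")
```

parse_ipv4_header reads the page's header as version 4, IHL 5 (20 bytes), total length 84, id 0x162f, DF set, fragment offset 0, TTL 255, protocol 1 and the two 10.10.10.x addresses. build_ipv4_header is the inverse, useful for generating fragments or odd flag combinations when testing a filter or a reassembly path.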



ICMP Packets

Each ICMP message has its own format, but they all start with the same word: type (8 bits), code (8 bits) and checksum (16 bits). The checksum covers the whole ICMP message, header and data.

09:22:30.840043 10.10.10.10 > 10.10.10.11: icmp: echo request (DF)
   4500 0054 162f 4000 ff01 2e3f 0a0a 0a0a   first 20 bytes = IP header
   0a0a 0a0b 0800 c5ca 2bdf 0000 3ac2 0fc6   next 8 bytes = ICMP echo header (type 08, code 00, checksum c5ca, id 2bdf, seq 0000), then data
   1415 1617 1819                            (dump is truncated: Total Length 0x54 says the packet is 84 bytes)

Field               Bits   Notes
IP header           160    20 bytes as above, with Protocol = 0x01
Type                8      0x08 = echo request, 0x00 = echo reply (08 above)
Code                8      0 for echo; subdivides other types (e.g. the unreachable reasons)
Checksum            16     ones-complement over the whole ICMP message, header and data (c5ca above)
Identifier          16     echo/echo reply only; lets the sender match replies to requests (2bdf above)
Seq number          16     echo/echo reply only (0000 above)
...data...                 echo data is returned unchanged in the reply



UDP Datagrams

UDP datagram headers are eight bytes (four 16-bit fields).
Field                  Bits   Notes
IP header              160    20 bytes as above, with Protocol = 0x11
UDP Source Port        16
UDP Destination Port   16
UDP Message length     16     in octets, header plus data (so never less than 8)
UDP checksum           16     over a pseudo-header (source and destination address, protocol,
                              UDP length), the UDP header and the data; 0 means no checksum
                              was computed (permitted over IPv4)
...Data... (if any)
 



TCP packets

TCP headers are usually 20 bytes

23:06:01.790441 10.10.10.10.32934 > 10.10.10.11.23: . ack 79 win 8760 (DF)
   4500 0028 39ef 4000 ff06 5874 0a0a 0a0a   first 20 bytes = IP header
   0a0a 0a0b 80a6 0017 9c71 8519 c511 9503   next 20 bytes = TCP header
   5010 2238 a7d2 0000

Field                   Bits   Notes
IP header               160    20 bytes as above, with Protocol = 0x06; 0x4000 means DF
Source Port             16     80a6 = 32934
Destination Port        16     0017 = 23 (telnet)
Sequence number         32     9c71 8519
Acknowledgement number  32     c511 9503
Header length           4      in 32-bit words; 5 = 20 bytes = no options (the 5 of 5010 above)
Reserved                6      RFC 3168 reassigned the two low-order bits, the top two bits of
                               the flags byte, as CWR (0x80) and ECE (0x40)
6 Code bits             6      flag masks in the flags byte, tcp[13]: URG 0x20, ACK 0x10, PSH 0x08,
                               RST 0x04, SYN 0x02, FIN 0x01 (0x10 above = ACK only)
Window size             16     2238 = 8760 (matches "win 8760")
Checksum                16     over a pseudo-header, the TCP header and the data (a7d2 above)
Urgent Pointer          16     only meaningful when URG is set
Options (if any)        var    Since the header length (5 means no options, or 20 bytes) is
Padding (if needed)            given in 32-bit words, options plus padding must end on a
                               word boundary.
...Data... (if any)
 

Example

  • display all but the TCP data stream packets: TCP segments with neither ACK nor PSH set (tcp[13] & 0x18 == 0, which leaves initial SYNs and bare RSTs), plus everything that is not TCP. tcp[13] is the flags byte counted from the start of the TCP header, so IP options do not shift it. Quote the whole expression so the shell does not split it into separate arguments (tcpdump rejoins them, but it is easy to get wrong):
        sudo tcpdump -i eth-s2p2c0 'tcp[13] & 0x18 == 0 or not tcp'

  • display interesting packets: the same selection, minus IPSEC ESP. ip[9] is the Protocol byte and 50 is ESP; AH is protocol 51 and would need its own test. -n suppresses name lookups:
        sudo tcpdump -n -i xl0 'ip[9] != 50 and (tcp[13] & 0x18 == 0 or not tcp)'
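To see what those two filters actually select, here is an added example (not part of the page, and not tcpdump's own code) that evaluates them in Python over a set of constructed packets: six TCP flag combinations, a non-first TCP fragment, a UDP datagram, an ICMP echo and an ESP packet. ip[i] and tcp[i] are modelled the way libpcap compiles them: tcp[i] is relative to the TCP header (IHL is honoured) and only matches when the IP protocol is 6 and the fragment offset is 0. Checksums in the constructed packets are zero because BPF filters never check them. Function names and sample packets are this example's own.

```python
import struct

# Constructed packets (not from the page); checksums are left 0.
SRC, DST = bytes([10, 10, 10, 10]), bytes([10, 10, 10, 11])


def mk_ip(proto: int, payload: bytes, frag_offset: int = 0, mf: bool = False) -> bytes:
    """20-byte IPv4 header (no options) in front of payload."""
    flags_frag = (0x2000 if mf else 0) | (frag_offset // 8)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1,
                      flags_frag, 64, proto, 0, SRC, DST)
    return hdr + payload


def mk_tcp(flags_byte: int, sport: int = 32934, dport: int = 23) -> bytes:
    """20-byte TCP header: data offset 5, given flags byte, window 8760, no data."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, flags_byte, 8760, 0, 0)


def ip_byte(pkt: bytes, i: int) -> int:
    """ip[i]: byte i of the IP header."""
    return pkt[i]


def tcp_byte(pkt: bytes, i: int):
    """tcp[i]: byte i from the start of the TCP header. libpcap only evaluates this
    when the IP protocol is 6 and the fragment offset is 0; None models "no match"."""
    frag_off = struct.unpack("!H", pkt[6:8])[0] & 0x1FFF
    if ip_byte(pkt, 9) != 6 or frag_off != 0:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    return pkt[ihl + i]


def no_data_stream(pkt: bytes) -> bool:
    """'tcp[13] & 0x18 == 0 or not tcp'"""
    if ip_byte(pkt, 9) != 6:
        return True                                   # not tcp
    b = tcp_byte(pkt, 13)
    return b is not None and (b & 0x18) == 0          # neither ACK (0x10) nor PSH (0x08)


def interesting(pkt: bytes) -> bool:
    """'ip[9] != 50 and (tcp[13] & 0x18 == 0 or not tcp)'   (50 = ESP; AH would be 51)"""
    return ip_byte(pkt, 9) != 50 and no_data_stream(pkt)


SAMPLES = {
    "syn":          mk_ip(6, mk_tcp(0x02)),
    "syn-ack":      mk_ip(6, mk_tcp(0x12)),
    "ack":          mk_ip(6, mk_tcp(0x10)),
    "psh-ack":      mk_ip(6, mk_tcp(0x18)),
    "fin-ack":      mk_ip(6, mk_tcp(0x11)),
    "rst":          mk_ip(6, mk_tcp(0x04)),
    "tcp-fragment": mk_ip(6, b"\x00" * 32, frag_offset=1480),   # non-first fragment
    "udp":          mk_ip(17, struct.pack("!HHHH", 49153, 53, 8, 0)),
    "icmp":         mk_ip(1, bytes([8, 0, 0, 0, 0, 1, 0, 1])),   # echo request, id 1, seq 1
    "esp":          mk_ip(50, b"\x00" * 16),
}


def matching(filter_fn) -> list:
    """Names of the sample packets the filter would display."""
    return [name for name, pkt in SAMPLES.items() if filter_fn(pkt)]


if __name__ == "__main__":
    print("no_data_stream:", matching(no_data_stream))
    print("interesting:   ", matching(interesting))
```

The result shows the filter's real scope: of the TCP samples only the bare SYN and the bare RST pass (SYN/ACK, pure ACK, PSH/ACK and FIN/ACK all have 0x10 set), the non-first TCP fragment is dropped because tcp[13] cannot be evaluated on it and it is still "tcp", and everything non-TCP passes; the second filter then removes ESP but would not remove AH.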