Hints About Looking for Network Packet Fragments

3 December 2013 (05/20/2017)


Hunting for fragments of network traffic requires knowledge of the network protocols for which you are searching. This page is not an in-depth tutorial but is meant to give some hints to help you along the way.

In your study of network protocols, you might also want to read "The Case for Teaching Network Protocols to Computer Forensics Examiners" (Kessler & Fasulo, 2007) and/or "On Teaching TCP/IP Protocol Analysis to Computer Forensics Examiners" (Kessler, 2008). If you are particularly interested in TCP/IP, you might want to look at my TCP/IP Tutorial and/or TCP/IP Pocket Reference Guide.

Network Signatures

Data protocols exist as a stack where lower layer protocols transport higher layer protocols, applications, and services. Therefore, it is essential that you understand the protocol layering and relationships.

The most common stack is the TCP/IP protocol stack, which I will show here as having four protocol layers:

Application Layer       (e.g., HTTP, FTP, POP)
Transport Layer         (e.g., TCP, UDP, ICMP)
Network Layer           (i.e., IP)
Network Access Layer    (e.g., Ethernet/IEEE 802.3, WiFi/IEEE 802.11)

What this shows is that a message from an Application Layer protocol (such as HTTP or FTP) is handed down to a lower Transport Layer protocol, such as TCP or UDP. A TCP segment, UDP datagram, or ICMP message is transported in an IP packet which is, in turn, carried in an Ethernet (or Ethernet-like) frame (at least on a typical wired or wireless local area network).

If you were to look at the bits on the line, you would see the following bit stream composed of the various protocol data units (PDUs):

|<-------------------------------- Network Access PDU ------------------------------------------>|
|                 |<-------------------- Network PDU ------------------------>|                  |
|                 |           |<------------- Transport PDU  ---------------->|                  |
|                 |           |                     |<--- Application PDU --->|                  |
+-----------------+-----------+---------------------+-------------------------+------------------+
| Ethernet Header | IP Header | TCP/UDP/ICMP Header |         Message         | Ethernet Trailer |
+-----------------+-----------+---------------------+-------------------------+------------------+

An Ethernet frame starts with a 14-byte header composed of:

   Destination MAC address (6 bytes)
   Source MAC address (6 bytes)
   EtherType (2 bytes)

Unless you know the MAC address of the sender or receiver, you can't search for the MAC addresses. But if you know what higher layer protocol — i.e., the format of the data transported in this frame — is being used, then you can search for the EtherType field. Alternatively, you can search for, or otherwise spot, hex digit sequences that indicate certain protocol types.

The EtherType is the last two bytes in the Ethernet/IEEE 802.3 header, meaning that the next byte in the stream will be the first byte in the header of the next higher protocol. If the EtherType = 0x0800, the higher-layer protocol is IPv4. The first byte of the IPv4 header (byte 0) contains two items of information:

   The 4-bit Version field in the high nibble (0x4 for IPv4)
   The 4-bit Internet Header Length (IHL) field in the low nibble, counted in 32-bit words; a header with no options has IHL = 5 (20 bytes), so byte 0 is 0x45

If the EtherType is 0x86DD, the higher-layer protocol is IPv6. The first byte of the IPv6 header (byte 0) also contains two items of information:

   The 4-bit Version field in the high nibble (0x6 for IPv6)
   The upper four bits of the 8-bit Traffic Class field in the low nibble, so byte 0 is 0x6? (where "?" is any hex digit)

What we've learned, then, is that the string 0x08-00-45 could well be a fragment of an Ethernet frame containing an EtherType indicating IPv4, followed by the first byte of an IPv4 packet. There's certainly no guarantee that this is the case, but it is a reasonable guess so far, particularly if you find this information starting at byte offset 12. (It is also possible that the string 0x86-DD-6 at byte offset 12 is an IPv6 packet but this is as far as I will go with IPv6-guessing!)

One further indicator that helps narrow down the search is to look at byte 9 of the IPv4 header (or byte 6 of an IPv6 header), which identifies the next higher-layer (Transport) protocol. Possible values in this field include 0x01 = ICMP, 0x06 = TCP, and 0x11 = UDP. So, finding the string 0x08-00-45 followed nine bytes later (or 0x86-DD-6? [where "?" means any value] followed six bytes later) by a 0x01, 0x06, or 0x11 could very well indicate ICMP, TCP, or UDP, respectively:

If you're willing to guess that you have a network packet hit, there's a lot more information that can be parsed, e.g.:

You now have a bit of work to do because you need to find the end of the IP header (in IPv4, the IHL field tells you its length; an IPv6 header without extension headers is a fixed 40 bytes) in order to find the beginning of the TCP, UDP, or ICMP header. In TCP and UDP, the source port number occupies the first 16 bits of the header and the destination port number occupies the next 16 bits of the header. Examining the port numbers will give you a good guess as to the Application layer protocol, where you can then start to piece things together to see if the data makes sense. The RFCs or the packet reference guide mentioned above can all help in network traffic data analysis.
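The search described above (EtherType, then IP version nibble, then the Protocol/Next Header byte, then the IHL or fixed IPv6 length to reach the ports) can be put into a small carving script. The following Python is an added example written for this page, not code from the original article; the dump it scans is constructed inline (deterministic filler with one Ethernet/IPv4/TCP frame and one Ethernet/IPv6/UDP frame embedded), and WELL_KNOWN_PORTS is a deliberately tiny, constructed port table standing in for the full IANA list or the pocket reference guide.

```python
import socket
import struct

# Values named in the text: EtherType 0x0800 = IPv4, 0x86DD = IPv6, and the
# IP protocol numbers 0x01 = ICMP, 0x06 = TCP, 0x11 = UDP.
ETHERTYPE_IPV4 = b"\x08\x00"
ETHERTYPE_IPV6 = b"\x86\xDD"
PROTO_NAMES = {0x01: "ICMP", 0x06: "TCP", 0x11: "UDP"}
# Constructed, intentionally small port-to-application table for the last guess.
WELL_KNOWN_PORTS = {21: "FTP", 53: "DNS", 80: "HTTP", 110: "POP3"}


def parse_candidate(buf, i):
    """Treat buf[i:i+2] as an EtherType field and try to read the IP and
    transport headers that would follow it.  Returns a dict describing the
    guess, or None when the bytes do not fit the pattern."""
    etype = buf[i:i + 2]
    ip = i + 2                      # byte 0 of the IP header follows the EtherType
    if etype == ETHERTYPE_IPV4:
        # IPv4 byte 0 = Version (high nibble, must be 4) and IHL (low nibble, 32-bit words).
        if ip + 20 > len(buf) or buf[ip] >> 4 != 4:
            return None
        ihl = (buf[ip] & 0x0F) * 4
        if ihl < 20:
            return None
        proto = buf[ip + 9]         # IPv4 byte 9: Protocol field
        src, dst = buf[ip + 12:ip + 16], buf[ip + 16:ip + 20]
        family, version, transport = socket.AF_INET, 4, ip + ihl
    elif etype == ETHERTYPE_IPV6:
        # IPv6 byte 0 = Version (high nibble, must be 6) plus the top of Traffic Class.
        if ip + 40 > len(buf) or buf[ip] >> 4 != 6:
            return None
        proto = buf[ip + 6]         # IPv6 byte 6: Next Header field
        src, dst = buf[ip + 8:ip + 24], buf[ip + 24:ip + 40]
        family, version, transport = socket.AF_INET6, 6, ip + 40
    else:
        return None
    if proto not in PROTO_NAMES:
        return None
    hit = {
        "ethertype_offset": i,
        "version": version,
        "protocol": PROTO_NAMES[proto],
        "src": socket.inet_ntop(family, src),
        "dst": socket.inet_ntop(family, dst),
    }
    if i >= 12:                     # room for the 12 bytes of MAC addresses before the EtherType
        hit["dst_mac"] = buf[i - 12:i - 6].hex(":")
        hit["src_mac"] = buf[i - 6:i].hex(":")
    # TCP and UDP headers both begin with 16-bit source and destination ports.
    if proto in (0x06, 0x11) and transport + 4 <= len(buf):
        sport, dport = struct.unpack("!HH", buf[transport:transport + 4])
        hit["sport"], hit["dport"] = sport, dport
        hit["app"] = WELL_KNOWN_PORTS.get(dport) or WELL_KNOWN_PORTS.get(sport)
    return hit


def find_frame_candidates(buf):
    """Slide over every offset of a raw dump (no frame alignment is assumed,
    as in RAM or unallocated space) and keep the positions that look like
    EtherType + IP header + transport header."""
    hits = []
    for i in range(len(buf) - 1):
        hit = parse_candidate(buf, i)
        if hit:
            hits.append(hit)
    return hits


def build_sample_dump():
    """Constructed test data: deterministic filler with one Ethernet/IPv4/TCP
    frame (at offset 100) and one Ethernet/IPv6/UDP frame (at offset 354)."""
    filler = bytes(range(256)) * 2

    def eth(etype):
        return bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + etype

    ipv4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 1, 0x4000, 64, 0x06, 0,
                       socket.inet_pton(socket.AF_INET, "10.0.0.1"),
                       socket.inet_pton(socket.AF_INET, "192.168.1.20"))
    tcp = struct.pack("!HHIIBBHHH", 51234, 80, 1, 0, 0x50, 0x18, 65535, 0, 0)
    ipv6 = struct.pack("!IHBB16s16s", 0x60000000, 8, 0x11, 64,
                       socket.inet_pton(socket.AF_INET6, "2001:db8::1"),
                       socket.inet_pton(socket.AF_INET6, "2001:db8::2"))
    udp = struct.pack("!HHHH", 53, 40000, 8, 0)
    return (filler[:100] + eth(ETHERTYPE_IPV4) + ipv4 + tcp
            + filler[100:300] + eth(ETHERTYPE_IPV6) + ipv6 + udp + filler[300:])


if __name__ == "__main__":
    for hit in find_frame_candidates(build_sample_dump()):
        print(hit)
```

Note that the UDP header in the sample happens to contain the bytes 08 00 (its length field followed by its checksum); the version-nibble check is what rejects that false hit, which is exactly why the text stresses checking 0x45 or 0x6? after the EtherType rather than the EtherType alone.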

As you can see, there are a number of ways to search for network traffic in RAM or unallocated space, because common values can be found in known, fixed locations. But you do need to know what you're looking for!