4.8 Interpret the fields in protocol headers as related to intrusion analysis
📘Cisco Certified CyberOps Associate (200-201 CBROPS)
1. Version (4 bits)
- What it is: Indicates the IP protocol version. For IPv4, this value is always 4.
- Why it matters: It confirms the packet is IPv4. If you see a different version (like 6), it’s an IPv6 packet.
- Intrusion analysis tip: Attackers might craft malformed packets with wrong version numbers to bypass security tools.
2. Internet Header Length (IHL) (4 bits)
- What it is: Shows the length of the IPv4 header in 32-bit words. Minimum value = 5 (20 bytes).
- Why it matters: It tells you where the payload starts.
- Intrusion analysis tip: Extra options (IHL > 5) can indicate suspicious packets, sometimes used in reconnaissance attacks.
3. Type of Service / Differentiated Services (8 bits)
- What it is: Specifies how the packet should be handled (priority, delay, throughput).
- Why it matters: Helps routers prioritize traffic.
- Intrusion analysis tip: Abnormal or unusual DSCP/TOS values may indicate traffic trying to bypass QoS rules or avoid inspection.
4. Total Length (16 bits)
- What it is: The total size of the IPv4 packet, including header + data. Max = 65,535 bytes.
- Why it matters: Helps you detect fragmentation and abnormal packet sizes.
- Intrusion analysis tip: Very small or very large packets may be part of a DoS (Denial of Service) or data exfiltration attempt.
5. Identification (16 bits)
- What it is: Unique ID for the packet. Used for reassembling fragmented packets.
- Why it matters: Helps the system track fragments.
- Intrusion analysis tip: Repeated or unusual IDs can indicate packet spoofing or fragmentation attacks.
6. Flags (3 bits)
- What it is: Controls fragmentation:
  - Reserved – must be 0
  - Don’t Fragment (DF) – packet should not be fragmented
  - More Fragments (MF) – indicates more fragments follow
- Why it matters: Shows if a packet is fragmented.
- Intrusion analysis tip: Fragmented packets are often used to evade IDS/IPS detection.
7. Fragment Offset (13 bits)
- What it is: Shows the position of this fragment within the original packet.
- Why it matters: Needed to reassemble large packets split across the network.
- Intrusion analysis tip: Odd offsets or overlapping fragments can indicate evasion attempts.
8. Time to Live (TTL) (8 bits)
- What it is: Limits how long a packet can exist in the network. Each router decreases TTL by 1.
- Why it matters: Prevents packets from circulating forever.
- Intrusion analysis tip: Unusual TTL values can indicate spoofed packets or scanning tools.
9. Protocol (8 bits)
- What it is: Indicates which higher-layer protocol is inside the IPv4 packet. Common values: 1 → ICMP, 6 → TCP, 17 → UDP
- Why it matters: Helps you identify the payload type.
- Intrusion analysis tip: Unexpected protocol values for a given host or service may indicate malware or tunneling.
10. Header Checksum (16 bits)
- What it is: Error-checking for the header (not the payload).
- Why it matters: Ensures the header was not corrupted in transit.
- Intrusion analysis tip: Invalid checksum may indicate packet tampering.
11. Source IP Address (32 bits)
- What it is: The IP of the device that sent the packet.
- Why it matters: Identifies the origin of the traffic.
- Intrusion analysis tip: Spoofed source IPs are common in attacks like DDoS or reconnaissance.
12. Destination IP Address (32 bits)
- What it is: The IP of the device that should receive the packet.
- Why it matters: Determines the packet’s target.
- Intrusion analysis tip: Multiple packets to the same destination can indicate scanning or brute-force attempts.
13. Options (variable, optional)
- What it is: Extra fields for special features (rare in normal traffic).
- Why it matters: Can include security, routing, or timestamp options.
- Intrusion analysis tip: Attackers sometimes use options to bypass firewalls or IDS/IPS systems.
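As an added example (not part of the course notes or any Cisco material), a Python parser that decodes the thirteen fields above from raw packet bytes, verifies the header checksum, and reports the indicators the tips describe; both sample packets are constructed for illustration.

```python
import struct

def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement sum; returns 0 over a header whose stored checksum is correct."""
    header += b"\x00" * (len(header) % 2)          # pad an odd-length header
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                             # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def parse_ipv4(pkt: bytes) -> dict:
    """Decode the 13 header fields covered in the notes from raw packet bytes."""
    if len(pkt) < 20:
        raise ValueError("shorter than the 20-byte minimum IPv4 header")
    (ver_ihl, tos, total_len, ident, flags_frag,
     ttl, proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = ver_ihl & 0x0F
    hdr_len = ihl * 4
    return {
        "version": ver_ihl >> 4,
        "ihl": ihl,
        "dscp": tos >> 2,                          # top 6 bits of the TOS/DS byte
        "total_length": total_len,
        "identification": ident,
        "df": bool(flags_frag & 0x4000),           # Don't Fragment flag
        "mf": bool(flags_frag & 0x2000),           # More Fragments flag
        "fragment_offset": (flags_frag & 0x1FFF) * 8,   # field is in 8-byte units
        "ttl": ttl,
        "protocol": {1: "ICMP", 6: "TCP", 17: "UDP"}.get(proto, str(proto)),
        "checksum_ok": len(pkt) >= hdr_len and ipv4_checksum(pkt[:hdr_len]) == 0,
        "src": ".".join(str(b) for b in src),
        "dst": ".".join(str(b) for b in dst),
        "options": pkt[20:hdr_len],                # empty unless IHL > 5
    }

def anomalies(f: dict) -> list:
    """Indicators to flag, following the intrusion-analysis tips in the notes."""
    checks = [
        (f["version"] != 4, "non-IPv4 version"),
        (f["ihl"] < 5, "invalid IHL"),
        (f["ihl"] > 5, "IP options present"),
        (not f["checksum_ok"], "bad header checksum"),
        (f["mf"] or f["fragment_offset"] > 0, "fragmented"),
        (f["total_length"] < f["ihl"] * 4, "total length smaller than header"),
    ]
    return [label for hit, label in checks if hit]

# Constructed samples: a clean TCP header, and a UDP fragment with options (IHL 6) and a zeroed checksum.
CLEAN = bytes.fromhex("4500003c1c4640004006b1e6ac100a63ac100a0c")
SUSPECT = bytes.fromhex("460000300001200001110000" "0a0000010a00000200000000")
```

Running `anomalies(parse_ipv4(SUSPECT))` reports the options, the bad checksum and the fragmentation, while the clean packet reports nothing.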
Summary Table for Exam
| Field | Size | Key Exam Tip for Intrusion Analysis |
|---|---|---|
| Version | 4b | Ensure it’s IPv4, watch for spoofed versions |
| IHL | 4b | Extra options can indicate suspicious packets |
| Type of Service | 8b | Check for unusual QoS/priority settings |
| Total Length | 16b | Spot abnormal packet sizes |
| Identification | 16b | Look for repeated or weird IDs |
| Flags | 3b | Fragmentation can hide attacks |
| Fragment Offset | 13b | Overlaps can indicate evasion |
| TTL | 8b | Unusual TTL may indicate spoofed/scanning traffic |
| Protocol | 8b | Identify TCP/UDP/ICMP payloads |
| Header Checksum | 16b | Invalid checksums may indicate tampering |
| Source IP | 32b | Watch for spoofed IPs |
| Destination IP | 32b | High-volume targeting may indicate attacks |
| Options | variable | Rare, but can be used to bypass security devices |
Key Exam Strategy:
- Always link header fields to what an attacker could exploit.
- Focus on TTL, flags, fragment offsets, protocol, source/destination IP – these are most relevant in intrusion detection.
- Be able to read a packet capture (PCAP) and interpret anomalies using these fields.
