Hints About Looking for Network Packet Fragments

3 December 2013 (07/23/2016)

Hunting for fragments of network traffic requires knowledge of the network protocols for which you are searching. This page is not an in-depth tutorial but is meant to give some hints to help you along the way.

In your study of network protocols, you might also want to read "The Case for Teaching Network Protocols to Computer Forensics Examiners" (Kessler & Fasulo, 2007) and/or "On Teaching TCP/IP Protocol Analysis to Computer Forensics Examiners" (Kessler, 2008). If you are particularly interested in TCP/IP, you might want to look at my TCP/IP Tutorial and/or TCP/IP Pocket Reference Guide.

Network Signatures

Data protocols exist as a stack where lower layer protocols transport higher layer protocols, applications, and services. Therefore, it is essential that you understand the protocol layering and relationships.

The most common stack is the TCP/IP protocol stack, which I will grossly simplify here to have these three layers:

Ethernet/IEEE 802.3

What this means is that a TCP segment, UDP datagram, or ICMP message is transported in an IP packet which is, in turn, carried in an Ethernet frame (at least on a local area network).

An Ethernet frame starts with a 14-byte header composed of:

Unless you know the MAC address of the sender or receiver, you can't search for the MAC addresses. But if you know what higher layer protocol — i.e., the data transported in this frame — is being used, they you can search the EtherType field. Alternatively, yo can search for, or otherwsie spot, hex digit sequences that indicate certain protocol types.

The EtherType is the last two bytes in the Ethernet/IEEE 802.3 header, meaning that the next byte in the stream will be the first byte in the header of the next higher protocol. If the EtherType = 0x0800, the higher-layer protocol is IPv4. The first byte of the IPv4 header (byte 0) contains two items of information:

If the EtherType is 0x86DD, the higher-layer protocol is IPv6. The first byte of the IPv6 header (byte 0) also contains two items of information:

What we've learned, then, is that the string 0x08-00-45 could well be a fragment of an Ethernet frame containing an EtherType indicating IPv4, followed by the first byte of an IPv4 packet. There's certainly no guarantee that this is the case, but it is a reasonable guess so far, particularly if you find this information starting at byte offset 12. (It is also possible that the string 0x86-DD-6 is an IPv6 packet but this is as far as I will go with IPv6-guessing!)

One further indicator that helps narrow down the search is to look at byte 9 of the IPv4 Header (or byte 6 of an IPv6 header), which is the higher (Application) layer protocol identifier. Possible values in this field include 0x01 = ICMP, 0x06 = TCP, and 0x11 = UDP. So, finding the string 0x08-00-45 followed nine bytes later (or 0x86-DD-6? [where "?" means any value] followed six bytes later) by a 0x01, 0x06, or 0x11 could very well indicate ICMP, TCP, or UDP, respectively:

If you're willing to guess that you have a network packet hit, there's a lot more information that can be parsed, e.g.:

Once you have a guess as to the Application layer, then you can start to piece things together to see if the data makes sense. The RFCs or the pcoket reference guide mentioned above can all help in network traffic data analysis.

As you can see, there are a number of ways to search for network traffic in RAM or unallocated space because of the fact that there are common values that can be found in known, fixed locations. But you do need to know what you're looking for!