Page 763 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide
what type of packet it is. The IP header’s protocol field indicates the
identity of the next encapsulated protocol (in other words, the protocol
contained in the payload from the current protocol layer, such as
ICMP or IGMP, or the next layer up, such as TCP or UDP). Think of it
as like the label on a mystery-meat package wrapped in butcher paper
you pull out of the freezer. Without the label, you would have to open
it and inspect it to figure out what it was. But with the label, you can
search or filter quickly to find items of interest. For a list of other
protocol field values, please visit www.iana.org/assignments/protocol-numbers.
Unskilled Attackers Pester Real Security Folk
It might be a good idea to memorize at least the last six of the eight
TCP header flags in their correct order. The first two flags (CWR
and ECE) are rarely used today and thus are generally
ignored/overlooked. However, the last six (URG, ACK, PSH, RST,
SYN, and FIN) are still in common widespread use.
Keep in mind that these eight flags are eight binary positions (i.e.,
a byte) that can be represented in either hex or binary format. For
example, 0x12 is the hex representation of the byte 00010010. This
specific byte layout indicates that the fourth and seventh flags are
enabled. With the flag layout (using one letter per flag and leaving
out CWR and ECE and replacing them with XX), XXUAPRSF is
000A00S0, or the SYN/ACK flag set. Note: the hex representation of
the TCP header flag byte is typically located in the raw data display
of a packet capturing tool, such as Wireshark, in offset position
0x2F. This is based on a standard Ethernet Type II header, a
standard 20-byte IP header, and a standard TCP header.
You can memorize this flag order using the phrase “Unskilled
Attackers Pester Real Security Folk,” in which the first letter of
each word corresponds to the first letter of the flags in positions 3
through 8.
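As an added example (not from the study guide), the following Python decodes the TCP flags byte in the CWR/ECE/URG/ACK/PSH/RST/SYN/FIN order described above and locates that byte in a raw Ethernet II/IPv4 frame. The sample SYN/ACK frame is constructed here, and the offset is derived from the IP header length (IHL) rather than assumed to be 0x2F, so IP options do not shift the result.

```python
import struct

# Flag bit order in the TCP flags byte, most significant bit first
# (positions 1..8 as the study guide counts them).
TCP_FLAG_NAMES = ["CWR", "ECE", "URG", "ACK", "PSH", "RST", "SYN", "FIN"]
TCP_FLAG_LETTERS = "XXUAPRSF"  # X marks the two flags the mnemonic leaves out

ETHERNET_II_LEN = 14   # dst MAC + src MAC + EtherType
IP_PROTOCOL_TCP = 6    # IP header protocol field value for TCP


def decode_tcp_flags(flag_byte: int) -> dict:
    """Return set flag names, the XXUAPRSF-style layout, and the binary form."""
    names, layout = [], []
    for pos, (name, letter) in enumerate(zip(TCP_FLAG_NAMES, TCP_FLAG_LETTERS)):
        bit = (flag_byte >> (7 - pos)) & 1       # position 1 is the high bit
        if bit:
            names.append(name)
        layout.append(letter if bit else "0")
    return {"names": names, "layout": "".join(layout), "binary": f"{flag_byte:08b}"}


def tcp_flags_offset(frame: bytes) -> int:
    """Offset of the TCP flags byte in an Ethernet II / IPv4 frame.

    0x2F only holds for a 20-byte IP header; reading IHL handles options.
    """
    ihl = frame[ETHERNET_II_LEN] & 0x0F           # IP header length in 32-bit words
    if frame[ETHERNET_II_LEN + 9] != IP_PROTOCOL_TCP:
        raise ValueError("IP protocol field is not TCP (6)")
    return ETHERNET_II_LEN + ihl * 4 + 13         # flags byte is TCP offset 13


def build_syn_ack_frame() -> bytes:
    """Constructed sample: Ethernet II + 20-byte IPv4 + 20-byte TCP SYN/ACK."""
    eth = bytes(6) + bytes(6) + b"\x08\x00"      # zero MACs, EtherType IPv4
    ip = struct.pack("!BBHHHBBH4s4s",
                     0x45, 0, 40, 0, 0, 64, IP_PROTOCOL_TCP, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    tcp = struct.pack("!HHIIBBHHH",
                      443, 40000, 1, 1, 5 << 4, 0x12, 65535, 0, 0)
    return eth + ip + tcp


if __name__ == "__main__":
    frame = build_syn_ack_frame()
    off = tcp_flags_offset(frame)
    print(hex(off), decode_tcp_flags(frame[off]))
```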