This wiki has been migrated to https://gitlab.com/wireshark/wireshark/-/wikis/home and is now deprecated. Please use that site instead.
Differences between revisions 5 and 21 (spanning 16 versions)
Revision 5 as of 2004-09-16 07:18:30
Size: 3544
Editor: UlfLamping
Comment: add a link to IP-address
Revision 21 as of 2018-10-09 12:21:34
Size: 5480
Editor: AlexHammer
Comment: Correct spelling of independent in fourth paragraph
Internet Protocol version 4 (IP)

The Internet Protocol provides the network layer (layer 3) transport functionality in the InternetProtocolFamily.

This page describes IP version 4, which is widely used. There's also an IPv6 protocol page available.

The IP protocol is used to transfer packets from one IP-address to another. The user of this layer hands over a packet and a remote IP address, and IP is responsible for transferring the packet to that host.

IP will (hopefully) guide the packet the right way to the remote host. The data transfer is independent of the underlying network hardware (e.g. ATM, Ethernet, or even a SerialLine). If the underlying hardware is not able to transfer the maximum length required (especially on SerialLines or ATM), IP will split the data into several smaller IP fragments and reassemble them into the complete packet at the receiving host.

When IP wants to send a packet on a LAN, it must first translate the IP-address given into the underlying hardware address (e.g. an Ethernet address). IP uses ARP for this translation, which is done dynamically. On a point-to-point line, this is obviously not necessary, as there's only one host to which a given machine can send a packet.

IP doesn't provide any mechanism to detect PacketLoss, DuplicatePackets and the like.

IP uses ICMP to transfer control messages to a remote host, such as "Please don't send me more IP packets, I'm full". The famous ping tool also uses ICMP.

The typical protocols on top of IP are TCP and UDP.

Version 4 of the IP protocol is widely used all over the world. As the available IP-address range is running short, version 6 with a much wider address range is becoming more and more popular these days.

History

The RFC791 "INTERNET PROTOCOL" was released in September 1981.

Protocol dependencies

  • Ethernet: IP can use Ethernet and many other protocols. The assigned Ethernet type for IP is 0x800.

  • ICMP: IP uses ICMP for control messages between hosts.

Example traffic

XXX - Add example traffic here (as plain text or Wireshark screenshot).

Wireshark

The IP dissector is fully functional. Wireshark provides some advanced features such as IP defragmentation.

Preference Settings

  • Decode IPv4 TOS field as DiffServ field: Whether the IPv4 type-of-service field should be decoded as a Differentiated Services field (see RFC2474/RFC2475)
  • Reassemble fragmented IP datagrams: Whether fragmented IP datagrams should be reassembled
  • Show IP summary in protocol tree: Whether the IP summary line should be shown in the protocol tree
  • Validate the IP checksum if possible: Whether to validate the IP checksum
  • Support packet-capture from IP TSO-enabled hardware: Whether to correct for TSO-enabled hardware captures, such as spoofing the IP packet length
  • Enable GeoIP lookups: Whether to look up IP addresses in each GeoIP database we have loaded
  • Interpret Reserved flag as Security flag (RFC 3514): Whether to interpret the originally reserved flag as security flag
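A worked example of the header fields these preferences act on, and of the fragmentation described earlier on this page. It is added here and is not Wireshark's dissector code: it parses a 20-byte IPv4 header, verifies the RFC 791 checksum, reads the TOS byte as DSCP/ECN, decodes the flags (including the bit RFC 3514 calls the security flag) and reassembles fragments by offset. All packets are constructed inside the block; addresses and IDs are arbitrary sample values.

```python
import struct
from ipaddress import IPv4Address


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement checksum; returns 0 when the header's own checksum field is right."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:  # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4(packet: bytes) -> dict:
    """Decode the header fields the preferences above act on (TOS/DiffServ, flags, checksum)."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, tos, tlen, ident, ff, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or tlen < ihl or tlen > len(packet):
        raise ValueError("not a sane IPv4 header")
    return {
        "dscp": tos >> 2, "ecn": tos & 0x3,            # RFC 2474 reading of the TOS byte
        "id": ident, "ttl": ttl, "protocol": proto,
        "reserved_flag": bool(ff & 0x8000),            # the bit RFC 3514 calls the security flag
        "dont_fragment": bool(ff & 0x4000),
        "more_fragments": bool(ff & 0x2000),
        "fragment_offset": (ff & 0x1FFF) * 8,          # wire value is in 8-byte units
        "checksum_ok": ipv4_checksum(packet[:ihl]) == 0,
        "src": str(IPv4Address(src)), "dst": str(IPv4Address(dst)),
        "payload": packet[ihl:tlen],
    }


def build_ipv4(src, dst, payload, ident=0x1C46, flags=0, offset=0, tos=0, proto=17):
    """Constructed sample datagram (no options) with a freshly computed checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + len(payload), ident,
                      (flags << 13) | (offset // 8), 64, proto, 0,
                      IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:] + payload


def reassemble(fragments):
    """Join parsed fragments of one datagram; None while a piece is still missing."""
    parts = sorted(fragments, key=lambda f: f["fragment_offset"])
    data = b""
    for f in parts:
        if f["fragment_offset"] != len(data):          # gap or overlap: cannot complete yet
            return None
        data += f["payload"]
    return data if parts and not parts[-1]["more_fragments"] else None
```

Flipping any header byte after building makes checksum_ok false, which is exactly what the "Validate the IP checksum" preference surfaces as a bad-checksum warning.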

Example capture file

XXX - Add a simple example capture file. Keep it short, it's also a good idea to gzip it to make it even smaller, as Wireshark can open gzipped files automatically.

Display Filter

A complete list of IP display filter fields can be found in the display filter reference.

  • Show only IPv4-based traffic (beware: you won't see any ARP packets if you use this filter!):

     ip

  • Show only the IP-based traffic to or from host 192.168.0.10:

     ip.addr==192.168.0.10

  • Show only the IP-based traffic to or from the subnet 192.168.43.0/24 (the /24 is CIDR notation for a network address with a mask of 24 one bits, that is, a subnet mask of 255.255.255.0):

     ip.addr==192.168.43.0/24

  • Show only the IP-based traffic not to or from host 192.168.0.10 (beware: this is not identical to ip.addr!=192.168.0.10):

     !(ip.addr==192.168.0.10)
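The "beware" above, as an added example that is not part of the wiki page: a small evaluator over constructed src/dst pairs that models the classic Wireshark semantics, in which ip.addr occurs twice per packet (once for ip.src, once for ip.dst), ip.addr==X is true if either occurrence matches, and ip.addr!=X is true if either occurrence differs, so it does not exclude the host. Wireshark 3.6 and later changed != to mean "all occurrences differ", so check the behaviour of your version.

```python
from ipaddress import ip_address, ip_network

# Constructed sample packets: (ip.src, ip.dst) as a dissector would expose them.
PACKETS = [
    ("192.168.0.10", "192.168.43.7"),
    ("192.168.43.7", "192.168.0.10"),
    ("192.168.43.7", "192.168.43.200"),
    ("10.1.2.3", "8.8.8.8"),
]


def ip_addr_fields(pkt):
    """ip.addr is a convenience field with two occurrences per packet: src and dst."""
    return [ip_address(pkt[0]), ip_address(pkt[1])]


def matches(value, pattern):
    """Compare one occurrence against a host address or a CIDR block such as 192.168.43.0/24."""
    if "/" in pattern:
        return value in ip_network(pattern, strict=False)
    return value == ip_address(pattern)


def addr_eq(pkt, pattern):
    """ip.addr == X: true if ANY occurrence matches."""
    return any(matches(v, pattern) for v in ip_addr_fields(pkt))


def addr_ne(pkt, pattern):
    """ip.addr != X (classic semantics): true if ANY occurrence differs, so a packet
    with src == X and dst != X still passes. This is the trap the wiki warns about."""
    return any(not matches(v, pattern) for v in ip_addr_fields(pkt))


def not_addr_eq(pkt, pattern):
    """!(ip.addr == X): true only when NO occurrence matches, i.e. the host is really excluded."""
    return not addr_eq(pkt, pattern)


def apply_filter(filter_fn, pattern, packets=PACKETS):
    """Return the packets a display filter would keep."""
    return [p for p in packets if filter_fn(p, pattern)]
```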

Capture Filter

  • Capture IPv4-based traffic only:

     ip

  • Capture only the IP-based traffic to or from host 192.168.0.10:

     host 192.168.0.10

  • Capture only the IP-based traffic to or from the subnet 192.168.43.0/24 (the /24 is CIDR notation for a network address with a mask of 24 one bits, that is, a subnet mask of 255.255.255.0):

     ip net 192.168.43.0/24

  • Capture only the IP-based traffic not to or from host 192.168.0.10:

     not host 192.168.0.10

  • RFC791 "INTERNET PROTOCOL"
  • RFC894 "Transmission of IP Datagrams over Ethernet Networks"
  • RFC950 "Internet Standard Subnetting Procedure"
  • RFC1112 "Host Extensions for IP Multicasting"
  • RFC1812 "Requirements for IP Version 4 Routers"

Differentiated Services (replaces Type of Service)

  • RFC2474 "Definition of the Differentiated Services Field (DS Field) in the IPv4 and IPv6 Headers"
  • RFC2475 "An Architecture for Differentiated Services"

Internet_Protocol (last edited 2018-10-09 12:21:34 by AlexHammer)