Encapsulation Explained, AKA Ping doesn't work at layer 3, I promise :)

Captions
Hey guys, just want to do a quick video on clarifying that ping, I promise, absolutely does not work at layer 3 of the OSI model. It verifies reachability between layer 3 devices, and not even always that, depending on what filters are doing. Just gonna make a quick video here to hopefully clarify what's happening with protocol headers and why. I haven't seen anybody describe it in a quick, simple way; if it's already out there, I apologize. Hope this is useful for anybody interested.

First and foremost, what's wrong with the world is I've seen a lot of technical books and things like that saying ping works at layer 3. I also just had a comment on the YouTube page that ESP works at layer 3. Instead of trying to explain in a comment, I just want to use a video.

There is a TCP/IP model that exists. I think it's the worst thing in the universe. It may be appropriate for, like, a project manager, maybe a high-level developer, but it doesn't really show you what you want to see. What you should be using is the OSI model. From a developer perspective you're going to want to be more familiar with layers 5 through 7, which we're going to shove off to the side for now, and we're gonna focus on layer 4, layer 3, layer 2, layer 1. We want to figure out: what is encapsulation, why do you need it, what does it actually do for us?

Let's start at the ground and work our way up. Layer 1 is the physical layer. So you've got computer A, it wants to talk to computer B, it's got to send it some bits. Now normally we could use copper, right, RJ45 connectors, maybe Cat5, Cat6 cable; it's a good way to send ones and zeros. We could use fiber, we could use radio frequencies, we can use infrared light. One of the neat things that I just learned about was a technique they're calling PowerHammer, which allows you to do data exfiltration over power lines. I was like, well, you can send things over power lines. Believe it or not, you can send things a lot of different ways. All you're doing is sending a signal. It could be smoke signals, it could be a blinking light through fiber, it could be a blinking light with flashlights. There's even a standard, honestly, for avian carrier: you could have a bird take a piece of paper from point A to point B. Check it out, there's an RFC on it. They've even got IP over avian carrier with quality of service. Beyond that, you know, there's standards for communicating with industrial control systems, there's communications standards for how to stream high-definition audio between different devices, there's lots of different Ethernet standards.

So when you hook up to a network, whether it's wireless, wired, infrared, doing crazy stuff over power lines, or even stranger exfiltration methods, it's really going to come down to your encapsulation. And encapsulation says, you know, these different mechanisms... Layer 1, funny enough, sends ones and zeros. It's just bits. So there's different ways to send a one or a zero; there's analog as well as digital. We can do cool stuff with even amateur radio, right? Even in Tampa we've got a Hamlin where you can use amateur radio to send ones and zeros from point A to point B.

Once you do that, we've got to figure out how do you organize these ones and zeros. I'm just going to talk about Ethernet now because it's what I've got easily available and I think it's what most of you are going to deal with. That Ethernet header is supposed to be a simple way for two devices on a network to communicate. You could think of it as an envelope. The envelope has a source and destination, and then, most importantly, it's got something called an ethertype. The ethertype says: this is what you do with the rest of the ones and zeros that you see, this is how many contiguous ones and zeros are part of this message, and at the end of it the next ones and zeros are part of the next message. You've got to understand the ethertype, you've got to understand how big these layer 2, layer 3 headers are, you've got to understand where the header ends, to be able to turn one header into the next.

So when we look at this, we go, okay, well, we've got source and destination, and if it's Ethernet your source and destination are MAC addresses, right? Pop over to Wireshark real quick and we can actually see that. I can take a look at my Ethernet interface and say, I think it's this one, yeah. And it's a little busy because I'm streaming my desktop to another computer which is recording, so we're gonna see a lot of packets, but we can stop them right off the bat. Just in that half a second I already hit 1500 packets, but we only need one, right? When looking at packets within Wireshark, it breaks it down real pretty: that's our layer 2, layer 3, layer 4 header, and then here's what I lumped together and call payload. This is SSL communication, so that's all ciphertext.

What we do want to look at, just for now, starting off, is Ethernet, right? My network card is set to an encapsulation of Ethernet, which means when ones and zeros come across the wire I expect there to be a certain header size, that's the size of exactly an Ethernet header, and I know in the first 48 bits it's gonna have the destination. So when I click on the destination MAC address it's showing me below the raw data. If you're not familiar, these are the packets that have come across the wire; each packet has a unique ID. Here is the packet breakdown in a very pretty format; here's the packet breakdown in a raw format. This is what came off the wire; if you were just looking at it, this is what you'd see without actually decoding it. The decoding happens above. So again, as soon as data comes in off the wire we can look at the first 48 bits and go, is that my MAC address? If not, throw the packet away; I don't have to even think about the rest of it. But if that is my MAC address, go ahead and process it. I can consider who is it from, and see how it highlighted that exact MAC address, and then finally, what's the ethertype? And they say it's IP version 4. That's cool, because when we look at the OSI model, this ethertype is telling the receiving network card: here's how you decode the rest of the ones and zeros, treat them like IPv4 as opposed to IPv6. The v6 header size is at least twice as big as v4; it's twice as big before we get into extension headers, that's why I say at least twice as big. We've got to know how to decode things before we even get into v4.

Let's look at ethertype. Your ethertype is pretty well defined. Let's come over here, and, you know, we think about wireless and we think about wired traffic and we're like, okay, Ethernet is everywhere, that's all that there is, right? No. When you're using VLANs and you use VLAN tags, we start modifying that Ethernet header by inserting additional fields called a VLAN tag. Additionally, there's different types of traffic that can work across the network. IPv4 is real common, right? We've also got our Address Resolution Protocol, turning IP addresses into MAC addresses; it's its own ethertype. You know, Wake-on-LAN, for waking up computers, it's its own ethertype. TRILL, for layer 2 connectivity, a lot of times between data centers, again has its own ethertype. MPLS has its own ethertype. What's interesting, you see this list they have here, there's neat stuff in it: we've got MACsec, we've got HomePlug, which is a standard for doing encapsulation over power. This is not a complete list. If you go to the IEEE website you'll see the complete list. You're going to see who reserved the ethertype: was it Xerox, was it Cisco, was it Intel, was it Cointreau, was it a different university? Well, what you start to find is there's a lot of ethertypes that are registered to a private organization that's not listed and the protocol that they built is unavailable. Now, this could be something from decades ago, there's a project that was a bad idea that never turned into anything, and it could also be used for secret forms of communication that you're not aware of. The thing is, all ethertypes are organized through the IEEE, just like the first 24 bits of your MAC address come from the IEEE.

So looking at ethertype, this is the way to say this is how you decode layer 3. IPv4, IPv6, this is what you or I are used to, but once you start getting onto specialized networks, really bizarre, esoteric configurations, you can start using protocols other than IP. But let's just leave it at IP for our conversation today. It's just another envelope: source and destination IP addresses. So Ethernet is fine, it gets me from one network card to another network card in the same network, but if I want to get somewhere off-net, that's where IP addressing comes in. Now I might go from, you know, floor one to floor two in my building, or I might go from one continent to another across the Internet. v4 gives us global reachability. When we look inside of it there's a bunch of fields, we could spend 30 minutes talking about that, but the one that is of real interest to us today is called protocol. So let's go look at it real quick. Just like ethertype told us what was coming at layer 3, see, it says decode the rest of this as... Before, you go into your IP header, and you come down to protocol, and it says this is gonna be a TCP header. So your IP header is only so big. See, when I highlight that, there's my layer 2 header, there's layer 3, the rest of that is a layer 4 header followed by some payload. See that? So your layer 2, layer 3, layer 4 headers come up to this particular point. So that's got the full header. As it starts to break it down we see things like a source port and a destination port.

So I think that's probably enough to kind of answer your question. You know, when we look at layer 4, this is very much like an envelope again. We have source and destination, but at layer 2 (let me just grab a different pen), layer 2, we've looked at MAC addresses, a source and destination; layer 3, IP addresses; layer 4, port numbers. Now, what got us into this was saying, hey, does ICMP work at layer 3, does GRE work at layer 3, does ESP for IPsec VPNs work at layer 3? And I said no, but a lot of people say it does because there's tons of wrong content out there. They write it somewhere; I promise it's super-duper doesn't work like that.

What's important to know is that TCP and UDP use port numbers; not all other services do. Most of your traffic is TCP/UDP because that's how we easily allow applications to talk, right? You might send traffic, you know, as far as MAC addresses, it's gonna get from your computer to your gateway, you know, maybe your router, firewall, whatever you got. Once you get there, it's IP that's responsible for getting from your network to somewhere else across the Internet; global routing takes IP. Once you get to that particular server (because each server has at least one IP), once you get to the server there could be different services running. So TCP port 80 is for HTTP, TCP port 25 is for SMTP, for mail delivery. So this is a TCP socket that's bound to a service like sendmail; HTTP is bound to a service, it might be Apache. So it's almost like, you know, the IP address is almost like a physical address of a building. I'm trying to get to, you know, 724 5th Avenue. Once I get to 724 5th Avenue, there's a lot of things there: there's a dentist office, there's a bank, there's a financial advisor, there's a private investigator, there's a dog grooming place, there's a FedEx. Which of these offices am I trying to go to? Well, it depends what type of service I want to get. So just like a building has suite numbers, servers have port numbers. Does that mean that all layer 4 protocols have port numbers? No. They're not all made for connecting sockets between applications. ICMP is a diagnostic protocol; it tells us when things go wrong. Let's pop over here for one second, looking up ICMP on Wikipedia. ICMP is for error messages and for communications about what's happening; think of it as diagnostic codes. Sure, ping uses ICMP, but it doesn't use port numbers, it uses codes. So a ping is an echo request, which is type 8; it gets an echo reply, which is type 0.

What's important to understand is that ICMP, which is its own protocol (this is the header format), rides on top of IP. See, the ICMP header starts after the IPv4 header and is identified by protocol number 1. Looking at Wireshark, Wireshark told us inside of the IP header your protocol for TCP is number 6. If I have ICMP traffic, and I don't, all right, let's build some. Sweet, come back here, we'll stop, we'll take a look at it. Here I am pinging for two now, let me show you how that's the layer 4 header. Here's your layer 2 header, source and destination MAC; layer 3 header, source and destination IP. You open it up, we go to the protocol field: ICMP is protocol number 1. It rides on top of IP; it couldn't get there without it, it would be useless. That's why it's a layer 4 protocol. See, the type is 8, it's a ping request. We start looking at these replies, they're going to be a type 0, it's a ping reply. So that's why it's a layer 4 header.

If I had a VPN established... VPNs again, we're still working here at layer 4. If I do a VPN using IPsec, it uses a protocol called ESP. ESP is a layer 4 header. How do we know that? We come in here, we take a look at Wikipedia, here's our list of IP protocol numbers. ICMP is 1; IGMP, for setting up your multicast, is 2; you can even put IP packets in IP packets, that's going to be 4; TCP, which is real commonly used, is 6; UDP, real commonly, is 17. But there's all these other protocols; we come down here, you see GRE, you get down to 50, ESP; 51 is AH. These are the numbers that you'd find in that protocol field, and it tells the receiving device, hey, here's how you interpret the rest of those ones and zeros.

Hopefully this makes encapsulation make a little bit more sense. What is it? It's just taking an envelope and putting it inside of an envelope and putting that inside of another envelope. Looking at that as a raw dump, you scratch your head and go, how do I decode all that? Well, it starts with getting your encapsulation right. If that's right, and we can read the Ethernet header, it goes: this is IPv4, this is IPv6, this is ARP, whatever it may be. Then we look at the IP header, sure, source and destination, but that protocol says, well, this is how you do the layer 4 part of it. The layer 4 part gets decoded and then that's where we get to that actual payload. So I hope that makes sense. Just want to say thanks for sending the question over YouTube, gave me an excuse to jump in and make a video. Thanks for asking, hope this was helpful.
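The decoding chain the video walks through (Ethernet header, ethertype, IP protocol field, then an ICMP type/code or TCP/UDP ports) as an added example in Python; this is not code from the video or its author. The frames, MAC addresses and IP addresses below are constructed for the demo, and the IPv4 checksum is left at zero.

```python
import struct

# Well-known ethertypes and IP protocol numbers that the video mentions
ETHERTYPES = {0x0800: "IPv4", 0x0806: "ARP", 0x8100: "VLAN", 0x86DD: "IPv6"}
IP_PROTOCOLS = {1: "ICMP", 2: "IGMP", 4: "IP-in-IP", 6: "TCP", 17: "UDP",
                47: "GRE", 50: "ESP", 51: "AH"}
ICMP_TYPES = {0: "echo-reply", 8: "echo-request"}


def decode_frame(frame: bytes) -> dict:
    """Open the envelopes in order: Ethernet -> IPv4 -> layer-4 header.
    Each header's 'next header' field (ethertype, then protocol) decides
    how the following bytes are read; only TCP/UDP carry port numbers."""
    if len(frame) < 14:
        raise ValueError("shorter than a 14-byte Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    out = {"eth": {"dst": frame[0:6].hex(":"), "src": frame[6:12].hex(":"),
                   "type": ETHERTYPES.get(ethertype, hex(ethertype))}}
    if ethertype != 0x0800:
        return out  # not IPv4: a different layer-3 decoder would take over
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4  # IHL is in 32-bit words; 20 bytes without options
    proto = ip[9]
    out["ip"] = {"src": ".".join(map(str, ip[12:16])),
                 "dst": ".".join(map(str, ip[16:20])),
                 "protocol": IP_PROTOCOLS.get(proto, proto)}
    l4 = ip[ihl:]
    if proto == 1:  # ICMP: a type and a code, no ports
        out["l4"] = {"icmp_type": l4[0], "icmp_code": l4[1],
                     "name": ICMP_TYPES.get(l4[0], "other")}
    elif proto in (6, 17):  # TCP/UDP: source and destination port come first
        sport, dport = struct.unpack("!HH", l4[:4])
        out["l4"] = {"sport": sport, "dport": dport}
    else:  # GRE, ESP, AH, ...: valid layer-4 headers with no port field
        out["l4"] = {"note": "no port numbers in this header"}
    return out


def build_ipv4_frame(proto: int, l4: bytes) -> bytes:
    """Constructed test frame: Ethernet + minimal IPv4 header + given layer-4 bytes."""
    eth = bytes.fromhex("aabbccddeeff") + bytes.fromhex("001122334455") + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     bytes([192, 0, 2, 10]), bytes([198, 51, 100, 7]))
    return eth + ip + l4


if __name__ == "__main__":
    # An echo request (type 8) and a TCP segment to port 80, decoded layer by layer
    print(decode_frame(build_ipv4_frame(1, bytes([8, 0, 0, 0, 0, 1, 0, 1]))))
    print(decode_frame(build_ipv4_frame(6, bytes([0xC7, 0x38, 0, 80]) + bytes(16))))
```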
Info
Channel: Ryan Lindfield
Views: 2,617
Keywords: Encapsulation, Networking, ARP, Ethernet, IP, TCP, network hacking, explained, tutorial, whiteboard, network, ICMP, ESP, ping, ping layer 3, esp layer 3, what layer, TCP/IP, UDP, packet stunts, Ryan Lindfield
Id: 2shvrp0-yHw
Length: 16min 33sec (993 seconds)
Published: Wed Aug 15 2018