Chapter 9. Examining Embedded Protocol Header Fields


This second chapter on examining header fields discusses the fields in the headers found after the IP header, namely the TCP, UDP, and ICMP headers. As we discovered in the previous chapter, it is imperative that anyone performing traffic analysis be familiar with the purpose of the fields and expected values. This is the only way to unearth values that are not normal and might be a reflection of some kind of malicious activity.

Because this is a fairly extensive topic, the chapter addresses fields in each of the protocols individually. Hopefully, this will partition the protocols into more manageable ...
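As an added illustration of the chapter's point (example code written for this page, not from the book or its authors), the following Python decoder unpacks the TCP, UDP and ICMP headers from raw bytes and reports, next to the decoded fields, any value that falls outside what the protocol specification allows or what a normal stack would emit. The sanity rules it applies (port 0, reserved bits set, SYN and FIN together, no flags at all, an urgent pointer without URG, a UDP length that disagrees with the datagram, undefined ICMP codes, a failing ICMP checksum) and the sample headers are assumptions chosen for illustration, not the chapter's own list; the ICMP type table is the RFC 792 set, and the byte strings are constructed rather than captured.

```python
import struct

# Bit positions of the eight TCP control flags (RFC 793, CWR/ECE from RFC 3168).
TCP_FLAGS = {"CWR": 0x80, "ECE": 0x40, "URG": 0x20, "ACK": 0x10,
             "PSH": 0x08, "RST": 0x04, "SYN": 0x02, "FIN": 0x01}

# ICMP types from RFC 792 mapped to the highest code defined for each (assumed table).
ICMP_TYPES = {0: 0, 3: 15, 4: 0, 5: 3, 8: 0, 11: 1, 12: 2, 13: 0, 14: 0, 15: 0, 16: 0}


def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum of 16-bit words; 0 means a valid message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_tcp(segment: bytes) -> dict:
    """Decode a TCP header and list field values a normal stack would not produce."""
    if len(segment) < 20:
        raise ValueError("TCP header needs at least 20 bytes")
    sport, dport, seq, ack, off_flags, win, csum, urgp = struct.unpack("!HHIIHHHH", segment[:20])
    hdr_len = (off_flags >> 12) * 4          # data offset is in 32-bit words
    reserved = (off_flags >> 8) & 0x0F       # four bits between data offset and CWR
    flags = {name for name, bit in TCP_FLAGS.items() if off_flags & bit}
    anomalies = []
    if sport == 0 or dport == 0:
        anomalies.append("port 0")
    if hdr_len < 20 or hdr_len > len(segment):
        anomalies.append("bad data offset %d" % hdr_len)
    if reserved:
        anomalies.append("reserved bits set")
    if {"SYN", "FIN"} <= flags:
        anomalies.append("SYN+FIN")
    if not flags:
        anomalies.append("no flags")
    if "URG" not in flags and urgp:
        anomalies.append("urgent pointer without URG")
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack, "hdr_len": hdr_len,
            "flags": sorted(flags), "window": win, "checksum": csum, "anomalies": anomalies}


def parse_udp(datagram: bytes) -> dict:
    """Decode a UDP header; the length field must cover header plus payload."""
    if len(datagram) < 8:
        raise ValueError("UDP header needs at least 8 bytes")
    sport, dport, length, csum = struct.unpack("!HHHH", datagram[:8])
    anomalies = []
    if sport == 0 or dport == 0:
        anomalies.append("port 0")
    if length < 8 or length != len(datagram):
        anomalies.append("length field %d vs %d bytes" % (length, len(datagram)))
    return {"sport": sport, "dport": dport, "length": length, "checksum": csum, "anomalies": anomalies}


def parse_icmp(message: bytes) -> dict:
    """Decode an ICMP header; the checksum covers the whole ICMP message."""
    if len(message) < 8:
        raise ValueError("ICMP message needs at least 8 bytes")
    itype, code, csum = struct.unpack("!BBH", message[:4])
    anomalies = []
    if itype not in ICMP_TYPES:
        anomalies.append("unknown type %d" % itype)
    elif code > ICMP_TYPES[itype]:
        anomalies.append("code %d undefined for type %d" % (code, itype))
    if internet_checksum(message) != 0:
        anomalies.append("checksum mismatch")
    return {"type": itype, "code": code, "checksum": csum, "anomalies": anomalies}


# Constructed sample headers (not captured traffic).
SYN = struct.pack("!HHIIHHHH", 40000, 80, 1000, 0, (5 << 12) | 0x02, 65535, 0, 0)
SYN_FIN = struct.pack("!HHIIHHHH", 40000, 80, 1000, 0, (5 << 12) | (0xF << 8) | 0x03, 1024, 0, 0)
DNS_UDP = struct.pack("!HHHH", 53000, 53, 60, 0) + b"\x00" * 4   # claims 60 bytes, carries 12


def echo_request(ident: int = 1, seq: int = 1, payload: bytes = b"abcdefgh") -> bytes:
    """Build a well-formed ICMP echo request with a correct checksum."""
    hdr = struct.pack("!BBHHH", 8, 0, 0, ident, seq)
    csum = internet_checksum(hdr + payload)
    return struct.pack("!BBHHH", 8, 0, csum, ident, seq) + payload


if __name__ == "__main__":
    for name, parser, data in (("SYN", parse_tcp, SYN), ("SYN+FIN", parse_tcp, SYN_FIN),
                               ("UDP", parse_udp, DNS_UDP), ("ICMP", parse_icmp, echo_request())):
        print(name, parser(data))
```

Each parser returns the decoded fields together with an `anomalies` list, so the same functions can be run over headers pulled from a capture and the list used as a trigger for closer inspection; a clean header yields an empty list.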

Get Network Intrusion Detection, Third Edition now with the O’Reilly learning platform.