A. Protocol Header Reference

The protocol headers presented in this appendix are frequently encountered when analyzing TCP/IP traffic. An excellent online reference not mentioned elsewhere is the Network Sorcery site (http://www.networksorcery.com). This site clearly breaks down protocols by network, transport, and application layers by noting the following.

• Network-layer protocols are assigned EtherTypes, like 0x0806 for ARP, 0x0800 for IP version 4, and 0x86DD for IP version 6.

• Transport-layer protocols are assigned IP protocol values, like 1 for ICMP, 6 for TCP, 17 for UDP, 132 for Stream Control Transmission Protocol (SCTP), and so on.

• Application-layer protocols are assigned one or more SCTP, TCP, or UDP port numbers, like 23 for Telnet, ...
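As an added illustration of how these three identifier spaces chain together when a frame is demultiplexed (example code written for this reference, not from the book or the Network Sorcery site), the following Python walks a constructed Ethernet/IPv4/transport frame and names each layer using only the values the bullets list; the lookup tables, the `build_sample_frame` helper and the sample bytes are assumptions made here.

```python
import struct

# Identifier tables limited to the values named in the appendix text.
ETHERTYPES = {0x0806: "ARP", 0x0800: "IPv4", 0x86DD: "IPv6"}
IP_PROTOCOLS = {1: "ICMP", 6: "TCP", 17: "UDP", 132: "SCTP"}
PORTS = {23: "Telnet"}  # SCTP/TCP/UDP port numbers; only Telnet is listed above


def classify_frame(frame):
    """Demultiplex Ethernet -> IPv4 -> transport and name each layer.
    Returns {'network', 'transport', 'application'}; a layer that cannot be
    reached (e.g. ARP has no IP protocol field) is left as None."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]  # bytes 12-13 of the frame
    result = {"network": ETHERTYPES.get(ethertype, f"unknown(0x{ethertype:04x})"),
              "transport": None, "application": None}
    if ethertype != 0x0800:          # only IPv4 is decoded further here
        return result
    ip = frame[14:]
    if len(ip) < 20:
        raise ValueError("truncated IPv4 header")
    ihl = (ip[0] & 0x0F) * 4         # header length in bytes (IHL is in 32-bit words)
    proto = ip[9]                    # IP protocol field selects the transport layer
    result["transport"] = IP_PROTOCOLS.get(proto, f"unknown({proto})")
    if proto in (6, 17, 132):        # TCP, UDP and SCTP all start with src/dst ports
        l4 = ip[ihl:]
        if len(l4) < 4:
            raise ValueError("truncated transport header")
        sport, dport = struct.unpack("!HH", l4[:4])
        name = PORTS.get(dport) or PORTS.get(sport)
        result["application"] = name or f"unknown({sport}->{dport})"
    return result


def build_sample_frame(ethertype=0x0800, proto=6, dport=23):
    """Construct a minimal frame for testing (constructed sample, not a capture)."""
    eth = b"\x00" * 12 + struct.pack("!H", ethertype)      # zeroed MACs + EtherType
    if ethertype != 0x0800:
        return eth + b"\x00" * 28                          # e.g. an ARP body placeholder
    l4 = struct.pack("!HH", 40000, dport) + b"\x00" * 16   # ports + zero padding
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 1, 0, 64, proto, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return eth + ip + l4
```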
