Common packet requests and responses
Any traffic observed on a network lends itself to interpretation and to assumptions about the events that created it. Some might not find that interesting, while others will be intrigued by it; to see how much you can really learn from packet analysis, have a look at John Kristoff's blog post at Team Cymru on Deep Darknet Inspection.
Below is a small list of common packet requests and responses that might be useful.
- [ REQUEST => RESPONSE ]
- TCP SYN (to open port) => TCP SYN/ACK
- TCP SYN (to closed port) => TCP RST (ACK)
- TCP ACK => TCP RST (ACK)
- TCP RST => No response
- TCP NULL => TCP RST (ACK)
- ICMP ECHO request => ICMP Echo reply
- ICMP TS request => ICMP TS reply
- UDP pkt (to open port) => Protocol dependent
- UDP pkt (to closed port) => ICMP Port Unreachable
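The table above is easiest to apply when a stimulus and its reply are paired per flow and a missing reply is treated as a result in its own right. The following is an added example, not code from the original post: it reads a constructed one-line-per-packet summary (not tcpdump output; the `OUT`/`IN` format, the `VERDICTS` wording and the helper names are my own) and turns each request/response pair into a port or host verdict.

```python
from collections import Counter

# stimulus -> {reply seen: verdict}; the None key covers "no reply at all".
# Pairs follow the table above; the verdict wording is an assumption of this example.
VERDICTS = {
    "TCP SYN":           {"TCP SYN/ACK": "open", "TCP RST (ACK)": "closed", None: "filtered or down"},
    "TCP ACK":           {"TCP RST (ACK)": "unfiltered", None: "filtered"},
    "TCP NULL":          {"TCP RST (ACK)": "closed", None: "open or filtered"},
    "TCP RST":           {None: "no reply (expected)"},
    "ICMP ECHO request": {"ICMP Echo reply": "host up", None: "no reply"},
    "ICMP TS request":   {"ICMP TS reply": "host up", None: "no reply"},
    "UDP pkt":           {"ICMP Port Unreachable": "closed", None: "open or filtered"},
}

def parse(line):
    """'OUT 40001 22 TCP SYN' -> ('OUT', ('40001', '22'), 'TCP SYN')."""
    direction, sport, dport, kind = line.split(maxsplit=3)
    return direction, (sport, dport), kind

def judge(lines):
    """Return {(sport, dport): (stimulus, reply, verdict)} for every probe seen."""
    probes, replies = {}, {}
    for line in lines:
        direction, flow, kind = parse(line)
        (probes if direction == "OUT" else replies)[flow] = kind
    result = {}
    for flow, stim in probes.items():
        reply, table = replies.get(flow), VERDICTS.get(stim)
        if table is None:
            verdict = "unknown stimulus"
        elif reply in table:
            verdict = table[reply]
        elif stim == "UDP pkt" and reply is not None:
            verdict = "open (application answered)"  # the protocol-dependent case
        else:
            verdict = "unexpected reply: " + reply
        result[flow] = (stim, reply, verdict)
    return result

def summary(lines):
    """Count verdicts, e.g. to spot a host that answers nothing at all."""
    return Counter(verdict for _, _, verdict in judge(lines).values())

# Constructed sample, not a real capture. Ports are always written as seen from
# the probe, so an ICMP error line carries the ports of the packet it quotes.
SAMPLE = """\
OUT 40001 22 TCP SYN
IN  40001 22 TCP SYN/ACK
OUT 40002 23 TCP SYN
IN  40002 23 TCP RST (ACK)
OUT 40003 25 TCP SYN
OUT 40004 53 UDP pkt
IN  40004 53 UDP pkt
OUT 40005 161 UDP pkt
IN  40005 161 ICMP Port Unreachable
OUT - - ICMP ECHO request
IN  - - ICMP Echo reply
""".splitlines()

if __name__ == "__main__":
    for flow, (stim, reply, verdict) in judge(SAMPLE).items():
        print(f"{flow[1]:>5} {stim:<18} -> {reply or '(none)':<22} {verdict}")
```

Note that the silent cases (SYN with no answer, UDP with no answer) are the ones the table cannot settle on its own, which is why the example keeps them as distinct verdicts rather than guessing.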
There is actually a wealth of information to be learned from inspecting packet responses. @barryirwin gave a presentation at Zacon 1 that he dubbed Packet Sorcery, in which he explained how certain operating systems respond differently to specially crafted packets, enabling single-packet OS fingerprinting (sometimes).