Dissecting the TCP/IP Suite 33
Two mnemonics that I use to remember the order of layers are:
■ All People Seem To Need Data Processing, which uses the first letter of each layer as the first letter of each word in the sentence: Application, Presentation, Session, Transport, Network, Data Link, Physical.
■ Please Do Not Teach Stupid People Acronyms, which does the layers in the opposite order—that is, from the ground up.
Knowing the order and numbers of these layers will be useful during your exploration and exam.
Using the OSI model as a basic framework will help you understand many other CEH processes. Sniffing, scanning, and categorizing usable attacks can all be traced back to the OSI model.
Dissecting the TCP/IP Suite
Complementary to the OSI model is the TCP/IP protocol suite. TCP/IP is not necessarily a direct offshoot, but it's a progressive step from the standard OSI version of traffic flow. Each layer of the TCP/IP suite maps to one or several layers of the OSI model. The TCP/IP suite is important for protocol reference as well as aiding in tracking exactly where data is in the traffic flow process. The right side of Figure 2.6 earlier in this chapter shows the TCP/IP suite layers and how they map to the OSI model.
TCP is known as a connection-oriented protocol because it establishes a connection and verifies that packets sent across that connection make it to their destination. The process (see Figure 2.7) starts with what is called a SYN packet. This SYN packet starts the handshake process by telling the receiving system that another system wants its attention (via TCP of course). The receiving system then replies to the originating system with a SYN-ACK response. A SYN-ACK response is an acknowledgment response to the original SYN packet. Once the original sender receives the SYN-ACK response, it in turn responds with an ACK packet to verify that it has received the SYN-ACK and is ready to communicate via TCP. Wow! Really, it's not that complicated.
TCP packet sequence numbers are important both for the exam and for understanding attacks such as session hijacking and man-in-the-middle (MITM) exploits. You'll see how this comes into play in Chapter 12, "Session Hijacking." For now keep in mind how TCP works and how it uses sequence and acknowledgment numbers to guarantee data delivery. For example, a SYN packet has a random beginning sequence number that will be sent to the target host. Upon receipt of the SYN packet, the receiving host will respond with a SYN-ACK that has its own randomized sequence number. The ACK response packet from the first host will bump the sequence number up accordingly to signify the order of the packets being transferred. Figure 2.8 shows the sequence numbers.