Network Traffic Analysis for Incident Response: Internet Protocol with Wireshark - Security Boulevard


Introduction to the Internet Protocol

The Internet Protocol (IP) is the most widely used network-layer protocol. The common transport-layer protocols, the Transmission Control Protocol (TCP) and the User Datagram Protocol (UDP), are encapsulated within IP packets.

The purpose of IP is to make networks like the internet possible. Within a subnet, it is possible to route traffic at the physical layer using MAC addressing; however, this approach doesn’t scale. As a result, the internet works using IP addresses, which uniquely identify computers on the internet. The Internet Protocol layer contains these addresses and is used to route traffic through the internet.

IP in Wireshark

IP is unusual in that more than one version of its header is in common use. Most of the internet still operates on IP version 4 (IPv4), whose header carries addresses in the range 0.0.0.0 to 255.255.255.255.

However, IPv4 isn’t the most recent version of the protocol. In 1995, RFC 1883 was published, officially specifying IP version 6 (IPv6). IPv6 was designed to solve the problem of IPv4 address exhaustion: the concern that there would be more computers on the internet than there were possible IP addresses. That concern was valid, especially since there are at least 4,536,248,808 internet users and only 4,294,967,296 possible IPv4 addresses (not taking into account the private IPv4 address ranges, which cannot be allocated to a specific user).

The planned switchover from IPv4 to IPv6 never happened due to the widespread usage of Network Address Translation (NAT). With NAT, an entire organization’s network can have a single IP address on the public internet and be uniquely addressed internally using private IP address ranges (10.0.0.0/8, 172.16.0.0/12 and 192.168. (Read more...)

*** This is a Security Bloggers Network syndicated blog from Infosec Resources authored by Chris Sienko. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/svWxbhemKOw/