In order to build a packet, we need information at the Ethernet layer (MAC address), information at the Network layer (IP address), and then upper-layer information such as the source and destination ports that the data is to be sent from and to (Port 45454 -> Port 80 for HTTP).

TCP-get port numbers. How does the computer know which port to use? The OS has a configuration file that specifies which port to use for which protocol (Windows: host file; *nix: xyz_config file). You can modify this file to make the OS behave differently (malicious/system control). Unique numbers assigned to a particular process are a nice way to make things difficult for the bad guys.

IP-get IP addresses. How do we get the host’s IP address? It is going to be in the host cache, the host file, or found on the network via an ICMP packet.

Then we determine whether this is a remote destination. We compare the destination and the source under the network mask and see whether the destination is on our LAN or not.

Ethernet-local or remote? How do we get the MAC address (ARP)? If the destination is on the LAN, it will be in the ARP cache or found on the network via an ARP packet. The ARP cache has a vulnerability: the Man-In-The-Middle attack. One way of carrying out a Man-In-The-Middle attack is by sending ARP responses that have not been asked for, known as ARP cache poisoning. The packets that were supposed to go to the real router then go to the evil router. Typical outcomes are denial of service, relaying of packets, or packet modification.

If the destination is remote, we look up the route information. The router says to send the packet to it because it has a path to a DNS server that can locate the destination. Routers check their host, network, or gateway tables. Once the packet reaches the destination network, the MAC address is obtained (ARP) from the cache or from the network. Once we have populated the MAC addresses, the IP addresses, and the port numbers for the source and destination, we have completed the packet.

Where can things go wrong? Maybe the host file is damaged or gone, so we don’t know which port number to use. Maybe the host file has been modified to use a different port number, so we select the incorrect one. Maybe our IP address is not in the cache file, or is missing or wrong in the host file. Maybe we are not able to get a response back from the network.
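As an added worked example (not part of the original notes), the walk-through above in Python: a services table standing in for the port configuration file, the mask comparison that decides local versus remote, the ARP cache lookup that fills in the destination MAC, the failure case of a missing cache entry, and the check a defender would add against unsolicited ARP replies that rebind an existing entry. All addresses, MACs and table entries are constructed; the gateway, services and ARP tables are assumptions of this example.

```python
import ipaddress

# Constructed sample host configuration (not real hosts or hardware).
LOCAL_IP = "192.168.1.10"
LOCAL_MASK = "255.255.255.0"
LOCAL_MAC = "aa:aa:aa:aa:aa:01"
DEFAULT_GATEWAY = "192.168.1.1"

# Protocol -> port table, playing the role of the OS port configuration file.
SERVICES = {"http": 80, "https": 443, "dns": 53}

# ARP cache: IP -> MAC, seeded with constructed entries.
ARP_CACHE = {
    "192.168.1.1": "aa:aa:aa:aa:aa:ff",   # the real router
    "192.168.1.20": "aa:aa:aa:aa:aa:14",  # another host on the LAN
}

def is_local(dst_ip, local_ip=LOCAL_IP, mask=LOCAL_MASK):
    """Compare destination and source under the local mask: same network means on-LAN."""
    net = ipaddress.IPv4Network(f"{local_ip}/{mask}", strict=False)
    return ipaddress.IPv4Address(dst_ip) in net

def next_hop(dst_ip):
    """A local destination is ARPed directly; a remote one is sent to the default gateway."""
    return dst_ip if is_local(dst_ip) else DEFAULT_GATEWAY

def build_header(dst_ip, service, src_port=45454):
    """Populate the Ethernet, IP and port fields; a missing ARP entry means an ARP request is needed."""
    hop = next_hop(dst_ip)
    dst_mac = ARP_CACHE.get(hop)
    if dst_mac is None:
        raise LookupError(f"{hop} not in ARP cache; an ARP request would have to be sent")
    return {
        "src_mac": LOCAL_MAC, "dst_mac": dst_mac,
        "src_ip": LOCAL_IP, "dst_ip": dst_ip,
        "src_port": src_port, "dst_port": SERVICES[service],
    }

def arp_reply(cache, ip, mac, solicited):
    """Update the cache, but flag an unsolicited reply that changes an existing IP->MAC binding:
    that is the ARP cache poisoning pattern described in the notes."""
    old = cache.get(ip)
    if not solicited and old is not None and old != mac:
        return f"ALERT: unsolicited ARP reply rebinds {ip} from {old} to {mac}"
    cache[ip] = mac
    return "ok"
```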
