1565  Packet Analysis: Protocol Layers and Filtering

1565.1 Learning Objectives

By the end of this chapter, you will be able to:

• Understand network protocol layers: Identify the role of Application, Transport, Network, and Link layers
• Read protocol encapsulation: Trace how data flows through the OSI model
• Apply display filters: Use filter expressions to isolate specific network traffic
• Match protocols to layers: Correctly associate IoT protocols with their network layers

1565.2 Introduction

Packet capture analysis requires understanding how network communication is organized into layers. Each layer serves a specific purpose, and examining packets at each layer reveals different aspects of the communication. This chapter explains the layered model and introduces display filters for focusing on traffic of interest.

1565.3 Protocol Layers

Network communication follows a layered model. Each layer encapsulates data from the layer above, adding its own headers and control information:

Layer	Example Protocols	Purpose
Application	MQTT, CoAP, HTTP	Application-specific data exchange
Transport	TCP, UDP	End-to-end delivery, reliability
Network	IPv4, IPv6	Addressing and routing
Link	Ethernet, 802.15.4, BLE LL	Local network transmission

%%{init: {'theme': 'base', 'themeVariables': {'primaryColor': '#2C3E50', 'primaryTextColor': '#FFFFFF', 'lineColor': '#16A085'}}}%%
flowchart TB
    subgraph Application["Application Layer"]
        MQTT["MQTT<br/>Pub/Sub Messaging"]
        CoAP["CoAP<br/>RESTful IoT"]
        HTTP["HTTP<br/>Web Protocol"]
    end

    subgraph Transport["Transport Layer"]
        TCP["TCP<br/>Reliable Stream"]
        UDP["UDP<br/>Datagram"]
    end

    subgraph Network["Network Layer"]
        IPv4["IPv4/IPv6<br/>Addressing"]
    end

    subgraph Link["Link Layer"]
        ETH["Ethernet"]
        BLE["BLE"]
        ZB["802.15.4"]
    end

    MQTT --> TCP
    CoAP --> UDP
    HTTP --> TCP
    TCP --> IPv4
    UDP --> IPv4
    IPv4 --> ETH
    IPv4 --> BLE
    IPv4 --> ZB

    style MQTT fill:#9B59B6,color:#FFFFFF
    style CoAP fill:#16A085,color:#FFFFFF
    style HTTP fill:#3498DB,color:#FFFFFF
    style TCP fill:#E67E22,color:#FFFFFF
    style UDP fill:#8BC34A,color:#FFFFFF
    style IPv4 fill:#2C3E50,color:#FFFFFF
    style ETH fill:#7F8C8D,color:#FFFFFF
    style BLE fill:#00BCD4,color:#FFFFFF
    style ZB fill:#27AE60,color:#FFFFFF

1565.3.1 Application Layer

The application layer contains the actual IoT protocol data:

• MQTT (Message Queuing Telemetry Transport): Lightweight publish/subscribe messaging, ideal for IoT sensors and actuators
• CoAP (Constrained Application Protocol): RESTful protocol designed for constrained devices, uses UDP
• HTTP (Hypertext Transfer Protocol): Standard web protocol, commonly used for IoT cloud APIs

1565.3.2 Transport Layer

The transport layer provides end-to-end communication:

• TCP (Transmission Control Protocol): Reliable, ordered delivery with connection establishment
• UDP (User Datagram Protocol): Best-effort delivery without connection overhead

TipTCP vs UDP for IoT

• TCP is used by MQTT for guaranteed message delivery
• UDP is preferred by CoAP for lower latency and overhead
• Choose based on your reliability vs. efficiency requirements

1565.3.3 Network Layer

The network layer handles addressing and routing:

• IPv4: 32-bit addresses (e.g., 192.168.1.100)
• IPv6: 128-bit addresses, essential for large IoT deployments
• 6LoWPAN: IPv6 adaptation for low-power wireless networks

1565.3.4 Link Layer

The link layer manages physical transmission:

• Ethernet: Wired networks (MAC addresses)
• 802.15.4: Low-power wireless (Zigbee, Thread)
• BLE Link Layer: Bluetooth Low Energy advertising and connections

1565.4 Understanding Encapsulation

When an MQTT message is sent, it passes through each layer:

%%{init: {'theme': 'base', 'themeVariables': {'primaryColor': '#2C3E50', 'primaryTextColor': '#FFFFFF', 'lineColor': '#16A085'}}}%%
flowchart LR
    subgraph App["Application"]
        A1["MQTT Payload<br/>{'temp': 23.5}"]
    end

    subgraph Trans["Transport"]
        T1["TCP Header + MQTT Data"]
    end

    subgraph Net["Network"]
        N1["IP Header + TCP Segment"]
    end

    subgraph Link["Link"]
        L1["Ethernet Header + IP Packet + FCS"]
    end

    App --> Trans --> Net --> Link

    style A1 fill:#9B59B6,color:#FFFFFF
    style T1 fill:#E67E22,color:#FFFFFF
    style N1 fill:#2C3E50,color:#FFFFFF
    style L1 fill:#7F8C8D,color:#FFFFFF

Each layer adds overhead but provides essential services:

Layer	Typical Header Size	Information Added
Ethernet	14 bytes	Source/destination MAC
IPv4	20 bytes	Source/destination IP
TCP	20+ bytes	Ports, sequence numbers
MQTT	2+ bytes	Packet type, flags

1565.5 Display Filters

Display filters allow you to isolate specific traffic in a capture. They are essential for analyzing IoT deployments with mixed protocols.

1565.5.1 Basic Filter Syntax

Filter Expression	Description
mqtt	Show only MQTT packets
coap	Show only CoAP packets
http	Show only HTTP packets
ble	Show only BLE packets
zigbee	Show only Zigbee packets

1565.5.2 IP Address Filters

Filter Expression	Description
ip.src==192.168.1.100	Packets from specific source
ip.dst==192.168.1.1	Packets to specific destination
ip.addr==192.168.1.100	Any packet involving this IP

1565.5.3 Port Filters

Filter Expression	Description
tcp.port==1883	MQTT default port
tcp.port==8883	MQTT over TLS
udp.port==5683	CoAP default port
tcp.port==80	HTTP default port

1565.5.4 Protocol-Specific Filters

Filter Expression	Description
mqtt.msgtype==3	MQTT PUBLISH messages
coap.type==0	CoAP confirmable messages
http.request.method==GET	HTTP GET requests

1565.5.5 Combining Filters

Use logical operators to create complex filters:

Operator	Example	Description
&&	mqtt && ip.src==192.168.1.100	Both conditions
||	mqtt || coap	Either condition
!	!mqtt	Exclude MQTT

TipFilter Best Practices

1. Start broad, then narrow down: Begin with protocol filters, then add IP filters
2. Use protocol filters first: They’re faster than field comparisons
3. Save common filters: Create filter buttons for frequently used expressions
4. Watch packet counts: The status bar shows how many packets match

1565.6 Practice Exercise: Filter Construction

Given this scenario: You need to find all MQTT messages from sensor device 192.168.1.100 to the broker at 192.168.1.1.

NoteSolution

The filter would be:

mqtt && ip.src==192.168.1.100 && ip.dst==192.168.1.1

Or to see both directions:

mqtt && ip.addr==192.168.1.100 && ip.addr==192.168.1.1

1565.7 Summary

ImportantKey Takeaways

1. Network communication uses layers: Application, Transport, Network, and Link layers each serve specific purposes
2. Each layer adds headers: Encapsulation creates overhead but provides essential services
3. IoT protocols span multiple layers: MQTT uses TCP, CoAP uses UDP, both use IP
4. Display filters isolate traffic: Use protocol, IP, port, and combined filters
5. Effective filtering is essential: Start broad and narrow down systematically

1565.8 What’s Next

• Packet Analysis: IoT Protocol Scenarios - Analyze MQTT, CoAP, BLE, and Zigbee captures
• Packet Analysis: Advanced Techniques - Hex dump analysis and statistics interpretation
• Interactive Packet Capture Analyzer - Practice with the interactive tool