Introduction
This page mainly demonstrates capturing ICMP packets with tcpdump and inspecting the resulting IP fragments after setting the ICMP payload length with the ping command.
A sends a normal ping
C:\Users\yaxia>ping 10.70.30.60
正在 Ping 10.70.30.60 具有 32 字节的数据:
来自 10.70.30.60 的回复: 字节=32 时间<1ms TTL=64
来自 10.70.30.60 的回复: 字节=32 时间<1ms TTL=64
来自 10.70.30.60 的回复: 字节=32 时间<1ms TTL=64
来自 10.70.30.60 的回复: 字节=32 时间<1ms TTL=64
10.70.30.60 的 Ping 统计信息:
数据包: 已发送 = 4,已接收 = 4,丢失 = 0 (0% 丢失),
往返行程的估计时间(以毫秒为单位):
最短 = 0ms,最长 = 0ms,平均 = 0ms
Result seen on B
root@php56:/home/tb# tcpdump -ntv -i enp0s3 icmp
tcpdump: listening on enp0s3, link-type EN10MB (Ethernet), capture size 262144 bytes
IP (tos 0x0, ttl 128, id 27746, offset 0, flags [none], proto ICMP (1), length 60)
10.70.30.47 > 10.70.30.60: ICMP echo request, id 1, seq 4795, length 40
IP (tos 0x0, ttl 64, id 30075, offset 0, flags [none], proto ICMP (1), length 60)
10.70.30.60 > 10.70.30.47: ICMP echo reply, id 1, seq 4795, length 40
IP (tos 0x0, ttl 128, id 27748, offset 0, flags [none], proto ICMP (1), length 60)
10.70.30.47 > 10.70.30.60: ICMP echo request, id 1, seq 4796, length 40
IP (tos 0x0, ttl 64, id 30127, offset 0, flags [none], proto ICMP (1), length 60)
10.70.30.60 > 10.70.30.47: ICMP echo reply, id 1, seq 4796, length 40
IP (tos 0x0, ttl 128, id 27750, offset 0, flags [none], proto ICMP (1), length 60)
10.70.30.47 > 10.70.30.60: ICMP echo request, id 1, seq 4797, length 40
IP (tos 0x0, ttl 64, id 30365, offset 0, flags [none], proto ICMP (1), length 60)
10.70.30.60 > 10.70.30.47: ICMP echo reply, id 1, seq 4797, length 40
IP (tos 0x0, ttl 128, id 27752, offset 0, flags [none], proto ICMP (1), length 60)
10.70.30.47 > 10.70.30.60: ICMP echo request, id 1, seq 4798, length 40
IP (tos 0x0, ttl 64, id 30534, offset 0, flags [none], proto ICMP (1), length 60)
10.70.30.60 > 10.70.30.47: ICMP echo reply, id 1, seq 4798, length 40
A sends a packet larger than the MTU
C:\Users\yaxia>ping 10.70.30.60 -l 1473
正在 Ping 10.70.30.60 具有 1473 字节的数据:
来自 10.70.30.60 的回复: 字节=1473 时间<1ms TTL=64
来自 10.70.30.60 的回复: 字节=1473 时间<1ms TTL=64
来自 10.70.30.60 的回复: 字节=1473 时间<1ms TTL=64
来自 10.70.30.60 的回复: 字节=1473 时间<1ms TTL=64
10.70.30.60 的 Ping 统计信息:
数据包: 已发送 = 4,已接收 = 4,丢失 = 0 (0% 丢失),
往返行程的估计时间(以毫秒为单位):
最短 = 0ms,最长 = 0ms,平均 = 0ms
Result received on B (note that there are now twice as many IP packets)
IP (tos 0x0, ttl 128, id 27801, offset 0, flags [+], proto ICMP (1), length 1500)
10.70.30.47 > 10.70.30.60: ICMP echo request, id 1, seq 4799, length 1480
IP (tos 0x0, ttl 128, id 27801, offset 1480, flags [none], proto ICMP (1), length 21)
10.70.30.47 > 10.70.30.60: ip-proto-1
IP (tos 0x0, ttl 64, id 10022, offset 0, flags [+], proto ICMP (1), length 1500)
10.70.30.60 > 10.70.30.47: ICMP echo reply, id 1, seq 4799, length 1480
IP (tos 0x0, ttl 64, id 10022, offset 1480, flags [none], proto ICMP (1), length 21)
10.70.30.60 > 10.70.30.47: ip-proto-1
IP (tos 0x0, ttl 128, id 27803, offset 0, flags [+], proto ICMP (1), length 1500)
10.70.30.47 > 10.70.30.60: ICMP echo request, id 1, seq 4800, length 1480
IP (tos 0x0, ttl 128, id 27803, offset 1480, flags [none], proto ICMP (1), length 21)
10.70.30.47 > 10.70.30.60: ip-proto-1
IP (tos 0x0, ttl 64, id 10189, offset 0, flags [+], proto ICMP (1), length 1500)
10.70.30.60 > 10.70.30.47: ICMP echo reply, id 1, seq 4800, length 1480
IP (tos 0x0, ttl 64, id 10189, offset 1480, flags [none], proto ICMP (1), length 21)
10.70.30.60 > 10.70.30.47: ip-proto-1
IP (tos 0x0, ttl 128, id 27805, offset 0, flags [+], proto ICMP (1), length 1500)
10.70.30.47 > 10.70.30.60: ICMP echo request, id 1, seq 4801, length 1480
IP (tos 0x0, ttl 128, id 27805, offset 1480, flags [none], proto ICMP (1), length 21)
10.70.30.47 > 10.70.30.60: ip-proto-1
IP (tos 0x0, ttl 64, id 10418, offset 0, flags [+], proto ICMP (1), length 1500)
10.70.30.60 > 10.70.30.47: ICMP echo reply, id 1, seq 4801, length 1480
IP (tos 0x0, ttl 64, id 10418, offset 1480, flags [none], proto ICMP (1), length 21)
10.70.30.60 > 10.70.30.47: ip-proto-1
IP (tos 0x0, ttl 128, id 27807, offset 0, flags [+], proto ICMP (1), length 1500)
10.70.30.47 > 10.70.30.60: ICMP echo request, id 1, seq 4802, length 1480
IP (tos 0x0, ttl 128, id 27807, offset 1480, flags [none], proto ICMP (1), length 21)
10.70.30.47 > 10.70.30.60: ip-proto-1
IP (tos 0x0, ttl 64, id 10429, offset 0, flags [+], proto ICMP (1), length 1500)
10.70.30.60 > 10.70.30.47: ICMP echo reply, id 1, seq 4802, length 1480
IP (tos 0x0, ttl 64, id 10429, offset 1480, flags [none], proto ICMP (1), length 21)
10.70.30.60 > 10.70.30.47: ip-proto-1
One fragmented IP datagram extracted from the capture
IP (tos 0x0, ttl 128, id 27801, offset 0, flags [+], proto ICMP (1), length 1500)
10.70.30.47 > 10.70.30.60: ICMP echo request, id 1, seq 4799, length 1480
IP (tos 0x0, ttl 128, id 27801, offset 1480, flags [none], proto ICMP (1), length 21)
10.70.30.47 > 10.70.30.60: ip-proto-1
Brief explanation
- Both fragments have id 27801, showing they belong to the same IP datagram.
- The first IP fragment has offset 0, the second has offset 1480.
- The first IP fragment's flags are +, which actually means the MF (More Fragments) flag is set, indicating that more fragments follow; the second fragment's flags are none.
- The first IP fragment has length 1500, the second has length 21.
Where -l 1473 comes from
Checking A's MTU on Windows
C:\Users\yaxia>netsh interface ipv4 show subinterfaces

       MTU  MediaSenseState   传入字节  传出字节  接口
------------  ---------------  ---------  ---------  -------------
  4294967295                1   31577369      21149  Loopback Pseudo-Interface 1
        1500                1  10271737813  4348038074  以太网
        1500                1       4944    9536968  VirtualBox Host-Only Network
B's MTU via ifconfig
enp0s3    Link encap:Ethernet  HWaddr 08:00:27:ce:14:39
          inet addr:10.70.30.60  Bcast:10.70.31.255  Mask:255.255.254.0
          inet6 addr: fe80::a00:27ff:fece:1439/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:3130176 errors:0 dropped:0 overruns:0 frame:0
          TX packets:171929 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:361713379 (361.7 MB)  TX bytes:124807829 (124.8 MB)
An IP header is normally 20 bytes (the options field, up to 40 bytes, is empty in the usual case, so the longest possible IP header is 60 bytes). The Ethernet frame MTU is at most 1500 bytes, so the IP payload carried in one frame is at most 1480 bytes. The ICMP header is 8 bytes. If we encapsulate an ICMP message of length 1480+1 in an IP datagram, the ICMP data portion must be 1481-8=1473 bytes, which is why -l is 1473.

For a regular IP datagram, for example one of 4000 bytes, the calculation is as follows: of the 4000 bytes, 20 are the IP header and the remaining 3980 are data, which must be split into 3 IP fragments (assuming a link-layer MTU of 1500). The fragment offset of the first fragment is 0, meaning it starts at byte 0 of the 3980 and ends at byte 1479. The second fragment's offset is 185 (1480/8), meaning it starts at byte 1480 of the original datagram and ends at byte 2959. The third fragment's offset is 370 (2960/8), starting at byte 2960 and ending at byte 3979. From this it is easy to see that the unit of the IP fragment offset is 8 bytes.
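To make the arithmetic above concrete, here is an added Python example (not code from the original post): it computes the fragment layout for a given IP payload length and MTU, and parses tcpdump header lines to check that the fragments of each IP id are contiguous and correctly flagged. The sample text is the id 27801 pair from the capture above; the 20-byte header without options is an assumption that matches these captures.

```python
import re
from collections import defaultdict

IP_HDR = 20  # assumed: IP header without options, as in the captures on this page

# Matches the "IP (tos ..., id N, offset O, flags [...], ..., length L)" lines of tcpdump -v
FRAG_RE = re.compile(
    r"IP \(tos \S+, ttl \d+, id (?P<id>\d+), offset (?P<off>\d+), "
    r"flags \[(?P<flags>[^\]]*)\], proto \S+ \(\d+\), length (?P<len>\d+)\)")

# Constructed sample: the two fragment headers of id 27801 from the capture above
SAMPLE = """
IP (tos 0x0, ttl 128, id 27801, offset 0, flags [+], proto ICMP (1), length 1500)
IP (tos 0x0, ttl 128, id 27801, offset 1480, flags [none], proto ICMP (1), length 21)
"""

def fragment(payload_len, mtu=1500, ip_hdr=IP_HDR):
    """Split an IP payload of payload_len bytes into (byte offset, MF set, total length).
    Every fragment except the last carries a multiple of 8 bytes, because the offset
    field counts 8-byte units (1480 data bytes per fragment for an MTU of 1500)."""
    per_frag = (mtu - ip_hdr) // 8 * 8
    frags, off = [], 0
    while off < payload_len:
        chunk = min(per_frag, payload_len - off)
        more = off + chunk < payload_len        # MF flag: more fragments follow
        frags.append((off, more, ip_hdr + chunk))
        off += chunk
    return frags

def parse_fragments(text, ip_hdr=IP_HDR):
    """Group tcpdump header lines by IP id; return {id: (consistent, payload bytes)}.
    A set is consistent when offsets are contiguous, every fragment but the last has
    MF set, and the last one does not."""
    by_id = defaultdict(list)
    for m in FRAG_RE.finditer(text):
        by_id[int(m["id"])].append((int(m["off"]), "+" in m["flags"], int(m["len"])))
    result = {}
    for ident, frags in by_id.items():
        frags.sort()
        ok, expected = True, 0
        for i, (off, more, length) in enumerate(frags):
            ok &= off == expected and more == (i < len(frags) - 1)
            expected = off + length - ip_hdr     # where the next fragment must start
        result[ident] = (ok, expected)
    return result
```

fragment(1481) reproduces the 1500/21 pair seen on B, and fragment(3980) yields byte offsets 0, 1480 and 2960, i.e. 0, 185 and 370 in 8-byte units.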