Articles in this series:
Simple network protocol analysis
Firewall and VPN application deployment
1. Become familiar with Wireshark and, by monitoring network traffic, understand the layering principle of the computer network architecture.
2. Understand the contents of the TCP, IP and Ethernet II protocols.
1. Visit www.xjtu.edu.cn in a browser and use Wireshark to observe the protocol data units of the application, transport, network and data link layers.
2. Capture a message of some application-layer protocol in Wireshark and map each protocol found in the frame to its layer in the network architecture.
3. Capture an HTTP message in Wireshark and analyse the TCP, IP and Ethernet II protocol data units it contains.
Click "Start" in Wireshark, open a browser, enter www.xjtu.edu.cn in the URL bar to load the site, then return to Wireshark and click "Stop" to obtain the captured packets.
Save the captured data.
Then use a DNS packet to analyse the layering of the network architecture, and an HTTP packet to analyse the contents of the TCP, IP and Ethernet II protocol data units.
Frame 1979: 75 bytes on wire (600 bits), 75 bytes captured (600 bits) on interface \Device\NPF_{FE613A3D-CF09-4F56-8874-7B22D3B71713}, id 0
Interface id: 0 (\Device\NPF_{FE613A3D-CF09-4F56-8874-7B22D3B71713})
Interface name: \Device\NPF_{FE613A3D-CF09-4F56-8874-7B22D3B71713}
Interface description: Local Area Connection
Encapsulation type: Ethernet (1)
Arrival Time: May 15, 2020 23:55:02.757500000 China Standard Time#capture time
[Time shift for this packet: 0.000000000 seconds]
Epoch Time: 1590162902.757500000 seconds
[Time delta from previous captured frame: 0.151635000 seconds]#interval between this packet and the previous one
[Time delta from previous displayed frame: 0.151635000 seconds]
[Time since reference or first frame: 8.383626000 seconds]#interval between this packet and the first frame
Frame Number: 1979
Frame Length: 75 bytes (600 bits)
Capture Length: 75 bytes (600 bits)
[Frame is marked: False]
[Frame is ignored: False]
[Protocols in frame: eth:ethertype:ip:udp:dns]#the protocol stack encapsulated in the frame, outermost first; the 75 captured bytes are 14 (Ethernet II) + 20 (IPv4) + 8 (UDP) + 33 (DNS)
[Coloring Rule Name: UDP]
[Coloring Rule String: udp]
Ethernet II is the data-link-layer Ethernet frame header:
Ethernet II, Src: ASUSTekC_95:76:c9 (d0:17:c2:95:76:c9), Dst: Tp-LinkT_16:47:c8 (28:2c:b2:16:47:c8)
Here the source MAC address is that of the computer's Local Area Connection adapter and the destination MAC address is the router's, as verified against the figures below (left: Local Area Connection details, right: router details). The destination is the router rather than the DNS server because 211.137.191.26 is outside the local network: the frame is addressed to the next hop (the default gateway), and only the IP header carries the final destination.
IPv4 is the internet-layer IP packet header:
Internet Protocol Version 4, Src: 192.168.1.100, Dst: 211.137.191.26
0100 .... = Version: 4
.... 0101 = Header Length: 20 bytes (5)
Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
Total Length: 61
Identification: 0x0fd5 (4053)
Flags: 0x0000
Fragment offset: 0
Time to live: 128 #TTL. RFC 791 defines it in seconds, but every router decrements it by at least 1, so in practice it is a hop count; 128 is the default initial value on Windows
Protocol: UDP (17) #the upper-layer protocol carried in this packet is UDP
Header checksum: 0x0000 [validation disabled] #header checksum; 0x0000 on a packet sent by the capturing host normally means the NIC computes it after the capture driver has already copied the packet (checksum offload), so Wireshark cannot verify it
[Header checksum status: Unverified]
Source: 192.168.1.100 #source IP address, i.e. this host; see the screenshot in the physical layer section
Destination: 211.137.191.26 #destination IP address, the DNS server
Transport-layer UDP datagram header:
User Datagram Protocol, Src Port: 57527, Dst Port: 53
Source Port: 57527 #source port, an ephemeral port chosen by the client; port numbers range from 0 to 65535
Destination Port: 53 #destination port; 53 is DNS
Length: 41 #UDP header (8 bytes) plus the 33-byte DNS message
Checksum: 0x54eb [unverified]
[Checksum Status: Unverified]
[Stream index: 56]
[Timestamps]
Domain Name System (query)
Transaction ID: 0x4360
Flags: 0x0100 Standard query#16-bit flags field; 0x0100 means only the RD bit is set
0... .... .... .... = Response: Message is a query#QR bit: 0 = query, 1 = response
.000 0... .... .... = Opcode: Standard query (0)#4-bit opcode: 0 = standard query, 1 = inverse query, 2 = server status request
.... ..0. .... .... = Truncated: Message is not truncated#TC bit: 1 means the response exceeded 512 bytes over UDP and was cut short. The bit before it (AA, authoritative answer) is not shown here because it is only meaningful in a response
.... ...1 .... .... = Recursion desired: Do query recursively#RD bit: 1 means the client wants the server to resolve the name recursively. The bit after it (RA, recursion available) is not shown because it is only meaningful in a response, where 1 means the server offers recursion
.... .... .0.. .... = Z: reserved (0)#Z: reserved bit. RFC 1035 reserved 3 bits here; RFC 4035 later assigned the next two as AD (authentic data) and CD (checking disabled)
.... .... ...0 .... = Non-authenticated data: Unacceptable#this is the CD (checking disabled) bit, one of the former reserved bits, under Wireshark's label; the 4 bits that follow are RCODE, which carries meaning only in a response
Questions: 1
Answer RRs: 0
Authority RRs: 0
Additional RRs: 0
Queries
www.xjtu.edu.cn: type A, class IN#type A asks for the host's IPv4 address; class IN (Internet) is the only class used in practice
[Response In: 1980]#the matching response is frame 1980
Since the response follows the same protocol, it looks essentially like the query. Note that at the data link, network and transport layers source and destination swap roles, which shows up as swapped MAC addresses, IP addresses and port numbers, and that in the DNS header the flags absent from the query (AA, Recursion available, RCODE) now appear. Note also what ties the two frames together: a resolver accepts a response only if its Transaction ID (here 0x4360) and the UDP port it arrives on (57527) match the outstanding query, and over plain UDP those two values are all that stands between the client and a forged answer.
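The following Python script is an added example and not part of the original report. It rebuilds the 33-byte query above from the values Wireshark shows (ID 0x4360, flags 0x0100, one A/IN question for www.xjtu.edu.cn), decodes every flag bit named above, parses a response including a compressed name pointer, and performs the ID/question match a resolver does before trusting an answer. The response bytes are constructed here, since the page does not show the contents of frame 1980; the answer address 202.117.1.13 and the 300-second record TTL in it are assumptions.

```python
import struct


def encode_name(name: str) -> bytes:
    """Wire format of a domain name: length-prefixed labels, terminated by 0."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query() -> bytes:
    # Reconstructed from the captured query: ID 0x4360, flags 0x0100 (RD only),
    # QDCOUNT 1, AN/NS/AR 0, question www.xjtu.edu.cn type A (1) class IN (1).
    header = struct.pack("!HHHHHH", 0x4360, 0x0100, 1, 0, 0, 0)
    return header + encode_name("www.xjtu.edu.cn") + struct.pack("!HH", 1, 1)


def decode_flags(flags: int) -> dict:
    """Split the 16-bit flags word into the bits shown in the Wireshark tree."""
    return {
        "QR": (flags >> 15) & 1, "Opcode": (flags >> 11) & 0xF,
        "AA": (flags >> 10) & 1, "TC": (flags >> 9) & 1, "RD": (flags >> 8) & 1,
        "RA": (flags >> 7) & 1, "Z": (flags >> 6) & 1, "AD": (flags >> 5) & 1,
        "CD": (flags >> 4) & 1, "RCODE": flags & 0xF,
    }


def read_name(msg: bytes, offset: int):
    """Return (name, offset just past it), following RFC 1035 compression pointers."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                 # 11xxxxxx: pointer to another offset
            if end is None:
                end = offset + 2                   # the pointer itself is 2 bytes long
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            hops += 1
            if hops > 16:                          # refuse malicious pointer loops
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if end is not None else offset)


def parse_message(msg: bytes) -> dict:
    tid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    offset, questions, records = 12, [], []
    for _ in range(qd):
        name, offset = read_name(msg, offset)
        qtype, qclass = struct.unpack("!HH", msg[offset:offset + 4])
        offset += 4
        questions.append((name, qtype, qclass))
    for _ in range(an + ns + ar):                  # answer, authority, additional RRs
        name, offset = read_name(msg, offset)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:              # A record: render as dotted quad
            rdata = ".".join(str(b) for b in rdata)
        records.append((name, rtype, ttl, rdata))
    return {"id": tid, "flags": decode_flags(flags), "questions": questions, "records": records}


def build_response(query: bytes, ip: str, ttl: int = 300) -> bytes:
    # Constructed response (frame 1980's bytes are not on the page): same ID,
    # flags 0x8180 = QR + RD + RA with RCODE 0, the question echoed back, and one
    # A record whose name is a pointer (0xC00C) to the question name at offset 12.
    tid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", tid, 0x8180, 1, 1, 0, 0)
    answer = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, ttl, 4) + bytes(int(x) for x in ip.split("."))
    return header + query[12:] + answer


def matches_query(query: bytes, response: bytes) -> bool:
    """The acceptance check a resolver performs: same ID, QR set, same question."""
    q, r = parse_message(query), parse_message(response)
    return q["id"] == r["id"] and r["flags"]["QR"] == 1 and q["questions"] == r["questions"]


if __name__ == "__main__":
    q = build_query()
    print(len(q), "bytes:", parse_message(q))
    r = build_response(q, "202.117.1.13")
    print(parse_message(r), "accepted:", matches_query(q, r))
```

The length check is the point of the first line of output: the query must come out at 33 bytes, which is what the UDP length 41 and IP total length 61 above imply. The pointer-loop guard in read_name is not decoration; a parser that follows pointers unconditionally can be spun forever by a crafted response.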
What matters about Ethernet II in a capture is the frame format: a 6-byte destination MAC address, a 6-byte source MAC address and a 2-byte type field (identifying the protocol of the data carried in the frame), followed by 46-1500 bytes of data and a 4-byte frame check sequence (FCS). The FCS is checked and stripped by the NIC before the capture driver sees the frame, which is why it never appears in these dissections: the 75 bytes of the DNS frame above are exactly the 14-byte header plus the 61-byte IP datagram.
Ethernet II, Src: ASUSTekC_95:76:c9 (d0:17:c2:95:76:c9), Dst: Tp-LinkT_16:47:c8 (28:2c:b2:16:47:c8)
Destination: Tp-LinkT_16:47:c8 (28:2c:b2:16:47:c8)#destination address (the router, i.e. the next hop)
Source: ASUSTekC_95:76:c9 (d0:17:c2:95:76:c9)#source address (this host)
Type: IPv4 (0x0800)#EtherType: 0x0800 = IPv4; 0x0806 would be ARP and 0x86DD IPv6
Internet Protocol Version 4, Src: 192.168.1.100, Dst: 202.117.1.13
0100 .... = Version: 4#version
.... 0101 = Header Length: 20 bytes (5)#header length: 5 × 4 = 20 bytes, so no IP options
Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)#type of service. The original IPv4 specification [RFC0791] defined a Type of Service (ToS) field here; since it was never widely used it was eventually split in two: a 6-bit DSCP (Differentiated Services Code Point, a set of predefined values with agreed meanings) and a 2-bit ECN (Explicit Congestion Notification) field
Total Length: 585#total length: 20-byte IP header + 20-byte TCP header + 545 bytes of HTTP payload
Identification: 0x0fe4 (4068)#identification, shared by all fragments of one datagram
Flags: 0x4000, Don't fragment
0... .... .... .... = Reserved bit: Not set
.1.. .... .... .... = Don't fragment: Set#DF=1: routers must not fragment this datagram (one that is too large for a link is dropped and answered with ICMP "fragmentation needed")
..0. .... .... .... = More fragments: Not set#MF=0: no further fragments follow; with DF set the datagram was never fragmented at all
Fragment offset: 0#offset 0: this is the start of the datagram (the offset is 0 for any unfragmented datagram, not because DF is set)
Time to live: 128
Protocol: TCP (6)
Header checksum: 0x0000 [validation disabled]#header checksum; 0x0000 here again points to checksum offload on the sending host
[Header checksum status: Unverified]
Source: 192.168.1.100#source IP
Destination: 202.117.1.13#destination IP, i.e. www.xjtu.edu.cn, the address returned by the DNS lookup above
TCP segment:
Transmission Control Protocol, Src Port: 53430, Dst Port: 80, Seq: 1, Ack: 1, Len: 545
Source Port: 53430
Destination Port: 80
[Stream index: 48]
[TCP Segment Len: 545]
Sequence number: 1 (relative sequence number)
Sequence number (raw): 2476176986#raw sequence number; the relative value 1 that Wireshark shows is this minus the initial sequence number from the handshake
[Next sequence number: 546 (relative sequence number)]
Acknowledgment number: 1 (relative ack number)
Acknowledgment number (raw): 913643810#acknowledgment number: the sequence number of the first byte of data the sender expects to receive next from the peer
0101 .... = Header Length: 20 bytes (5)#20 bytes, so no TCP options; the window-scale option was exchanged in the SYN segments, which is how Wireshark knows the scaling factor reported below
Flags: 0x018 (PSH, ACK)#PSH: hand the data to the application immediately; ACK: the acknowledgment number is valid
000. .... .... = Reserved: Not set
...0 .... .... = Nonce: Not set
.... 0... .... = Congestion Window Reduced (CWR): Not set
.... .0.. .... = ECN-Echo: Not set
.... ..0. .... = Urgent: Not set
.... ...1 .... = Acknowledgment: Set
.... .... 1... = Push: Set
.... .... .0.. = Reset: Not set
.... .... ..0. = Syn: Not set
.... .... ...0 = Fin: Not set
[TCP Flags: ·······AP···]
Window size value: 258#window field as carried in the header
[Calculated window size: 66048]#258 × 256 = 66048 bytes of receive window
[Window size scaling factor: 256]#shift count (2^8) that this side announced in its SYN
Checksum: 0x8fca [unverified]
[Checksum Status: Unverified]
Urgent pointer: 0#urgent pointer, only meaningful when URG is set
[SEQ/ACK analysis]
[Timestamps]
TCP payload (545 bytes)#the HTTP request itself
In the Ethernet II frame the response differs from the request only in that source and destination swap roles;
IP datagram:
Internet Protocol Version 4, Src: 202.117.1.13, Dst: 192.168.1.100
0100 .... = Version: 4
.... 0101 = Header Length: 20 bytes (5)
Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
Total Length: 420
Identification: 0x0b7e (2942)
Flags: 0x4000, Don't fragment
0... .... .... .... = Reserved bit: Not set
.1.. .... .... .... = Don't fragment: Set
..0. .... .... .... = More fragments: Not set
Fragment offset: 0
Time to live: 41#not "shorter than the request": the 128 above is the local host's initial TTL before any hop, whereas 41 is what remains of the server's initial TTL after every router on the return path decremented it once. If the server started at 64 (the usual Linux default) the reply crossed 23 routers; this is the kind of value passive OS fingerprinting relies on
Protocol: TCP (6)
Header checksum: 0xb747 [validation disabled]
[Header checksum status: Unverified]
Source: 202.117.1.13
Destination: 192.168.1.100
TCP segment:
Transmission Control Protocol, Src Port: 80, Dst Port: 53430, Seq: 1, Ack: 546, Len: 380
Source Port: 80
Destination Port: 53430#likewise, the ports swap roles
[Stream index: 48]
[TCP Segment Len: 380]
Sequence number: 1 (relative sequence number)
Sequence number (raw): 913643810#equal to the raw Ack in the request: the server sends exactly the byte the client expected next
[Next sequence number: 381 (relative sequence number)]
Acknowledgment number: 546 (relative ack number)
Acknowledgment number (raw): 2476177531#= 2476176986 + 545, i.e. the server acknowledges the whole 545-byte request
0101 .... = Header Length: 20 bytes (5)
Flags: 0x018 (PSH, ACK)
000. .... .... = Reserved: Not set
...0 .... .... = Nonce: Not set
.... 0... .... = Congestion Window Reduced (CWR): Not set
.... .0.. .... = ECN-Echo: Not set
.... ..0. .... = Urgent: Not set
.... ...1 .... = Acknowledgment: Set
.... .... 1... = Push: Set
.... .... .0.. = Reset: Not set
.... .... ..0. = Syn: Not set
.... .... ...0 = Fin: Not set
[TCP Flags: ·······AP···]
Window size value: 123
[Calculated window size: 15744]
[Window size scaling factor: 128]#each side announces its own shift count in its SYN, so the server's factor (128 = 2^7) differs from the client's (256); 123 × 128 = 15744
Checksum: 0xeb4a [unverified]
[Checksum Status: Unverified]
Urgent pointer: 0
[SEQ/ACK analysis]
[Timestamps]
TCP payload (380 bytes)#the HTTP response
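The following Python script is an added example, not code from the original report. It rebuilds both the HTTP request frame and the response frame from the header values dissected above, parses the Ethernet II, IPv4 and TCP headers the way the Wireshark tree presents them, verifies the IPv4 header checksum that Wireshark left unverified, and derives Wireshark's relative sequence numbers. The initial sequence numbers are inferred from the capture (raw 2476176986 is shown as Seq 1, so the client's ISN is 2476176985; likewise 913643809 for the server), and the 256/128 window-scale factors are the ones Wireshark reported. The 545-byte and 380-byte HTTP payloads are not shown on the page and are replaced by filler, so the TCP checksum, which covers them, is reported but not verified.

```python
import struct

# Header values are copied from the captured HTTP request and response above;
# the payloads are filler (the real HTTP bytes are not on the page).
CLIENT_MAC = bytes.fromhex("d017c29576c9")   # ASUSTekC_95:76:c9
ROUTER_MAC = bytes.fromhex("282cb21647c8")   # Tp-LinkT_16:47:c8
# Wireshark's relative numbers: raw 2476176986 is shown as Seq 1, so the
# client's ISN is one less; raw 913643810 is the server's Seq 1.
ISN = {"192.168.1.100": 2476176986 - 1, "202.117.1.13": 913643810 - 1}
SCALE = {"192.168.1.100": 256, "202.117.1.13": 128}  # window-scale factors Wireshark reported
TCP_FLAG_NAMES = ["FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECE", "CWR"]


def ip_to_bytes(ip):
    return bytes(int(x) for x in ip.split("."))


def ipv4_checksum(header):
    """RFC 791: ones'-complement of the ones'-complement sum of the 16-bit
    header words, with the checksum field (bytes 10-11) counted as zero."""
    total = 0
    for i in range(0, len(header), 2):
        if i != 10:
            total += struct.unpack("!H", header[i:i + 2])[0]
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frame(src_mac, dst_mac, src_ip, dst_ip, ident, ttl, ip_csum,
                sport, dport, seq, ack, window, tcp_csum, payload):
    """Ethernet II (14) + IPv4 with DF and no options (20) + TCP PSH/ACK with
    no options (20) + payload: the layout of both frames dissected above."""
    eth = dst_mac + src_mac + struct.pack("!H", 0x0800)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), ident, 0x4000,
                     ttl, 6, ip_csum, ip_to_bytes(src_ip), ip_to_bytes(dst_ip))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, 0x18,
                      window, tcp_csum, 0)
    return eth + ip + tcp + payload


def parse_frame(frame, isn_by_ip, scale_by_ip):
    """Decode the three headers, verify the IPv4 header checksum and compute
    relative Seq/Ack from the ISNs (Wireshark learns them from the handshake)."""
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0800:
        raise ValueError("not an IPv4 frame")
    ip = frame[14:34]
    (ver_ihl, _dscp, total_len, ident, flags_frag, ttl, proto, csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", ip)
    if ver_ihl != 0x45 or proto != 6:
        raise ValueError("expected IPv4 without options carrying TCP")
    src_ip, dst_ip = ".".join(map(str, src)), ".".join(map(str, dst))
    expected = ipv4_checksum(ip)
    sport, dport, seq, ack, off, flags, window, _tcsum, _urg = struct.unpack(
        "!HHIIBBHHH", frame[34:54])
    payload_len = total_len - 20 - (off >> 4) * 4
    seq_rel = seq - isn_by_ip[src_ip]
    ack_rel = ack - isn_by_ip[dst_ip]
    return {
        "eth": {"src": src_mac.hex(":"), "dst": dst_mac.hex(":")},
        "ip": {"src": src_ip, "dst": dst_ip, "len": total_len, "id": ident,
               "df": bool(flags_frag & 0x4000), "mf": bool(flags_frag & 0x2000),
               "ttl": ttl, "checksum": csum, "checksum_expected": expected,
               # 0x0000 on a packet sent by the capturing host means the NIC
               # fills it in later (checksum offload): nothing to verify yet
               "checksum_ok": None if csum == 0 else csum == expected},
        "tcp": {"sport": sport, "dport": dport, "seq_raw": seq, "ack_raw": ack,
                "seq": seq_rel, "ack": ack_rel, "next_seq": seq_rel + payload_len,
                "flags": [n for i, n in enumerate(TCP_FLAG_NAMES) if flags >> i & 1],
                "window": window * scale_by_ip[src_ip], "len": payload_len},
    }


REQUEST = build_frame(CLIENT_MAC, ROUTER_MAC, "192.168.1.100", "202.117.1.13",
                      0x0fe4, 128, 0x0000, 53430, 80, 2476176986, 913643810,
                      258, 0x8fca, b"G" * 545)      # filler, not the real HTTP request
RESPONSE = build_frame(ROUTER_MAC, CLIENT_MAC, "202.117.1.13", "192.168.1.100",
                       0x0b7e, 41, 0xb747, 80, 53430, 913643810, 2476177531,
                       123, 0xeb4a, b"H" * 380)     # filler, not the real HTTP response


def ack_covers_request(req, resp):
    """The server's Ack must equal the client's Seq plus the bytes it sent."""
    r, s = parse_frame(req, ISN, SCALE), parse_frame(resp, ISN, SCALE)
    return s["tcp"]["ack_raw"] == r["tcp"]["seq_raw"] + r["tcp"]["len"]


if __name__ == "__main__":
    for name, frame in ("request", REQUEST), ("response", RESPONSE):
        print(name, parse_frame(frame, ISN, SCALE))
    print("server acknowledges the whole request:", ack_covers_request(REQUEST, RESPONSE))
```

Running it recomputes the response's header checksum as 0xb747, the value in the capture, which is the check Wireshark skips by default; for the request it reports the checksum the NIC would have filled in. The same parser, given the SYN frames, would let you fill ISN and SCALE from the handshake instead of from the values inferred here.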
To summarise:
This experiment gave me a deeper, clearer and more concrete understanding of how network communication actually proceeds. Monitoring network traffic strengthened my grasp of how Ethernet V2 and TCP/IP are implemented and of the layering of the computer network architecture, and I really felt that "a computer network is fundamentally built on protocols". The experiment also reminded me of the packet options found in some browser-game cheat (helper) tools:
Their basic operation is the same as capturing packets in this experiment. The idea is that the player first sets up the sequence of moves for a battle in demonstration mode; the tool captures the packets, encodes the player's actions and uploads them to the server, effectively replacing the repetitive manual play. For games with a fixed solution this both frees the player's time and is not easily detected as use of third-party software. The figure below is an excerpt of the captured packet txt file.