Learn TCP/IP with Sniffer Pro (2)

xiaoxiao, 2021-03-06

Now we move on to the structure of the packet:

Select No.12 and you can see the details of the SYN segment. The middle pane (heh, I don't know what that pane is actually called) is the protocol decode, from TCP down to the data link layer, shown as a tree with three items:

(1) DLC: ethertype = 0800, size = 62 bytes

(2) IP: D = [192.168.1.81] s = [192.168.1.36] len = 28 id = 26052

(3) TCP: D = 6666 s = 2970 SYN SEQ = 3614407631 LEN = 0 WIN = 64240.

These three items correspond to the link layer, the network layer and the transport layer respectively; this is the summary information Sniffer's decode shows for each layer. Outgoing data passes from the transport layer -> network layer -> link layer, so we start with the transport layer.

From << Detailed >> we know that a TCP segment consists of a 20-byte header, followed by options (optional) and data (optional); for a SYN request there is no data. Compare this with what Sniffer shows (expand the TCP item in Sniffer).

Note: clicking each field under TCP highlights the corresponding Hex and ASCII bytes in the detail pane below.

As shown in the figure above, the 16-bit source port is 2970 and the 16-bit destination port is 6666. Open the header diagram in << Detailed >> (or turn to P171) and compare field by field; the meaning of each value is easy to work out. Note the 6 reserved bits, followed by the six flag bits URG, ACK, PSH, RST, SYN and FIN; the kind of segment is determined by these flags. As shown above, only SYN is 1, indicating that this is a SYN request. In the SYN reply, both SYN and ACK are set to 1. Look at the options: Maximum Segment Size is 1460, the largest segment this end will accept, and each side usually announces this option in its SYN (P173). That is why the 2000 bytes I send in my program get split into several segments.

Next, the network layer.

Compare the IP header in the figure above with << Detailed >>. The version number is 4, so this is IPv4 (heh, not the newer IPv6). The header length is 20, meaning there are no option fields. The total length is 48 bytes, i.e. the 20-byte IP header plus the 28-byte TCP segment: by the time the data reaches the IP layer, the TCP segment has already been encapsulated inside it. The 8-bit protocol field is 06, meaning the datagram carries TCP (from << Detailed >> P7 we know 1 means ICMP, 2 means IGMP, 6 means TCP and 17 means UDP). For a detailed analysis see << Detailed >> P25. (My purpose is not to analyse the data in depth, which several books couldn't finish; I just want to show you how to use Sniffer to learn TCP/IP.)

Now look at the data link layer.

Compare with << Detailed >> P16. This is an Ethernet frame, not the frame format defined by the IEEE 802 standard, so it corresponds to the Ethernet encapsulation on P16. An Ethernet frame consists of a destination address, a source address, a type and the data. The addresses here are already MAC addresses; the NIC recognises only MACs. (If the sender does not know the other side's MAC, it sends an ARP request to get it; on the same network segment the result is kept in the ARP cache, and if a host on the segment changes its IP it broadcasts this so the caches are updated. Heh, that brings ARP into it too; if you want to dig in, you can use Sniffer to capture the related packets, so Sniffer is a very good tool for learning TCP/IP. But I digress.) Next come two bytes of type, here 0800, meaning the payload is an IP datagram (0806 is ARP, 8035 is RARP). From << Detailed >> P16 we know the Ethernet data part must be at least 46 bytes, and if it is shorter it is padded with pad bytes. (Heh, P21 also covers the maximum transmission unit, MTU; read it yourself.) Remember that the total length was 48 bytes? That is the Ethernet data (excluding the Ethernet header), and it exceeds 46, so no padding is needed. Now look at the last ACK segment of the three-way handshake, No.14: it is only 40 bytes here, so the pad at the end is 6 bytes.
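To tie the three layers together, here is an added example (not from the original post, and not Sniffer Pro code) that builds the No.12 SYN frame from the values above and decodes it layer by layer the way the Sniffer summary lines do; it also builds the 40-byte No.14 ACK to show the 6-byte pad. The MAC addresses, TTL, the second TCP option and the ACK's sequence numbers are assumptions, and checksums are left as zero.

```python
import struct
import ipaddress

TCP_FLAGS = ("FIN", "SYN", "RST", "PSH", "ACK", "URG")   # bit 0 .. bit 5 of the flags byte

def build_frame(flags, seq, ack, tcp_opts=b""):
    """Constructed Ethernet/IPv4/TCP frame using the addresses, ports and IP id from the text.
    MAC addresses, TTL and the ACK-side numbers are assumptions; no checksums are computed."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    data_off = (5 + len(tcp_opts) // 4) << 4              # TCP header length in 32-bit words
    tcp = struct.pack("!HHIIBBHHH", 2970, 6666, seq, ack, data_off, flags, 64240, 0, 0) + tcp_opts
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 26052, 0, 128, 6, 0,
                     ipaddress.IPv4Address("192.168.1.36").packed,
                     ipaddress.IPv4Address("192.168.1.81").packed)
    frame = eth + ip + tcp
    return frame.ljust(60, b"\x00")                       # NIC pads the data part up to 46 bytes

def syn_frame():      # No.12 in the text: SYN, MSS=1460 plus NOP,NOP,SACK-permitted (assumed)
    return build_frame(0x02, 3614407631, 0, b"\x02\x04\x05\xb4\x01\x01\x04\x02")

def ack_frame():      # No.14 in the text: bare ACK, 40-byte IP datagram (sequence numbers assumed)
    return build_frame(0x10, 3614407632, 1)

def parse_frame(frame):
    """Walk DLC -> IP -> TCP as the Sniffer summary lines do, returning the key fields."""
    _dst_mac, _src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0800:
        raise ValueError("ethertype 0x%04x is not IP (0806 would be ARP, 8035 RARP)" % ethertype)
    ver_ihl, _tos, total_len, ip_id, _frag, _ttl, proto, _sum, src, dst = struct.unpack("!BBHHHBBH4s4s", frame[14:34])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or proto != 6:
        raise ValueError("expected IPv4 (version 4) carrying TCP (protocol 6)")
    t = 14 + ihl
    sport, dport, seq, _ack, doff, flags, win = struct.unpack("!HHIIBBH", frame[t:t + 16])
    tcp_len = (doff >> 4) * 4
    opts, mss, i = frame[t + 20:t + tcp_len], None, 0
    while i < len(opts) and opts[i] != 0:                 # kind 0 = end of option list
        if opts[i] == 1:                                  # kind 1 = NOP, has no length byte
            i += 1
            continue
        if opts[i] == 2:                                  # kind 2 = maximum segment size
            mss = struct.unpack("!H", opts[i + 2:i + 4])[0]
        i += opts[i + 1]
    return {"size": len(frame), "src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
            "ip_len": total_len - ihl, "ip_id": ip_id, "sport": sport, "dport": dport, "seq": seq,
            "flags": [n for b, n in enumerate(TCP_FLAGS) if flags & (1 << b)], "win": win,
            "tcp_data_len": total_len - ihl - tcp_len, "mss": mss,
            "pad": len(frame) - 14 - total_len}           # Ethernet padding up to the 46-byte minimum
```

`parse_frame(syn_frame())` reproduces the three summary lines (size 62, IP len 28, id 26052, SYN with WIN 64240 and MSS 1460), while `parse_frame(ack_frame())` reports a 60-byte frame with 6 bytes of pad.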

With this, we have understood the packet encapsulation process. (In fact, while analysing the data I ran into a lot of problems; I kept flipping through << Detailed >> and kept trying different data in Sniffer to analyse.)

To be continued!

Please credit the original source when reposting: https://www.9cbs.com/read-127179.html
