I. Introduction
At present, the speed of the network is very fast, more and more people who learn the network, people who have a little more common sense know that the TCP / IP protocol is the foundation of the network, which is the language of the Internet, which can be said that there is no TCP / IP protocol. Internet today. There are a lot of people who have called online, many people are from a clipper pliers, a grease is started to contact the network. If only the network play, you know the commands such as ping, if you want to be in the network There is more development, whether it is a black or red road, you must understand TCP / IP protocol very well.
There is a feeling of learning TCP / IP protocol, this thing is too abstract, there is no data instance, I will forget it for forgetting. This article will introduce an intuitive learning method that uses protocol analysis tools to learn TCP / IP, and can see the specific transmission process of data in the process of learning.
For beginners, it is easier to understand. This article will build a simplest network environment and does not include subnets. For beginners, it is easier to understand. This article will build a simplest network environment and does not include subnets.
Second, the test environment
1, network environment
As shown in Figure 1
figure 1
For the convenience of expression, the address is 192.168.113.208, which is 192.168.113.208 below. The address is 192.168.113.1
Computer.
2, operating system
Both machines are Windows 2000, 1 machine machine as a server, install FTP service
3, protocol analysis tool
Tools commonly used in Windows Environments include: Sniffer Pro, NATXRAY, IRIS, and Windows 2000 combo network monitors, etc.
. This article uses IRIS as a protocol analysis tool.
Install IRIS software on the 208 machine.
Third, the test process
1. Test example: Download a file in the No. 1 computer to the 208 machine.
2, IRIS settings.
Since IRIS has a network listening function, if there are other machines in the network environment, there will be many other packets, which
It's more inconvenient. In order to clearly see the transmission process of the above example, IRIS is set to only the data packets between the 208 machine and No. 1.
. The setting process is as follows:
1) Use the hotkey Ctrl b to pop up the address table shown in the figure, fill in the IP address of the machine in the table, and see more clearly to the captured package.
The name of the host (Name) is set to close this window.
figure 2
2) Use the hotkey Ctrl E to pop up the settings as shown, select the left column "IP address", and the right column will follow the address book in the address book.
The site is 拽 below, set up and then determine, so that this will grab the package between the two computers.
Figure 33, captain
Press the Start button in the IRIS toolbar. Enter: ftp: //192.168.113.1, find the file you want to download, mouse
Right-click this file, select "Copy to Folder" in the pop-up menu to start downloading, then press button in the IRIS toolbar after downloading.
package. Figure 4 shows the entire process of FTP, and we will analyze this process in detail.
Figure 4
Description: In order to catch the package of the ARP protocol, the ARP -D clear ARP cache is run in Windows 2000.
Fourth, process analysis
1, the basic principle of TCP / IP
Although the focus of this article is based on the example to parse TCP / IP, it is necessary to understand the following process must briefly tell the basic principle of TCP / IP.
.
A. The network is hierarchical, each of which is responsible for different communication functions.
TCP / IP is often considered to be a four-layer protocol system, and the TCP / IP protocol is a set of protocols that are combined with different protocols.
Although the protocol is usually called TCP / IP, TCP and IP are only two protocols, as shown in Table 1. Every layer is responsible for different features:
Table 1
The hierarchical concept is very simple, but in practical applications, it is very important in the application and troubleshooting the network level, which will have a great help to work. For example: Setting the route is a network layer IP protocol. To find a MAC address is something that the link layer ARP is, the commonly used ping command is made by the ICMP protocol.
Figure 5 shows the relationship of each layer protocol, understanding the relationship between them is very important to the following protocol analysis.
Figure 5
b. Data transmission is from top to bottom, layer encodes; data reception is from bottom to bottom, layer decoding.
When the application is transmitted with TCP, the data is sent to the protocol stack, then pass each layer by one by one to the bits.
Enter the network. Each layer of each layer adds some of the first information (sometimes adding the tail information), which is shown in Figure 6.
. The data unit transmitted to the IP is referred to as a TCP message segment or is referred to as a TCP segment. The data unit that I P is transmitted to the network interface layer is called an IP datagram.
Bit streams transmitted by Ethernet are called frames.
The data transmission is from top to bottom, layer encoding, and the data reception is from bottom to, and layer decoding is decoded.
Figure 6
c. Logical communication is completed at the same level
The structural hierarchy of the vertical direction is the functional flow of today's universally approved data processing. Each layer has an interface with its adjacent layers. In order to pass
Letter, two systems must pass data, instructions, addresses, etc. between the layers, and the logical flow of communication and the true data stream are different. although
However, the communication process is perpendicular to each level, but each layer is logically communicating directly with the corresponding layer of the remote computer system.
As can be seen from Figure 7, communication is actually performed in a vertical direction, but logically communicating is performed in the same level.
Figure 7
2, process description
In order to better analyze the protocol, let's first describe the transmission steps of the above example data. As shown in Figure 8:
1) The FTP client requests the TCP to establish a connection with the IP address of the server.
2) TCP sends a connection request segment to the remote, that is, send a IP datagram with the above IP address.
3) If the destination host is on the local network, the IP datagram can be sent directly to the destination host. If the destination host is in a remote network
Then, then the next router address located on the local network is determined by the IP routing function and let it forward the IP datagram. In these two
In the case, the IP datagram is sent to a host or router located on the local network.
4) This example is an Ethernet, then the sender host must transform 32-bit IP addresses into 48-bit Ethernet addresses, which is also known as Mac.
Address, it is the world's unique hardware address written to the network card. Translation of the IP address to the corresponding MAC address is done by the ARP protocol
.
5) As shown by the figure, the ARP sends a Ethernet data frame called the ARP request to Ethernet to Ethernet, which is called wide.
broadcast. ARP requests the IP address of the destination host in the data frame, which means "If you are the owner of this IP address, please answer your hard
Part address. "
6) After the ARP layer of the destination host receives this broadcast, you recognize that this is the sender to find its IP address, so send an ARP response. This
A ARP response includes the I P address and the corresponding hardware address.
7) After receiving the ARP response, make the ARP request - the IP packet of the response exchange can now be transmitted.
8) Send IP data to report to the destination host.
Figure 8
3, instance analysis
The following is analyzed by analyzing the package captured by IRIS to analyze the working process of TCP / IP, for clearer interpretation of data
The process of transfer, we grasp four sets of data according to the different phases of transmission, namely the search server, establish a connection, data
Transfer and terminate connections. Each set of data is explained in three steps below.
Display packet
Explain the packet
Analyze the header information of the package by layer to find the first set of servers
1) The following figure shows the data of 1, 2 lines.
2) Explain the packet
These two lines of data are the process of finding the server and server response.
In the first line, the MAC address of the source host is 00: 50: Fc: 22: C7: BE. The MAC address of the destination host is
Ff: ff: ff: ff: ff: ff, this address is a hexadecimal representation, f conversion is the binary is 1111, all 1 address
Is a broadcast address. The so-called broadcast is to send information to each network device on this website, each Ethernet interface on the cable
It is necessary to receive this data frame and process it. This line reflects the content of step 5), and the ARP is called a copy.
ARP request Ethernet data frames give each host on Ethernet. Each network card in the net is received such information "Who is
192.168.113.1 of the owner of the IP address, please tell me your hardware address "."
The second line reflects the content of step 6). Each machine in the same Ethernet will "receive" to this message
However, in normal state, other hosts outside the first machine should ignore this message, and the ARP layer of the No. 1 host receives this
After broadcasting the message, you recognize that this is the IP address of the sender to see its IP, so I send an ARP response. Tell your IP
Address and MAC addresses. Chapter 2 can clearly see the information of the 1 answer __ ourselves 00: 50: FC: 22: C7: BE
.
The two lines reflect the communication process of one question between the data link layer. This process is like I want to be full.
The people 's classroom finds a person called "Zhang San", shouted "Zhang San" at the door, this sound everyone heard, this
Call broadcast. Zhang San he responded to the response, others heard that there was no response so that I got connected with Zhang San.
3) Head information analysis
As shown below, the first packet contains two headers: Ethernet and ARP.
Figure 10
Hereinafter, Table 2 is the header information of the Ethernet. The number of parentheses is the number of bytes of this field, the first two words in the Ethernet header.
The section is the source address and destination address of the Ethernet. The destination address is a special address of all 1 is a broadcast address. All of the cables
The Taiwanese interface should receive the broadcast data frame. Two bytes long Ethernet frame type indicates the type of the back data. for
ARP request or response, the value of this field is 0806.
On the second line, it can be seen that although the ARP request is broadcast, the destination address of the ARP response is No. 1 machine (00
50 FC 22 C7 BE). The ARP response is sent directly to the requesting terminal.
Table 2
The following Table 3 is the header information of the ARP protocol. The hardware type field represents the type of hardware address. Its value is 1 means Ethernet
site. The protocol type field represents the type of protocol address to be mapped. Its value is 0,800 to represent an IP address. Its value and package
The value of the type field in the Ethernet data frame containing the I p datagram is the same. The next two 1 bytes of fields, hardware
The length of the site and the protocol address indicates the length of the hardware address and the protocol address, in bytes. For Ethernet
The ARP request or response to the IP address is 6 and 4, respectively. OP is OPOPERATION, 1 is
ARP request, 2 is the ARP response, 3 is RARP request and 4 for the RARP response, and this field value is 2 reply in the second line. Pick up
The down four fields are the hardware address of the sender, the IP address of the sender, the hardware address of the destination, and the destination IP.
site. Note that there are some duplicate information here: there is a sender in the Ethernet data frame report head and the ARP request data frame.
Hardware address. For an ARP request, all other fields except the end hardware address are filled.
The second behavior of Table 3 responds, when the system receives a destination for this ARP request message, it puts the hardware address
Fill in, then replace two sending end addresses with two destination ends, and set the operation field to 2, and finally send it back.
table 3
The second group establishes a connection
1) The following figure shows the data of 3-5 lines.
2) Explain the packet
This three-line data is the process of establishing a connection in both machines.
The core meaning of this three lines is the three handshakes of the TCP protocol. TCP's packet is transmitted by IP protocol. But IP
The agreement is only sent to the data, but cannot guarantee the IP data report to successfully reach the destination, to ensure the reliability of the data.
Transmission is done by TCP protocol. When the receiving end receives information from the sender, accept a short send a short send
Response information, meaning: "I have received your information." The third group of data will be able to see this process. TCP is a
Connected protocol. No matter which direction sends data to the other party, you must build a connection between both sides.
. The process of establishing a connection is the process of three handshakes.
This process is like I have to find Zhang San to borrow a few books to him. The first step: "Hello, I am a burden",
Step 2: Zhang San said: "Hello, I am Zhang San", the third step: I said, "I am looking for a few books."
The question and answer confirms the other party identity and established contact.
Let's analyze the three handshake processes of this example.
1)) The request terminal 208 sends an initial number (SEQ) 987694419 to the 1st.
2) After receiving this serial number, the server level 1 is added to the 1 value of 987694419 as a response signal (ACK),
Randomly generate an initial number (SEQ) 1773195208, these two signals simultaneously send back to the request end 208 machine, meaning
To: "The news has been received, let our data stream begin with the number of 1773195208."
3)) The requested terminal is set to the initial number (SEQ) 1773195208 plus 1 for the request end 208.
1773195209 As a response signal.
The above three steps have completed three handshakes, and the two sides have established a channel, and then the data can be transmitted.
The following analysis of the TCP header information can be seen that the relevant fields of the TCP header have changed in the handshake.
3) Head information analysis
As shown in Figure 12, the third data package includes three-headed information: Ethernet and IP and TCP.
The header information has less ARP, TCP, the following process does not participate in ARP, which can be understood, in LAN
Inside, ARP is responsible for finding a computer you need to find in many networking computers.
The Ethernet's header information is different from the first, 2 lines. The frame type is 0800, indicating that the frame type is IP.
Figure 12
IP protocol header information
IP is the most core protocol in the TCP / IP protocol. From Figure 5, you can see all TCP, UDP, ICMP and IGMP number
According to IP datagram, there is a metaphor IP protocol is like the truck of the ship, transport the cargo car of a car.
To the destination. The main goods are TCP or UDP assignment to it. It is necessary to point out that IP provides unreliable, no connection
The data report is transmitted, that is, I P only provides the best transfer service but does not guarantee that IP data is successfully reached.
. Seeing this, will you worry about your e_mail will not send a friend, actually don't worry, mentioned above
According to the correct arrival of the TCP, we will explain in detail later.
Table 4 is the header information of the IP protocol.
Table 4 IP datagram format and all fields in the first part
45 00-71 01 is the header information of IP in Figure 12. These numbers are hexadecimal representations. A number of 4 digits, examples
Such as: 4 binary is 0100
4 version: Represents the current protocol version number, value is 4 indicates 4, so IP is sometimes referred to as IPv4; 4-position length: The head is the length, its unit is 32-bit (4 bytes) , The value is 5 indicates that the length of IP head is
20 bytes.
8-bit service type (TOS): 00, this 8-bit field is now ignored, 4 digits are now overlooked.
The TOS subfield and 1 bit unused field (now 0) constitute. 4-bit TOS subfields include: minimum delay, maximum
Throughput, maximum reliability, and minimum cost, these four 1 digits can only have one for 1, this example is 0, table
It is a general service.
16-bit total length (byte): The total length field refers to the length of the entire IP datagram, in bytes. Value
00 30, converted into a TCP header of IP head 28 bytes of decimal 48 bytes, 48 bytes = 20 bytes, this data is just
The transmitted control information has not yet transmitted true data, so the total length of the currently seen is the length of the header.
16-bit Identification: Identifier field uniquely identifies each datastist sent by the host. Usually a message is sent
The value will be added 1, the third behavior is 30 21, and the 5th act 30 22, the 7th act 30 23. Divide the logo field when fragmentation
And the slice offset field, this article does not discuss these two fields.
8-bit Survival Time (TTL): TTL (TIME-to-Live) Survival Field Set the most data report
Multiple router number. It specifies the time of life of the datagram. The initial value of the TTL is set by the source host, once it is handled
Its router, its value minus 1. It can determine the system and the router that the server is system and the router according to the TTL value. This example
For 80, converted into a deciminary 128, Windows operating system TTL initial value is generally 128, UNIX operating system initial value
For 255, this example represents two machines in the same network segment and the operating system is Windows.
8-digit protocol: Represents the protocol type, 6 indicates that the transport layer is a TCP protocol.
16 first inspection and: After receiving an IP datagram, the first 16-bit in the first part
Seeking. Since the recipient contains the inspection and the presence of the sender in the calculation process, if the head is
No errors occur during the transmission, then the result of the recipient calculation should be 1. If the result is not all 1, ie
Inspection and errors, then IP discards the received datagram. But do not generate an error message, and the number of lost numbers is discovered by the upper layer.
It is reported and retransmitted.
32-bit source IP address and 32-bit IP address: actually is part of the core in the IP protocol, but introduces this
There are a lot of chapters, and this paper is also a simplest network structure, not involving routing, this article is only a brief introduction to this
See other articles, please refer to other articles. The 32-bit IP address consists of a network ID and a host ID. This case source IP
The address is c0 a8 71 d0, and the conversion is decimal: 192.168.113.208; Destination IP address is C0 A8 71 01, conversion
For decimalization: 192.168.113.1. The network address is 192.168.113, the host address is 1 and 208, they
The network address is the same, so in a network segment, such data can be directly reached during the transfer.
TCP protocol header information
Table 5 is the header information of the ICP protocol.
The third line of TCP's header information is: 04 28 00 15 3A DF 05 53 00 00 00 70 02 40 00 9A 8D 00
00 02 04 05 B4 01 01 04 02 Port number: often said that FTP accounts for 21 ports, HTTP accounts for 80 ports, Telnet accounts for 23 ports, etc., the port refers to the port is
TCP or UDP ports, ports like both ends of the channel, when the communication time of the two machines must be open. Source
The port and destination ports accounted for 16 bits, 2 of 16 square equal to 65536, which is that each computer is connected to other computers.
"door". Generally, the port number of each service as a service is fixed. This example destination port number is 00 15, converted into
Ten into 21, this is the default port of FTP, it needs to be pointed out that this is the FTP control port, and the data is transmitted
One port, the analysis of the third group can see this. The client is randomly opens a port greater than 1024 when contacting the server.
This example is 04 28, converted into a decimal 1064. The Trojan in your computer will open a service port. Observe the port
It is very important that it can not only see the normal service provided by this unit, but also see an abnormal connection. Windows looks at the port
Netstat when command.
32-bit serial number: also known as sequence number, short-handed SEQ, from above three handshake analysis
It can be seen that when one party is to contact another party, send an initial number to each other, meaning: "Let us build
Contact? ", The service party has received an independent serial number to send the sender, meaning" the message received, the data stream will be
This number starts. "From this, it can be seen that the TCP connection is completely two-way, that is, the data flow of both parties can be transmitted simultaneously.
In the process, the data between the two sides is independent, so each TCP connection must have two sequence numbers corresponding to data streams in different directions.
.
32-bit confirmation serial number: also known as a response number (Acknowledgment Number), is short-written as ACK. In the handshake stage
, Confirm that the serial number plus the sender's serial number plus 1 as an answer, in the data transmission phase, confirm the serial number to add the sequence number of the sender
The amount of data sent is an answer, indicating that it does receive this data. This process will be seen in the analysis of the third group.
4 top length:. This field accounts for 4 digits, and it is 32 digits (4 bytes). This example is 7, the head of TCP
The length is 28 bytes, equal to the normal length 2 0 byte plus the optional 8 bytes. , TCP's head length can be 60 words
The section (binary 1111 is converted to decimal 15, 15 * 4 bytes = 60 bytes).
6 sign bits.
URG emergency pointer, telling the receiving TCP module tight pointer domain pointing at it
ACK sets 1 indicates the confirmation number (for legal, when 0 is 0, the data segment does not include confirmation information, the confirmation number is suddenly
slightly.
The data segment requested when the PSH is set, and the receiver can be sent directly to the application without having to wait until the buffer is full.
Tasting.
RST is set to reconstruct the connection. If you receive an RST bit, some errors have occurred.
SYN is set to initiate a connection.
FIN sets 1 indicates that the origination completes the send task. Used to release the connection, indicating that the sender has not been sent.
Figure 13 of the three diagrams of the 3-5 line TCP protocol, this three lines are the process of shaking hands three times, let's take a look at the handshake
What happened to the process sign?
As shown in Figure 13-1, the request end 208 sends an initial number (SEQ) 987694419 to the No. 1 machine. Sign bit SYN is set
1.
As shown in Figure 13-2 After receiving this serial number, a response signal (ACK) and random generate an initial number
(SEQ) 1773195208 Send it back to the requesting end 208, because there is a response signal and the initial number, so the flag ACK and SYN are set to 1.
As shown in Figure 13-3 Request end 208, after receiving the signal of the No. 1, the information is sent back to the first machine. The flag is set to 1,
It is worth 0. Note that the SYN value is 0, SYN is launched, and the upper two connections have been completed.
16-bit window size: TCP traffic control is provided by the declared window size by each end of the connection. The window size is byte, starting the value indicated by the confirmation serial number field, this value is byte that the receiving is expected to receive. Window size is a 16-byte field, so the window size is up to 65535 bytes.
16-bit inspection and: Test and cover the entire TCP report segment: TCP header and TCP data. This is a mandatory field that must be calculated and stored, and verified by the closure.
16 emergency pointers: only the emergency pointer is valid only when the U R G flag is set. The emergency pointer is a positive offset, and the value in the serial number field adds the serial number of the last byte of the emergency data.
Options: Figure 13-1 and Figure 13-2 have 8 bytes options, Figure 13-3 No option. The most common optional field is the maximum message size, also known as MSS (Maximum Segment Size). Each connection is usually indicated in the first step of the handshake. It indicates a report segment of the maximum length that can be received at this end. Figure 13-1 It can be seen that the maximum number of bytes that the 208 can accept is 1460 bytes, and 1460 is also the default size of the Ethernet, and the data transfer can be seen in the data analysis of the third group. of.
Handshake
Above we led three handshakes, looking at a bit of scattered, now in a summary.
The fourth group termination connection 1) The following figure shows the data of 93-96 lines.
Figure 14
2) Explain the packet
These four lines of data are a process of sending a reception during the data transfer process.
The foregoing said that TCP provides a connection-oriented, reliable byte stream service. When the receiving end receives from the sender
When the information, the receiving end should send a response message, indicating that this information is received. Data transfer is divided by TCP to think that the most appropriate
The transmitted data block. General Ethernet is divided into 1460 bytes when the Ethernet is transmitted. In other words, the data is in the sender
It is divided into a piece of transmission, and the receiving end is partially combined.
57 lines show data for the No. 208 to send a size of 1514 bytes, pay attention to the data in the previous article
When sending, the layer plus protocol head, 1514 bytes = 14 bytes Ethernet head 20 bytes IP head 20 bytes TCP head
1460 byte data
58 rows of response signals ACK is: 1781514222, this number is 57 line SEQ serial number 1781512762 plus
The data sent by the data 1460, 208 will send this response signal to the first machine to explain the received data.
59, 60 lines show the process of continuing data.
This process is like I borrowed book to Zhang San, lending me a few, I have to say: "I have borrowed you a few." He said:
"understood".
3) Head information
Figure 15-1 and Figure 15-2 are header information of 57 rows and 58 rows, respectively, and explain the reference second group.
Figure 15
The fourth group termination connection 1) The following figure shows the data of 93-96 lines.
Figure 16
2) Interpretation The data packets 93-96 are the process of closing the two machines.
Establishing a connection requires three handshakes, and termination of a connection to have a handshake. This is because a TCP connection
It is a full-duplex (ie, data can be passed in both directions), each direction must be closed separately. 4 times handshake
Alternatively the process of separating the two sides alone.
After the file is downloaded, close the browser to terminate the 93-96 line of the server's connection diagram 16 is the termination.
The connection has four handshake processes.
93 lines of data show that after closing the browser, as shown in Figure 17-1, set the FIN to 1 along with the serial number (SEQ)
987695574 Sending the No. 1 machine to terminate the connection.
94 lines of data and Figure 17-2 Displaying a confirmation after receiving the FIN close request, and set the response signal settings
To receive the serial number 1, this is terminated the transmission of this direction.
95 lines of data and Figure 17-3 Display the No. 1 machine 1 Contains 1 along with the serial number (SEQ) 1773196056 to the 208 machine request termination
connection.
96 lines of data and Figure 17-4 Displaying the 208 machine after receiving the FIN close request, send a confirmation and set the answer signal
It is set to receive the serial number 1, and the TCP connection is completely closed.
3) Head information
Figure 17
6. Scan instance
Below we will give a ping instance, test whether a computer is passing, the most common command is the ping command. Ping a computer, the interface shown in Figure 18 is that the interface as shown in Figure 19 is not passing, there is no two cases, one is that the computer does not exist or does not connect the network cable, and the other is that the computer is installed and the firewall is installed. Set to not allow PING. How to distinguish these two cases? Below or use IRIs to track the above situation.
Figure 18
Figure 19
As is the case of PING communication as shown in Fig. 20.
As shown in Figure 21, ping is not present in the computer. It can be seen from the figure that the ARP request has not responded.
As shown in Figure 22, the case where the computer is present but the firewall is installed. As can be seen from the figure, the ARP request has a return
should. But ICMP requests have not responded.
From the analysis, it can be seen that although the surface phenomenon of the latter case is the same, it is essentially trivial. by
The header information can be clearly seen that ping is
If the ICMP protocol is completed, the communication process is completed in the third layer, and does not use the fourth layer.
Figure 20
Figure 21
Figure 22
Seven, the following article is not a tutorial, many problems have not been involved, such as TCP reissue, IP decomposition, route, etc., just propose a learning idea, hoping to play the role of tiles. The TCP / IP protocol is very complicated, but it is not difficult to learn. Finally, I will have a problem with my friends who are interested: three machines, one normal 23, open, one network is passing but the 23-port is not open, and the other is not existed. Track it with the methods we have learned, compare three different. In fact, this is a method of judging whether the other machine is online with TCP.
