The first part of the network monitoring: Yiming Gong http://security.zz.ha.cn stated: any form must retain the above excerpt of the http address and network monitoring, network security has always been on a sensitive topic, as a Developing more mature technologies, monitoring has an irreplaceable role in assisting network administrators monitoring network transmission data, excluding network failures, and has been favored by network administrators. However, on the other hand, network monitors also bring great security hazards to Ethernet security. We can see that the usual network invasion will often follow the online monitoring behavior in subsequent Ethernet, causing Ethernet. Password stolen, sensitive data interception, etc. Network monitoring causes people to pay attention to the beginning of 94 years, in 94 years, several major safety incidents have occurred. We can see in a security guide in the Navy: In February 1994, an unknown person installed online monitoring software in many hosts and backbone network equipment, using it to steal more than 100 for the Internet and military network , 000 valid user names and passwords. See: www.chips.navy.mil/archives/94_jul/file14.html The above event may be the earliest number of online listening events on the Internet, which makes early network monitoring from "underground" to open, and gradually The popularity is popular among. About online monitors often have some interesting questions, such as: "I have a computer that is in the online online, I also have the eavesdropped software, then I can hear Microsoft (or the US Department of Defense, Sina.com, etc.) Password? Another example: I am an Ethernet administrator of the company, I know that hub is very unsafe, online structure uses hub to connect the company's calculation gauge, making network monitors very easy, then let's change Hub, use the switch, the switch is working in the second floor, then you can solve this security problem? This is two very interesting questions, before specific statement, we skip two questions first, introduce the network first How does the monitor have happen. Why is there a thing online monitoring that everyone is clear, a computer connected in the Ethernet to communicate with other hosts, on the hardware, the network card is required, and the driver is required on the software and TCP / IP kit. Each network card has a unique hardware address that does not repeat any of the world's NIC repetition, called the MAC address, which identifies the network card itself. At the same time, the network card and the network card TCP / IP communication implementation, you need to bind a unique IP address on each NIC. These believe that it is not too strange to most people, what is the relationship between them? We know, in Ether In the network system, all network devices hung on the network are relying on the physical address to send and receive data frames, the Ethernet network card device driver does not care about the IP address in the IP datagram. This is a very important Concept. Use the package analysis software to observe the IP datagram of the network layer, you can see that its destination address is the IP address of the target system, and the data frame structure of the link layer under the network layer is not difficult to find, it is in IP The layer's datagram adds a link to the head, and the destination address in this header is the hardware address of the 48BITS target system. How is this hardware address? Rely on ARP.
About this, one end in TCP / IP illustrate in Richard Stevens: "The Fundamental Concept Behind ARP IS That The Network Interface Has A Hardware Address (a 48-bit value for an etcher". Frames exchanged at the hardware level must be addressed to the correct interface But TCP / IP works with its own addresses:.. 32-bit IP addresses Knowing a host's IP address does not let the kernel send a frame to that host The kernel. (ie, the Ethernet driver) must know the destination's hardware address to send it data. The function of ARP is to provide a dynamic mapping between 32-bit IP addresses and the hardware addresses used by various network technologies. "this is a good Explanation, in order to avoid the number of repeated ARP packets, the currently a general network device will maintain an ARP cache, which is a known MAC address and the IP address of the corresponding table. If the communication is in its own ARP cache The physical address of the target can be found, and the ARP broadcast request message will be performed, and each device in the Ethernet will receive the ARP packet, but only the IP address is the same as the destination IP address in the ARP packet. The host sends an ARP answer frame and will fill in its own physical address in the answering frame, which is completed in an ARP address resolution and will be added to the ARP cache of the system. To clearly explain this problem, we may wish to take an example to see: We now have two hosts, connected in an Ethernet through hub, now a user on the plane wants to access the B-machine WWW service So when the user on the A machine typed B's IP address, when getting the web service provided by the B-machine, what happened from the perspective of the 7-layer structure? 1: First, when the user is typed in the browser, the user is typed in the browser, after the browsing request, the app is requested, requiring the access to the IP address B, 2: Application layer will send the request to the request The next layer of transport layer in the 7-layer structure is implemented by the transport layer using TCP to establish an IP. 3: The transport layer is reported to the next layer of network layer, from the network layer to line 4: Due to the A and B two machines in a shared network, IP routing is very simple: IP datagram is directly sent by the source host Destination host. 5: Due to the two machines A, B in a shared network, the A machine must convert the 32bit IP address to 48bit Ethernet address, please note that this work is done by ARP. 6: The ARP of the link layer sends a Ethernet data frame containing the IP address of the destination by working on each host of the physical layer to the Ethernet, in which the request message is declared: Who is B-machine IP The owner of the address, please tell me your hardware address.
