The first group: looking up the server

In line 1 the destination MAC address is ff:ff:ff:ff:ff:ff. The address is written in hexadecimal; each f is 1111 in binary, so the address is all ones, which is the broadcast address. Broadcasting means sending the frame to every device on this network: every Ethernet interface on the cable receives the frame and has to process it. ARP sends an Ethernet frame called an ARP request to every host on the segment, so every network card on the network receives it. The request says: "Who owns the IP address 192.168.1.98? Please tell me your hardware address."

Every machine on the same Ethernet segment receives this message, but under normal conditions all hosts other than the one being asked about ignore it. When host .98 receives the broadcast, it recognizes that the sender is looking for its own IP address and sends an ARP reply announcing its IP address and MAC address. Line 2 shows that reply from host .98 clearly, carrying its own MAC address 00:03:FF:73:20:91. Line 2 is the reply: when a system receives an ARP request whose target is itself, it fills in its hardware address, swaps the two pairs of sender and target addresses, sets the operation field to 2 (reply), and sends the frame back.

The second group: establishing a connection
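Before moving on to the connection, here is the ARP exchange of the first group as a worked example. This is an added example written for this page, not code from the original article: it builds the broadcast request, has the host that owns the address answer it exactly as described (fill in the hardware address, swap sender and target, set the operation field to 2), and shows another host ignoring it. The target MAC and IP are the ones from the capture; the requester's MAC and IP are assumed, as are the option of decoding only Ethernet/IPv4 ARP.

```python
import struct

ETH_P_ARP = 0x0806
BROADCAST_MAC = b"\xff" * 6          # ff:ff:ff:ff:ff:ff, all ones
ARP_REQUEST, ARP_REPLY = 1, 2        # values of the ARP operation field

def mac_bytes(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))

def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)

def ip_bytes(text: str) -> bytes:
    return bytes(int(o) for o in text.split("."))

def ip_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)

def build_arp_frame(dst_mac, src_mac, opcode, sha, spa, tha, tpa) -> bytes:
    """14-byte Ethernet II header followed by the 28-byte ARP body for IPv4 over Ethernet."""
    eth = dst_mac + src_mac + struct.pack("!H", ETH_P_ARP)
    # hardware type 1 (Ethernet), protocol type 0x0800 (IPv4), address lengths 6 and 4
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, opcode, sha, spa, tha, tpa)
    return eth + arp

def build_arp_request(sender_mac: str, sender_ip: str, target_ip: str) -> bytes:
    """Line 1 of the capture: broadcast 'who has target_ip? tell sender_ip'.
    The target hardware address is unknown, so it is sent as zeros."""
    return build_arp_frame(BROADCAST_MAC, mac_bytes(sender_mac), ARP_REQUEST,
                           mac_bytes(sender_mac), ip_bytes(sender_ip),
                           b"\x00" * 6, ip_bytes(target_ip))

def parse_arp_frame(frame: bytes) -> dict:
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETH_P_ARP:
        raise ValueError(f"not an ARP frame: ethertype {ethertype:#06x}")
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack("!HHBBH6s4s6s4s", frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("only Ethernet/IPv4 ARP is decoded here")
    return {"dst_mac": mac_str(dst), "src_mac": mac_str(src), "opcode": op,
            "sender_mac": mac_str(sha), "sender_ip": ip_str(spa),
            "target_mac": mac_str(tha), "target_ip": ip_str(tpa),
            "is_broadcast": dst == BROADCAST_MAC}

def answer_arp_request(frame: bytes, my_mac: str, my_ip: str):
    """What host .98 does in line 2. Requests for any other address are ignored (None);
    otherwise fill in our MAC, swap sender/target, set opcode 2 and reply unicast."""
    req = parse_arp_frame(frame)
    if req["opcode"] != ARP_REQUEST or req["target_ip"] != my_ip:
        return None
    return build_arp_frame(mac_bytes(req["sender_mac"]), mac_bytes(my_mac), ARP_REPLY,
                           mac_bytes(my_mac), ip_bytes(my_ip),
                           mac_bytes(req["sender_mac"]), ip_bytes(req["sender_ip"]))

# Constructed sample exchange. Target MAC and IP are the values from the capture;
# the requester's MAC and IP are assumed for illustration.
REQUESTER_MAC = "00:0c:29:aa:bb:cc"   # assumed
REQUESTER_IP = "192.168.1.1"          # assumed
TARGET_MAC = "00:03:ff:73:20:91"      # from the capture
TARGET_IP = "192.168.1.98"            # from the capture

def demo():
    request = build_arp_request(REQUESTER_MAC, REQUESTER_IP, TARGET_IP)
    reply = answer_arp_request(request, TARGET_MAC, TARGET_IP)
    # a third host on the segment sees the same broadcast and stays silent
    ignored = answer_arp_request(request, "00:03:ff:00:00:01", "192.168.1.77")
    return parse_arp_frame(request), parse_arp_frame(reply), ignored

if __name__ == "__main__":
    req, rep, ignored = demo()
    print("request:", req)
    print("reply:  ", rep)
    print("other host answered:", ignored is not None)
```

Nothing in the reply authenticates it: any station on the segment could answer for 192.168.1.98, and a receiving stack (like the parser above) takes the frame at face value. That is why watching for unexpected MAC/IP pairings in ARP traffic is worthwhile even on a small LAN.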
The core of these three lines is the TCP three-way handshake. TCP segments are carried inside IP datagrams. IP, however, only delivers the data; it cannot guarantee that a datagram actually reaches its destination. Reliable delivery is the job of TCP: when the receiver gets data from the sender, it returns an acknowledgement that means "I have received your data". This process can be seen in the third group. TCP is a connection-oriented protocol: before either side can send data to the other, a connection must be established between them, and the procedure for establishing it is the three-way handshake.

1) The requesting end, the WinXP machine, sends an initial sequence number (SEQ) of 1865132352 to the Win98 machine.
2) After the Win98 machine receives this sequence number, it adds 1 to it, giving 1865132353, and returns that as the acknowledgement number (ACK); at the same time it generates its own random initial sequence number (SEQ), 915071. Both numbers go back to the requesting WinXP machine in the same segment, meaning: "Message received; let my data stream start at 915071."
3) The requesting WinXP machine sets its acknowledgement number to the Win98 initial sequence number 915071 plus 1, that is 915072, and returns it as the acknowledgement.

The header information now includes TCP in addition to ARP; ARP takes no further part in the rest of the exchange. On a LAN, ARP's job is to find the one computer you want among the many networked computers, and once it has been found, its work is done.
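The sequence-number bookkeeping behind those three steps, as an added example written for this page (not code from the original article). It models each end of the connection, derives the SEQ and ACK of every segment from the two initial sequence numbers quoted above, rejects a segment whose acknowledgement does not match, and then continues into the data phase to show that the acknowledgement advances by the payload length rather than by 1. The endpoint names, the 13-byte sample payload and the wrap-around case are assumptions for illustration.

```python
import secrets
from dataclasses import dataclass, field
from typing import Optional, Tuple

MOD = 1 << 32  # sequence numbers are 32-bit and wrap around

def fresh_isn() -> int:
    """Unpredictable initial sequence number. Real stacks derive it from a clock plus a keyed
    hash (RFC 6528); a guessable ISN lets an off-path attacker forge the third segment."""
    return secrets.randbits(32)

@dataclass
class Segment:
    src: str
    dst: str
    flags: Tuple[str, ...]
    seq: int
    ack: Optional[int] = None     # None when the ACK flag is not set
    payload_len: int = 0

    def consumes(self) -> int:
        """How far this segment advances the sender's sequence space:
        SYN and FIN each occupy one sequence number even though they carry no data."""
        return self.payload_len + ("SYN" in self.flags) + ("FIN" in self.flags)

@dataclass
class Endpoint:
    name: str
    isn: int
    snd_nxt: int = field(init=False)      # next sequence number we will send
    state: str = "CLOSED"
    rcv_nxt: Optional[int] = None         # next sequence number we expect from the peer

    def __post_init__(self):
        self.snd_nxt = self.isn % MOD

    def send(self, peer: str, flags: Tuple[str, ...], payload_len: int = 0) -> Segment:
        seg = Segment(self.name, peer, flags, self.snd_nxt,
                      self.rcv_nxt if "ACK" in flags else None, payload_len)
        self.snd_nxt = (self.snd_nxt + seg.consumes()) % MOD
        return seg

    def receive(self, seg: Segment) -> None:
        # This model keeps no unacknowledged backlog, so the peer must acknowledge exactly
        # everything sent so far; a real stack accepts any ack in (SND.UNA, SND.NXT].
        if "ACK" in seg.flags and seg.ack != self.snd_nxt:
            raise ValueError(f"{self.name}: bad ACK {seg.ack}, expected {self.snd_nxt}")
        if "SYN" in seg.flags:
            self.rcv_nxt = (seg.seq + seg.consumes()) % MOD   # peer's ISN + 1
        elif seg.seq != self.rcv_nxt:
            raise ValueError(f"{self.name}: seq {seg.seq} out of order, expected {self.rcv_nxt}")
        else:
            self.rcv_nxt = (self.rcv_nxt + seg.consumes()) % MOD

def accepts(endpoint: Endpoint, seg: Segment) -> bool:
    """True if the endpoint would accept the segment, False if it is rejected."""
    try:
        endpoint.receive(seg)
        return True
    except ValueError:
        return False

def three_way_handshake(client_isn: int, server_isn: int):
    """The three segments of the second group, with SEQ/ACK derived and checked at each step."""
    xp, w98 = Endpoint("WinXP", client_isn), Endpoint("Win98", server_isn)
    syn = xp.send("Win98", ("SYN",)); xp.state = "SYN_SENT"
    w98.receive(syn); w98.state = "SYN_RCVD"
    synack = w98.send("WinXP", ("SYN", "ACK"))
    xp.receive(synack); xp.state = "ESTABLISHED"
    ack = xp.send("Win98", ("ACK",))
    w98.receive(ack); w98.state = "ESTABLISHED"
    return xp, w98, [syn, synack, ack]

def first_data_exchange(xp: Endpoint, w98: Endpoint, nbytes: int):
    """Data phase: the acknowledgement advances by the payload length, not by 1."""
    data = xp.send("Win98", ("PSH", "ACK"), nbytes)
    w98.receive(data)
    ack = w98.send("WinXP", ("ACK",))
    xp.receive(ack)
    return data, ack

if __name__ == "__main__":
    xp, w98, segs = three_way_handshake(1865132352, 915071)   # ISNs from the capture
    for s in segs:
        print(f"{s.src:>5} -> {s.dst:<5} {'+'.join(s.flags):<7} SEQ={s.seq} ACK={s.ack}")
    data, ack = first_data_exchange(xp, w98, 13)               # 13 bytes is an assumed payload
    print(f"13 data bytes at SEQ={data.seq} acknowledged with ACK={ack.ack}")
```

Feeding the model a SYN-ACK that acknowledges 905071 instead of 915071 (or anything other than the client's ISN + 1) makes the client reject it, which is exactly why the numbers in step 2 and step 3 have to line up.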
4-bit version: the protocol version number. The value 4 means version 4, which is why IP is often called IPv4.

4-bit header length: the length of the header, in units of 32-bit words (4 bytes). The value 5 means the IP header is 20 bytes long.

8-bit type of service (TOS): 00. This field consists of a 3-bit precedence field, which is now ignored, a 4-bit TOS subfield and 1 unused bit (now 0). The four TOS bits stand for minimize delay, maximize throughput, maximize reliability and minimize cost; at most one of them may be set to 1. Here all of them are 0, meaning normal service.

16-bit total length (bytes): the length of the entire IP datagram, in bytes. The value is 00 30, which is 48 in decimal: 48 bytes = 20 bytes of IP header plus 28 bytes of TCP header. This datagram carries only control information and no real data, so the total length seen here is simply the combined length of the two headers.

16-bit identification: uniquely identifies each datagram sent by the host; normally its value is incremented by 1 for every datagram sent. In line 3 it is 30 21, in line 5 it is 30 22, and in line 7 it is 30 23. The flags field and the fragment offset field are used when a datagram is fragmented; this article does not discuss those two fields.

8-bit time to live (TTL): sets the maximum number of routers the datagram may pass through, which bounds its lifetime. The initial TTL is set by the source host, and every router that handles the datagram decrements it by 1. From the TTL value one can often infer the operating system of the sending host and how many routers the datagram has crossed.
Here the value is 80, which is 128 in decimal. The default initial TTL on Windows is 128, while Unix-like systems use 64 (Linux, BSD, macOS) or 255 (for example Solaris) depending on the variant. Since the observed value still equals the Windows default, the datagram has not crossed a router: the two machines are on the same network segment and the sender is running Windows.

8-bit protocol: the type of the protocol carried in the datagram; 6 means the transport layer is TCP.

16-bit header checksum: after an IP datagram is received, the receiver adds up every 16-bit word of the header using one's-complement arithmetic. Because the sender's calculation included the header checksum itself, if the header suffered no error in transit the receiver's sum comes out as all ones. If the result is not all ones, the checksum has failed and IP discards the datagram. It does not generate an error message; the loss is discovered, and retransmission arranged, by the higher layer (here TCP).

32-bit source IP address and 32-bit destination IP address: this is actually a core part of the IP protocol, but many articles already cover it, and this article uses the simplest possible network structure with no routing, so only a brief introduction is given; refer to other articles for the rest. A 32-bit IP address consists of a network ID and a host ID. The source address here is C0 A8 71 D0, which is 192.168.113.208 in decimal; the destination address is C0 A8 71 01, which is 192.168.113.1. The network address is 192.168.113 and the host addresses are 208 and 1 respectively. Their network addresses are the same, so the data can reach the other host directly.
Port number: one often hears that FTP uses port 21, HTTP port 80 and Telnet port 23. These are TCP or UDP ports; like doors at the two ends of a channel, they must be open on both machines when they communicate. The source port and destination port each occupy 16 bits, 2^16 = 65536 values; these are the "doors" through which each computer connects to others. The port number of a given service is generally fixed. The destination port here is 00 15, which is 21 in decimal, the default FTP port. Note that this is the FTP control port; data transfer uses a different port, which can be seen in the analysis of the third group. When a client contacts a server it opens a random port greater than 1024; here it is 04 28, which is 1064. A Trojan on your computer will likewise open a service port, so observing ports is very important: it shows not only the normal services a machine provides but also abnormal connections. On Windows the command for looking at ports is netstat.

32-bit sequence number (Sequence Number, SEQ): from the handshake analysis above, when one side wants to contact the other it sends an initial sequence number, meaning: "Shall we establish a connection?" After receiving it, the other side sends back its own sequence number, meaning: "Message received; my data stream will begin at this number." A TCP connection is therefore fully two-way: both sides can transmit data at the same time, and during transmission the two directions are independent, so each TCP connection has two sequence numbers, one for the data stream in each direction.

32-bit acknowledgement number (Acknowledgment Number, ACK):
During the handshake it is the sender's sequence number plus 1; during data transfer it acknowledges the amount of data the sender has transmitted (the sender's sequence number plus the number of bytes received), indicating that the data was indeed received. This process will be seen in the analysis of the third group.

4-bit header length: this field is 4 bits wide and its unit is 32 bits (4 bytes). Here it is 7, so the TCP header is 28 bytes: the normal 20 bytes plus 8 bytes of options. The TCP header can be at most 60 bytes (binary 1111 is 15, and 15 * 4 bytes = 60 bytes).

6 flag bits. URG: the urgent pointer field is valid. ACK: the acknowledgement number is valid (when 0, the acknowledgement number is ignored). PSH: the receiver should hand this segment's data to the application as soon as it arrives, rather than waiting for its buffer to fill. RST: reset the connection; receiving an RST usually means some error has occurred. SYN: set to 1 to initiate a connection. FIN: set to 1 to indicate that the sender has finished sending; it is used to release the connection and means the sender has no more data to transmit.

16-bit window size: TCP flow control is provided by the window size each side advertises. The window size is a number of bytes, counted from the value in the acknowledgement number field, which is the next byte the receiver expects. Since the window size is a 16-bit field, the maximum window is 65535 bytes.

16-bit checksum: covers the entire TCP segment, both the TCP header and the TCP data. This is a mandatory field that must be computed and stored by the sender and verified by the receiver.

16-bit urgent pointer: valid only when the URG flag is set.
The urgent pointer is a positive offset: added to the value in the sequence number field, it gives the sequence number of the last byte of urgent data.
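To tie the IP and TCP header walk-through together, here is an added example written for this page, not code from the original article. It builds a 48-byte SYN datagram whose fields match the values quoted above (ID 30 21, TTL 80, protocol 6, addresses C0 A8 71 D0 and C0 A8 71 01, ports 04 28 and 00 15, SEQ 1865132352, a 28-byte TCP header), then decodes it field by field and verifies both checksums. One caveat the text glosses over: the TCP checksum is computed over a pseudo-header (source and destination addresses, protocol, TCP length) in addition to the header and data, so a verifier that sums only the segment will fail on every real capture. The 8 option bytes, the window size and the DF flag are assumptions, and the TTL heuristic at the end is exactly that, a heuristic.

```python
import struct
from typing import Any, Dict, Tuple

SRC, DST = "192.168.113.208", "192.168.113.1"           # C0 A8 71 D0 -> C0 A8 71 01, from the capture
FLAG_NAMES = ("FIN", "SYN", "RST", "PSH", "ACK", "URG")  # bit 0 .. bit 5 of the TCP flags byte

def ones_complement_sum(data: bytes) -> int:
    """RFC 1071: add the 16-bit big-endian words, folding every carry back in.
    A header that carries its own correct checksum sums to 0xFFFF (all ones)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(w for (w,) in struct.iter_unpack("!H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def checksum(data: bytes) -> int:
    return (~ones_complement_sum(data)) & 0xFFFF

def ip_bytes(text: str) -> bytes:
    return bytes(int(o) for o in text.split("."))

def ip_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)

def tcp_pseudo_header(src: str, dst: str, tcp_len: int) -> bytes:
    """Pseudo-header that the TCP checksum covers in addition to the segment itself."""
    return ip_bytes(src) + ip_bytes(dst) + struct.pack("!BBH", 0, 6, tcp_len)

def build_ipv4_header(src: str, dst: str, payload_len: int, ident: int, ttl: int = 128) -> bytes:
    # version 4 / IHL 5 (0x45), TOS 0, flags DF (0x4000, assumed), protocol 6, checksum filled last
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident, 0x4000, ttl, 6, 0,
                      ip_bytes(src), ip_bytes(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]

def build_tcp_syn(sport: int, dport: int, seq: int, window: int, options: bytes, src: str, dst: str) -> bytes:
    if len(options) % 4:
        raise ValueError("TCP options must be padded to a multiple of 4 bytes")
    data_offset = (20 + len(options)) // 4            # header length in 32-bit words
    hdr = struct.pack("!HHIIHHHH", sport, dport, seq, 0, (data_offset << 12) | 0x02,  # 0x02 = SYN
                      window, 0, 0) + options
    return hdr[:16] + struct.pack("!H", checksum(tcp_pseudo_header(src, dst, len(hdr)) + hdr)) + hdr[18:]

def parse_ipv4(raw: bytes) -> Dict[str, Any]:
    ver_ihl, tos, total_len, ident, flags_frag, ttl, proto, csum, src, dst = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {"version": ver_ihl >> 4, "header_len": ihl, "tos": tos, "total_length": total_len,
            "identification": ident, "flags": flags_frag >> 13, "fragment_offset": flags_frag & 0x1FFF,
            "ttl": ttl, "protocol": proto, "checksum": csum,
            "checksum_ok": ones_complement_sum(raw[:ihl]) == 0xFFFF,
            "src": ip_str(src), "dst": ip_str(dst)}

def parse_tcp(raw: bytes, src: str, dst: str) -> Dict[str, Any]:
    sport, dport, seq, ack, off_flags, window, csum, urg = struct.unpack("!HHIIHHHH", raw[:20])
    hlen = (off_flags >> 12) * 4
    flags = [n for i, n in enumerate(FLAG_NAMES) if off_flags & (1 << i)]
    return {"src_port": sport, "dst_port": dport, "seq": seq, "ack": ack if "ACK" in flags else None,
            "header_len": hlen, "flags": flags, "window": window, "checksum": csum,
            "checksum_ok": ones_complement_sum(tcp_pseudo_header(src, dst, len(raw)) + raw) == 0xFFFF,
            "urgent_pointer": urg,
            # sequence number of the last urgent byte, the reading used in this article
            "last_urgent_seq": (seq + urg) % (1 << 32) if "URG" in flags else None,
            "options": raw[20:hlen].hex()}

def decode_datagram(raw: bytes) -> Tuple[Dict[str, Any], Dict[str, Any]]:
    ip = parse_ipv4(raw)
    if ip["version"] != 4 or ip["protocol"] != 6:
        raise ValueError("expected an IPv4 datagram carrying TCP")
    return ip, parse_tcp(raw[ip["header_len"]:ip["total_length"]], ip["src"], ip["dst"])

def ttl_origin(ttl: int) -> Tuple[int, int]:
    """Heuristic behind the TTL discussion: assume the nearest common default (64, 128, 255)
    at or above the observed value and count the decrements. A hint, not proof."""
    for default in (64, 128, 255):
        if ttl <= default:
            return default, default - ttl
    raise ValueError("TTL above 255")

def sample_syn() -> bytes:
    """Constructed 48-byte datagram matching the field values quoted in the article.
    The 8 option bytes (MSS 1460, NOP, NOP, SACK permitted) and window 16384 are assumed."""
    options = bytes.fromhex("020405b401010402")
    tcp = build_tcp_syn(0x0428, 0x0015, 1865132352, 16384, options, SRC, DST)
    return build_ipv4_header(SRC, DST, len(tcp), 0x3021) + tcp

if __name__ == "__main__":
    raw = sample_syn()
    print(raw.hex())
    ip, tcp = decode_datagram(raw)
    print(ip)
    print(tcp)
```

Flipping a single header byte (for instance a TTL decremented without the checksum being recomputed) makes parse_ipv4 report checksum_ok as False, which is the condition under which IP silently drops the datagram as described above.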