Zweily's small piece - "Something About TCPIP" series (1)

xiaoxiao2021-03-06  104

Something About TCP/IP

Introduction

Many friends may have seen my small piece series (it seems to be rather stinky, huh), but that series has been stagnant and I have not written anything new. There may be many reasons, but being too lazy is one of them. Now that I have taken on a role with the online version of ABP, I should do my job a little better and write some things for everyone. Since I have always dealt with network-related stuff, I want to write down some of what I know; there will always be a little something to gain from it.

This "Something About TCP/IP" series is about the upper-layer application protocols. However, unlike the professional books, I will pick out some interesting or valuable things that I have my own ideas about. So this series will not be exhaustive, but each topic it covers will be discussed in detail, and I will try to describe some valuable examples. For now I have only the first idea, which is to talk about ARP. Later I will add more bit by bit; whenever I have a little inspiration, I will write something.

Oh, there is also the question of form. I still prefer the dialogue form of the small pieces, so I will try to write this way. However, it may be harder to write, since it requires designing scenes, characters, specific events and so on. We will know once everyone starts reading the first article. ^_^

First, Something About ARP

Narration: Young has been in our group for a while and has learned most of the basics of C. Because we often have network-related projects, I gave her a new task, self-study of the basics, and tossed her a book: the first volume of Stevens's three-volume set. When she first got the book, that long-lost "innocent" look appeared again ...

"Really depressing, this program seems to have some small problems ..." I looked at the code on the screen and muttered to myself. "Forget it, let it go, I'll go make a cup of black tea."

So I picked up my cup and walked toward the water dispenser. When I passed Young's desk, I found that she was actually chatting, with her book lying open on the desk as if she was not reading it at all. Well, she deserves a little prank.

I made my black tea and returned to my seat. "I have to plan a prank! Teach her a little lesson." While I was considering this, my colleague Kevin ran over and interrupted my thoughts.

"When did we start doing pressure test?" Kevin asked.

"That, well, after the function test is completed, we will do it." I replied. "Wait, did you say 'pressure test'?" My inspiration came, haha.

"Yes, pressure test. Is there any problem?" Kevin looked confused.

"Ahem, never mind. Just confirming. Well, I have a suggestion: before testing the development board, let's run the same test against a PC and see how the PC does, so we have a comparison."

"Good idea, let's do that. So how do we test it? Which machine do we test against?" Kevin asked, glancing around as he did, apparently looking for a machine nobody was using.

"No need to look, there is a machine over there. It was originally used by Pisces, who is away these days. No one is using it, so take her machine as the test target. For this test the machine only needs to be booted into the system, so there is no need to know her password; just log in with our domain. You go and prepare your test tool, I will go to Pisces's machine, and I will call you when it is ready."

Having said this, I went over to Pisces's machine. When I got up, I also took another look at Young. She actually had 5 MSN chat windows open, really #$%@$% ......

I made my preparations according to plan and let Kevin start testing. Once Kevin started, I knew that within 10 minutes Young would get her punishment, hehe ~~

About 5 minutes ...

"Hey, why is my machine like this?" I heard Young muttering over there.

About 1 minute ...

"Weily, can you come over and help me take a look?" Young seemed unable to solve the problem and began to call for my help.

"Is there a problem? I am a little busy here, wait a bit." Hehe, you can take your lesson for a while longer.

Young seemed to be running out of patience. She trotted over and would not stop pestering me: "Master, come and see, my machine seems to have a problem, it won't move, hurry and come save me. Don't they say a hero should save the beauty ..."

"Well, okay. After all, I am a hero, and when someone needs help, even if you are not a beauty, I should help. I'll go take a look." I know this one is the best at pestering; few people can withstand it. I had better go and save myself the trouble.

At her machine, I pretended not to know anything, pressed the keyboard, moved the mouse. Huh, OK, the machine was lagging badly and reacting very sluggishly, and, obviously, the five minimized MSN windows were flashing there but would not open. Haha, my purpose was achieved.

"Your machine seems to have a problem. Has it caught a virus?" I continued to play dumb.

"No, I didn't run anything. It just became like this. I also brought up the Task Manager and looked for a while; there is no suspicious process, just the usual ones." Young looked more and more innocent. Seeing her pitiful look, forget it, I'll let her off. But before stopping, I will give her a lesson.

"Wait a moment, I'll go to my machine and capture some packets." Having said that, I immediately returned to my machine, opened Ethereal, started capturing packets in promiscuous mode and left it running, then ran over to Kevin, had a word with him, and went back to Young. Within just a few minutes, everything was back to normal.

"Master, what is going on? Why is it fine now?" Young was confused.

"In fact, the root cause is that your machine's performance dropped sharply because of the network load. To put it plainly, your machine was attacked."

"Ah? Really? Even my machine gets looked at by hackers?" Young was even more baffled.

"It is not necessarily a hacker; it may be some faulty program. From what I just captured, I found that many packets were being sent to your machine, and your machine kept receiving them. Then, because the destination IP address of these packets is not yours, it discarded them. It is these packets that slowed your machine down."

"Huh? If the destination address of a packet is not my IP address, why would it be sent to me?"

"Before answering your question, let me ask you one first: how much of the book I gave you have you read?"

"This ..." Young stuck out her tongue and made a face. "I haven't finished the first chapter ..."

"Then what did you do today?" I had to be stern and press the interrogation.

"This ... I was chatting with friends ..." Young seemed to know she was in the wrong. I don't know whether to call her look innocent or sincere.

"Forget it. Since you are at least honest, I will give you a lesson. In fact, what you ran into today is the so-called 'ARP spoofing'. Chapter 4 of the book I gave you explains the ARP protocol in detail. I will just tell you some basic things."

"Okay, good! That saves me the effort, hehe!" Young was very happy to hear of a chance to be lazy.

"Don't be happy too early. When I finish this class, I will give you a task ..." Helping Young is also one of the great pleasures of my daily life, hehe!

"Master, what is ARP?" Young always seems to interrupt me at the critical moment.

"The full name of ARP is Address Resolution Protocol. It is one of the most basic protocols in the TCP/IP protocol suite. As the name suggests, it is used for address resolution."

"Address resolution? Do you mean IP address resolution? Isn't there already DNS to resolve domain names to IP addresses? What more is there to do?" Young did not understand.

"Stop embarrassing yourself and just listen."

"Yes, sir!"

"Your network knowledge is really good. You have to know that beneath the IP address there is also a physical address, which is the network card's MAC address we usually talk about. In the TCP/IP protocol stack, the IP layer sits above the host-to-network layer, so the IP address is a logical address. When data is actually transmitted on the network, an actual physical address is required, and these are the source and destination addresses of the frame that is really transmitted. Take our local area network: your IP address is 192.168.0.123, and your network card's MAC address is 00-0E-27-59-AD-46. You can see this MAC address by running ipconfig /all at the Windows command line."

"Oh? That sounds quite interesting, let me try it." She rushed to her own machine, opened the command line, and then sat there blankly. "Master, how do you spell that thing you said?"

I nearly fainted! "I-P-C-O-N-F-I-G, space, slash, A-L-L." I spelled it out for her letter by letter, and as I did I heard a few colleagues snickering. Huh, it seems I have become after-dinner gossip.

"Young, come back over and let's continue the topic."

"Coming! Coming!" Young said while running over.

"Well, let's continue. I was just talking about the IP address and the MAC address. In fact, when sending an IP packet you must know the destination's MAC address so that it can be delivered correctly. Take our Ethernet: all packets are broadcast on the link, that is, whenever a packet appears on the link, every machine receives it. So when a machine receives a packet, the network card first checks whether the destination MAC address is its own. If not, it drops the packet; otherwise it accepts the packet and, after some processing, hands it to the IP layer for further handling. Now you should see the importance of the MAC address, right?"

"Mm, I understand. So the ARP protocol resolves IP addresses to MAC addresses?" Young seemed to have understood something.

"Yes, put simply, that is its role. When the IP layer wants to send a packet, it hands it to the link layer; the link layer calls ARP to obtain the MAC address corresponding to the destination IP, then builds a data frame and sends it onto the physical link. But the key here is that ARP must have the MAC address corresponding to the destination IP."

"Yeah. And I think the ARP protocol must have a problem; otherwise, how did those packets just now get sent to my machine?"

"Don't worry, let me first explain how ARP gets the MAC address. The process has two steps. First, ARP looks in the local ARP cache table; if the MAC address corresponding to the destination IP is found there, that MAC address is used as the destination MAC address. If it is not found, an ARP Request packet is sent. This packet is a link-layer broadcast, and when the machine whose IP matches the destination IP receives it, it sends back a corresponding ARP Reply packet carrying its own MAC address to the requester. After receiving the ARP Reply, the requester reads the data it contains, uses that MAC as the destination MAC, and creates a new entry in the local ARP cache so that the next send can find it directly, saving the request/reply exchange."

"I have a question. Once there is a new entry in the ARP cache, no ARP Request will be sent for that destination IP in the future. What if people's IP addresses change, say your machine takes over the IP I used to have? Wouldn't that be the same as the attack I just suffered?"

"Well, you are right, but the ARP designers took this problem into account. ARP requires that every ARP entry kept locally has a timeout. If the entry has not been updated for a while, it is deleted. On Windows systems this time is 2 to 10 minutes."

"Oh? Then what about the problem I just ran into?" Young seemed confused.

"You ran into ARP spoofing. This is where ARP has a problem. When the ARP protocol was designed, efficiency was given full consideration, so when a machine receives an ARP packet, whether it is a Request or a Reply, it saves the IP address and physical address pair it carries into the local ARP cache table. The advantage is that fewer ARP packets need to be sent, which improves efficiency. The problem is that if the information in a received ARP packet is wrong, the wrong information is saved into the local ARP cache table as well."

"You mean that is what happened to me?" Young looked at me.

"Yes. In the capture I took earlier, Kevin's machine was sending a lot of packets whose destination IP address was 192.168.0.125 while the destination MAC address was your machine's MAC address. Then I went and asked Kevin: he was running a test against Pisces's machine, sending a lot of packets quickly, and Pisces's IP is 192.168.0.125. So all the packets that should have gone to Pisces's machine were sent to you. Later I told him to clear the ARP cache table on his machine, and everything was fine."

"So it was Kevin playing tricks! I am going to settle accounts with him!!" Young looked as if she would tear Kevin in half; it was the first time I had seen that look.

"Hold on, listen to me first. In fact, Kevin is innocent. He only started the test tool, and he was depressed too, because the test packets got no response. You should remember what I just told you about the lifetime of ARP entries: if that ARP information had been entered by Kevin with the Windows arp command, it would have expired after a while. In my judgment, some program on some machine was sending ARP Reply packets to Kevin at an interval shorter than that, containing that IP paired with your MAC. So the ARP entry on Kevin's machine was refreshed every time before it could expire, which is why he kept sending the packets to you. As for that program, it may be a faulty program running on some machine, so Kevin is innocent."

"Oh, so those are the basic concepts of ARP? I understand now. I just don't know whether someone did it on purpose, which makes me very depressed. If I catch him next time, I will not let him off!" Young still seemed to be fuming; it seems I still have to play innocent.

"Today's class was only a summary. The specific format of ARP packets and some other related network knowledge I want you to read up on yourself."

"Okay, I will read it carefully." Young is sometimes really very obedient, but I understand that these are surface appearances ... so I have to put a little pressure on her.

"Slow down, don't go yet. Class is over, but the homework has not been assigned. Go back, read the first 4 chapters of the book, write a report, and give it to me early the day after tomorrow."

"Ah? The time is so tight? I am afraid there is not enough ..." Young started putting on an act.

"You have time to chat but no time to read? If you can't finish it, I will give you another taste next time." Oops, I seem to have let something slip ...

"Next time? So today's trouble was you playing tricks? You! You! You!!" Young's temper flared up again. I had better make a run for it ...

Note:
1. "That book" mentioned here is the first volume, "The Protocols", of W. Richard Stevens's "TCP/IP Illustrated"; the Chinese translation is titled "TCP/IP Details, Volume 1: Protocols".
2. In fact, what happens in the article is also an attack, a kind of DoS attack.
3. As for the tool mentioned in the text that I used to send the ARP Reply packets, I will give a detailed program when I write the WinPcap tutorial; look forward to it. ^_^
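The cache behaviour described in the dialogue (every ARP Request or Reply is trusted and stored, so a repeated Reply keeps a wrong entry alive) can be watched for on the defender's side. The following is an added example, not code from the original article: it parses raw Ethernet ARP frames and reports replies nobody asked for and IP-to-MAC bindings that change. The names `ArpWatch`, `parse_arp`, `build_frame` and `demo` are hypothetical, and Kevin's address and Pisces's MAC are constructed sample values; only 192.168.0.125 and Young's MAC come from the text.

```python
import socket
import struct

ETH_ARP, REQUEST, REPLY = 0x0806, 1, 2

def build_frame(op, sha, spa, tha, tpa, dst=b"\xff" * 6):
    """Build an Ethernet + ARP frame; used only to construct sample input."""
    eth = dst + sha + struct.pack("!H", ETH_ARP)
    return eth + struct.pack("!HHBBH", 1, 0x0800, 6, 4, op) + sha + spa + tha + tpa

def parse_arp(frame):
    """Return (op, sender_mac, sender_ip, target_ip), or None if not Ethernet/IPv4 ARP."""
    if len(frame) < 42 or frame[12:14] != struct.pack("!H", ETH_ARP):
        return None
    if struct.unpack("!HHBB", frame[14:20]) != (1, 0x0800, 6, 4):
        return None
    op = struct.unpack("!H", frame[20:22])[0]
    mac = frame[22:28].hex("-").upper()
    return op, mac, socket.inet_ntoa(frame[28:32]), socket.inet_ntoa(frame[38:42])

class ArpWatch:
    """Track IP-to-MAC bindings like an ARP cache, but report changes instead of overwriting."""
    def __init__(self):
        self.bindings, self.asked, self.alerts = {}, set(), []
    def feed(self, frame):
        parsed = parse_arp(frame)
        if parsed is None:
            return
        op, mac, ip, target = parsed
        if op == REQUEST:
            self.asked.add(target)          # someone is waiting for this IP to answer
        elif op == REPLY and ip in self.asked:
            self.asked.discard(ip)          # reply matches an outstanding request
        elif op == REPLY:
            self.alerts.append(("unsolicited-reply", ip, mac))
        known = self.bindings.setdefault(ip, mac)   # first binding seen is kept
        if known != mac:
            self.alerts.append(("binding-changed", ip, known, mac))

def demo():
    """Constructed frames; only Young's MAC and the IP 192.168.0.125 come from the article."""
    kevin_mac, kevin_ip = bytes.fromhex("001122334455"), socket.inet_aton("192.168.0.124")
    pisces_mac, pisces_ip = bytes.fromhex("00AABBCCDDEE"), socket.inet_aton("192.168.0.125")
    young_mac = bytes.fromhex("000E2759AD46")
    w = ArpWatch()
    w.feed(build_frame(REQUEST, kevin_mac, kevin_ip, b"\0" * 6, pisces_ip))
    w.feed(build_frame(REPLY, pisces_mac, pisces_ip, kevin_mac, kevin_ip, dst=kevin_mac))
    w.feed(build_frame(REPLY, young_mac, pisces_ip, kevin_mac, kevin_ip, dst=kevin_mac))  # wrong MAC
    return w.alerts
```

A changed binding also occurs legitimately (a replaced network card, a reassigned address), so each alert is a prompt to check the segment rather than proof of spoofing.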

When reposting, please cite the original address: https://www.9cbs.com/read-99715.html
