传输层协议报文信息分析
1
、浏览网页数据报文
截图如下:
No.
Time
Source
Destination
Protocol Info
351 199.346792
58.218.3.215
119.75.218.45
TCP
dectalk > http [ACK] Seq=1 Ack=1 Win=65535 Len=0
Frame 351 (54 bytes on wire, 54 bytes captured)
Arrival Time: Dec 18, 2010 23:10:30.152304000
[Time delta from previous captured frame: 0.000065000 seconds]
[Time delta from previous displayed frame: 0.000065000 seconds]
[Time since reference or first frame: 199.346792000 seconds]
Frame Number: 351
Frame Length: 54 bytes
Capture Length: 54 bytes
[Frame is marked: False]
[Protocols in frame: eth:ip:tcp]
[Coloring Rule Name: HTTP]
[Coloring Rule String: http || tcp.port == 80]
Ethernet II, Src: CompalIn_29:bd:20 (70:5a:b6:29:bd:20), Dst: LinkageS_04:d6:00 (00:09:53:04:d6:00)
Destination: LinkageS_04:d6:00 (00:09:53:04:d6:00)
Address: LinkageS_04:d6:00 (00:09:53:04:d6:00)
…. …0 …. …. …. …. = IG bit: Individual address (unicast)
…. ..0. …. …. …. …. = LG bit: Globally unique address (factory default)
Source: CompalIn_29:bd:20 (70:5a:b6:29:bd:20)
Address: CompalIn_29:bd:20 (70:5a:b6:29:bd:20)
…. …0 …. …. …. …. = IG bit: Individual address (unicast)
…. ..0. …. …. …. …. = LG bit: Globally unique address (factory default)
Type: IP (0x0800)
Internet Protocol, Src: 58.218.3.215 (58.218.3.215), Dst: 119.75.218.45 (119.75.218.45)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
0000 00.. = Differentiated Services Codepoint: Default (0x00)
…. ..0. = ECN-Capable Transport (ECT): 0
…. …0 = ECN-CE: 0
Total Length: 40
Identification: 0x3486 (13446)
Flags: 0x02 (Don’t Fragment)
0.. = Reserved bit: Not Set
.1. = Don’t fragment: Set
..0 = More fragments: Not Set
Fragment offset: 0
Time to live: 64
Protocol: TCP (0x06)
Header checksum: 0x7620 [correct]
[Good: True]
[Bad : False]
Source: 58.218.3.215 (58.218.3.215)
Destination: 119.75.218.45 (119.75.218.45)
Transmission Control Protocol, Src Port: dectalk (2007), Dst Port: http (80), Seq: 1, Ack: 1, Len: 0
Source port: dectalk (2007)
Destination port: http (80)
[Stream index: 60]
Sequence number: 1
(relative sequence number)
Acknowledgement number: 1
(relative ack number)
Header length: 20 bytes
Flags: 0x10 (ACK)
0… …. = Congestion Window Reduced (CWR): Not set
.0.. …. = ECN-Echo: Not set
..0. …. = Urgent: Not set
…1 …. = Acknowledgement: Set
…. 0… = Push: Not set
…. .0.. = Reset: Not set
…. ..0. = Syn: Not set
…. …0 = Fin: Not set
Window size: 65535
Checksum: 0xd1ed [validation disabled]
[Good Checksum: False]
[Bad Checksum: False]
[SEQ/ACK analysis]
[This is an ACK to the segment in frame: 350]
[The RTT to ACK the segment was: 0.000065000 seconds]
分析以上报文知:
以太帧格式部分:
终止地址是:
00:09:53:04:d6:00
源点地址是:
70:5a:b6:29:bd:20
帧格式类型码为:
0x0800
IP
数据报格式及首部各字段:
版本号:
4
首部长度:
20 bytes
服务类型:
0x00
总长度:
40
标识:
0x3486 (13446)
标志:
0x02
偏移:
0
生存期:
64
协议:
TCP (0x06)
首部校验和:
0x7620 [correct]
源
IP
:
58.218.3.215
目的
IP
:
119.75.218.45
传输层协议,
TCP
字段:
源端口:
2007
目的端口:
80
序列号:
1
确认序列号:
1
首部长度:
20 bytes
标志:
0x10
(
ACK
)
窗口大小:
65535
检验和:
0xd1ed
2
、即时通信
截图如下:
No.
Time
Source
Destination
Protocol Info
1198 1261.306972 58.218.3.215
121.233.61.180
TCP
down > 49383 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460 WS=3 TSV=0 TSER=0
Frame 1198 (78 bytes on wire, 78 bytes captured)
Arrival Time: Dec 18, 2010 23:28:12.112484000
[Time delta from previous captured frame: 0.000083000 seconds]
[Time delta from previous displayed frame: 0.000083000 seconds]
[Time since reference or first frame: 1261.306972000 seconds]
Frame Number: 1198
Frame Length: 78 bytes
Capture Length: 78 bytes
[Frame is marked: False]
[Protocols in frame: eth:ip:tcp]
[Coloring Rule Name: TCP SYN/FIN]
[Coloring Rule String: tcp.flags & 0x02 || tcp.flags.fin == 1]
Ethernet II, Src: CompalIn_29:bd:20 (70:5a:b6:29:bd:20), Dst: LinkageS_04:d6:00 (00:09:53:04:d6:00)
Destination: LinkageS_04:d6:00 (00:09:53:04:d6:00)
Address: LinkageS_04:d6:00 (00:09:53:04:d6:00)
…. …0 …. …. …. …. = IG bit: Individual address (unicast)
…. ..0. …. …. …. …. = LG bit: Globally unique address (factory default)
Source: CompalIn_29:bd:20 (70:5a:b6:29:bd:20)
Address: CompalIn_29:bd:20 (70:5a:b6:29:bd:20)
…. …0 …. …. …. …. = IG bit: Individual address (unicast)
…. ..0. …. …. …. …. = LG bit: Globally unique address (factory default)
Type: IP (0x0800)
Internet Protocol, Src: 58.218.3.215 (58.218.3.215), Dst: 121.233.61.180 (121.233.61.180)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
0000 00.. = Differentiated Services Codepoint: Default (0x00)
…. ..0. = ECN-Capable Transport (ECT): 0
…. …0 = ECN-CE: 0
Total Length: 64
Identification: 0x35db (13787)
Flags: 0x00
0.. = Reserved bit: Not Set
.0. = Don’t fragment: Not Set
..0 = More fragments: Not Set
Fragment offset: 0
Time to live: 64
Protocol: TCP (0x06)
Header checksum: 0x4e8f [correct]
[Good: True]
[Bad : False]
Source: 58.218.3.215 (58.218.3.215)
Destination: 121.233.61.180 (121.233.61.180)
Transmission Control Protocol, Src Port: down (2022), Dst Port: 49383 (49383), Seq: 0, Ack: 1, Len: 0
Source port: down (2022)
Destination port: 49383 (49383)
[Stream index: 116]
Sequence number: 0
(relative sequence number)
Acknowledgement number: 1
(relative ack number)
Header length: 44 bytes
Flags: 0x12 (SYN, ACK)
0… …. = Congestion Window Reduced (CWR): Not set
.0.. …. = ECN-Echo: Not set
..0. …. = Urgent: Not set
…1 …. = Acknowledgement: Set
…. 0… = Push: Not set
…. .0.. = Reset: Not set
…. ..1. = Syn: Set
[Expert Info (Chat/Sequence): Connection establish acknowledge (SYN+ACK): server port down]
[Message: Connection establish acknowledge (SYN+ACK): server port down]
[Severity level: Chat]
[Group: Sequence]
…. …0 = Fin: Not set
Window size: 65535
Checksum: 0xa7eb [validation disabled]
[Good Checksum: False]
[Bad Checksum: False]
Options: (24 bytes)
Maximum segment size: 1460 bytes
NOP
Window scale: 3 (multiply by 8)
NOP
NOP
Timestamps: TSval 0, TSecr 0
NOP
NOP
SACK permitted
[SEQ/ACK analysis]
[This is an ACK to the segment in frame: 1197]
[The RTT to ACK the segment was: 0.000083000 seconds]
分析以上报文知:
以太帧格式部分:
终止地址是:
00:09:53:04:d6:00
源点地址是:
70:5a:b6:29:bd:20
帧格式类型码为:
0x0800
IP
数据报格式及首部各字段:
版本号:
4
首部长度:
20 bytes
服务类型:
0x00
总长度:
64
标识:
0x35db (13787)
标志:
0x00
偏移:
0
生存期:
64
协议:
TCP (0x06)
首部校验和:
0x4e8f [correct]
源
IP
:
58.218.3.215
目的
IP
:
121.233.61.180
传输层协议,
TCP
字段:
源端口:
2022
目的端口:
49383
序列号:
0
确认序列号:
1
首部长度:
44 bytes
标志:
0x12
(
SYN
,
ACK
)
窗口大小:
65535
检验和:
0xa7eb
3
、
TCP
建立与断开连接
1)
三次握手截图如下:
第一次握手
:
请求端
(
客户端
)
会向服务端
(
被请求端
)
发送一个
tcp
报文,申请打开某一个端口。因为没有数据,所以这个报文仅包含一个
tcp
头。其中:
客户端发送一个
TCP
的
SYN
标志位置
1
的包指明客户打算连接的服务器的端口,以及初始序号
0,
保存在包头的序列号
(Sequence Number)
字段里。
序号用来标识从客户端向服务端发送的数据字节流。此时客户端进入
SYN_SENT
状态。
第二次握手:
服务端收到客户端的
SYN
包,也会发一个只包含
tcp
头的报文给客户端。
即:
SYN
标志位和
ACK
标志位均为
1
,同时将确认序号
(Acknowledgement Number)
设置为客户的
SYN
加
1
作为应答。
此时服务端进入
SYN_RECV
状态。
第三次握手:客户端再次发送确认包
(ACK) SYN
标志位为
0,ACK
标志位为
1
,并把服务器发来
ACK
的序号字段
+1,
放在确定字段中发送给对方。
ACK=1
;客户端确认收到信息,确认序号;服务端序号
+1
,作为应答。此时客户端进入
ESTABLISHED
状态,服务端收到
ACK
后也会进入此状态。
可见,客户端和服务端都保留了对方的序号,这三次握手缺少任何一步都无法实现这一目标。
2)
四次握手截图如下:
第一次握手
:
客户端发送一个
FIN
(这个客户端是主动发起关闭的一端,与建立连接时的客户端不一定是同一主机)
此时客户端进入
FIN_WAIT_1
状态;
第二次握手
:
服务端收到
FIN
,发回客户端一个
ACK
,确认序号为收到的序号加
1
(因为
FIN
和
SYN
一样,会占用一个序号);客户端收到
ACK
之后会进入
FIN_WAIT_2
状态,服务端会进入
CLOSE_WAIT
状态;
第三次握手
:
服务端发送给客户端一个
FIN
。服务端进入
LAST_ACK
状态;
第四次握手:
客户端收到
FIN
,发回服务端一个
ACK
,确认序号为收到的序号加
1
;客户端会进入
TIME_WAIT
状态,
2MSL
超时后进入
CLOSE
状态。服务端收到
ACK
后也会进入
CLOSE
状态。
分析两种握手:
之所以建立连接时时三次握手,而拆除连接时是四次握手时因为,建立连接时,服务端可以把应答
ACK
和同步
SYN
放在一个报文里进行发送;而关闭连接时,收到
FIN
通知仅仅表示对方没有数据发送过来了,并不表示自己的数据全部发送给了对方。所以
ACK
和
FIN
是分了两次进行发送。如果服务端收到
FIN
,恰恰自己也没有数据要发,这样就可以少一次数据流了。