Technology sharing | packet capturing analysis TCP protocol

This article is excerpted from the internal textbook of Hogwarts testing and development society

TCP The protocol is in the transport layer , A connection oriented 、 reliable 、 Transport layer communication protocol based on byte stream .

Environmental preparation

Classify interface testing tools , It can be classified as follows ：

• Network sniffer tool ：tcpdump,wireshark
• Agent tools ：fiddler,charles,anyproxyburpsuite,mitmproxy
• Analysis tools ：curl,postman,chrome Devtool

Caught analysis TCP agreement

tcpdump

tcpdump Is a The of packets transmitted over a network “ head ” Completely intercepted to provide analysis Tools for . It supports for network layer 、 agreement 、 host 、 Network or port filtering , And provide and、or、not And other logical statements to remove useless information .

Give Way tcpdump Always monitor 443 port , If there is any difference, enter it into log In file

sudo tcpdump port 443 -v -w /tmp/tcp.log

Use this command , Will put the report in the directory /tmp/tcp.log in .

wireshark

wireshark It is also a network sniffing tool , In addition to having tcpdump function , There are more extensions , For example, analysis tools , But in interface testing , The process of capturing packets is often carried out on the server , Servers generally do not provide UI Interface , therefore wireshark Unable to work on server , Can only use tcpdump Grab bag generation log, And then log Import wireshark Use , There is UI Analysis on the client of the interface .

Caught analysis TCP agreement

Grab one http Of get request ：

1. Search on Baidu mp3 http://www.baidu.com/s?wd=mp3
2. use tcpdump Intercept this get request , And generate log
3. use wireshark open tcpdump Generated log

Use wireshark see log：

log The first few messages are three handshakes . Because the channel is unreliable , Before sending the data , It is necessary to ensure channel stability , And three handshakes are like the following operations ：

• The first handshake ： When establishing a connection , The client sends syn package （syn=j） To the server , And enter SYN_SENT state , Wait for server to confirm .
• The second handshake ： Server received syn package , Must confirm customer's SYN（ack=j+1）, At the same time, I also send a SYN package （seq=k）, namely SYN+ACK package , At this time, the server enters SYN_RECV state ;
• The third handshake ： Client receives server's SYN+ACK package , Send confirmation package to server ACK（ack=k+1）, This package has been sent , Client and server access ESTABLISHED（TCP Successful connection ） state , Complete three handshakes .

After three handshakes , Can further communicate , It looks like this ：

At the end of the communication , Four waves are also required ：

• First wave ： The client sends a... To the server FIN, Request to turn off data transfer .
• Second wave ： The server received... From the client FIN, Send a ACK, among ack The value is equal to the FIN+SEQ.
• Third wave ： The server sends a... To the client FIN, Tell client application to close .
• Fourth wave ： The client receives... From the server FIN, Reply to one ACK To the server . among ack The value is equal to the FIN+SEQ.

Be careful ： A request may be divided into multiple packets , So is a data , So in wireshark You'll see a lot of bags .