Technology sharing | packet capturing analysis TCP protocol

2022-07-06 21:18:00 Hogwarts_ test

This article is excerpted from the internal textbook of the Hogwarts Testing and Development Society.

TCP is a transport-layer protocol: it is connection-oriented, reliable, and based on byte streams.

Environment preparation

Interface testing tools can be classified as follows:

  • Network sniffing tools: tcpdump, wireshark
  • Proxy tools: fiddler, charles, anyproxy, burpsuite, mitmproxy
  • Analysis tools: curl, postman, Chrome DevTools

Packet capture analysis of the TCP protocol

tcpdump

tcpdump is a tool that intercepts the headers of packets transmitted over the network in full and makes them available for analysis. It supports filtering by network layer, protocol, host, network, or port, and provides logical operators such as and, or, and not to strip out unwanted information.

Have tcpdump continuously monitor port 443 and write whatever it captures into a log file:

sudo tcpdump port 443 -v -w /tmp/tcp.log

With this command, the capture is written to the file /tmp/tcp.log.

Common parameters    Meaning
port 443             Capture traffic on port 443
-v                   Output more detailed information
-w                   Write the captured data to the given log file

wireshark

wireshark is also a network sniffing tool. Besides the functionality of tcpdump it has many more extensions, such as analysis tools. In interface testing, however, packet capture is usually performed on the server, and servers generally provide no UI, so wireshark cannot run on the server. You can only capture packets with tcpdump to generate a log, then import that log into wireshark and analyze it on a client that has a UI.

Packet capture analysis of the TCP protocol

Capture an HTTP GET request:

  1. Search Baidu for mp3: http://www.baidu.com/s?wd=mp3
  2. Use tcpdump to intercept this GET request and generate a log
  3. Open the log generated by tcpdump in wireshark

View the log in wireshark:

[Screenshot: the log opened in wireshark]

The first few messages in the log are the three-way handshake. Because the channel is unreliable, channel stability must be ensured before data is sent, and the three-way handshake consists of the following operations:

  • First handshake: when establishing a connection, the client sends a SYN packet (syn=j) to the server, enters the SYN_SENT state, and waits for the server to confirm.
  • Second handshake: when the server receives the SYN packet, it must confirm the client's SYN (ack=j+1) and at the same time send its own SYN packet (seq=k), i.e. a SYN+ACK packet; the server then enters the SYN_RECV state.
  • Third handshake: the client receives the server's SYN+ACK packet and sends a confirmation packet ACK (ack=k+1) to the server. Once this packet is sent, the client and server enter the ESTABLISHED state (TCP connection succeeded), completing the three-way handshake.
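To check the handshake described above against the file that `tcpdump -w` produces, here is an added example (not code from the article): a minimal pcap reader that decodes IPv4/TCP frames, plus a state tracker that follows the seq/ack relationships j, j+1, k, k+1 from the three bullets. The addresses, ports and sequence numbers in the embedded sample capture are constructed for the example.

```python
import struct
# Added example (not the article's code): minimal reader for the pcap file that `tcpdump -w` writes.
def tcp_segments(pcap: bytes):
    """Yield (src, dst, seq, ack, flags) for each IPv4/TCP frame in an Ethernet capture."""
    if struct.unpack_from("<I", pcap, 0)[0] != 0xA1B2C3D4:
        raise ValueError("not a little-endian pcap file")
    off = 24                                     # skip the 24-byte global header
    while off + 16 <= len(pcap):
        incl_len = struct.unpack_from("<IIII", pcap, off)[2]
        raw = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        ip = raw[14:]                            # strip the Ethernet header
        if struct.unpack_from("!H", raw, 12)[0] != 0x0800 or ip[9] != 6:
            continue                             # not IPv4, or not TCP
        tcp = ip[(ip[0] & 0x0F) * 4:]            # IHL gives the IP header length
        sport, dport, seq, ack, off_flags = struct.unpack_from("!HHIIH", tcp, 0)
        src = ".".join(map(str, ip[12:16])) + f":{sport}"
        dst = ".".join(map(str, ip[16:20])) + f":{dport}"
        yield src, dst, seq, ack, off_flags & 0x3F   # FIN=0x01 SYN=0x02 ACK=0x10

def handshake_states(segments):
    """Replay the three-way handshake exactly as the article describes it."""
    states, client, j, k = [], None, None, None
    for src, dst, seq, ack, flags in segments:
        if flags == 0x02:                        # SYN (seq=j): client enters SYN_SENT
            client, j = src, seq
            states.append("SYN_SENT")
        elif flags == 0x12 and j is not None and ack == j + 1:
            k = seq                              # SYN+ACK (seq=k, ack=j+1): server in SYN_RECV
            states.append("SYN_RECV")
        elif flags == 0x10 and src == client and k is not None and ack == k + 1:
            states.append("ESTABLISHED")         # ACK (ack=k+1): handshake complete
    return states

def frame(src, dst, sport, dport, seq, ack, flags):
    """Constructed Ethernet/IPv4/TCP frame for the sample capture (checksums left zero)."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return bytes(12) + b"\x08\x00" + ip + tcp

def pcap_file(frames):
    """Wrap frames in the pcap container that tcpdump -w produces."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return header + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)

# Constructed capture: client 192.0.2.10 opens port 80 on server 198.51.100.5 (j=1000, k=5000).
SAMPLE = pcap_file([frame("192.0.2.10", "198.51.100.5", 40000, 80, 1000, 0, 0x02),
                    frame("198.51.100.5", "192.0.2.10", 80, 40000, 5000, 1001, 0x12),
                    frame("192.0.2.10", "198.51.100.5", 40000, 80, 1001, 5001, 0x10)])
```

Running `handshake_states(tcp_segments(open("/tmp/tcp.log", "rb").read()))` on a real capture lists the states in order; a missing ESTABLISHED means the final ACK did not acknowledge k+1.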

After the three-way handshake, further communication can take place, which looks like this:

[Screenshot: data exchange following the handshake in wireshark]

At the end of the communication, a four-way wave (close) is also required:

[Screenshot: the four-way close in wireshark]
  • First wave: the client sends a FIN to the server, requesting that data transfer be closed.
  • Second wave: the server receives the FIN from the client and sends an ACK, whose ack value equals FIN+SEQ.
  • Third wave: the server sends a FIN to the client, telling the client application to close.
  • Fourth wave: the client receives the FIN from the server and replies with an ACK to the server, whose ack value equals FIN+SEQ.

Note: a request may be split across multiple packets, and so may a piece of data, so in wireshark you will see many packets.

Copyright notice
This article was written by [Hogwarts_ test]; please include the original link when reposting, thank you.
https://yzsam.com/2022/187/202207061255089968.html