Analysis of TCP packet capturing using Wireshark
2022-07-25 12:15:00 【It's hard to hold on】
I. Process overview
My machine 192.168.1.131 (abbreviated A) and the server 223.166.138.30 (abbreviated B) first complete the TCP three-way handshake to establish the connection, then perform an HTTP request, and finally close the TCP connection with the four-way handshake.
1. Three-way handshake:
A first sends B a SYN packet requesting a connection.
B sends A back a SYN+ACK packet, acknowledging the previous SYN request and at the same time sending its own request to establish the connection.
A then sends B back an ACK packet acknowledging B's SYN request.
2. PSH
"TCP segment of a reassembled PDU" literally means a TCP segment belonging to a protocol data unit (PDU: Protocol Data Unit) that is to be reassembled. For example, an HTTP response that is made up of multiple packets, as shown below.
The segmentation here means that the upper-layer HTTP response is made up of several segments, each of which is carried by TCP. TCP itself has no concept of segmentation; its sequence number and acknowledgment number are what make TCP a stream-based protocol. The label "TCP segment of a reassembled PDU" appears because Wireshark has dissected the HTTP protocol above it; if Wireshark is configured not to dissect HTTP, this label is not shown.
Reference: https://blog.csdn.net/weixin_30439067/article/details/97999147?spm=1001.2101.3001.6650.1&utm_medium=distribute.pc_relevant.none-task-blog-2%7Edefault%7ECTRLIST%7Edefault-1-97999147-blog-103210932.pc_relevant_multi_platform_whitelistv3&depth_1-utm_source=distribute.pc_relevant.none-task-blog-2%7Edefault%7ECTRLIST%7Edefault-1-97999147-blog-103210932.pc_relevant_multi_platform_whitelistv3&utm_relevant_index=2
PSH (Push): tells the receiver whether to push the data up to the upper layer immediately after receiving the segment. A value of 1 means the data should be handed to the upper layer at once instead of being buffered.
3. The HTTP request and its response
HTTP works by having the client first send a request to the server, and the server then reply with a response. Depending on the need, the request sent by the client uses different methods, such as GET, POST, PUT, etc.
The POST method is used here; it is mostly used for things like logging in to accounts on websites, and the body is used to transmit the entity.
/cloudquery.php is the request URI.
HTTP/1.1 indicates the protocol version.
For POST, the response is the result of the server processing the received body.
200 OK means the request sent by the client was processed normally on the server side.
4. TCP four-way close
Because TCP is a full-duplex connection, each side needs to notify the other that it is disconnecting, and the peer then responds to that notification.
The order in this example differs from the one in the book:
Host A sends a disconnect request first.
Host B then sends its own disconnect request.
Host B responds to host A's disconnect request.
Host A responds to host B's disconnect request.
II. Reading the network packet
Now open packet No. 80, B's response to A's connection establishment request:
At the bottom is the whole packet in hexadecimal. Because this is the response packet for the connection request, it carries no payload to transmit, only the headers of each layer.
First line: because this packet was captured on the host, the outermost encapsulation is the data link layer. The data link layer encapsulates the packet into a frame (Frame); the frame number is the packet number. This packet contains 64 bytes.
Second line: data link layer. You can see the MAC addresses of the two adjacent devices; from the source MAC address you can also see the model of the router, which is how the packet is relayed hop by hop to the destination address.
Third line: network layer. In this packet, the main task of this layer is to add the destination address, source address and port number to the data passed down from the TCP layer.
Fourth line: transport layer, using the TCP protocol.
Fifth line: application layer.
Click the network layer, then click the source IP address:
223 corresponds to df, 166 to a6, 138 to 8a, 30 to 1e
1e: 16+14=30
Click the transport layer:
You can see that the source port is 80 and the destination port is 55469.
Sequence number 117691945
Acknowledgment number 1205542292
The data offset, reserved bits and control bits are recorded together under flags:
Hex 70 in binary: 0111 0000
The first 4 bits, 0111, are 7 in decimal; the unit of TCP header length is 4 bytes, so the header is 28 bytes.
The reserved bits, 0000, are mainly for future extension and are ignored for now.
Hex 12 in binary: 0001 0010
Only SYN and ACK are set to 1, as expected.
Window size 14600
Checksum 0x0376
Urgent pointer 0
Options: the options field is mainly used to improve TCP transmission performance.
A more intuitive view of the TCP header:
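To make the field walk above concrete, here is an added example (not code from the original post) that decodes a constructed 28-byte TCP header carrying the values of packet No. 80: the data offset and reserved nibbles of 0x70, the flag bits of 0x12, and the options area. The 8 option bytes (MSS 1460, NOP, window scale 7) are an assumption, since the page does not list the option contents.

```python
import struct

# Constructed 28-byte TCP header reproducing the field values of packet No. 80
# on this page: source port 80, destination port 55469, seq 117691945,
# ack 1205542292, data offset 7 (28 bytes), flags 0x12 (SYN+ACK), window 14600,
# checksum 0x0376, urgent pointer 0. The 8 option bytes are an assumption
# (MSS 1460, NOP, window scale 7); the page does not list the option contents.
PACKET_80_TCP_HEADER = bytes.fromhex(
    "0050" "d8ad"               # source port 80, destination port 55469
    "0703d629"                  # sequence number 117691945
    "47db1d94"                  # acknowledgment number 1205542292
    "70" "12"                   # data offset/reserved byte 0x70, flags byte 0x12
    "3908" "0376" "0000"        # window 14600, checksum 0x0376, urgent pointer 0
    "020405b4" "01" "030307"    # assumed options: MSS 1460, NOP, WScale 7
)

# Bit positions of the flags byte, lowest bit first (0x12 = SYN | ACK).
FLAG_NAMES = ("FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECE", "CWR")

def parse_tcp_header(raw: bytes) -> dict:
    """Decode the TCP header fields the way Wireshark's transport-layer line
    shows them, including the MSS option if present."""
    if len(raw) < 20:
        raise ValueError("a TCP header is at least 20 bytes")
    (src_port, dst_port, seq, ack, off_res, flags_byte,
     window, checksum, urgent) = struct.unpack("!HHIIBBHHH", raw[:20])
    data_offset = off_res >> 4        # high nibble of 0x70 -> 7, in 4-byte units
    reserved = off_res & 0x0F         # low nibble of 0x70 -> 0
    header_len = data_offset * 4      # 7 * 4 = 28 bytes
    if header_len < 20 or header_len > len(raw):
        raise ValueError(f"data offset {data_offset} does not fit {len(raw)} bytes")
    flags = [n for i, n in enumerate(FLAG_NAMES) if flags_byte & (1 << i)]
    # Walk the options: kind 0 ends the list, kind 1 (NOP) has no length byte.
    opts, i, mss = raw[20:header_len], 0, None
    while i < len(opts) and opts[i] != 0:
        if opts[i] == 1:
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            raise ValueError("malformed TCP option")
        if opts[i] == 2 and opts[i + 1] == 4:
            mss = struct.unpack("!H", opts[i + 2:i + 4])[0]
        i += opts[i + 1]
    return {"src_port": src_port, "dst_port": dst_port, "seq": seq, "ack": ack,
            "data_offset": data_offset, "reserved": reserved, "header_len": header_len,
            "flags": flags, "window": window, "checksum": checksum,
            "urgent": urgent, "mss": mss}
```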
III. On the TCP three-way handshake and four-way close

A and B each maintain the sequence number of the packets they send.
The sequence number of the packet A sends to establish the connection is 1205542291.
B also sends a packet to establish the connection; its sequence number is 117691945 and its acknowledgment number is 1205542292. The SYN and FIN packets sent when establishing and closing the connection carry no data, but each still consumes one sequence number as if it were one byte; otherwise a packet's sequence number is the previous packet's sequence number plus that packet's length. The acknowledgment number indicates that the previous packet has been received and also gives the starting sequence number of the next packet the other side will send.
A sends an acknowledgment for B's connection establishment request; its sequence number is 1205542292 and its acknowledgment number is 117691946.
The close is mostly similar to the handshake; points to note:
Before the TCP connection is closed there is the HTTP response; its sequence number is 117691946 and its length is 482, which add up to 117692428, the sequence number of B's next packet.
The second-to-last packet is neither a SYN packet nor a FIN packet and carries no data, so B's sequence number is not incremented by 1.
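The sequence-number bookkeeping of this section, as an added example (not code from the original post): it replays the exchange in the order the page describes, starting from the two initial sequence numbers given above, and applies the rule that SYN and FIN each consume one sequence number while a pure ACK consumes none. The POST request length is an assumption, since the page does not give it; the handshake values and the 482-byte response are from the page.

```python
SEQ_MODULUS = 2 ** 32        # TCP sequence numbers wrap around at 32 bits

# Values from the page: the two initial sequence numbers and the HTTP response
# length. The POST request length is an assumption; the page does not give it.
A_ISN = 1205542291
B_ISN = 117691945
HTTP_REQUEST_LEN = 200       # assumed
HTTP_RESPONSE_LEN = 482      # from the page

# Constructed exchange in the order the page describes: three-way handshake,
# POST request and its response, then the four-way close (A FIN, B FIN,
# B acknowledges A's FIN, A acknowledges B's FIN).
CONVERSATION = [
    ("A", {"SYN"}, 0),
    ("B", {"SYN", "ACK"}, 0),
    ("A", {"ACK"}, 0),
    ("A", {"PSH", "ACK"}, HTTP_REQUEST_LEN),
    ("B", {"ACK"}, 0),
    ("B", {"PSH", "ACK"}, HTTP_RESPONSE_LEN),
    ("A", {"ACK"}, 0),
    ("A", {"FIN", "ACK"}, 0),
    ("B", {"FIN", "ACK"}, 0),
    ("B", {"ACK"}, 0),
    ("A", {"ACK"}, 0),
]

def sequence_walk(conversation, isn_a, isn_b):
    """Return (sender, seq, ack, next_seq) for every segment, applying the rule
    on the page: SYN and FIN each consume one sequence number, a pure ACK
    consumes none, and data advances the sequence number by its length.
    Assumes in-order delivery with no loss, so each ACK covers all peer data."""
    next_seq = {"A": isn_a, "B": isn_b}   # next sequence number each side will use
    rows = []
    for sender, flags, length in conversation:
        peer = "B" if sender == "A" else "A"
        seq = next_seq[sender]
        ack = next_seq[peer] if "ACK" in flags else 0   # peer's next expected byte
        consumed = length + ("SYN" in flags) + ("FIN" in flags)
        next_seq[sender] = (seq + consumed) % SEQ_MODULUS
        rows.append((sender, seq, ack, next_seq[sender]))
    return rows

def check_against_capture(rows, observed):
    """Compare the computed (seq, ack) of selected packets with the absolute
    values Wireshark shows; returns the packet indexes that disagree."""
    return [i for i, (seq, ack) in observed.items() if rows[i][1:3] != (seq, ack)]
```

A mismatch reported by check_against_capture points at a lost, retransmitted or reordered segment that the simple in-order model does not account for.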
IV. On the change of window size
MSS: maximum segment size.
The send window determines how many bytes can be sent at a time, and the MSS determines how many segments those bytes are sent in.
If the send window is 16000 bytes and the MSS is 1000 bytes, the data is split into 16 segments to send.
When establishing the TCP connection, the two ends send each other their MSS, and then the smaller MSS is put into use.
By coincidence, the two MSS values here are the same.
Flow control: TCP provides a mechanism that lets the sender control the amount of data sent according to the receiver's actual receiving capacity. Specifically, the receiving host tells the sending host how much data it can receive, and the sender then sends no more than this limit. When the receiver's buffer is about to overflow, the window size value is set to a smaller value and notified to the sender, thereby controlling the amount of data sent.
Note that window size does not refer to the send window; instead it tells the other side your receive window.