Wireshark basic tutorial Ethernet frame analysis.
2022-07-26 10:49:00 【aLLLiyyy】
First, note that the Ethernet frame is encapsulated at layer 2 of the seven-layer OSI model, the data link layer. Wireshark can capture the complete Ethernet frame, so we can examine it clearly. Open Wireshark, find the network card that corresponds to your own IP address, open it, and click any protocol. Here we use UDP as the example. The screenshot is as follows:
In the screenshot above, the four entries are:
Frame,
Ethernet II,
Internet Protocol Version 4,
User Datagram Protocol.
They correspond, in order, to:
1: summary information for the whole Ethernet frame,
2: the Ethernet frame header,
3: the IP packet,
4: the UDP packet.
They are connected to one another, as explained below.
First, the Frame line: Frame 2: 54 bytes on wire (432 bits), 54 bytes captured (432 bits) on interface 0. This line means that frame number 2 was captured with 54 bytes, that is, 432 bits (one byte is eight bits), on interface 0, that is, on network card 0 (a machine may have several network cards). Note that Ethernet frames work at the data link layer, and the data link layer has the concept of an MTU, the maximum transmission unit. The MTU is actually the Data part in the picture below; note that it is not the total length of the Ethernet frame. No Ethernet frame can exceed the number of bytes set by the MTU (usually 1500 bytes). If the limit would be exceeded, for example because an IP datagram is too big, the IP datagram has to be fragmented, so that one IP datagram becomes several associated IP datagrams.
Second, the Ethernet frame header. Ethernet frames come in two formats. The first is the Ethernet II frame format, which is the one you most often see when capturing packets with Wireshark. The second is the IEEE 802.3 format. The commonly used one is the first, Ethernet II. The byte structure of the Ethernet II format is shown in the picture below:
This picture clearly shows the structure of Ethernet II. Here is a screenshot to explain it:
Expand Ethernet II and you can clearly see that it contains three fields, Destination, Source and Type, which correspond in turn to DMAC, SMAC and TYPE. Here the Type is IPv4, meaning that the frame carries an IP packet of version 4. In other words, the Type field identifies the higher-level protocol carried by the Ethernet frame. The structure diagram also shows that it can correspond to the ARP protocol, that is, an Ethernet frame can be associated with the network layer (the IP protocol) and also with the second layer, the data link layer (the ARP protocol). Here, however, it corresponds to the IP protocol. This shows that the Ethernet frame connects the layers.
Third, the contents of the IP protocol. The format of the IP protocol is shown below:
The IP protocol has a lot of content, so we cover only the key points. An IP packet consists of a header and a data part (light blue is the header, yellow is the data part). The data part is the data to be transferred, such as TCP or UDP protocol data, which we will not discuss here. Let's start with the header, which is composed of a fixed part and a variable part. The fixed part has a fixed length of 20 bytes, that is, the first five rows in the figure above: each row runs from bit 0 to bit 31, 32 bits in total, which is four bytes, and 4 × 5 = 20 bytes. These 20 bytes are fixed. We now focus on the key fields in these 20 bytes. The corresponding IP structure in Wireshark is shown below:
The first red circle is Header Length, the length of the header. Note that 0101 converts to 5 in decimal, but that does not mean the header is 5 bytes long, because each unit represents 32 bits, that is, four bytes. So 5 × 4 = 20, exactly 20 bytes, which shows that this packet carrying UDP (see below for how to tell that it is UDP) has only the fixed header and nothing extra. Also, because the smallest unit of header length is four bytes, when the header has optional fields, padding is added until the length is an integer multiple of 4 bytes. That is why the IP packet diagram above includes a padding field. Next is Total Length, the total length of the IP packet: the length of the header plus the data part. The most important field is Protocol, the higher-level (transport layer) protocol carried in the IP packet. From its name we can see that the protocol carried in this IP packet is UDP. Two more important fields are Source and Destination: the source IP address, which is our local machine, and the destination IP address, which is the address we are connecting to.
Fourth, the UDP protocol. The Wireshark view of UDP is shown below:
Because the byte structure of UDP is relatively simple, with only four parts (the four red circles in the figure above), I won't post a structure diagram. Each of these four fields occupies 16 bits, that is, two bytes, so the UDP header is a fixed 8 bytes. The first two bytes, Source Port, are the source port, that is, the UDP port on this machine. Destination Port is the port on the target host. Then comes Length, which is again the header length plus the length of the data part. In the figure above it is 37; 37 minus the header length of 8 is 29, which means the data part of this UDP packet (also called a UDP datagram) is 29 bytes. To see what that data is, look at the selected part in the figure below:
The selected part is the data. What I have blocked out with a red line is the destination MAC and source MAC address of the Ethernet frame. That basically completes the walk through this Ethernet frame.
The Ethernet frame also ends with a four-byte FCS, which is mainly used for the cyclic redundancy check. However, if you are careful, you may notice that the total length of the Ethernet frame is 71 bytes and the IP datagram's Total Length is 57 bytes. Add the Ethernet frame header (6 + 6 + 2 = 14 bytes) and 57 + 14 = 71 bytes. So where are the four FCS bytes at the end? Did we make a mistake in the calculation? Obviously our calculation is correct. This is because the router and other hardware have already verified the Ethernet frame and return only the preceding part to the operating system. The FCS is not returned to the operating system, so Wireshark cannot capture the four check bytes at the end. Of course, an Ethernet frame that fails the check will not be captured by Wireshark either, so the Ethernet frames we see are all correct frames that have passed the check.
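The walk through the four layers above, as an added example that is not part of the original post: a Python parser that decodes a constructed 71-byte Ethernet II frame using the same lengths the tutorial reads off in Wireshark (14-byte Ethernet header, IP Total Length 57, UDP Length 37, 29 data bytes). The MAC addresses, IP addresses, ports and payload are made up for illustration.

```python
import socket
import struct

ETH_HDR_LEN = 14   # DMAC(6) + SMAC(6) + Type(2); the 4-byte FCS is not in the capture

def parse_frame(frame: bytes) -> dict:
    """Decode Ethernet II -> IPv4 -> UDP and return the fields discussed above."""
    if len(frame) < ETH_HDR_LEN + 20:
        raise ValueError("frame too short for Ethernet II + IPv4 headers")
    dmac, smac, eth_type = struct.unpack("!6s6sH", frame[:ETH_HDR_LEN])
    if eth_type != 0x0800:                      # Type 0x0800 = IPv4
        raise ValueError(f"not IPv4: Type=0x{eth_type:04x}")
    ip = frame[ETH_HDR_LEN:]
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4                  # Header Length counts 4-byte units
    if ver_ihl >> 4 != 4 or ihl < 20 or not ihl <= total_len <= len(ip):
        raise ValueError("inconsistent IPv4 header")
    if proto != 17:                             # Protocol 17 = UDP
        raise ValueError(f"not UDP: Protocol={proto}")
    udp = ip[ihl:total_len]                     # skips IP options, drops trailing padding
    if len(udp) < 8:
        raise ValueError("truncated UDP header")
    sport, dport, udp_len, _ = struct.unpack("!HHHH", udp[:8])
    if not 8 <= udp_len <= len(udp):
        raise ValueError("inconsistent UDP Length")
    return {
        "dmac": dmac.hex(":"), "smac": smac.hex(":"),
        "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
        "ip_header_len": ihl, "ip_total_len": total_len,
        "sport": sport, "dport": dport, "udp_len": udp_len,
        "data": udp[8:udp_len],
    }

def build_sample_frame() -> bytes:
    """Constructed 71-byte frame (made-up addresses/ports; checksums left 0, not verified)."""
    data = b"x" * 29
    udp = struct.pack("!HHHH", 50000, 9999, 8 + len(data), 0) + data
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 1, 0, 64, 17, 0,
                     socket.inet_aton("192.0.2.10"), socket.inet_aton("192.0.2.20"))
    eth = struct.pack("!6s6sH", bytes.fromhex("020000000002"),
                      bytes.fromhex("020000000001"), 0x0800)
    return eth + ip + udp

if __name__ == "__main__":
    frame = build_sample_frame()
    info = parse_frame(frame)
    print(len(frame), info["ip_total_len"], info["udp_len"], len(info["data"]))
```

The length checks reject frames whose Header Length, Total Length or UDP Length fields disagree with the bytes actually captured, instead of reading past the end of the buffer.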