Wireshark data capture and analysis of the transport layer protocol (TCP protocol)
2022-08-03 02:38:00 【ChuMeng1999】
The previous lesson covered the UDP protocol in detail. UDP is very simple and easy to implement, but its reliability is poor: once a datagram has been sent, the sender has no way of knowing whether the other side received it. TCP was created to solve this problem. TCP provides reliable delivery because every segment sent must be acknowledged; if a segment is lost, the sender receives no acknowledgment for it and knows it has to retransmit that segment. In this way TCP ensures that the data arrives intact.
A TCP port is the window through which a service is offered over TCP. All TCP communication uses a source port and a destination port, and both can be found in every TCP header. Ports are like the jacks on an old-fashioned telephone switchboard: an operator watches the lights and plugs on a panel, and when a light comes on she connects to the caller, asks who they want, and plugs a cable into the jack for the destination. Every call has a source port (the caller) and a destination port (the receiver). TCP ports work in much the same way.
To deliver data to a specific application on a remote server or device, a TCP segment must be sent to the port the remote service is listening on; a connection attempt to any other port fails. The source port in this exchange matters much less and can be chosen at random, and the remote server simply reads it from the packet it receives. The figure below lists the TCP ports used by the two services in the diagram.
The figure shows a client communicating with a web server and a mail server. You can see that when the client connects to different servers, it uses different source and destination ports.
TCP has 65535 ports available, and they are usually divided into two groups, as follows:
1~1023: the standard (well-known) port group (ignoring the reserved port 0). Well-known services are normally assigned ports in this group.
1024~65535: the ephemeral port group (some operating systems define the range differently). When a service needs a port for an outgoing connection, the operating system picks the source port at random so that the connection has a unique source port; these source ports normally fall in the ephemeral group.
In the TCP/IP suite, TCP provides a reliable connection-oriented service and establishes each connection with a three-way handshake. All TCP-based communication starts with a handshake between the two hosts. The three-way handshake is introduced below and shown in the following figure:
The figure above shows the TCP three-way handshake. To help learners understand TCP more clearly, the handshake is described step by step below. In the figure, Seq is the sequence number of the request, Ack is the acknowledgment number, and SYN and ACK are control bits.
3.1 First handshake
3.2 Second handshake
The second handshake actually does two things in one segment: it is a SYN+ACK (request plus acknowledgment) segment.
3.3 Third handshake
This completes the three-way handshake; the client can now begin sending data to the server.
In TCP, every connection that was opened with a handshake is eventually terminated. Just as a greeting is eventually followed by a goodbye, the TCP teardown gracefully ends the connection once both devices have finished communicating. The process involves 4 packets and uses the FIN flag to signal the end of the connection.
The TCP four-way disconnect is shown below:
The four-step process shown above uses 4 packets to disconnect from the server. A detailed overview of the whole process follows:
(2) After the server receives the packet sent by the client, it sends an ACK packet in response.
(3) The server then sends its own FIN/ACK packet.
(4) When the client receives the server's FIN/ACK packet, it responds with an ACK packet, and the communication ends.
Ideally, every connection would end with the TCP four-way teardown marking the normal end of the session. In practice, connections are often dropped abruptly, for example because a potential attacker is running a port scan, or simply because a host is misconfigured. In these cases a TCP packet with the RST flag set is used. The RST flag indicates that the connection was aborted, or that the packet is refusing a connection request.
In the lab environment we simulate data transfer between two machines on a LAN in order to capture and analyze TCP traffic.
The tool is the same one used for the UDP analysis and is already installed in the lab environment, so the setup is not repeated here: we use the “TCP&UDP测试工具” (TCP&UDP test tool) to build and send TCP packets. Double-click “TCP&UDP测试工具” on the tester machine's desktop and the window shown below appears:
The captured TCP packets fall into two parts: the three-way handshake and the four-way disconnect. In practice you may run into more complicated situations, such as many source and destination IPs or out-of-order frame numbers, so here we show the simple filtering and coloring features that make the capture easier to read. Start Wireshark, enter tcp in the Filter field and click Apply. You will see a large number of packets, because many applications in the test environment are talking to their servers over TCP, as shown below:
There is a lot of data, which is inconvenient to read. Since we know the IP addresses of the two machines, we can enter “ip.addr == and ip.addr ==” (with the two addresses filled in after each ==) in the filter to select only the traffic we want. Then click the “连接” (Connect) button in the tool, as shown below:
Type “hetinlabtcp” in the send area and click send; the TCP data will keep updating.
After clicking “断开连接” (Disconnect), the TCP four-way disconnect appears. Screenshots of the whole process are shown below:
If you still find the protocol inconvenient to analyze, Wireshark also offers coloring and export of selected frames. Left-click a frame, right-click and choose “Colorize Conversation”, then “TCP” in the submenu, then the color you like, as shown below:
It is now easy to see that frames 70, 73 and 74 are the TCP three-way handshake and frames 428, 429, 430 and 431 are the four-way disconnect. If you also want to save the handshake and disconnect packets separately, Wireshark supports that too, even when the frame numbers are not consecutive. First save the handshake packets: because the handshake frames are not consecutive, right-click frame 70, choose “Mark Packet (toggle)”, and then do the same for frames 73 and 74, as shown below:
In the Wireshark menu bar, choose File→Export Specified Packets, which opens the following dialog:
Select Marked packets, choose the file name and path, and you are done. Now save the four disconnect packets: because frames 428-431 are consecutive, choose File→Export Specified Packets from the Wireshark menu bar, which opens the following dialog:
Select Range, enter the first and last frame numbers, and choose the file name and path.
Task description: in experiment one we captured the packets and saved them by category. The second experiment analyzes the TCP three-way handshake in detail.
In the table above, the meaning of each field of the TCP header is as follows:
Sequence number: this number identifies a TCP segment. The field is used to make sure that no part of the data stream is lost.
Acknowledgment number: the sequence number of the next packet that this device expects from the other device.
Checksum: used to verify the integrity of the TCP header and data when they arrive at the destination.
The flags available in TCP transmission were mentioned above; the roles of the 6 flags are described in turn below:
URG: the urgent flag, indicates that the urgent pointer of the TCP segment is valid. It is used to keep the TCP connection from being interrupted and to urge intermediate devices to process this data as quickly as possible.
ACK: the acknowledgment flag, indicates that the acknowledgment field is valid, i.e. the TCP acknowledgment number described earlier is carried in the TCP segment. The flag has two values, 0 and 1: 1 means the acknowledgment field is valid, 0 means it is not.
PSH: indicates a Push operation. A Push operation means that once the data reaches the receiver it is delivered to the application immediately rather than waiting in the buffer.
RST: indicates a connection reset request. It is used to reset connections that have produced errors, and also to reject erroneous or illegal packets.
SYN: synchronize sequence numbers; used to establish a connection. The SYN and ACK flags are used together: in a connection request, SYN=1 and ACK=0; in the response, SYN=1 and ACK=1. Packets with this flag are often used for port scanning: the scanner sends a SYN packet, and if the target host sends a packet back, the port is open on that host. Because this kind of scan only performs the first step of the TCP three-way handshake, a successful scan indicates that the scanned machine is not secure, since a secure host forces every connection to go through the full TCP three-way handshake.
FIN: indicates that the sender has reached the end of its data, i.e. the data transfer between the two sides is complete and there is nothing more to send. After a TCP packet with the FIN flag is sent, the connection is closed. Packets with this flag are also often used for port scanning: after a FIN packet is sent to a specific port on a computer, if the computer responds with a TCP packet carrying the RST flag, the port is not open on that computer but the computer is there; if the computer returns no packet at all, that port on the scanned computer is marked as open.
The three-way handshake is the most important part of understanding TCP. Below we use the capture file tcp-handshake.pcapng as an example to analyze the TCP three-way handshake.
2.1 First handshake
In the Info column of Wireshark's Packet List pane the TCP flag shown is SYN, so this packet is the first handshake, sent by the client to the server. The Packet Details pane shows the details of the packet, described below:
The information above says that this is the detail of frame 1 and that the frame is 62 bytes long.
The content above is the Ethernet frame header: the source MAC address is 02:00:04:78:01:7b and the destination MAC address is 02:00:7b:16:02:43.
The content above is the transport-layer header, which here is TCP, with source port 56678 and destination port 6000. Each field of the header is described in detail below.
Source Port: 56678 (56678) # source port number
Destination Port: 6000 (6000) # destination port number
Stream index: 0 # stream index
TCP Segment Len: 0 # segment length
Sequence number: 0 (relative sequence number) # sequence number
Acknowledgment number: 0 # acknowledgment number
Header Length: 28 bytes # header length
.... 0000 0000 0010 = Flags: 0x002 (SYN) # flags, here SYN
000. .... .... = Reserved: Not set
...0 .... .... = Nonce: Not set
.... 0... .... = Congestion Window Reduced (CWR): Not set
.... .0.. .... = ECN-Echo: Not set
.... ..0. .... = Urgent: Not set # urgent pointer flag
.... ...0 .... = Acknowledgment: Not set # acknowledgment flag
.... .... 0... = Push: Not set
.... .... .0.. = Reset: Not set
.... .... ..1. = Syn: Set # SYN flag set, value 1
Expert Info (Chat/Sequence): Connection establish request (SYN): server port 6000 # expert info
Connection establish request (SYN): server port 6000 # message
Severity level: Chat # severity level
Group: Sequence # group
.... .... ...0 = Fin: Not set # FIN flag
Window size value: 8192 # window size
Calculated window size: 8192 # calculated window size
Checksum: 0x16d3 [validation disabled] # checksum
Good Checksum: False
Bad Checksum: False
Urgent pointer: 0
Options: (8 bytes), Maximum segment size, No-Operation (NOP), No-Operation (NOP), SACK permitted # options
Maximum segment size: 1460 bytes # maximum segment size
Kind: Maximum Segment Size (2)
Length: 4
MSS Value: 1460
No-Operation (NOP) # no-operation
Type: 1
0... .... = Copy on fragmentation: No
.00. .... = Class: Control (0)
...0 0001 = Number: No-Operation (NOP) (1)
No-Operation (NOP) # no-operation
Type: 1
0... .... = Copy on fragmentation: No
.00. .... = Class: Control (0)
...0 0001 = Number: No-Operation (NOP) (1)
TCP SACK Permitted Option: True # TCP SACK permitted option
Kind: SACK Permitted (4)
Length: 2
From the information above, the packet is sent by the client to the server to request a connection. The source port is 56678, the destination port is 6000 and the acknowledgment number is 0. In the Flags field (0x0002) only SYN, the synchronize flag, is set, which means a connection request. The options take 8 bytes and include the maximum segment size (MSS), which is 1460 bytes.
We map the information above onto the fields of the TCP header format, as follows:
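The following added example, which is not part of the original tutorial, decodes a constructed raw TCP header carrying the same values as the SYN dump above (ports 56678 to 6000, 28-byte header, flags 0x002, window 8192, checksum 0x16d3, options MSS/NOP/NOP/SACK permitted) into the fields just discussed; the raw sequence number and the function name are assumptions.

```python
import struct

# Bits of the 12-bit TCP flags field, in the order Wireshark lists them.
FLAG_BITS = {"NS": 0x100, "CWR": 0x080, "ECE": 0x040, "URG": 0x020, "ACK": 0x010,
             "PSH": 0x008, "RST": 0x004, "SYN": 0x002, "FIN": 0x001}

def parse_tcp_header(data: bytes) -> dict:
    """Decode a raw TCP header (20 fixed bytes plus options) into a dict."""
    if len(data) < 20:
        raise ValueError("TCP header needs at least 20 bytes")
    src, dst, seq, ack, off_flags, win, csum, urg = struct.unpack("!HHIIHHHH", data[:20])
    hdr_len = (off_flags >> 12) * 4          # data offset is counted in 32-bit words
    if hdr_len < 20 or hdr_len > len(data):
        raise ValueError("bad data offset")
    flags = [name for name, bit in FLAG_BITS.items() if off_flags & bit]
    options, mss, sack_permitted = [], None, False
    i = 20
    while i < hdr_len:                       # walk the kind/length/value options
        kind = data[i]
        if kind == 0:                        # End of Option List
            break
        if kind == 1:                        # NOP: a single byte with no length field
            options.append("NOP"); i += 1; continue
        length = data[i + 1] if i + 1 < hdr_len else 0
        if length < 2 or i + length > hdr_len:
            raise ValueError(f"malformed option kind {kind}")
        body = data[i + 2:i + length]
        if kind == 2 and len(body) == 2:     # Maximum Segment Size
            mss = struct.unpack("!H", body)[0]; options.append("MSS")
        elif kind == 4:                      # SACK permitted
            sack_permitted = True; options.append("SACK permitted")
        else:
            options.append(f"kind {kind}")
        i += length
    return {"src_port": src, "dst_port": dst, "seq": seq, "ack": ack,
            "header_len": hdr_len, "flags": flags, "window": win,
            "checksum": csum, "urgent": urg, "options": options,
            "mss": mss, "sack_permitted": sack_permitted}

# Constructed bytes matching the first-handshake SYN dump in this tutorial.
# The raw sequence number is made up (Wireshark showed it as relative 0).
SYN_SEGMENT = bytes.fromhex(
    "dd66 1770"            # source port 56678, destination port 6000
    "12345678"             # sequence number (constructed)
    "00000000"             # acknowledgment number 0
    "7002 2000"            # data offset 7 words = 28 bytes, flags 0x002 (SYN), window 8192
    "16d3 0000"            # checksum 0x16d3, urgent pointer 0
    "0204 05b4 0101 0402"  # MSS 1460, NOP, NOP, SACK permitted
)

if __name__ == "__main__":
    for key, value in parse_tcp_header(SYN_SEGMENT).items():
        print(f"{key}: {value}")
```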
2.2 Second handshake
Details of the second handshake packet:
This view shows the details of the second handshake packet. The sections above the TCP section are similar to those of the first handshake and are not explained again; we concentrate on the TCP part, as follows:
Source Port: 6000(6000) # source port number
Destination Port: 56678(56678) # destination port number
Stream index: 0 # stream index
TCP Segment Len: 0 # segment length
Sequence number: 0 (relative sequence number) # sequence number
Acknowledgment number: 1 (relative ack number) # acknowledgment number, value 1
Header Length: 28 bytes # header length
.... 0000 0001 0010 = Flags: 0x012 (SYN,ACK) # flags, here (SYN,ACK)
000. .... .... = Reserved: Not set
...0 .... .... = Nonce: Not set
.... 0... .... = Congestion Window Reduced (CWR): Not set
.... .0.. .... = ECN-Echo: Not set
.... ..0. .... = Urgent: Not set
.... ...1 .... = Acknowledgment: Set # acknowledgment flag set
.... .... 0... = Push: Not set
.... .... .0.. = Reset: Not set
.... .... ..1. = Syn: Set # SYN flag
Expert Info (Chat/Sequence): Connection establish request (SYN): server port 6000 # expert info
Connection establish request (SYN): server port 6000 # message
Severity level: Chat # severity level
Group: Sequence # group
.... .... ...0 = Fin: Not set # FIN flag
Window size value: 8192 # window size
Calculated window size: 8192 # calculated window size
Checksum: 0x5bf8 [validation disabled] # checksum
Good Checksum: False
Bad Checksum: False
Urgent pointer: 0
Options: (8 bytes), Maximum segment size, No-Operation (NOP), No-Operation (NOP), SACK permitted # options
Maximum segment size: 1460 bytes # maximum segment size
Kind: Maximum Segment Size (2)
Length: 4
MSS Value: 1460
No-Operation (NOP) # no-operation
Type: 1
0... .... = Copy on fragmentation: No
.00. .... = Class: Control (0)
...0 0001 = Number: No-Operation (NOP) (1)
No-Operation (NOP) # no-operation
Type: 1
0... .... = Copy on fragmentation: No
.00. .... = Class: Control (0)
...0 0001 = Number: No-Operation (NOP) (1)
TCP SACK Permitted Option: True # TCP SACK permitted option
Kind: SACK Permitted (4)
Length: 2
SEQ/ACK analysis # sequence/acknowledgment number analysis
This is an ACK to the segment in frame: 1
The RTT to ACK the segment was: 0.002362000 seconds
iRTT: 0.002387000 seconds
The above details the acknowledgment (SYN+ACK) that the server sends to the client after receiving the request. From the description, the frame's initial sequence number is 0 and its acknowledgment number is 1. The acknowledgment number is one greater than the sequence number of the previous packet (frame 1), because this field carries the next sequence number the host expects to receive.
We map the information above onto the fields of the TCP header format, as follows:
2.3 Third handshake
Details of the third handshake packet:
Here we go straight to the key part, the TCP section:
Source Port: 56678(56678) # source port number
Destination Port: 6000(6000) # destination port number
Stream index: 0 # stream index
TCP Segment Len: 0 # segment length
Sequence number: 1 (relative sequence number) # sequence number
Acknowledgment number: 1 (relative ack number) # acknowledgment number, value 1
Header Length: 20 bytes # header length
.... 0000 0001 0000 = Flags: 0x010 (ACK) # flags, here (ACK)
000. .... .... = Reserved: Not set
...0 .... .... = Nonce: Not set
.... 0... .... = Congestion Window Reduced (CWR): Not set
.... .0.. .... = ECN-Echo: Not set
.... ..0. .... = Urgent: Not set
.... ...1 .... = Acknowledgment: Set # acknowledgment flag set
.... .... 0... = Push: Not set
.... .... .0.. = Reset: Not set
.... .... ..0. = Syn: Not set # SYN flag
.... .... ...0 = Fin: Not set # FIN flag
Window size value: 64240 # window size
Calculated window size: 64240 # calculated window size
Window size scaling factor: -2 (no window scaling used) # window scaling factor
Checksum: 0x16cb [validation disabled] # checksum
Good Checksum: False
Bad Checksum: False
Urgent pointer: 0
SEQ/ACK analysis
This is an ACK to the segment in frame: 2
The RTT to ACK the segment was: 0.000025000 seconds
iRTT: 0.002387000 seconds
The above is the acknowledgment packet the client sends to the server. Both the sequence number and the acknowledgment number are 1, and only the ACK flag is set, which marks the packet as an acknowledgment. This completes the TCP connection establishment phase. There is no Options field in this packet.
We map the information above onto the fields of the TCP header format, as follows:
Task description: the four-way disconnect is also one of TCP's main jobs. Below, the capture file tcp-break.pcapng is used to analyze the TCP four-way disconnect.
The first disconnect packet:
Source Port: 56678(56678) # source port number
Destination Port: 6000(6000) # destination port number
Stream index: 0 # stream index
TCP Segment Len: 0 # segment length
Sequence number: 1 (relative sequence number) # sequence number
Acknowledgment number: 1 (relative ack number) # acknowledgment number
Header Length: 20 bytes # header length
.... 0000 0001 0001 = Flags: 0x011 (FIN,ACK) # flags, here (FIN,ACK)
000. .... .... = Reserved: Not set
...0 .... .... = Nonce: Not set
.... 0... .... = Congestion Window Reduced (CWR): Not set
.... .0.. .... = ECN-Echo: Not set
.... ..0. .... = Urgent: Not set
.... ...1 .... = Acknowledgment: Set # acknowledgment flag set
.... .... 0... = Push: Not set
.... .... .0.. = Reset: Not set
.... .... ..0. = Syn: Not set # SYN flag
.... .... ...1 = Fin: Set # FIN flag set
Expert Info (Chat/Sequence): Connection finish (FIN) # expert info
Connection finish (FIN) # message, connection finish (FIN)
Severity level: Chat # severity level
Group: Sequence
Window size value: 64240 # window size
Calculated window size: 64240 # calculated window size
Window size scaling factor: -1 (unknown) # window scaling factor
Checksum: 0x16cb [validation disabled] # checksum
Good Checksum: False
Bad Checksum: False
Urgent pointer: 0
From the information above, the client begins the disconnect by sending the server a packet with the FIN and ACK flags; both FIN and ACK are 1.
We map the information above onto the fields of the TCP header format, as follows:
The second disconnect packet:
Source Port: 6000(6000) # source port number
Destination Port: 56678(56678) # destination port number
Stream index: 0 # stream index
TCP Segment Len: 0 # segment length
Sequence number: 1 (relative sequence number) # sequence number
Acknowledgment number: 2 (relative ack number) # acknowledgment number
Header Length: 20 bytes # header length
.... 0000 0001 0000 = Flags: 0x010 (ACK) # flags, here (ACK)
000. .... .... = Reserved: Not set
...0 .... .... = Nonce: Not set
.... 0... .... = Congestion Window Reduced (CWR): Not set
.... .0.. .... = ECN-Echo: Not set
.... ..0. .... = Urgent: Not set
.... ...1 .... = Acknowledgment: Set # acknowledgment flag set
.... .... 0... = Push: Not set
.... .... .0.. = Reset: Not set
.... .... ..0. = Syn: Not set # SYN flag
.... .... ...0 = Fin: Not set # FIN flag
Window size value: 64240 # window size
Calculated window size: 64240 # calculated window size
Window size scaling factor: -1 (unknown) # window scaling factor
Checksum: 0xadbe [validation disabled] # checksum
Good Checksum: False
Bad Checksum: False
Urgent pointer: 0
SEQ/ACK analysis
This is an ACK to the segment in frame: 1
The RTT to ACK the segment was: 0.000369000 seconds
From the information above, this is the ACK packet the server sends to the client; the ACK flag is 1.
We map the information above onto the fields of the TCP header format, as follows:
The third disconnect packet:
Source Port: 6000(6000) # source port number
Destination Port: 56678(56678) # destination port number
Stream index: 0 # stream index
TCP Segment Len: 0 # segment length
Sequence number: 1 (relative sequence number) # sequence number
Acknowledgment number: 2 (relative ack number) # acknowledgment number
Header Length: 20 bytes # header length
.... 0000 0001 0001 = Flags: 0x011 (FIN,ACK) # flags, here (FIN,ACK)
000. .... .... = Reserved: Not set
...0 .... .... = Nonce: Not set
.... 0... .... = Congestion Window Reduced (CWR): Not set
.... .0.. .... = ECN-Echo: Not set
.... ..0. .... = Urgent: Not set
.... ...1 .... = Acknowledgment: Set # acknowledgment flag set
.... .... 0... = Push: Not set
.... .... .0.. = Reset: Not set
.... .... ..0. = Syn: Not set # SYN flag
.... .... ...1 = Fin: Set # FIN flag set
Expert Info (Chat/Sequence): Connection finish (FIN) # expert info
Connection finish (FIN)
Severity level: Chat
Group: Sequence
Window size value: 64240 # window size
Calculated window size: 64240 # calculated window size
Window size scaling factor: -1 (unknown) # window scaling factor
Checksum: 0xadbe [validation disabled] # checksum
Good Checksum: False
Bad Checksum: False
Urgent pointer: 0
From the information above, this is the FIN/ACK packet the server sends to the client; both FIN and ACK are 1.
We map the information above onto the fields of the TCP header format, as follows:
The fourth disconnect packet:
Source Port: 56678(56678) # source port number
Destination Port: 6000(6000) # destination port number
Stream index: 0 # stream index
TCP Segment Len: 0 # segment length
Sequence number: 2 (relative sequence number) # sequence number
Acknowledgment number: 1 (relative ack number) # acknowledgment number
Header Length: 20 bytes # header length
.... 0000 0001 0000 = Flags: 0x010 (ACK) # flags, here (ACK)
000. .... .... = Reserved: Not set
...0 .... .... = Nonce: Not set
.... 0... .... = Congestion Window Reduced (CWR): Not set
.... .0.. .... = ECN-Echo: Not set
.... ..0. .... = Urgent: Not set
.... ...1 .... = Acknowledgment: Set # acknowledgment flag set
.... .... 0... = Push: Not set
.... .... .0.. = Reset: Not set
.... .... ..0. = Syn: Not set # SYN flag
.... .... ...0 = Fin: Not set # FIN flag
Window size value: 64240 # window size
Calculated window size: 64240 # calculated window size
Window size scaling factor: -1 (unknown) # window scaling factor
Checksum: 0x16cb [validation disabled] # checksum
Good Checksum: False
Bad Checksum: False
Urgent pointer: 0
SEQ/ACK analysis
This is an ACK to the segment in frame: 3
The RTT to ACK the segment was: 0.000040000 seconds
From the information above, this is the ACK packet the client sends to the server; the ACK flag is 1.
We map the information above onto the fields of the TCP header format, as follows:
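As an added example that is not part of the original tutorial, the following code ties the handshake analysis and the four-way disconnect analysis together: it labels each segment of a constructed conversation between ports 56678 and 6000 and checks that SYN and FIN each consume one sequence number, which is why the acknowledgment numbers in the dumps step from 1 to 2. The function name, the stage names and the segment list are assumptions.

```python
# Segment = (src_port, dst_port, flags, relative_seq, relative_ack); no payload.
def classify(segs):
    """Label each segment of one TCP conversation and report seq/ack violations."""
    labels, problems = [], []
    stage = "closed"
    next_seq = {}  # sender port -> next sequence number it should use
    for n, (src, dst, flags, seq, ack) in enumerate(segs, 1):
        flags = set(flags)
        if src in next_seq and seq != next_seq[src]:
            problems.append(f"#{n}: seq {seq}, expected {next_seq[src]}")
        if "ACK" in flags and dst in next_seq and ack != next_seq[dst]:
            problems.append(f"#{n}: ack {ack}, expected {next_seq[dst]}")
        # SYN and FIN each occupy one sequence number; a pure ACK occupies none
        next_seq[src] = seq + (1 if flags & {"SYN", "FIN"} else 0)
        if "RST" in flags:
            label, stage = "abort (RST)", "closed"
        elif stage == "closed" and flags == {"SYN"}:
            label, stage = "handshake 1 (SYN)", "syn-sent"
        elif stage == "syn-sent" and flags == {"SYN", "ACK"}:
            label, stage = "handshake 2 (SYN,ACK)", "syn-received"
        elif stage == "syn-received" and flags == {"ACK"}:
            label, stage = "handshake 3 (ACK)", "established"
        elif stage == "established" and "FIN" in flags:
            label, stage = "teardown 1 (FIN,ACK)", "fin-wait-1"
        elif stage == "fin-wait-1" and "FIN" not in flags:
            label, stage = "teardown 2 (ACK)", "fin-wait-2"
        elif stage in ("fin-wait-1", "fin-wait-2") and "FIN" in flags:
            label, stage = "teardown 3 (FIN,ACK)", "last-ack"
        elif stage == "last-ack" and flags == {"ACK"}:
            label, stage = "teardown 4 (ACK)", "closed"
        elif stage == "established":
            label = "data"
        else:
            label = "unexpected"
            problems.append(f"#{n}: {sorted(flags)} while {stage}")
        labels.append(label)
    return labels, problems

# Constructed conversation between the ports used in this tutorial (client 56678,
# server 6000) with the relative seq/ack numbers the handshake and teardown dumps show.
C, S = 56678, 6000
SESSION = [
    (C, S, {"SYN"}, 0, 0), (S, C, {"SYN", "ACK"}, 0, 1), (C, S, {"ACK"}, 1, 1),
    (C, S, {"FIN", "ACK"}, 1, 1), (S, C, {"ACK"}, 1, 2),
    (S, C, {"FIN", "ACK"}, 1, 2), (C, S, {"ACK"}, 2, 2),
]

if __name__ == "__main__":
    for seg, label in zip(SESSION, classify(SESSION)[0]):
        print(f"{seg[0]} -> {seg[1]} {sorted(seg[2])}: {label}")
```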
