Wireshark network packet capture (three) - Network protocol

One, ARP protocol

ARP (Address Resolution Protocol) resolves an IP address into a MAC address.

The IP address belongs to layer 3 of the OSI model and the MAC address to layer 2; the two layers do not communicate with each other directly.

When an IP packet is sent over Ethernet, it is first encapsulated with a layer-3 header (32-bit IP address) and then with a layer-2 header (48-bit MAC address).

But when a packet is sent, only the destination IP address is known, not the MAC address, so the packet cannot cross from layer 3 to layer 2 on its own; this is why ARP is needed.

ARP request and reply workflow:

Capture of a "ping" to a domain name from a DOS (command prompt) window:
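As an added example (not code from the original post), the request/reply pair seen in the capture above, built and decoded from constructed Ethernet frames; the MAC and IP addresses are made up, and `answers()` is the check a monitoring tool would apply to confirm that a reply really belongs to an outstanding request:

```python
import struct
from ipaddress import IPv4Address

# Constructed example: parse Ethernet-encapsulated ARP and pair a reply with
# the request it answers. Not code from the original post.
ARP_FMT = "!HHBBH6s4s6s4s"        # fixed 28-byte ARP body for IPv4 over Ethernet
ARP_REQUEST, ARP_REPLY = 1, 2
ETHERTYPE_ARP = 0x0806

def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)

def parse_arp(frame):
    """Return a dict of ARP fields, or None if the frame is not IPv4-over-Ethernet ARP."""
    if len(frame) < 14 + 28 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(ARP_FMT, frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"op": op, "sender_mac": mac_str(sha), "sender_ip": str(IPv4Address(spa)),
            "target_mac": mac_str(tha), "target_ip": str(IPv4Address(tpa))}

def build_arp(op, sha, spa, tha, tpa, dst_mac):
    """Build an Ethernet frame carrying one ARP message (addresses as 6/4-byte values or dotted IP)."""
    body = struct.pack(ARP_FMT, 1, 0x0800, 6, 4, op, sha, IPv4Address(spa).packed,
                       tha, IPv4Address(tpa).packed)
    return dst_mac + sha + struct.pack("!H", ETHERTYPE_ARP) + body

def answers(request, reply):
    """True if `reply` resolves the IP asked for in `request` and is addressed back to the asker."""
    return (request["op"] == ARP_REQUEST and reply["op"] == ARP_REPLY
            and reply["sender_ip"] == request["target_ip"]
            and reply["target_ip"] == request["sender_ip"]
            and reply["target_mac"] == request["sender_mac"])

# Constructed sample frames: host 192.168.1.10 asks who has 192.168.1.1 (the gateway).
HOST_MAC = bytes.fromhex("aabbccddee01")
GW_MAC = bytes.fromhex("aabbccddee02")
BROADCAST = b"\xff" * 6
REQUEST = build_arp(ARP_REQUEST, HOST_MAC, "192.168.1.10", b"\x00" * 6, "192.168.1.1", BROADCAST)
REPLY = build_arp(ARP_REPLY, GW_MAC, "192.168.1.1", HOST_MAC, "192.168.1.10", HOST_MAC)

if __name__ == "__main__":
    req, rep = parse_arp(REQUEST), parse_arp(REPLY)
    print(req)
    print(rep)
    print("reply answers request:", answers(req, rep))
```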

Two, IP protocol

IP (Internet Protocol): its main purpose is to let different networks communicate with each other. It sits at the network layer of the OSI model and is responsible for addressing across networks.

When data is transmitted by broadcast, hosts are located by MAC address, which requires the computers to be on the same subnet.

When the destination is not on the same subnet, the packet has to be routed, and the IP address is used to locate it.

Again, a capture of a "ping" to a domain name from a DOS window:

Three, TCP protocol

TCP (Transmission Control Protocol) is a connection-oriented, reliable transport protocol built on IP; its main purpose is to provide reliable end-to-end data transmission.

It works at layer 4 of the OSI model, handles data sequencing and error recovery, and ensures that data eventually reaches where it should.

1) Flags

SYN: synchronize. The synchronization bit is used when establishing a connection. SYN = 1, ACK = 0 indicates a connection request segment; SYN = 1, ACK = 1 indicates agreement to establish the connection.

FIN: finish. FIN = 1 indicates that the sender of this segment has finished transmitting its data and asks to release the connection.

ACK: acknowledgment. ACK = 1 means the segment carries an acknowledgment; 0 means it is not an acknowledgment segment.

DUP ACK: duplicate acknowledgment. Repeated acknowledgments for the same data are usually caused by packet loss or delay; when you see them, look for the lost segment.

URG: urgent. URG = 1 indicates the segment carries urgent data that should be transmitted as soon as possible.

PSH: push. PSH = 1 tells the receiver to deliver the data to the application process as soon as possible.

RST: reset. RST = 1 indicates a serious error in the TCP connection; the connection must be released and re-established.

2) Ports

When a client establishes connections to different servers, the source and destination ports can differ.

3) TCP three-way handshake

4) TCP four-way close

The four-way close is how TCP disconnects, for example when a web page is closed.

5) TCP concepts

1. Send window

The send window size cannot be read off directly; it is determined by the sending host. The send window defines how many bytes may be sent at once, and together with the MSS it determines how many packets are sent.

2. Congestion window (cwnd)

It describes the maximum number of packets a source can have outstanding under congestion control.

The sender maintains a virtual congestion window and uses various algorithms to keep it as close as possible to the real congestion point.

The network's limit on the send window is implemented through the congestion window.

3. Bytes in flight

Bytes that have been sent but not yet acknowledged.

Bytes in flight = Seq + Len - Ack

where Seq and Len come from a packet sent by the sender, and Ack comes from a packet sent by the receiver.

4. Congestion point

The number of bytes in flight at the moment congestion occurs in the network.

In Wireshark, find the first retransmission in a series, locate its original packet, and compute the bytes in flight from the Seq numbers at the time the last original packet was sent.

5. Slow start

The RFC recommends an initial congestion window of 2, 3 or 4 MSS. If the packets sent out are acknowledged, the congestion point has not been reached, and every acknowledgment of n MSS increases the window by n MSS.

6. Congestion avoidance

After slow start has run for a while, the congestion window reaches a large value and growth has to slow down; the RFC proposes increasing by one MSS per round-trip time. For example, once 16 MSS have all been acknowledged, the window grows to 17 MSS.

7. Retransmission timeout

If no acknowledgment arrives within a certain time (the RTO) after a packet is sent, the packet can only be retransmitted.

8. Fast retransmit

Driven by data rather than by time. If a packet fails to arrive, the packets after it are very likely acknowledged with the same ACK number; when the sender receives the same ACK three times in a row, it retransmits.

9. SACK (Selective Acknowledgment)

Selective acknowledgment of data, used with ACKs and fast retransmit. The receiver reports in a SACK option which ranges it has received, so the sender knows exactly which data arrived and which did not and needs to be resent.

10. Delayed ACK

If a packet is received and there is temporarily no data to send back, the acknowledgment is delayed. If data becomes available in the meantime, the acknowledgment and the data can be sent together in one packet.

11. LSO

LSO (Large Segment Offload) was invented to save CPU: to relieve the CPU, part of its work, such as TCP segmentation, is offloaded to the network card.

With LSO enabled, the TCP layer hands blocks larger than the MSS directly to the card, which performs the segmentation.

For example, "Seq = 348586, Len = 2776" is split by the card into the two packets "Seq = 348586, Len = 1388" and "Seq = 349974, Len = 1388".

A capture taken on the sending host sees what the CPU sees: only the one large segment, whereas the receiver sees two packets.

This is why a capture can show a retransmitted packet whose original packet never appears.
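An added example (not from the original post) that puts the bookkeeping from items 3, 8 and 11 into code: decoding the flag bits from a raw TCP header, computing bytes in flight as Seq + Len - Ack, detecting the three-duplicate-ACK condition for fast retransmit, and reproducing the LSO split of the 2776-byte segment. The header and the packet series are constructed sample data.

```python
import struct

# Added example, not code from the original post: TCP segment bookkeeping on
# constructed data (header bytes, a list of (seq, len) sent, a stream of acks).
FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}

def tcp_flags(header20):
    """Return the set of flag names set in a 20-byte TCP header."""
    flags = struct.unpack("!H", header20[12:14])[0] & 0x3F  # data offset sits in the top bits
    return {name for name, bit in FLAG_BITS.items() if flags & bit}

def bytes_in_flight(sent, last_ack):
    """sent: list of (seq, len) from the sender; last_ack: latest ack number from the receiver."""
    seq, length = max(sent, key=lambda s: s[0] + s[1])   # highest byte sent so far
    return seq + length - last_ack

def lso_split(seq, length, mss):
    """Segments the NIC produces from one oversized block handed down when LSO is on."""
    segments = []
    while length > 0:
        take = min(mss, length)
        segments.append((seq, take))
        seq += take
        length -= take
    return segments

def fast_retransmit_needed(ack_stream, dup_threshold=3):
    """Return the ack number repeated `dup_threshold` times in a row, or None.
    The receiver keeps asking for the same byte, so the segment starting there is the lost one."""
    run = 0
    for prev, cur in zip(ack_stream, ack_stream[1:]):
        run = run + 1 if cur == prev else 0
        if run == dup_threshold:
            return cur
    return None

# Constructed 20-byte header: sport 443, dport 51000, seq 1, ack 1, offset 5, flags SYN+ACK
SYN_ACK = struct.pack("!HHIIHHHH", 443, 51000, 1, 1, (5 << 12) | 0x12, 65535, 0, 0)

if __name__ == "__main__":
    print(tcp_flags(SYN_ACK))                                        # {'SYN', 'ACK'}
    print(bytes_in_flight([(1, 1388), (1389, 1388), (2777, 1388)], 1389))  # 2776
    print(lso_split(348586, 2776, 1388))        # the split from the text
    print(fast_retransmit_needed([1389, 2777, 2777, 2777, 2777]))    # 2777
```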

12. Nagle algorithm

While previously sent data is still unacknowledged, any small amounts of newly generated data are collected; they are sent once a full MSS has accumulated or once the acknowledgment arrives.

13. Vegas algorithm

Adjusts the sending rate by monitoring the network state.

When the network is in good shape, packet RTTs are fairly stable, and the congestion window can be increased;

when the network gets busy, packets start queueing and the RTT grows, and the congestion window is reduced.
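An added example (not from the original post) that simulates the window growth described in items 5 and 6 and the RTT-driven decision of item 13, in units of MSS. Two things are assumptions, not statements of the post: slow start switches to congestion avoidance at a threshold `ssthresh`, and a retransmission timeout halves that threshold and restarts slow start (the classic loss-based behaviour).

```python
# Added example, not from the original post: congestion window in MSS units.

def cwnd_trajectory(rounds, initial=2, ssthresh=16, losses=()):
    """Return cwnd (in MSS) at the start of each round trip.

    rounds:   number of RTTs to simulate
    initial:  initial window; the post cites the RFC's 2, 3 or 4 MSS
    ssthresh: assumed point where slow start hands over to congestion avoidance
    losses:   round numbers at which a retransmission timeout occurs (assumption)
    """
    cwnd, thresh, history = initial, ssthresh, []
    for rtt in range(rounds):
        history.append(cwnd)
        if rtt in losses:
            thresh = max(cwnd // 2, 2)    # remember where congestion was hit
            cwnd = initial                # timeout: back to slow start
            continue
        if cwnd < thresh:
            cwnd = min(cwnd * 2, thresh)  # slow start: +1 MSS per ACK doubles it every RTT
        else:
            cwnd += 1                     # congestion avoidance: +1 MSS per RTT (16 -> 17)
    return history

def vegas_adjust(cwnd, base_rtt, measured_rtt, tolerance=0.1):
    """Vegas-style decision from RTT alone: stable RTT -> grow, rising RTT -> shrink.
    The 10% tolerance is an assumption chosen for the example."""
    if measured_rtt > base_rtt * (1 + tolerance):
        return max(cwnd - 1, 1)   # queueing is building up in the network
    return cwnd + 1

if __name__ == "__main__":
    print(cwnd_trajectory(8))              # [2, 4, 8, 16, 17, 18, 19, 20]
    print(cwnd_trajectory(8, losses={4}))  # timeout in round 4 restarts slow start
    print(vegas_adjust(10, 0.050, 0.080))  # RTT up 60%: shrink to 9
```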

6) Fields and options

PTR (Pointer Record): a DNS pointer record, which maps an IP address back to a domain name.

TTL (Time to Live)

The lifetime of a packet in the network. It limits how long the packet may circulate, so that IP packets cannot loop on the Internet forever. The initial value is usually 64, and each router it passes through subtracts 1.

Filtering on TTL reveals packets injected by an ISP: the forged reply arrives first, and its TTL may differ from that of the genuine packet (e.g. ip.ttl == 54).

Seq: sequence number of the data segment. When the receiver gets packets out of order, it can reorder them by this number. The next Seq is the current Seq plus the data length.

Len: length of the data segment, not including the TCP header.

ACK: acknowledgment number; tells the sender which bytes the receiver has already received.

RTT (Round Trip Time): the time from when a packet is sent until its acknowledgment comes back.

RTO (Retransmission TimeOut): the retransmission timer; the interval after which a packet that has not been acknowledged is resent. It is an important parameter for judging packet loss and network congestion.

MTU (Maximum Transmission Unit): the maximum transmission unit of the link.

MSS (Maximum Segment Size): the maximum amount of data a TCP segment can carry, not including the TCP header and options. It is usually the MTU minus the IPv4 header (at least 20 bytes) and the TCP header (at least 20 bytes).

Win (Window Size): announces one's own receive window.

TCP Window Scale: window scaling, an option in the TCP header that announces a shift count to the peer; the advertised receive window multiplied by 2 raised to that count gives the real TCP window.

DF (Don't Fragment): at the network layer, a packet carrying this flag is discarded rather than fragmented.

MF (More Fragments): 0 indicates the last fragment, 1 indicates that it is not the last one.

7) Filter expressions

Handshake refused: tcp.flags.reset == 1 && tcp.seq == 1

Retransmitted handshake request: tcp.flags.syn == 1 && tcp.analysis.retransmission

Delayed acknowledgments: tcp.analysis.ack_rtt > 0.2 and tcp.len == 0

Four, UDP protocol

UDP (User Datagram Protocol) provides a simple, unreliable, transaction-oriented message service.

It turns the network data stream into compact packets. The first 8 bytes of each packet hold the header; the rest carries the actual data.

Although UDP is not a reliable transport protocol, it is ideal for distributing information, for example stock quotes on a screen or aviation information displays;

it is also used for routing table updates in RIP (Routing Information Protocol), QQ chat, Thunder, and Internet telephony.

TCP is not necessarily less efficient than UDP: as long as the window is large enough, TCP can transfer data in a steady stream without being bounded by the round-trip time.

1) UDP advantages

1. The UDP header is less than half the length of the TCP header, so for the same packet size a UDP packet carries more payload than a TCP packet.

2. There are no Seq and Ack concepts, so there is no connection-setup overhead; DNS resolution uses UDP for this reason.

2) UDP disadvantages

1. When data exceeds the MTU, the sender's network layer fragments it and the receiver reassembles the fragments after receipt; this process consumes resources and reduces performance.

2. No retransmission: packet loss is handled by the application layer. If one write operation produces six packets and one is lost, all six must be resent.

3. Weakness of the fragmentation mechanism: the receiver decides whether a datagram has been completely received from the "More fragments" flag; 1 means there are more fragments, 0 means this is the last fragment to be assembled.

If a sender keeps sending UDP fragments with the flag set to 1, the receiver can never assemble them and may run out of memory.
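An added example (not code from the original post) of the receiver-side defence against the weakness just described: a minimal IPv4 fragment reassembler that caps how many fragments it will buffer per datagram and refuses offsets beyond the 65535-byte datagram limit, so a stream of fragments with "More fragments" always set is dropped instead of growing without bound. The limits and the sample fragments are constructed for the demo; checksums are not computed.

```python
import struct

# Added example, not from the original post. Limits are assumptions for the demo.
MAX_FRAGMENTS = 64       # fragments buffered per (src, ident) before the group is dropped
MAX_DATAGRAM = 65535     # an IPv4 datagram can never be larger than this

def parse_ipv4(packet):
    """Return (src, ident, more_fragments, offset_bytes, payload) from an IPv4 packet."""
    ver_ihl, _, total_len, ident, frag, _, _, _, src, _ = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    mf = bool(frag & 0x2000)          # "More fragments" flag
    offset = (frag & 0x1FFF) * 8      # fragment offset field counts 8-byte units
    return src, ident, mf, offset, packet[ihl:total_len]

class Reassembler:
    def __init__(self):
        self.groups = {}              # (src, ident) -> {"frags": {offset: data}, "end": int|None}

    def feed(self, packet):
        """Feed one fragment; return the full payload when complete, else None."""
        src, ident, mf, offset, data = parse_ipv4(packet)
        key = (src, ident)
        g = self.groups.setdefault(key, {"frags": {}, "end": None})
        if offset + len(data) > MAX_DATAGRAM or len(g["frags"]) >= MAX_FRAGMENTS:
            del self.groups[key]      # oversized or never-ending group: drop, do not buffer forever
            return None
        g["frags"][offset] = data
        if not mf:
            g["end"] = offset + len(data)   # last fragment fixes the total length
        if g["end"] is None:
            return None
        assembled, pos = bytearray(), 0
        for off in sorted(g["frags"]):
            if off != pos:
                return None           # a gap remains; wait for more fragments
            assembled += g["frags"][off]
            pos += len(g["frags"][off])
        if pos != g["end"]:
            return None
        del self.groups[key]
        return bytes(assembled)

def make_fragment(ident, offset, mf, payload, src=b"\x0a\x00\x00\x01", dst=b"\x0a\x00\x00\x02"):
    """Constructed IPv4 fragment with a minimal header (protocol 17 = UDP, checksum left 0)."""
    frag = (0x2000 if mf else 0) | (offset // 8)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, frag, 64, 17, 0, src, dst)
    return hdr + payload

if __name__ == "__main__":
    r = Reassembler()
    print(r.feed(make_fragment(7, 0, True, b"A" * 16)))    # None: waiting for the rest
    print(r.feed(make_fragment(7, 16, False, b"B" * 8)))   # b'AAAA...BBBBBBBB'
```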

Five, ICMP protocol

ICMP (Internet Control Message Protocol) carries control information and error reports, and is extremely important for network security.

Examples are "requested service not available" or "host or route unreachable". ICMP relies on IP to do its job and is an integral part of the IP protocol.

User programs generally do not use it directly; it is used by diagnostic programs such as ping and tracert.

Six, DNS protocol

DNS (Domain Name System) is the domain name system; a DNS server performs domain name resolution.

DNS runs over UDP on port 53 and works as follows:

DNS resolution process:

The DNS client sends a query to its local name server A. If A has no record of the IP address, A sends a request to the root name server B.

If B does not have it either, A sends a request to C, then to D, then to E, until the address is found and returned to the DNS client.

The resolution process involves both recursive queries and iterative queries.

The client then connects to the web server.

Seven, HTTP protocol

HTTP (HyperText Transfer Protocol) is a stateless application-layer protocol made up of requests and responses, following the standard client-server model.

The HTTP workflow is as follows:

The header field descriptions below are taken from the tables in the book 图解HTTP (Illustrated HTTP).

HTTP request headers:

Accept: media types (MIME types) the user agent can process and their relative priority, e.g. "text/plain; q=0.3"
Accept-Charset: character sets the user agent supports and their relative priority, e.g. "iso-8859-5"
Accept-Encoding: content encodings the user agent supports and their priority order, e.g. "gzip, deflate"
Accept-Language: natural languages the user agent can handle and their priority, e.g. "zh-cn, zh; q=0.7"
Authorization: the user agent's authentication credentials, e.g. "Basic dWVub3NlbjpwYNzd=="
Expect: tells the server the client expects certain behaviour; if the server cannot meet it, it returns "417 Expectation Failed", e.g. "100-continue"
From: e-mail address of the user behind the user agent, so that search engines and others can contact the person responsible, e.g. "[email protected]"
Host: Internet host name and port number of the requested resource; must be present in the request headers, e.g. "www.hh.com"
If-Match: conditional request; the server accepts the request only if the resource's ETag matches the field value, otherwise it returns "412 Precondition Failed"
If-Modified-Since: if the resource has been modified after the given time (Last-Modified) the request is processed; if the resource is unchanged, "304 Not Modified" is returned
If-None-Match: the opposite of If-Match
If-Range: if the field value matches the resource's ETag or date, the request is processed as a range request; otherwise the whole resource is returned
If-Unmodified-Since: the opposite effect of If-Modified-Since
Max-Forwards: maximum number of servers the request may pass through, as a decimal integer; each forwarding server decrements it by 1 and does not forward when it reaches 0
Proxy-Authorization: sent after receiving an authentication challenge from a proxy; carries the credentials the proxy requires
Range: requests only part of the resource, e.g. "5001-10000" for bytes 5001 to 10000
Referer: URI of the resource from which the request originated
TE: transfer encodings the client can accept in the response and their relative priority; can also indicate that Trailer fields of chunked transfer encoding are accepted, e.g. "gzip, deflate; q=0.5"
User-Agent: name, version and other information about the browser or user agent that created the request

HTTP response headers:

Accept-Ranges: tells the client whether the server can handle range requests for a specified part of a resource, e.g. "bytes"
Age: how long ago the origin server created the response, in seconds
ETag: entity tag, a string that uniquely identifies the resource
Location: directs the receiver to a resource at a different URI; used with 3xx redirection responses
Proxy-Authenticate: authentication challenge sent by the proxy server to the client
Retry-After: tells the client how long to wait (in seconds or until a given date) before sending the request again; mainly used with "503 Service Unavailable" or 3xx redirects
Server: information about the HTTP server software installed on the server, including version numbers, e.g. "Apache/2.2.6 (Unix) PHP/5.2.5"
Vary: cache control; when set to "Accept-Language", for example, a cached response is returned only to requests whose Accept-Language value is the same
WWW-Authenticate: HTTP access authentication; tells the client which authentication scheme (Basic or Digest) applies to the request URI and supplies the challenge parameters

General HTTP header fields:

Cache-Control: caching directives, several of them separated by ",", e.g. "private, max-age=0, no-cache"
Connection: controls header fields that proxies must not forward and manages persistent connections, e.g. "keep-alive"
Date: date and time the HTTP message was created
Pragma: legacy field from before HTTP/1.1, defined for backward compatibility and sent only by clients, e.g. "no-cache"
Trailer: names the header fields written after the message body; usable with chunked transfer coding, for information that becomes available only at the end
Transfer-Encoding: the encoding used when transmitting the message body, e.g. "chunked"
Upgrade: used to probe whether HTTP or some other protocol could be used for subsequent communication
Via: traces the path of request and response messages between client and server; each proxy server adds its own information to Via
Warning: informs the user about cache-related problems

HTTP entity header fields:

Allow: tells the client all HTTP methods supported for the resource at the Request-URI, e.g. "GET, HEAD"; for an unsupported method the server returns "405 Method Not Allowed"
Content-Encoding: content encoding the server applied to the entity body, compressing it without losing content, e.g. "gzip"
Content-Language: natural language of the entity body (Chinese, English, etc.)
Content-Length: size of the entity body, in bytes
Content-Location: the URI corresponding to the message body; different from Location
Content-MD5: a value produced by the MD5 algorithm, used to check that the message body stayed intact in transit and arrived completely
Content-Range: for range requests, which part of the entity is returned in the response, in bytes, e.g. "bytes 5001-10000/10000"
Content-Type: media type of the object in the entity body; like Accept, the value has the form type/subtype, e.g. "text/html; charset=UTF-8"
Expires: tells the client the date on which the resource expires; when Cache-Control specifies a max-age directive, max-age takes precedence
Last-Modified: last modification time of the resource; generally this is the time the resource at the Request-URI was last modified

For details, see the MDN article "HTTP Headers".

MIME (Multipurpose Internet Mail Extensions) is the Internet standard describing message content types, a mechanism for telling a client what kind of file it is receiving; a file extension has no definite meaning on a web page.

Eight, HTTPS protocol

HTTPS (Hypertext Transfer Protocol over Secure Socket Layer) is HTTP over SSL, the secure version of HTTP.

It uses port 443. HTTPS is built from SSL + HTTP and provides encrypted transmission and identity authentication.

1) HTTPS workflow

2) SSL

SSL (Secure Sockets Layer); TLS (Transport Layer Security) is its successor.

SSL and TLS encrypt the network connection at the transport layer.

SSL is split into two layers: the SSL Record Protocol and the SSL Handshake Protocol.

The SSL Record Protocol sits on top of TCP and provides the basic functions of data encapsulation, compression and encryption.

The SSL Handshake Protocol sits on top of the Record Protocol; before any data is transferred, the two parties authenticate each other, negotiate encryption algorithms and exchange encryption keys.

SSL works in two stages: server authentication and user authentication.

SSL uses both public-key (asymmetric) encryption and symmetric encryption.

3) Packets

Communication between client and server:

1. Client request (Client Hello)

2. Server response (Server Hello)

3. Certificate

4. Key exchange

5. Application data

The user can send ordinary HTTP messages encrypted by the TLS layer with the RC4 write instance, and can decrypt messages sent by the server's RC4 write instance.

In addition, the TLS layer checks that each message has not been tampered with by computing an HMAC_MD5 over the message content.

The RC4 and HMAC_MD5 seen in this capture belong to an old cipher suite; RC4 is prohibited in TLS by RFC 7465 and neither is used by current TLS deployments.

Origin blog.csdn.net/zam183/article/details/103772175