Analysis of the TCP/IP and UDP message formats from a packet capture

2020-04-15

Keywords: Ethernet protocol, network packet analysis


 

This article walks through a real network exchange to give a brief introduction to the Ethernet frame header and the IP, TCP and UDP message formats.

 

Before starting, keep one thing in mind: all data on the network, whether packets of any protocol, video, audio or pictures, travels over the cable as an ordered stream of bytes. Every protocol header and every piece of application data is just a slice of that byte stream, and a parser only knows where one header ends and the next begins by reading the length and type fields in the headers themselves.

 

1. TCP / IP message format

 

Let's first look at the TCP/IP message format as it appears in a real communication.

Here I captured the traffic with tcpdump and analysed it in Wireshark: two devices exchange the text "Hello world" over a socket.

 

1.1 Analysis environment

First, the author's original capture file, for anyone who wants to download it and follow along:

Link: https://pan.baidu.com/s/1QHXq88yiqTWISRMd-8-Q2g
Extraction code: nd5u

Filter by IP in Wireshark: ip.addr == 192.168.77.104

 

First, the basic information of the two devices:

Server device:

IP:  192.168.77.104

MAC: A8:BD:3A:37:54:AB

Client device:

IP:  192.168.77.103

MAC: A8:BD:3A:37:54:FF

 

Before any data can be exchanged, TCP must first establish a connection with the "three-way handshake", shown in the figure below:



After that, whenever one side receives a segment carrying data, it must send back an acknowledgement (ACK) telling the sender "I received it".



So sending the text "Hello world" over a socket needs at least 5 exchanges, that is, 5 network packets: SYN, SYN-ACK, ACK, the data segment, and the ACK for the data. If you also count the "four-way close" used to tear the connection down, add another 4 packets for a total of 9. Here we ignore the teardown, so there are only 5 packets to consider.

 

Five network packets in this process can be filtered out in wireshark, as shown in the following figure:

 

1.2 Ethernet header

The content of the first network packet is as follows:

Here we look only at the raw bytes in the middle. The columns on either side (offsets and ASCII) are added by Wireshark to help reading.



The first 14 bytes are the Ethernet II header, laid out as:

Destination MAC address (6 bytes) + Source MAC address (6 bytes) + EtherType (2 bytes)

The EtherType tells the receiver which protocol the frame carries; it is not an IP version field, although 0x0800 does mean IPv4 (IPv6 uses 0x86DD and ARP uses 0x0806).



This first packet is the client's SYN, so the first 6 bytes are indeed the destination, the server's MAC A8:BD:3A:37:54:AB, and the next 6 bytes are the source, the client's MAC A8:BD:3A:37:54:FF. The last two bytes, 0x0800, say the payload is an IPv4 packet.



That is all there is to the Ethernet header. Note that the 4-byte frame check sequence (FCS) at the end of the frame is normally stripped by the NIC and does not appear in the capture.

 

1.3 IP message format

Next comes the IP header.



Before reading the bytes it helps to have the standard layout in front of you, shown below:

IP message format

Without options, an IPv4 header is 20 bytes long, as the figure shows. The IP header of the packet we captured is shown below:

 

 

Below, the captured bytes are matched field by field against the layout above. The first byte of the IP header holds two 4-bit fields: the protocol version and the header length.



Version + header length:

The first byte in our packet is 0x45. The upper 4 bits are 4, meaning the IP version is 4, IPv4. (An IPv6 header would start with 6, but it would also arrive under a different EtherType, 0x86DD.)

The lower 4 bits, the IHL (Internet Header Length), are 5. This is not a byte count: the value is in 32-bit words, so 5 * 4 bytes = 20 bytes. The IP header in this packet is therefore 20 bytes and carries no options or padding. The maximum is 15 * 4 = 60 bytes, and a parser should reject any value below 5 as malformed.

 

Differentiated services:

1 byte, 0x00 in our packet. It holds the DSCP and ECN bits used for quality of service and congestion signalling; for this analysis it can be ignored.



Total length:

2 bytes, 0x003c = 60. This is the length of the IP header plus its payload, that is, the frame length after removing the 14-byte Ethernet header (the Ethernet FCS and any padding are not counted). Here 60 = 20 bytes of IP header + 40 bytes of TCP header (this SYN carries options but no data). When a short frame is padded up to the Ethernet minimum, this field, not the capture length, tells you where the real data ends.

 

Identification:

2 bytes, 0x500a. Think of it as the ID of this datagram. Many stacks simply increment it by 1 for each datagram sent. Its real purpose is fragmentation: when a datagram is larger than the link MTU, it is split into fragments that are sent one by one, and every fragment carries the same identification so the receiver can reassemble them into the original datagram.



Flags + fragment offset:

2 bytes together: the flags occupy the upper 3 bits and the fragment offset the lower 13 bits.

Flags:

From the most significant bit down:

1. Reserved, must be 0

2. DF (Don't Fragment)

0 means the datagram may be fragmented if it exceeds the MTU; 1 means it must not be fragmented, and a router that cannot forward it intact drops it (normally sending back an ICMP "fragmentation needed" message).

3. MF (More Fragments)

0 means this is the last (or only) fragment; 1 means more fragments of the same datagram follow.

In the packet sampled in this article the 2-byte field is 0x4000. Its first nibble, 0x4 = 0100, gives the flag bits 010: DF is set and MF is clear, and the offset is 0, so this packet is an unfragmented datagram that must not be fragmented.

Fragment offset:

13 bits, range 0 to 8191. It gives the position of this fragment's data within the original datagram in units of 8 bytes: multiply the value by 8 to get the byte offset. Put simply, it is the reference the receiver uses to put fragments back in place when a datagram was too long to send in one piece. Overlapping or out-of-range offsets are a classic way to confuse reassembly, so a parser should check them rather than trust them.

 

Time to live:

TTL, 1 byte. In this example the value is 0x40, which is 64 in decimal (the usual default on Linux). It is the maximum number of router hops the packet may take: every router decrements it by 1 and discards the packet if it reaches 0 before arriving. Without it, a packet caught in a routing loop would circulate forever, and enough such packets would saturate the loop.

 

Protocol:

1 byte. Indicates which protocol the IP payload uses, so the parser knows what header comes next. Common values (the IANA protocol numbers are decimal):

1. 0x06 (6): TCP

2. 0x11 (17): UDP

3. 0x01 (1): ICMP

4. 0x02 (2): IGMP

 

Header checksum:

2 bytes. A one's-complement checksum over the IP header only, not the payload. Because the TTL changes at every hop, each router recomputes it; the payload is protected separately by the TCP or UDP checksum.



Source address + destination address:

4 bytes each. c0a84d67 -> 192.168.77.103 (the client, which sent this SYN); c0a84d68 -> 192.168.77.104 (the server).



That accounts for 20 bytes. Since this IP header has no options or padding, the IP header ends here and what follows is the IP payload.

 

1.4 TCP message format

The protocol field above is 6, so the IP payload is a TCP segment, which we analyse next.

 

The standard format of the TCP message protocol is shown below:

 

In the network packet used in this example analysis, the content of the TCP part is shown in the following figure:

 

Source port + destination port:

The first four bytes are the TCP source port and destination port, 2 bytes each. 0xe785 (59269) is the client's ephemeral port and 0x4315 (17173) is the port the server is listening on.



Sequence number + acknowledgement number:

4 bytes each. The sequence number in this example is 0xaca2b4fd. Together these two fields track the byte stream in both directions of a TCP session, and under normal conditions both grow over time. The sequence number is the position in the sender's byte stream of the first data byte in this segment; think of it as "the sentence I am saying right now". The acknowledgement number is the sequence number of the next byte the sender expects to receive from the other side, which implicitly confirms that every byte before it has arrived. So when the peer replies, the sequence number of its reply should equal the acknowledgement number we sent.

Generally the acknowledgement number is the peer's last sequence number advanced by the number of bytes received (a SYN or FIN counts as one byte even though it carries no data). In this example the acknowledgement number is 0 because this is the first segment of the session, the SYN: its ACK flag is clear, so the acknowledgement field is not valid and is simply left at 0. The initial sequence number itself should be unpredictable, since a peer that can guess it can inject segments into the connection.

The diagram below shows the sequence and acknowledgement numbers used in the five packets of this example; compare how the two numbers change from one packet to the next.
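As an added illustration of the same bookkeeping (this is example code, not part of the original post), the following Python reconstructs the sequence and acknowledgement numbers of the five packets: SYN, SYN-ACK, ACK, the data segment and the final ACK. The client's initial sequence number 0xaca2b4fd is the one from the capture; the server's initial sequence number and the 11-byte payload are assumed values chosen for the illustration.

```python
# Added example: seq/ack bookkeeping for SYN, SYN-ACK, ACK, data, ACK.
# Client ISN 0xaca2b4fd comes from the capture; the server ISN and the
# payload passed in below are assumptions for this illustration.
MOD = 1 << 32  # TCP sequence numbers are 32-bit and wrap around


def seq_add(base, n):
    """Advance a sequence number by n bytes, modulo 2^32."""
    return (base + n) % MOD


def hello_world_exchange(client_isn, server_isn, payload):
    """Return the five segments as (direction, flags, seq, ack) tuples.

    Rules applied: a SYN (or FIN) consumes exactly one sequence number, a
    pure ACK consumes none, and data advances seq by its length. The ack
    field names the next byte the sender expects to receive from its peer.
    """
    segments = []
    # 1. SYN. The ACK flag is clear, so the ack field is meaningless (shown as 0).
    segments.append(("client->server", "SYN", client_isn, 0))
    # 2. SYN-ACK. Acknowledges the client's SYN, i.e. expects client_isn + 1.
    segments.append(("server->client", "SYN,ACK", server_isn, seq_add(client_isn, 1)))
    # 3. ACK completing the handshake. Both sides have now consumed one number.
    c_seq, s_seq = seq_add(client_isn, 1), seq_add(server_isn, 1)
    segments.append(("client->server", "ACK", c_seq, s_seq))
    # 4. Data. Same seq as the previous pure ACK, which consumed nothing.
    segments.append(("client->server", "PSH,ACK", c_seq, s_seq))
    # 5. The server's ACK of the data: ack = first byte after the payload.
    segments.append(("server->client", "ACK", s_seq, seq_add(c_seq, len(payload))))
    return segments


def bytes_acknowledged(segments):
    """Payload length the final ACK covers: its ack minus the data segment's seq."""
    data_seq = segments[3][2]
    final_ack = segments[4][3]
    return (final_ack - data_seq) % MOD


if __name__ == "__main__":
    exchange = hello_world_exchange(0xACA2B4FD, 0x1A2B3C4D, b"Hello world")
    for direction, flags, seq, ack in exchange:
        print("%-15s %-8s seq=0x%08x ack=0x%08x" % (direction, flags, seq, ack))
    print("bytes acknowledged:", bytes_acknowledged(exchange))
```

Running it prints the five segments in order; note that packets 3 and 4 carry the same sequence number, and that the wraparound in seq_add matters for real captures, where an initial sequence number near 2^32 is perfectly normal.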

 

Header length:

Also called "data offset". 4 bits. It gives the length of the TCP header in 32-bit words. In this example the value is 0xa, that is 10, so the TCP header is 10 * 4 bytes = 40 bytes: the 20-byte fixed header plus 20 bytes of options (a SYN typically carries MSS, window scale, SACK-permitted and timestamp options). Put simply, it is the length of the segment excluding the data, and the data starts at this offset from the beginning of the TCP header.



Flag bits:

The 12 bits following the header length were originally (RFC 793) 6 reserved bits followed by 6 flags. Later RFCs took bits from the reserved area for explicit congestion notification, so Wireshark now shows 3 reserved bits and 9 flags. From the least significant bit upward they are: FIN (sender has no more data), SYN (synchronise sequence numbers, connection setup), RST (abort the connection), PSH (deliver the data to the application promptly), ACK (the acknowledgement number is valid), URG (the urgent pointer is valid), ECE and CWR (ECN signalling) and NS (ECN nonce, experimental). In this first packet only SYN is set. Combinations such as SYN+FIN, or a segment with no flags at all, never occur in normal traffic and are a common scanning and fingerprinting signature.

 

 

 

Window size:

2 bytes. Used for TCP flow control: it advertises how many bytes the sender of this segment is currently willing to accept, which tells the peer how much it may send before waiting for an acknowledgement. If the window scale option was negotiated in the handshake, the real window is this value shifted left by the scale factor.



TCP checksum:

2 bytes. It covers the TCP header, the data, and a pseudo-header built from the IP source and destination addresses, the protocol number and the TCP length, so a segment delivered to the wrong host or with a corrupted payload fails the check. Because the sender computes it with the field set to 0, summing a received segment together with its pseudo-header must give 0.



Urgent pointer:

2 bytes. Only meaningful when the URG flag is set; it is an offset from the sequence number to the end of the urgent data, which sits at the beginning of the data field. It is rarely used in practice.



Options:

Variable length, padded to a multiple of 4 bytes; omitted here. Each option is a kind byte, usually followed by a length byte and a value, which is why a parser must validate the length byte before trusting it.



The TCP header excluding options is a fixed 20 bytes, the same as the IP header without options.

 

The following is a complete TCP/IP frame carrying data, broken down byte by byte with annotations (192.168.111.1 -> 192.168.111.2, payload "hello\n"):

    000c296b8577000c296b8577 [Destination MAC, then source MAC, 6 bytes each]
    0800 [EtherType: IPv4]
    45 [Version 4, header length 5 * 4 = 20 bytes]
    00 [Differentiated services]
    003a [Total length: 58 bytes = 20 IP header + 32 TCP header + 6 data]
    fe10 [Identification]
    4000 [Flags + fragment offset: DF set, MF clear, offset 0]
    40 [TTL: 64]
    06 [Protocol: 6 = TCP]
    dd58 [IP header checksum]
    c0a86f01c0a86f02 [Source IP 192.168.111.1, destination IP 192.168.111.2]
    [From here on, the TCP header]
    aa384316 [Source port 43576, destination port 17174]
    56f4b30f [Sequence number]
    e4c60050 [Acknowledgement number]
    8018 [Header length 8 * 4 = 32 bytes; flags 0x018 = PSH + ACK]
    00e5 [Window: 229]
    0807 [TCP checksum]
    0000 [Urgent pointer]
    0101080a00145223ffff9bf1 [Options, 12 bytes: NOP, NOP, Timestamps (kind 8, length 10, TSval 0x00145223, TSecr 0xffff9bf1)]
    68656c6c6f0a [Data: "hello\n"]

 

 

2. UDP message format

 

From the TCP/IP analysis above, we now know that a network packet consists of these parts, one after another:

1. Ethernet header

2. IP header

3. TCP, UDP, ICMP or IGMP header, followed by its payload

 

The UDP message format is much simpler than TCP's.



The standard layout of the UDP header is shown below:

Source port + destination port:

2 bytes each, with the same meaning as in TCP. The source port may be 0 when no reply is expected.



Length:

2 bytes. The length of the UDP header plus the data; the minimum is 8 (an empty datagram). A parser should check that it agrees with the IP payload length.



Checksum:

2 bytes. Computed over the same kind of pseudo-header as TCP plus the UDP header and data. In IPv4 it is optional: a value of 0 means the sender did not compute one.



Data:

The payload; UDP puts nothing after it.



UDP does not shake hands or wave goodbye like TCP: it simply sends each datagram out with no connection setup, no acknowledgement and no retransmission (which is also why UDP source addresses are trivially spoofed). So analysing its format is far less involved than the TCP analysis above, and the Ethernet and IP headers in front of a UDP datagram have already been covered. Here, then, is a complete UDP packet carrying data, with annotations, for reference:

Complete UDP frame carrying data:
000c296b8577000c296b8577080045000022cf40400040110c36c0a86f01c0a86f028ebf4316000e8acb68656c6c6f0a

Interpretation (192.168.111.1 -> 192.168.111.2, payload "hello\n"):

    000c296b8577000c296b8577 [Destination MAC, then source MAC]
    0800 [EtherType: IPv4]
    45 [Version 4, header length 5 * 4 = 20 bytes]
    00 [Differentiated services]
    0022 [Total length: 34 bytes after the 14-byte Ethernet header = 20 IP + 8 UDP + 6 data]
    cf40 [Identification]
    4000 [Flags + fragment offset: DF set, not fragmented]
    40 [TTL: 64]
    11 [Protocol: 17 = UDP]
    0c36 [IP header checksum]
    c0a86f01c0a86f02 [Source IP 192.168.111.1, destination IP 192.168.111.2]
    [From here on, the UDP header]
    8ebf4316 [Source port 36543, destination port 17174]
    000e [Length: 14 bytes = 8-byte UDP header + 6 bytes of data]
    8acb [UDP checksum]
    68656c6c6f0a [Data: "hello\n"]
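The Python dissector below is added here as an illustration and is not code from the original post. It takes the two frames dumped in this article, the TCP one in section 1.4 and the UDP one just above, and walks them through the Ethernet, IP, TCP and UDP layouts described in sections 1.2, 1.3, 1.4 and 2, checking the IHL, Total Length, data offset and option length bytes before trusting them and recomputing the IP header checksum and the TCP/UDP checksums with their pseudo-headers. The hex strings are the article's own frames; the parser, field names and checks are added and need only the standard library.

```python
import struct
from ipaddress import IPv4Address

# The two frames dumped in this article, byte for byte as printed (no FCS).
TCP_FRAME = bytes.fromhex(
    "000c296b8577000c296b8577" "0800"
    "4500003afe104000" "4006dd58" "c0a86f01c0a86f02"
    "aa384316" "56f4b30f" "e4c60050" "8018" "00e5" "0807" "0000"
    "0101080a00145223ffff9bf1" "68656c6c6f0a")
UDP_FRAME = bytes.fromhex(
    "000c296b8577000c296b8577" "0800"
    "45000022cf404000" "40110c36" "c0a86f01c0a86f02"
    "8ebf4316" "000e" "8acb" "68656c6c6f0a")

TCP_FLAGS = [(0x001, "FIN"), (0x002, "SYN"), (0x004, "RST"), (0x008, "PSH"),
             (0x010, "ACK"), (0x020, "URG"), (0x040, "ECE"), (0x080, "CWR"),
             (0x100, "NS")]

def inet_checksum(data):
    """RFC 1071 one's-complement sum of 16-bit words (odd trailing byte zero-padded).
    A block that already contains its own valid checksum sums to 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def tcp_options(raw):
    """Decode EOL, NOP and kind/length/value options; Timestamps are expanded."""
    opts, i = [], 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:                       # End of Option List
            break
        if kind == 1:                       # NOP: one byte, no length field
            opts.append(("NOP",))
            i += 1
            continue
        # The length byte is peer-controlled: it must exist, be >= 2 and fit.
        if i + 1 >= len(raw) or raw[i + 1] < 2 or i + raw[i + 1] > len(raw):
            raise ValueError("malformed TCP option at offset %d" % i)
        length, body = raw[i + 1], raw[i + 2:i + raw[i + 1]]
        if kind == 8 and length == 10:      # Timestamps: TSval, TSecr
            opts.append(("Timestamps",) + struct.unpack("!II", body))
        else:
            opts.append(("kind%d" % kind, body.hex()))
        i += length
    return opts

def dissect(frame):
    """Ethernet II -> IPv4 -> TCP or UDP, validating lengths and checksums."""
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0800:
        raise ValueError("EtherType 0x%04x is not IPv4" % ethertype)
    ip = frame[14:]
    (ver_ihl, _dscp_ecn, total_len, ident, flags_frag,
     ttl, proto, _hcsum, src, dst) = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4              # IHL is counted in 32-bit words
    if ver_ihl >> 4 != 4 or ihl < 20 or total_len < ihl or total_len > len(ip):
        raise ValueError("malformed IPv4 header")
    ip = ip[:total_len]                     # trust Total Length, not the capture length
    out = {"dst_mac": dst_mac.hex(":"), "src_mac": src_mac.hex(":"),
           "src_ip": str(IPv4Address(src)), "dst_ip": str(IPv4Address(dst)),
           "ihl": ihl, "total_length": total_len, "id": ident, "ttl": ttl,
           "proto": proto, "df": bool(flags_frag & 0x4000),
           "mf": bool(flags_frag & 0x2000),
           "frag_offset": (flags_frag & 0x1FFF) * 8,   # offset unit is 8 bytes
           "ip_checksum_ok": inet_checksum(ip[:ihl]) == 0}
    seg = ip[ihl:]
    # Pseudo-header used by both TCP and UDP: addresses, zero, protocol, length.
    pseudo = struct.pack("!4s4sBBH", src, dst, 0, proto, len(seg))
    if proto == 6:
        (sport, dport, seq, ack, off_flags,
         win, _csum, urg) = struct.unpack("!HHIIHHHH", seg[:20])
        doff = (off_flags >> 12) * 4        # data offset, also in 32-bit words
        if doff < 20 or doff > len(seg):
            raise ValueError("bad TCP data offset %d" % doff)
        out.update({"sport": sport, "dport": dport, "seq": seq, "ack": ack,
                    "data_offset": doff, "window": win, "urgent": urg,
                    "flags": [name for bit, name in TCP_FLAGS if off_flags & bit],
                    "options": tcp_options(seg[20:doff]),
                    "tcp_checksum_ok": inet_checksum(pseudo + seg) == 0,
                    "data": seg[doff:]})
    elif proto == 17:
        sport, dport, ulen, csum = struct.unpack("!HHHH", seg[:8])
        if ulen < 8 or ulen != len(seg):
            raise ValueError("UDP length %d disagrees with IP payload" % ulen)
        out.update({"sport": sport, "dport": dport, "udp_length": ulen,
                    # In IPv4 the UDP checksum is optional: 0 means "not computed".
                    "udp_checksum_ok": csum == 0 or inet_checksum(pseudo + seg) == 0,
                    "data": seg[8:]})
    return out

if __name__ == "__main__":
    for label, frame in (("TCP", TCP_FRAME), ("UDP", UDP_FRAME)):
        print(label, dissect(frame))
```

Both frames come out with every checksum valid, which is a useful sanity check on the hand decoding above: the IP header checksum is computed over the 20 header bytes alone, while the TCP and UDP checksums only verify once the pseudo-header with the two IP addresses is prepended, so a segment whose addresses were rewritten without fixing the checksum fails even if its own bytes are intact. The parser deliberately slices the IP packet to Total Length and bounds-checks IHL, the data offset and every option length, because those peer-supplied values are exactly where a hand-rolled dissector reads out of bounds.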

 



Origin www.cnblogs.com/chorm590/p/12674282.html