Computer Network-Wireshark Experiment


Preface

This part is organised by layer: data link layer, network layer, transport layer and application layer, with 10 experiments in total. They require the protocol analyser Wireshark; download and install it yourself as described in the introduction section.

Preparation
Use reference materials of your choice to learn the basic use of Wireshark:

Select which network card to capture data packets.
Start/stop capture.
Understand the main window areas of Wireshark.
Set data packet filtering.
Track data flow.


One: The data link layer

Experiment 1: Get familiar with the Ethernet frame structure
Capture any packets with Wireshark and get familiar with the structure of an Ethernet frame, for example the destination MAC, source MAC and type fields.

Reference: How to use Wireshark for beginners

Experiment 2: Understand MAC addresses when communicating inside and outside the subnet
Ping the computer next to you (same subnet) and capture these packets with Wireshark (you can filter with the icmp keyword). Record the destination MAC address of the sent frame and the source MAC address of the returned frame. Whose MAC address is it?
Then ping qige.io (or any host outside this subnet), capture these packets with Wireshark (filter with icmp), and record the destination MAC address of the sent frame and the source MAC address of the returned frame. Whose MAC address is it?
Ping www.cqjtu.edu.cn again (or any other host outside this subnet), capture these packets with Wireshark (filter with icmp), and record the destination MAC address of the sent frame and the source MAC address of the returned frame. Whose MAC address is it?

1.
Although the neighbouring computer I pinged is on the same subnet, the MAC addresses of the sent frame and the returned frame were not as expected (they appear to pass through the gateway). The exact cause is unknown.
2.
Destination MAC address of the sent frame: 00:74:9c:9f:40:13
Source MAC address of the returned frame: 00:74:9c:9f:40:13
This is the MAC address of the gateway of the subnet the host is on.
3.
Destination MAC address of the sent frame: 00:74:9c:9f:40:13
Source MAC address of the returned frame: 00:74:9c:9f:40:13
This is the MAC address of the gateway of the subnet the host is on.

Question
Through the above experiment you will find that when accessing a computer on this subnet, the destination MAC is the host's own, while when accessing a computer on another subnet, the destination MAC is the gateway's. What is the reason?

When accessing a computer on this subnet, the destination MAC is that of the host itself; when accessing a computer on another subnet, the destination MAC is the gateway's. This is because traffic to a computer on another subnet must pass through the gateway, whereas a computer on this subnet is reached directly, so the destination MAC address is the host's.

Experiment 3: Master the ARP resolution process
1. To avoid interference, first run the arp -d * command to clear the ARP cache.
2. Ping the computer next to you (same subnet) and capture these packets with Wireshark (filter with arp). Look at the format and content of the ARP request, paying attention to its destination MAC address. Then look at the reply to the request and observe what its source and destination MAC addresses are.
3. Run the arp -d * command again to clear the ARP cache.
4. Then ping qige.io (or any host outside the subnet) and capture these packets with Wireshark (filter with arp). Check what the ARP request asks for and pay attention to who answers it.

1.
Destination MAC address of the ARP request: ff:ff:ff:ff:ff:ff (broadcast)
The reply carries the physical MAC address of the other host.
2.
Destination MAC address of the ARP request frame: ff:ff:ff:ff:ff:ff

Question
From the above experiment you should find that:
1. ARP requests are sent by broadcast.
2. If you are accessing an IP on this subnet, ARP resolves the MAC that corresponds directly to that IP; if you are accessing an IP outside this subnet, ARP resolution yields the gateway's MAC.
Why?

When this machine accesses a computer on this subnet, the packet does not need to leave the subnet, and ARP resolution is also carried out within this subnet, so ARP resolution yields the physical MAC address of the peer host.
When this machine accesses a computer on another subnet, the packet must leave the subnet and ARP resolution must go through the gateway, so the destination MAC address obtained by ARP resolution is the physical address of the gateway.
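
The next-hop choice described above (resolve the destination itself inside the subnet, the gateway outside it) and the broadcast ARP request seen in Experiment 3 can be reproduced in code. This is an added example, not part of the original experiment report; the MAC and IP addresses in it are made up except 202.202.240.16, which appears later on this page.

```python
import ipaddress
import struct

BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"

def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))

def fmt_mac(raw):
    return ":".join(f"{b:02x}" for b in raw)

def arp_target(local_ip, prefix_len, gateway_ip, dest_ip):
    """IP whose MAC the sender must resolve before it can send to dest_ip:
    the destination itself if it is on the local subnet, else the gateway."""
    subnet = ipaddress.ip_network(f"{local_ip}/{prefix_len}", strict=False)
    return dest_ip if ipaddress.ip_address(dest_ip) in subnet else gateway_ip

def build_arp_request(sender_mac, sender_ip, target_ip):
    """Ethernet frame carrying an ARP who-has request (RFC 826 field layout)."""
    eth = mac_bytes(BROADCAST_MAC) + mac_bytes(sender_mac) + b"\x08\x06"
    arp = struct.pack("!HHBBH6s4s6s4s",
                      1, 0x0800, 6, 4,          # Ethernet, IPv4, MAC len, IP len
                      1,                        # opcode 1 = request
                      mac_bytes(sender_mac), ipaddress.ip_address(sender_ip).packed,
                      b"\x00" * 6,              # target MAC unknown, so all zeros
                      ipaddress.ip_address(target_ip).packed)
    return eth + arp

def parse_arp(frame):
    """Pull out the fields Wireshark shows for an ARP frame (constructed input)."""
    eth_dst = fmt_mac(frame[:6])
    (_ht, _pt, _hl, _pl, op, smac, sip,
     tmac, tip) = struct.unpack("!HHBBH6s4s6s4s", frame[14:42])
    return {"eth_dst": eth_dst, "opcode": op, "sender_mac": fmt_mac(smac),
            "sender_ip": str(ipaddress.ip_address(sip)),
            "target_mac": fmt_mac(tmac), "target_ip": str(ipaddress.ip_address(tip))}

if __name__ == "__main__":
    # Made-up host 192.168.1.10/24 with gateway 192.168.1.1
    for dest in ("192.168.1.20", "202.202.240.16"):
        who = arp_target("192.168.1.10", 24, "192.168.1.1", dest)
        print(dest, "-> ARP for", who)
        print(parse_arp(build_arp_request("aa:bb:cc:dd:ee:ff", "192.168.1.10", who)))
```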

Two: The network layer

Experiment 1: Get familiar with the IP packet structure
Capture any packets with Wireshark (filter with ip) and get familiar with the structure of an IP packet, for example the version, header length, total length, TTL and protocol fields.

 ping qige.io


Version: IPv4
Header length: 20 bytes
Total length: 60
TTL: 128
Protocol: ICMP

Question
To improve efficiency, the IP header should be kept as lean as possible. Yet in this precious header you will find both a header length field and a total length field. Why?

The header length field lets the receiver work out where the header ends and where to start reading data. The total length field tells it how much data to accept and read.
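
The fields examined in Experiment 1 of the link layer and in this experiment, and the use of the two length fields discussed in the question, can be pulled out of a raw frame with a few lines of code. This is an added example and not part of the original report; the frame bytes are constructed, the source MAC and both IP addresses are made up, and the destination MAC is the gateway address recorded above.

```python
import struct

def fmt_mac(raw):
    """Render 6 raw bytes as aa:bb:cc:dd:ee:ff, the way Wireshark shows it."""
    return ":".join(f"{b:02x}" for b in raw)

def parse_ethernet(frame):
    """Ethernet II header: 6-byte destination MAC, 6-byte source MAC, 2-byte type."""
    dst, src, etype = struct.unpack("!6s6sH", frame[:14])
    return {"dst_mac": fmt_mac(dst), "src_mac": fmt_mac(src),
            "type": etype, "payload": frame[14:]}

def parse_ipv4(packet):
    """Fixed 20-byte part of the IPv4 header (options, if any, follow it)."""
    (vihl, _tos, total_len, _ident, _flags_frag, ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    header_len = (vihl & 0x0F) * 4        # IHL is counted in 32-bit words
    # header_len says where the data starts; total_len says where the datagram
    # ends, which matters because short Ethernet frames carry padding after it.
    return {"version": vihl >> 4, "header_len": header_len,
            "total_len": total_len, "ttl": ttl, "protocol": proto,
            "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
            "payload": packet[header_len:total_len]}

# Constructed sample frame (not a capture from this page): an ICMP echo request
# with the 32-byte Windows ping payload, so the IP total length is 60 as above.
ICMP_ECHO = bytes.fromhex("0800f7ff00010001") + b"abcdefghijklmnopqrstuvwabcdefghi"
IP_HDR = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(ICMP_ECHO), 0x1234, 0,
                     128, 1, 0, bytes([192, 168, 1, 10]), bytes([192, 168, 1, 1]))
ETH_HDR = bytes.fromhex("00749c9f4013") + bytes.fromhex("aabbccddeeff") + b"\x08\x00"
SAMPLE_FRAME = ETH_HDR + IP_HDR + ICMP_ECHO + b"\x00" * 4   # 4 trailing pad bytes

if __name__ == "__main__":
    eth = parse_ethernet(SAMPLE_FRAME)
    ip = parse_ipv4(eth["payload"])
    print(eth["dst_mac"], eth["src_mac"], hex(eth["type"]))
    print({k: v for k, v in ip.items() if k != "payload"}, len(ip["payload"]))
```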

Experiment 2: IP packet fragmentation and reassembly
By the specification, an IP packet can be at most 64K bytes. However, because of the Ethernet frame limit, when the data of an IP packet exceeds 1500 bytes it is fragmented by the sender's data link layer and then reassembled at the receiver's network layer.

By default the ping command sends only 32 bytes of data to the other side. We can use the ping 202.202.240.16 -l 2000 command to specify the length of data to send. Capture with Wireshark at the same time (filter with ip.addr == 202.202.240.16) to see how the IP packet is fragmented, for example the fragment flags, the offset and the size of each fragment.
That address could not be requested successfully, so I changed it.
The packet was split into two fragments of 1480 and 528 bytes.
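
The split into 1480 and 528 bytes follows directly from the MTU and the 8-byte granularity of the offset field. The code below reproduces the sender's fragmentation and the receiver's reassembly for the ping -l 2000 case; it is an added example, not part of the original report, and the ICMP payload bytes are constructed.

```python
def fragment(payload, mtu=1500, ihl=20):
    """Split one datagram's payload for a link with the given MTU, as the sending
    IP layer does: every fragment but the last carries a multiple of 8 data bytes,
    the offset field counts 8-byte units, and MF (more fragments) is set on all
    but the last."""
    max_data = (mtu - ihl) // 8 * 8        # 1480 bytes for MTU 1500, 20-byte header
    fragments, pos = [], 0
    while pos < len(payload):
        chunk = payload[pos:pos + max_data]
        fragments.append({"offset": pos // 8,
                          "mf": pos + len(chunk) < len(payload),
                          "total_len": ihl + len(chunk),
                          "data": chunk})
        pos += len(chunk)
    return fragments

def reassemble(fragments):
    """Receiver side: order by offset, refuse holes, and require the last piece
    to have MF cleared. Returns the payload, or None while pieces are missing."""
    pieces = sorted(fragments, key=lambda f: f["offset"])
    data = b""
    for f in pieces:
        if f["offset"] * 8 != len(data):
            return None                        # a fragment has not arrived
        data += f["data"]
    return data if pieces and not pieces[-1]["mf"] else None

# Constructed: 'ping -l 2000' sends an ICMP echo of 8 header bytes + 2000 data bytes.
PING_2000 = bytes(8) + bytes(range(256)) * 7 + bytes(208)

if __name__ == "__main__":
    for f in fragment(PING_2000):
        print(f"offset={f['offset']} MF={int(f['mf'])} "
              f"data={len(f['data'])} total_len={f['total_len']}")
```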

Question
Fragmentation and reassembly are resource-consuming operations, especially when fragmentation is done by a node or router along the path, so IPv6 no longer allows it. So in IPv6, what should a router do when it encounters a packet that is too large?

Discard it directly and notify the sender to retransmit.
Because in IPv6 fragmentation can only be performed at the source and destination, not on a router, a router that receives a packet that is too large simply discards it.

Experiment 3: Examine the TTL field
The IP packet header has a TTL field that limits how many hops the packet can travel on the Internet. It is usually set to 64, 128, and so on.

In the confirmatory experiment part we used the tracert command for route tracing. Its principle is to set the TTL value of the IP packets deliberately, increasing it from 1 step by step until the final destination host is reached.

Run the tracert www.baidu.com command to trace the route, and capture packets with Wireshark at the same time (filter with icmp) to analyse how the TTL of each sent packet changes, so as to understand the principle of route tracing.

Question
In IPv4, although TTL is defined as Time To Live, in practice it is set as a number of hops/nodes. If you receive a packet whose TTL value is 50, how many hops from the packet's source to you can be inferred?

50 hops

Three: The transport layer

Experiment 1: Get familiar with the TCP and UDP segment structure. Capture any packets with Wireshark (filter with tcp) and get familiar with the structure of a TCP segment, for example the source port, destination port, sequence number, acknowledgement number and the various flags. Capture any packets with Wireshark (filter with udp) and get familiar with the structure of a UDP segment, for example the source port, destination port and length fields.
ping qige.io

tcp filter (screenshot)
udp filter (screenshot)

Question
From the above you can see that the UDP header is much simpler than the TCP header, but both have source and destination port numbers. What are the source and destination port numbers used for?

Source port and destination port: the port identifies the source of the data (an application) and its destination (the peer application). Each field holds a 16-bit UDP port number, which allows multiple applications to be multiplexed over the same transport-layer protocol (here UDP); different applications are distinguished only by port number.

Four: The application layer

Experiment 1: Understand DNS resolution
1. First run the ipconfig /flushdns command to clear the cache, then run the nslookup qige.io command to resolve the name, and capture packets with Wireshark (filter with dns).
2. You should see that this computer uses UDP to send a query to port 53 of the default DNS server, and that port 53 of the DNS server returns the result.
3. Understand the meaning of the relevant fields of the DNS query and response.


Question:
You may find that more than one DNS resolution request was issued for the same site. Think about the reason.

Because the URL we visit has only one domain name, but the server host is not unique. Each server has a different IP address, but their domain names are the same, so the resolution requests issued are distributed to different servers.
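
The UDP header fields from the transport-layer question (source port, destination port 53, length) and the DNS query fields from steps 2 and 3 above can be built and dissected in code. This is an added example, not part of the original report; the client port 53001 and transaction ID are made up, and the queried names are the ones used on this page.

```python
import struct

def encode_qname(name):
    """DNS name wire format: length-prefixed labels ending in a zero byte."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"

def build_dns_query(txid, name, qtype=1):
    """12-byte DNS header (flags 0x0100 = standard query, recursion desired,
    one question) followed by the question section. qtype 1 = A, 28 = AAAA."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_qname(name) + struct.pack("!HH", qtype, 1)

def build_udp(src_port, dst_port, payload):
    """8-byte UDP header; length covers header plus payload, checksum left 0."""
    return struct.pack("!HHHH", src_port, dst_port, 8 + len(payload), 0) + payload

def parse_udp(segment):
    src_port, dst_port, length, _csum = struct.unpack("!HHHH", segment[:8])
    return {"src_port": src_port, "dst_port": dst_port, "length": length,
            "payload": segment[8:length]}

def parse_dns(msg):
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    labels, pos = [], 12
    while msg[pos]:                       # walk the labels up to the zero byte
        n = msg[pos]
        labels.append(msg[pos + 1:pos + 1 + n].decode())
        pos += 1 + n
    qtype, qclass = struct.unpack("!HH", msg[pos + 1:pos + 5])
    return {"id": txid, "is_response": bool(flags & 0x8000),
            "recursion_desired": bool(flags & 0x0100), "questions": qd,
            "answers": an, "qname": ".".join(labels), "qtype": qtype, "qclass": qclass}

# Constructed: the datagram nslookup would send for qige.io (client port picked by the OS).
QUERY_SEGMENT = build_udp(53001, 53, build_dns_query(0x1A2B, "qige.io"))

if __name__ == "__main__":
    udp = parse_udp(QUERY_SEGMENT)
    print({k: v for k, v in udp.items() if k != "payload"})
    print(parse_dns(udp["payload"]))
```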

Experiment 2: Understand HTTP requests and responses
1. Open a browser and visit the qige.io website while capturing with Wireshark (filter with http, and use Follow TCP Stream). Do not stop the capture immediately; wait until the page is displayed and for some time afterwards, so that the packets that release the connection are captured too.
2. Find an HTTP request packet in your capture and check the method used in the request, such as GET or POST. Look carefully at which fields the request header contains and what they mean.
3. Find an HTTP response packet in your capture and check the response code, such as 200, 304 or 404. Look carefully at which fields the response header contains and what they mean.

GET request (screenshot)
POST request (screenshot)
3. Response (screenshot)

Question
Refresh the qige.io page while capturing packets. You will find many responses with code 304, which means the requested object has not changed and the browser should just use its locally cached copy. So why does the server answer with 304 instead of the usual 200?

Because with the first response the server tells the browser the last-modified time of the requested resource. When the browser sends the request a second time, it tells the server that the resource it requested last time is still in its cache, and that if the resource has not been modified, the response body need not be sent. The server compares the time sent by the browser with the modification time of the requested resource; if they match, it answers 304, meaning the response body is not transmitted and the content is taken from the earlier cache.
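
The Last-Modified / If-Modified-Since exchange described in the answer can be simulated with a small server function and a caching client. This is an added example rather than anything captured from qige.io; the resource path, body and timestamps are made up.

```python
from datetime import datetime
from email.utils import formatdate, parsedate_to_datetime

# Constructed stand-in for the server's files: path -> body and modification time.
RESOURCES = {}

def update_resource(path, body, modified_iso):
    """Simulate (re)writing a file on the server; time like '2020-11-01T08:00:00+00:00'."""
    RESOURCES[path] = {"body": body, "last_modified": datetime.fromisoformat(modified_iso)}

def http_date(dt):
    """RFC 7231 date format, e.g. 'Sun, 01 Nov 2020 08:00:00 GMT'."""
    return formatdate(dt.timestamp(), usegmt=True)

def handle_get(path, request_headers):
    """Server: answer 304 with no body when the client's If-Modified-Since is not
    older than the resource's Last-Modified; otherwise send the full 200."""
    res = RESOURCES.get(path)
    if res is None:
        return 404, {}, b"Not Found"
    headers = {"Last-Modified": http_date(res["last_modified"])}
    ims = request_headers.get("If-Modified-Since")
    if ims and parsedate_to_datetime(ims) >= res["last_modified"]:
        return 304, headers, b""
    headers["Content-Length"] = str(len(res["body"]))
    return 200, headers, res["body"]

def browser_fetch(path, cache):
    """Client: add If-Modified-Since when a cached copy exists; on 304 reuse the
    cached body, on 200 store the new body together with its Last-Modified."""
    req = {}
    if path in cache:
        req["If-Modified-Since"] = cache[path]["Last-Modified"]
    status, headers, body = handle_get(path, req)
    if status == 200:
        cache[path] = {"Last-Modified": headers["Last-Modified"], "body": body}
    elif status == 304:
        body = cache[path]["body"]
    return status, body

update_resource("/index.html", b"<html>qige.io home</html>", "2020-11-01T08:00:00+00:00")

if __name__ == "__main__":
    cache = {}
    print(browser_fetch("/index.html", cache))   # first visit: 200 with body
    print(browser_fetch("/index.html", cache))   # refresh: 304, body from cache
```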

Usage steps

1. Introduce the library

The code is as follows (example):

import numpy as np
import pandas as pd
import matplotlib.pyplot as plt
import seaborn as sns
import warnings
warnings.filterwarnings('ignore')   # hide library warnings in the notebook output
import ssl
# Disables HTTPS certificate verification for the read_csv download below. This
# removes the check that the server is who it claims to be, so anyone on the
# network path could substitute a tampered file; fixing the CA store is the
# safer alternative.
ssl._create_default_https_context = ssl._create_unverified_context

2. Read in the data

The code is as follows (example):

data = pd.read_csv(
    'https://labfile.oss.aliyuncs.com/courses/1283/adult.data.csv')
print(data.head())   # show the first five rows to check that the load worked

The data here is fetched over the network from the URL above.


Summary

This article only briefly introduced the use of pandas; pandas provides a large number of functions and methods that let us process data quickly and conveniently.

Origin blog.csdn.net/aiwr_/article/details/109584554