Computer networks: Wireshark experiments

Data link layer

1. Getting familiar with the Ethernet frame structure

Capture some packets with Wireshark and get familiar with the structure of the Ethernet frame: destination MAC, source MAC, the type field, and so on.
The capture shows that the source and destination MAC addresses pair up one-to-one, and the type field can be read directly from the frame.

2. Resolving the MAC address for communication inside and outside the subnet

1. Ping qige.io (or any host outside this subnet) and capture the packets with Wireshark (filter on icmp). Record the destination MAC address of the frame you send and the source MAC address of the frame that comes back. How many distinct MAC addresses do you see, and whose are they?
Destination MAC address: 5e-1d-d9-ea-96-64
Source MAC address of the returned frame: 5e-1d-d9-ea-96-64

2. Now ping www.cqjtu.edu.cn (or any other host outside this subnet) and capture the packets with Wireshark (filter on icmp). Record the destination MAC address of the frame you send and the source MAC address of the frame that comes back. How many distinct MAC addresses are there, and whose are they?
Again it is the MAC address of the gateway.

Summary: MAC addresses only have meaning within a local area network. LANs are interconnected over existing public networks or leased lines, which requires conversion between network-layer protocols. Therefore, when a computer on another subnet is accessed, the destination MAC of the frame is the gateway's.

3. Mastering the ARP resolution process

Run arp -d * to clear the ARP cache, then ping qige.io (or any host outside the subnet) and capture the packets with Wireshark (filter on arp). Look at what the ARP request asks for and note who answers it.
It turns out that the resolved MAC address is the gateway's MAC address, which shows that when a computer on an external network is pinged, it is the gateway that answers the ARP request.

Summary: ARP resolution first checks whether the target address is already in the ARP table. If it is, the target MAC is used directly without a new request; if not, an ARP request is sent to obtain the destination MAC. If the destination address is on the same subnet, the host does not need to go through the gateway; if it is on a different subnet, communication goes through the gateway.
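The exchange above (a broadcast ARP request answered by the gateway) and the next-hop rule in the summary, as an added example in Python that is not part of the original post. It assembles a constructed ARP request/reply pair, decodes the Ethernet header and ARP fields the way Wireshark displays them, and decides which address a host must resolve before sending. The host address 192.168.1.10, the gateway 192.168.1.1, the /24 mask and the external address 203.0.113.10 are assumptions; only the gateway MAC 5e-1d-d9-ea-96-64 comes from the post.

```python
import ipaddress
import struct

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff-ff-ff-ff-ff-ff"


def mac_to_str(raw: bytes) -> str:
    """Render 6 raw bytes in the dash-separated form Windows and the post use."""
    return "-".join(f"{b:02x}" for b in raw)


def mac_to_bytes(mac: str) -> bytes:
    return bytes(int(part, 16) for part in mac.replace(":", "-").split("-"))


def parse_ethernet(frame: bytes) -> dict:
    """Split the 14-byte Ethernet II header into dst MAC, src MAC and EtherType."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    return {"dst": mac_to_str(dst), "src": mac_to_str(src),
            "type": ethertype, "payload": frame[14:]}


def parse_arp(payload: bytes) -> dict:
    """Decode a 28-byte Ethernet/IPv4 ARP packet (RFC 826 layout)."""
    if len(payload) < 28:
        raise ValueError("ARP packet truncated")
    (_htype, _ptype, _hlen, _plen, oper,
     sha, spa, tha, tpa) = struct.unpack("!HHBBH6s4s6s4s", payload[:28])
    return {"op": {ARP_REQUEST: "request", ARP_REPLY: "reply"}.get(oper, oper),
            "sender_mac": mac_to_str(sha), "sender_ip": str(ipaddress.IPv4Address(spa)),
            "target_mac": mac_to_str(tha), "target_ip": str(ipaddress.IPv4Address(tpa))}


def build_arp_frame(dst_mac, src_mac, oper, sha, spa, tha, tpa) -> bytes:
    """Assemble an Ethernet frame carrying an ARP packet (used here to construct samples)."""
    arp = struct.pack("!HHBBH6s4s6s4s", 1, ETHERTYPE_IPV4, 6, 4, oper,
                      mac_to_bytes(sha), ipaddress.IPv4Address(spa).packed,
                      mac_to_bytes(tha), ipaddress.IPv4Address(tpa).packed)
    return struct.pack("!6s6sH", mac_to_bytes(dst_mac), mac_to_bytes(src_mac), ETHERTYPE_ARP) + arp


def arp_target(host_ip: str, netmask: str, dst_ip: str, gateway_ip: str) -> str:
    """Return the IP the host must resolve with ARP before sending to dst_ip."""
    subnet = ipaddress.IPv4Network(f"{host_ip}/{netmask}", strict=False)
    return dst_ip if ipaddress.IPv4Address(dst_ip) in subnet else gateway_ip


# Constructed sample exchange: all addresses are made up except the gateway MAC from the post.
HOST_MAC, HOST_IP = "00-11-22-33-44-55", "192.168.1.10"
GATEWAY_MAC, GATEWAY_IP = "5e-1d-d9-ea-96-64", "192.168.1.1"
NETMASK = "255.255.255.0"

ARP_REQUEST_FRAME = build_arp_frame(BROADCAST, HOST_MAC, ARP_REQUEST,
                                    HOST_MAC, HOST_IP, "00-00-00-00-00-00", GATEWAY_IP)
ARP_REPLY_FRAME = build_arp_frame(HOST_MAC, GATEWAY_MAC, ARP_REPLY,
                                  GATEWAY_MAC, GATEWAY_IP, HOST_MAC, HOST_IP)


def who_answered(frames) -> dict:
    """Pair an ARP request with its reply and report which MAC answered for which IP."""
    request = reply = None
    for frame in frames:
        eth = parse_ethernet(frame)
        if eth["type"] != ETHERTYPE_ARP:
            continue
        arp = parse_arp(eth["payload"])
        if arp["op"] == "request" and eth["dst"] == BROADCAST:
            request = arp
        elif arp["op"] == "reply" and request and arp["sender_ip"] == request["target_ip"]:
            reply = arp
    if not (request and reply):
        return {}
    return {"asked_for": request["target_ip"], "answered_by": reply["sender_mac"]}


if __name__ == "__main__":
    print("ping 203.0.113.10 -> ARP for", arp_target(HOST_IP, NETMASK, "203.0.113.10", GATEWAY_IP))
    print(who_answered([ARP_REQUEST_FRAME, ARP_REPLY_FRAME]))
```

For an address outside the subnet `arp_target` returns the gateway, which is why the capture shows the gateway's MAC as both the ARP answer and the destination of every outgoing frame.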

Network layer

1. Getting familiar with the IP packet structure

Capture some packets with Wireshark (filter on ip) and get familiar with the structure of the IP packet: version, header length, total length, TTL, protocol type and the other fields.
To improve efficiency the IP header should be kept as compact as possible. Yet in this precious header you will find both a header length field and a total length field. Why?
The IP header carries two length fields: one is the length of the entire datagram (header plus data), the other is the length of the header alone, the field referred to as ver_len. The header length is needed because IP options make the header variable in length; only by knowing the header length can the start of the data be located exactly.
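The point about ver_len, as an added Python example that is not from the original post: an IPv4 builder and parser that uses the IHL nibble to find where the options end and the data begins, and the total length field to find where the data ends, checked on two constructed packets that carry the same payload with and without a 4-byte option block. The addresses and the payload bytes are assumptions made up for the example.

```python
import struct


def checksum16(data: bytes) -> int:
    """Internet checksum: ones' complement of the ones' complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, payload: bytes, proto: int = 1, ttl: int = 128,
               options: bytes = b"") -> bytes:
    """Assemble an IPv4 packet; options must already be padded to a multiple of 4 bytes."""
    if len(options) % 4:
        raise ValueError("IP options must be padded to a 32-bit boundary")
    ihl = (20 + len(options)) // 4           # header length in 32-bit words
    ver_len = (4 << 4) | ihl                  # version 4 in the high nibble, IHL in the low one
    total_length = 20 + len(options) + len(payload)
    src_b = bytes(int(x) for x in src.split("."))
    dst_b = bytes(int(x) for x in dst.split("."))
    header = struct.pack("!BBHHHBBH4s4s", ver_len, 0, total_length, 0x1234, 0,
                         ttl, proto, 0, src_b, dst_b) + options
    csum = checksum16(header)                 # computed with the checksum field zeroed
    header = header[:10] + struct.pack("!H", csum) + header[12:]
    return header + payload


def parse_ipv4(packet: bytes) -> dict:
    """Locate the data using the header length (IHL) and the total length fields."""
    if len(packet) < 20:
        raise ValueError("packet shorter than a minimal IPv4 header")
    ver_len = packet[0]
    version = ver_len >> 4
    header_len = (ver_len & 0x0F) * 4         # 20..60 bytes
    if version != 4 or header_len < 20:
        raise ValueError("not a valid IPv4 header")
    total_length = struct.unpack("!H", packet[2:4])[0]
    if total_length < header_len or len(packet) < total_length:
        raise ValueError("total length inconsistent with captured bytes")
    if checksum16(packet[:header_len]) != 0:  # a correct header sums to zero
        raise ValueError("header checksum mismatch")
    return {
        "version": version,
        "header_len": header_len,
        "total_length": total_length,
        "ttl": packet[8],
        "protocol": packet[9],
        "src": ".".join(str(b) for b in packet[12:16]),
        "dst": ".".join(str(b) for b in packet[16:20]),
        "options": packet[20:header_len],
        "data": packet[header_len:total_length],  # data starts only after the options
    }


# Constructed samples: same 8-byte payload (shaped like an ICMP echo header, checksum left 0),
# once without options and once with a NOP,NOP,NOP,EOL option block.
PAYLOAD = b"\x08\x00\x00\x00\x00\x01\x00\x01"
PLAIN = build_ipv4("192.168.1.10", "203.0.113.10", PAYLOAD)
WITH_OPTIONS = build_ipv4("192.168.1.10", "203.0.113.10", PAYLOAD, options=b"\x01\x01\x01\x00")

if __name__ == "__main__":
    for pkt in (PLAIN, WITH_OPTIONS):
        info = parse_ipv4(pkt)
        print(f"header_len={info['header_len']} total_length={info['total_length']} "
              f"data_ok={info['data'] == PAYLOAD}")
```

Without the IHL a parser would have to assume the data starts at byte 20 and would misread the option bytes as payload in the second packet; without the total length it could not tell payload from Ethernet padding on short frames.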

2. Fragmentation and reassembly of IP packets

By specification an IP packet can be at most 64 KB. Because of the Ethernet frame limit, however, when the data in an IP packet exceeds 1500 bytes it is fragmented by the sender's data link layer and reassembled at the receiver's network layer.
By default the ping command sends only 32 bytes of data. The command ping 202.202.240.16 -l 2000 specifies the length of data to send. Capture the packets with Wireshark (filter with ip.addr == 202.202.240.16) to see how the IP packet is fragmented: the fragmentation flags, the offsets, the size of each fragment, and so on.
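The fragmentation the capture shows, as an added Python example that is not part of the original post. It computes the fragments an IP payload is cut into for a given MTU (offset field in 8-byte units, More Fragments flag, total length) and reassembles them again, detecting a missing piece. For ping -l 2000 it assumes the IP payload is the 8-byte ICMP header plus 2000 bytes of data and an Ethernet MTU of 1500 bytes; the identification value 0x1234 is a constructed placeholder.

```python
def fragment(payload: bytes, mtu: int = 1500, header_len: int = 20, ident: int = 0x1234) -> list:
    """Split an IP payload into fragments that fit the MTU; offsets are in 8-byte units."""
    max_data = (mtu - header_len) // 8 * 8      # 1480 for Ethernet: largest multiple of 8 that fits
    fragments = []
    offset = 0
    while offset < len(payload) or not fragments:
        chunk = payload[offset:offset + max_data]
        more = offset + len(chunk) < len(payload)
        fragments.append({
            "id": ident,                          # identification field shared by all fragments
            "offset_field": offset // 8,          # value carried in the 13-bit fragment offset field
            "offset_bytes": offset,
            "MF": more,                           # More Fragments flag
            "total_length": header_len + len(chunk),
            "data": chunk,
        })
        offset += len(chunk)
    return fragments


def reassemble(fragments: list) -> bytes:
    """Rebuild the payload from the fragments of one datagram, tolerating reordering and detecting gaps."""
    if len({f["id"] for f in fragments}) != 1:
        raise ValueError("fragments belong to different datagrams")
    ordered = sorted(fragments, key=lambda f: f["offset_field"])
    expected = 0
    for f in ordered:
        if f["offset_field"] * 8 != expected:
            raise ValueError(f"missing fragment before byte offset {expected}")
        expected += len(f["data"])
    if ordered[-1]["MF"]:
        raise ValueError("last fragment (MF=0) not received")
    return b"".join(f["data"] for f in ordered)


def ping_fragments(data_bytes: int, mtu: int = 1500) -> list:
    """Fragments produced for 'ping -l data_bytes': the IP payload is an 8-byte ICMP header plus the data."""
    return fragment(b"\x00" * (8 + data_bytes), mtu)


if __name__ == "__main__":
    for f in ping_fragments(2000):
        print(f"offset={f['offset_field']} ({f['offset_bytes']} bytes) MF={int(f['MF'])} "
              f"total_length={f['total_length']}")
```

For 2000 bytes of ping data the first fragment carries 1480 bytes (total length 1500, MF set, offset 0) and the second carries the remaining 528 bytes (total length 548, MF clear, offset field 185, i.e. byte 1480), which is what the Wireshark capture should list. The default 32-byte ping needs no fragmentation at all.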

3. Investigating the TTL

The IP header contains a TTL field that limits how many hops a packet can travel across the Internet; it is usually set to 64, 128, and so on.
In the confirmatory experiment we used the tracert command for route tracing. Its principle is to set the TTL of the IP packet deliberately, starting at 1 and increasing it one step at a time until the final destination host is reached.
Run tracert www.baidu.com, capture the packets with Wireshark (filter on icmp) and analyse the TTL of each packet that is sent.

Although TTL stands for Time To Live, in IPv4 it is in practice counted in hops (nodes). If you receive a packet whose TTL is 50, how many hops can you infer lie between the packet's source and you?
128 - 50 = 78
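The hop inference and the tracert principle, as an added Python example that is not part of the original post. `infer_hops` applies the rule hops = initial TTL - observed TTL; the answer above assumes the sender started at 128 (the Windows default), and the function also shows the answer you get under the other common starting values, since the initial TTL is a guess unless you know the sending system. `simulate_tracert` models the probe sequence with TTL 1, 2, 3, ... over a constructed path of routers named r1, r2, r3 (assumed names, not real hosts).

```python
COMMON_INITIAL_TTLS = (64, 128, 255)   # typical defaults: Linux/macOS 64, Windows 128, some network gear 255


def guess_initial_ttl(observed_ttl: int) -> int:
    """Assume the sender started from the smallest common default not below the observed value."""
    for initial in COMMON_INITIAL_TTLS:
        if observed_ttl <= initial:
            return initial
    raise ValueError("TTL out of range")


def infer_hops(observed_ttl: int, initial_ttl=None) -> int:
    """Hops traversed = initial TTL - TTL seen on arrival (each router decrements by one)."""
    if not 0 <= observed_ttl <= 255:
        raise ValueError("TTL must fit in one byte")
    if initial_ttl is None:
        initial_ttl = guess_initial_ttl(observed_ttl)
    return initial_ttl - observed_ttl


def simulate_tracert(routers: list, destination: str, max_hops: int = 30) -> list:
    """Model tracert: send probes with TTL 1, 2, 3, ... and record who answers each one."""
    replies = []
    for ttl in range(1, max_hops + 1):
        remaining = ttl
        responder = None
        for router in routers:
            remaining -= 1                               # each router decrements TTL before forwarding
            if remaining == 0:
                responder = (router, "Time exceeded")    # ICMP type 11 comes back from this router
                break
        if responder is None:
            responder = (destination, "Echo reply")      # the probe survived the whole path
        replies.append((ttl, responder))
        if responder[0] == destination:
            break                                        # tracert stops once the destination answers
    return replies


if __name__ == "__main__":
    print("TTL 50 seen, Windows sender:", infer_hops(50, 128), "hops")
    print("TTL 50 seen, initial guessed:", infer_hops(50), "hops (assumes 64)")
    for ttl, (who, what) in simulate_tracert(["r1", "r2", "r3"], "www.example.invalid"):
        print(f"probe TTL={ttl}: {who} replied with {what}")
```

In the tracert capture the outgoing ICMP echo requests show TTL 1, 2, 3, ... and the "Time exceeded" replies come from a different router each time, which is exactly the sequence `simulate_tracert` reproduces.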

Transport layer

1. Getting familiar with the TCP and UDP segment structure

1. Capture some packets with Wireshark (filter on tcp) and get familiar with the structure of the TCP segment: source port, destination port, sequence number, acknowledgement number, the various flags and the other fields.
2. Capture some packets with Wireshark (filter on udp) and get familiar with the structure of the UDP segment: source port, destination port, length, and so on.
From the above you can see that the UDP header is much simpler than the TCP header, but both carry a source and a destination port number. What are the source and destination port numbers used for?
A port number uniquely identifies a process on a host. The source port identifies the process that initiates the communication and the destination port identifies the process that receives it. With the port number, the receiving host knows which process to hand the message to.

2. Analysing TCP connection establishment and release

1. Open a browser, visit the qige.io website and capture the packets with Wireshark (filter on tcp, then use Follow TCP Stream). Do not stop capturing right away: wait a while after the page is displayed so that the packets releasing the connection are captured as well.
2. Find the three-way handshake that establishes the connection among the captured packets, and explain why these packets establish the connection and what their characteristics are.
It is recommended to enter the filter above first and then open the qige.io website; the three handshake packets are then easy to catch.
Wait until the connection has been released, then stop the capture.

Three-way handshake:
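The handshake and release you are asked to find, together with the TCP fields from the segment-structure task above, as an added Python example that is not part of the original post. It decodes the 20-byte TCP header, then searches a list of segments for a consistent SYN, SYN-ACK, ACK triple (matching port pairs, the SYN-ACK acknowledging the client's initial sequence number plus one, the final ACK acknowledging the server's plus one) and lists the FIN segments of the release. The stream is constructed: client port 52000, server port 80, initial sequence numbers 1000 and 5000 and the short HTTP exchange are all assumptions; checksums are left at zero.

```python
import struct

TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}


def parse_tcp(segment: bytes) -> dict:
    """Decode the fixed TCP header; the data offset says where options end and data begins."""
    if len(segment) < 20:
        raise ValueError("segment shorter than a TCP header")
    sport, dport, seq, ack, off_flags, window, _csum, _urg = struct.unpack("!HHIIHHHH", segment[:20])
    data_offset = (off_flags >> 12) * 4          # header length in bytes (20..60)
    flag_bits = off_flags & 0x01FF
    flags = {name for name, bit in TCP_FLAGS.items() if flag_bits & bit}
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack, "flags": flags,
            "window": window, "options": segment[20:data_offset], "data": segment[data_offset:]}


def build_tcp(sport, dport, seq, ack, flags, data=b"") -> bytes:
    """Assemble a TCP segment without options (checksum left 0; used to construct samples)."""
    flag_bits = sum(TCP_FLAGS[f] for f in flags)
    header = struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | flag_bits, 65535, 0, 0)
    return header + data


def find_handshake(segments):
    """Return indices (syn, syn_ack, ack) of the first consistent three-way handshake, or None."""
    parsed = [parse_tcp(s) for s in segments]
    for i, syn in enumerate(parsed):
        if syn["flags"] != {"SYN"}:
            continue
        client, server = (syn["sport"], syn["dport"]), (syn["dport"], syn["sport"])
        for j in range(i + 1, len(parsed)):
            sa = parsed[j]
            if (sa["flags"] == {"SYN", "ACK"} and (sa["sport"], sa["dport"]) == server
                    and sa["ack"] == syn["seq"] + 1):          # acknowledges the client's ISN
                for k in range(j + 1, len(parsed)):
                    a = parsed[k]
                    if ("ACK" in a["flags"] and "SYN" not in a["flags"]
                            and (a["sport"], a["dport"]) == client
                            and a["seq"] == syn["seq"] + 1     # client's next sequence number
                            and a["ack"] == sa["seq"] + 1):    # acknowledges the server's ISN
                        return (i, j, k)
    return None


def find_release(segments):
    """Indices of segments carrying FIN: each side closes its own direction, so normally two."""
    return [i for i, s in enumerate(segments) if "FIN" in parse_tcp(s)["flags"]]


# Constructed stream: a browser on port 52000 talks to a web server on port 80.
CLIENT_ISN, SERVER_ISN = 1000, 5000
STREAM = [
    build_tcp(52000, 80, CLIENT_ISN, 0, ["SYN"]),
    build_tcp(80, 52000, SERVER_ISN, CLIENT_ISN + 1, ["SYN", "ACK"]),
    build_tcp(52000, 80, CLIENT_ISN + 1, SERVER_ISN + 1, ["ACK"]),
    build_tcp(52000, 80, CLIENT_ISN + 1, SERVER_ISN + 1, ["PSH", "ACK"], b"GET / HTTP/1.1\r\n\r\n"),
    build_tcp(80, 52000, SERVER_ISN + 1, CLIENT_ISN + 19, ["PSH", "ACK"], b"HTTP/1.1 200 OK\r\n\r\n"),
    build_tcp(52000, 80, CLIENT_ISN + 19, SERVER_ISN + 20, ["FIN", "ACK"]),
    build_tcp(80, 52000, SERVER_ISN + 20, CLIENT_ISN + 20, ["FIN", "ACK"]),
    build_tcp(52000, 80, CLIENT_ISN + 20, SERVER_ISN + 21, ["ACK"]),
]

if __name__ == "__main__":
    print("handshake at indices", find_handshake(STREAM))
    print("FIN segments at indices", find_release(STREAM))
    for s in STREAM[:3]:
        t = parse_tcp(s)
        print(f"{t['sport']} -> {t['dport']} flags={sorted(t['flags'])} seq={t['seq']} ack={t['ack']}")
```

The characteristics the task asks for are exactly what `find_handshake` checks: the SYN carries no ACK, the reply carries both SYN and ACK with an acknowledgement number one past the client's initial sequence number, and the final segment carries only ACK and confirms the server's initial sequence number in the same way.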

Application layer

1. Understanding DNS resolution

1. First run ipconfig /flushdns to clear the cache, then run nslookup qige.io to resolve the name while capturing the packets with Wireshark (filter on dns).

2. You should see that the computer sends the query over UDP to port 53 of the default DNS server, and that the DNS server returns the result from port 53.
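The query-to-port-53 / reply-from-port-53 exchange, as an added Python example that is not part of the original post, covering the UDP header from the transport-layer task as well. It decodes the 8-byte UDP header, builds a DNS A query for qige.io, builds a constructed response that answers it with a compression pointer (0xC00C) to the question name, and parses both. The client port 51000, the answer address 203.0.113.5, the transaction id 0x1234 and the 300-second TTL are assumptions; the real address of qige.io is not known to this example.

```python
import struct

DNS_PORT = 53
TYPE_A, CLASS_IN = 1, 1


def parse_udp(datagram: bytes) -> dict:
    """Decode the 8-byte UDP header: source port, destination port, length, checksum."""
    if len(datagram) < 8:
        raise ValueError("datagram shorter than a UDP header")
    sport, dport, length, _csum = struct.unpack("!HHHH", datagram[:8])
    if length < 8 or length > len(datagram):
        raise ValueError("UDP length field inconsistent with captured bytes")
    return {"sport": sport, "dport": dport, "length": length, "data": datagram[8:length]}


def build_udp(sport: int, dport: int, data: bytes) -> bytes:
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data   # checksum left 0 (constructed)


def encode_name(name: str) -> bytes:
    """qige.io -> b'\\x04qige\\x02io\\x00' (length-prefixed labels, zero terminator)."""
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in name.split(".")) + b"\x00"


def read_name(msg: bytes, pos: int):
    """Read a possibly compressed name; return (name, position just after it in the stream)."""
    labels, end, jumps = [], None, 0
    while True:
        length = msg[pos]
        if length & 0xC0 == 0xC0:                        # compression pointer to an earlier name
            jumps += 1
            if jumps > 16:
                raise ValueError("compression pointer loop")
            if end is None:
                end = pos + 2
            pos = struct.unpack("!H", msg[pos:pos + 2])[0] & 0x3FFF
            continue
        pos += 1
        if length == 0:
            break
        labels.append(msg[pos:pos + length].decode("ascii"))
        pos += length
    return ".".join(labels), (end if end is not None else pos)


def build_dns_query(name: str, txid: int = 0x1234) -> bytes:
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD=1, one question
    return header + encode_name(name) + struct.pack("!HH", TYPE_A, CLASS_IN)


def build_dns_response(query: bytes, address: str, ttl: int = 300) -> bytes:
    """Echo the question back and add one A record using a pointer to the question name (0xC00C)."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)   # QR=1, RD, RA, one answer
    rdata = bytes(int(x) for x in address.split("."))
    answer = b"\xC0\x0C" + struct.pack("!HHIH", TYPE_A, CLASS_IN, ttl, len(rdata)) + rdata
    return header + query[12:] + answer


def parse_dns(msg: bytes) -> dict:
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    pos, questions, answers = 12, [], []
    for _ in range(qd):
        name, pos = read_name(msg, pos)
        qtype, _qclass = struct.unpack("!HH", msg[pos:pos + 4])
        pos += 4
        questions.append((name, qtype))
    for _ in range(an):
        name, pos = read_name(msg, pos)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        pos += 10
        rdata, pos = msg[pos:pos + rdlen], pos + rdlen
        if rtype == TYPE_A and rdlen == 4:
            answers.append((name, ".".join(str(b) for b in rdata), ttl))
    return {"id": txid, "is_response": bool(flags & 0x8000), "rcode": flags & 0x000F,
            "questions": questions, "answers": answers}


def describe(datagram: bytes) -> str:
    """Classify a UDP datagram the way the capture shows it: query to port 53 or reply from port 53."""
    udp = parse_udp(datagram)
    dns = parse_dns(udp["data"])
    if udp["dport"] == DNS_PORT and not dns["is_response"]:
        return f"query {dns['questions'][0][0]} from port {udp['sport']} to port 53"
    if udp["sport"] == DNS_PORT and dns["is_response"]:
        return f"response from port 53 to port {udp['dport']}: {[a[1] for a in dns['answers']]}"
    return "not a DNS exchange on port 53"


# Constructed exchange for qige.io; the answer address is made up.
QUERY = build_udp(51000, DNS_PORT, build_dns_query("qige.io"))
RESPONSE = build_udp(DNS_PORT, 51000, build_dns_response(parse_udp(QUERY)["data"], "203.0.113.5"))

if __name__ == "__main__":
    print(describe(QUERY))
    print(describe(RESPONSE))
```

The transaction id is what lets the resolver match the reply to its query, and the reply reuses the client's ephemeral port as its destination, which is why Wireshark shows the two datagrams as one conversation.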

2. Understanding HTTP requests and responses

1. Open a browser, visit the qige.io website and capture the packets with Wireshark (filter on http, then use Follow TCP Stream). Do not stop capturing right away; after the page is displayed, wait a while so that the packets releasing the connection are captured.
2. Find the HTTP request packet among the captured packets and check the method used in the request, such as GET or POST.
3. Find the HTTP response packet among the captured packets and check the response code, such as 200, 304 or 404.
404: the page does not exist.
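Reading the method and the status code out of the raw bytes that Follow TCP Stream shows, as an added Python example that is not part of the original post. It splits an HTTP/1.x message into start line, header fields and body, parses the request line (method, target, version) and the status line (version, code, reason), and rejects a message that is still missing the blank line that ends the headers. The request and response bytes are constructed samples.

```python
STATUS_TEXT = {
    200: "OK: request succeeded",
    304: "Not Modified: the cached copy is still valid",
    404: "Not Found: the page does not exist",
}
METHODS = {"GET", "POST", "HEAD", "PUT", "DELETE", "OPTIONS"}


def split_message(raw: bytes):
    """Separate the start line, the header fields and the body of an HTTP/1.x message."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete HTTP message: no blank line after the headers")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()   # field names are case-insensitive
    return lines[0], headers, body


def parse_request(raw: bytes) -> dict:
    """Request line: METHOD target HTTP/version."""
    start, headers, body = split_message(raw)
    parts = start.split(" ")
    if len(parts) != 3 or parts[0] not in METHODS or not parts[2].startswith("HTTP/"):
        raise ValueError(f"not an HTTP request line: {start!r}")
    return {"method": parts[0], "target": parts[1], "version": parts[2],
            "headers": headers, "body": body}


def parse_response(raw: bytes) -> dict:
    """Status line: HTTP/version code reason."""
    start, headers, body = split_message(raw)
    parts = start.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError(f"not an HTTP status line: {start!r}")
    return {"version": parts[0], "status": int(parts[1]),
            "reason": parts[2] if len(parts) == 3 else "", "headers": headers, "body": body}


def classify(payload: bytes) -> str:
    """Tell a request from a response, as the http filter labels them in Wireshark."""
    if payload.startswith(b"HTTP/"):
        r = parse_response(payload)
        return f"response {r['status']} ({STATUS_TEXT.get(r['status'], r['reason'])})"
    r = parse_request(payload)
    return f"request {r['method']} {r['target']}"


# Constructed samples standing in for what Follow TCP Stream would show.
REQUEST = b"GET /index.html HTTP/1.1\r\nHost: qige.io\r\nUser-Agent: constructed-sample\r\n\r\n"
RESPONSE = (b"HTTP/1.1 404 Not Found\r\nContent-Type: text/html\r\nContent-Length: 9\r\n\r\n"
            b"not found")

if __name__ == "__main__":
    print(classify(REQUEST))
    print(classify(RESPONSE))
```

A request can only be told apart from a response by its start line: a request begins with the method, a response with the protocol version, which is the check `classify` performs before choosing a parser.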

Source: blog.csdn.net/rude_dragon/article/details/111571380