Wireshark packet capture and common protocol analysis
Open the Kali terminal and run wireshark to launch Wireshark, then click the capture Options.
Tick the Promiscuous mode option and start the packet capture.
From the terminal open Firefox and browse to Baidu so that there is traffic to capture.
At this point many types of packets have been captured.
The filter bar at the top can restrict the display to a packet type, a source address, a destination address and so on; for example, to show only ARP traffic, filter on arp.
We ping an address,
and we can filter on source and destination addresses with the display-filter syntax: ip.src_host matches the source address and ip.dst_host matches the destination address.
Use Wireshark to capture packets of common protocols and analyze how each protocol works
1. ARP
The Address Resolution Protocol is a network protocol that resolves a network-layer address into a data-link-layer address: ARP uses an IP address to find the corresponding MAC address.
Start filtering on arp.
We use nmap to run a scan that relies on the ARP protocol.
Back in Wireshark, we select the first captured ARP packet for analysis.
1. Address Resolution Protocol (request) //ARP request packet
2. Hardware type: Ethernet (1) //hardware type
3. Protocol type: IPv4 (0x0800) //protocol type
4. Hardware size: 6 //hardware (MAC) address length in bytes
5. Protocol size: 4 //protocol (IP) address length in bytes
6. Opcode: request (1) //opcode 1 means a request packet
7. Sender MAC address: VMware_91:59:6a (00:0c:29:91:59:6a) //source MAC address
8. Sender IP address: 192.168.91.132 //source IP address
9. Target MAC address: 00:00:00_00:00:00 (00:00:00:00:00:00) //target MAC address, all zeros because it is not yet known
10. Target IP address: 192.168.91.2 //target IP address
Next, analyze the following ARP reply packet.
1. Address Resolution Protocol (reply) //ARP reply packet
2. Hardware type: Ethernet (1) //hardware type
3. Protocol type: IPv4 (0x0800) //protocol type
4. Hardware size: 6 //hardware (MAC) address length in bytes
5. Protocol size: 4 //protocol (IP) address length in bytes
6. Opcode: reply (2) //opcode 2 means a reply packet
7. Sender MAC address: VMware_ff:2a:74 (00:50:56:ff:2a:74) //source MAC address
8. Sender IP address: 192.168.91.2 //source IP address
9. Target MAC address: VMware_91:59:6a (00:0c:29:91:59:6a) //target MAC address
10. Target IP address: 192.168.91.132 //target IP address
It is easy to understand from the picture: 192.168.91.132 broadcasts an ARP request asking for the MAC address of 192.168.91.2; 192.168.91.2 receives the request and replies to 192.168.91.132 with its own MAC address.
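As an added example (not code from the original page): a parser for the ARP fields listed above, fed a constructed packet carrying the request's values, plus a helper that builds the reply the target host would send, so the request/reply pairing described here can be checked programmatically. Only Ethernet/IPv4 ARP is handled.

```python
import struct
import ipaddress

OPCODES = {1: "request", 2: "reply"}

def parse_arp(payload: bytes) -> dict:
    """Decode the fixed 8-byte ARP header and the four Ethernet/IPv4 address fields."""
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", payload[:8])
    if htype != 1 or ptype != 0x0800 or hlen != 6 or plen != 4:
        raise ValueError("only Ethernet/IPv4 ARP is handled here")
    off, fields = 8, {}
    for name in ("sender_mac", "sender_ip", "target_mac", "target_ip"):
        size = hlen if name.endswith("mac") else plen
        raw = payload[off:off + size]
        off += size
        fields[name] = (":".join(f"{b:02x}" for b in raw) if size == hlen
                        else str(ipaddress.IPv4Address(raw)))
    return {"opcode": OPCODES.get(opcode, f"unknown ({opcode})"), **fields}

def build_arp_reply(request: bytes, responder_mac: str) -> bytes:
    """Build the reply the queried host sends: opcode 2, its MAC filled in, addresses swapped."""
    req = parse_arp(request)
    mac = bytes.fromhex(responder_mac.replace(":", ""))
    return (struct.pack("!HHBBH", 1, 0x0800, 6, 4, 2)
            + mac + ipaddress.IPv4Address(req["target_ip"]).packed
            + bytes.fromhex(req["sender_mac"].replace(":", ""))
            + ipaddress.IPv4Address(req["sender_ip"]).packed)

# Constructed sample assembled from the field values the capture above shows
# (request from 00:0c:29:91:59:6a / 192.168.91.132 asking who has 192.168.91.2).
ARP_REQUEST = (
    b"\x00\x01"                   # Hardware type: Ethernet (1)
    b"\x08\x00"                   # Protocol type: IPv4 (0x0800)
    b"\x06"                       # Hardware size: 6
    b"\x04"                       # Protocol size: 4
    b"\x00\x01"                   # Opcode: request (1)
    b"\x00\x0c\x29\x91\x59\x6a"   # Sender MAC
    b"\xc0\xa8\x5b\x84"           # Sender IP 192.168.91.132
    b"\x00\x00\x00\x00\x00\x00"   # Target MAC: unknown, so all zeros
    b"\xc0\xa8\x5b\x02"           # Target IP 192.168.91.2
)
```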
2. ICMP
Ping an IP address, then filter on icmp to show only the ICMP packets.
1. Type: 8 //type 8 is an echo request
2. Code: 0 //code 0 together with type 8 means echo request (ping request)
3. Checksum: 0xb151 [correct] //the checksum is used to detect corrupted data
4. [Checksum Status: Good] //checksum status Good: the recomputed checksum matches
5. Identifier (BE): 34896 (0x8850)
6. Identifier (LE): 20616 (0x5088) //the identifier is echoed back in this field of the reply packet; BE and LE are the big-endian and little-endian readings of the same two bytes
7. Sequence Number (BE): 1 (0x0001)
8. Sequence Number (LE): 256 (0x0100) //the sequence number is likewise echoed back in this field of the reply packet
9. Response frame: 4 //the frame number of the reply packet: 7
10. Data (48 bytes) //padding data, 48 bytes in total
The reply packet has the same layout.
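As an added example (not from the original page): building an ICMP echo request with the identifier 0x8850 and sequence number 1 seen above, verifying its checksum the way the [correct] / Good status does, reading the BE and LE values, and matching a reply to its request. The 48 data bytes are constructed, so the checksum differs from the 0xb151 in the capture.

```python
import struct

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; over a packet whose checksum is valid it returns 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_echo(icmp_type: int, ident: int, seq: int, payload: bytes) -> bytes:
    # type 8 = echo request, type 0 = echo reply; code is 0 for both
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = inet_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload

def parse_icmp(pkt: bytes) -> dict:
    # the fields Wireshark lists, including its big-endian (BE) and little-endian (LE) readings
    icmp_type, code, csum, ident, seq = struct.unpack("!BBHHH", pkt[:8])
    return {
        "type": icmp_type, "code": code, "checksum": csum,
        "checksum_ok": inet_checksum(pkt) == 0,          # Wireshark's "[correct]"
        "identifier_be": ident, "identifier_le": int.from_bytes(pkt[4:6], "little"),
        "sequence_be": seq, "sequence_le": int.from_bytes(pkt[6:8], "little"),
        "data_len": len(pkt) - 8,
    }

def is_reply_to(request: bytes, reply: bytes) -> bool:
    """A reply belongs to a request when identifier, sequence number and data are echoed back."""
    q, r = parse_icmp(request), parse_icmp(reply)
    return ((q["type"], r["type"]) == (8, 0) and q["checksum_ok"] and r["checksum_ok"]
            and (q["identifier_be"], q["sequence_be"]) == (r["identifier_be"], r["sequence_be"])
            and request[8:] == reply[8:])

# Constructed sample: identifier 0x8850 and sequence 1 as in the capture; the 48 data bytes are made up
PAYLOAD = bytes(range(48))
REQUEST = build_echo(8, 0x8850, 1, PAYLOAD)
REPLY = build_echo(0, 0x8850, 1, PAYLOAD)
```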
3. TCP
To observe a TCP session being established, the simplest way is to connect to Kali remotely with Xshell; the TCP three-way handshake will then be captured.
Let's analyze the TCP packet.
The core of the TCP protocol is the three-way handshake and the four-way close (the "four waves"). Let's look at the three-way handshake first.
1. Source Port: 49164 //source port
2. Destination Port: 22 //destination port (SSH)
3. Sequence Number: 0 (relative sequence number) //sequence number, shown relative to the initial sequence number
4. Sequence Number (raw): 328436414 //the raw (absolute) sequence number
[Next Sequence Number: 1 (relative sequence number)] //the next sequence number this side will use; a SYN consumes one sequence number
5. 1000 . . . . = Header Length: 32 bytes (8) //header length
6. Flags: 0x002 (SYN) //flag bit SYN
7. Window: 64240 //window size
8. Checksum: 0xddd4 [unverified] / [Checksum Status: unverified] //checksum (not verified by Wireshark by default)
Expand the Flags field to view the details.
From the above information it can be seen that this is a SYN packet: SYN=1 means a connection request is being sent, and at this point both seq and ACK are 0.
The second packet
The difference is in the numbers: seq=0, ACK=1.
The flag bits SYN/ACK indicate that this is the second packet of the TCP three-way handshake.
The server receives the SYN connection request and returns a packet with SYN=1, ACK=1, which acknowledges the first packet.
Now look at the third packet below.
You can see that seq=1, equal to the acknowledgment number of the previous frame, and ACK=1 confirms that the sequence number is valid, so the three-way handshake is complete.
We can generate a graph to observe the data exchange: open the flow graph.
The three grey ones are the three-way handshake.
Let's clear the packet list and see what happens when the connection is closed.
Find the grey part at the bottom.
At this point it is more intuitive to look at the flow graph directly.
Let's analyze the process. We type exit in the terminal; this command actually runs on our Kali machine, which means that the server side, our sshd, initiates the request to close the connection to the client.
The first wave: the server sends [FIN+ACK], indicating that it has no more data to send and wants to disconnect, and enters the FIN_WAIT_1 state.
The second wave: after the client receives the FIN it knows there will be no more data from the server, and it sends an ACK for confirmation; the acknowledgment number is the received sequence number + 1 (as with SYN, a FIN occupies one sequence number), and the client enters the CLOSE_WAIT state.
The third wave: the client sends [FIN+ACK] to the other side, indicating that it has no more data to send; the client enters the LAST_ACK state and then tears down the TCP session and releases the corresponding resources.
The fourth wave: after receiving the FIN from the client, the server sends an ACK confirmation and enters the TIME_WAIT state. In TIME_WAIT the server waits for a period of time; if no data arrives, it concludes that the other side has received its ACK and closed correctly, enters the CLOSED state, disconnects the TCP connection and releases all resources. When the client receives the ACK from the server, it enters the CLOSED state, closes the local session and releases the corresponding resources.
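As an added example covering both the three-way handshake and the four waves (not code from the original page): a small model of the captured segments that reproduces Wireshark's relative sequence numbers from raw ones, checks the SYN / SYN+ACK / ACK pattern, and identifies which side started the close. The client port, server port and client ISN are the values from the capture above; the server ISN and the segment list are constructed.

```python
from dataclasses import dataclass

FIN, SYN, ACK = 0x001, 0x002, 0x010   # flag bits as Wireshark shows them, e.g. "Flags: 0x002 (SYN)"

@dataclass
class Segment:
    src_port: int
    dst_port: int
    seq: int    # "Sequence Number (raw)"
    ack: int    # raw acknowledgment number
    flags: int

def flag_names(flags: int) -> str:
    return "/".join(n for n, bit in (("FIN", FIN), ("SYN", SYN), ("ACK", ACK)) if flags & bit)

def relative_numbers(segments):
    """Mimic Wireshark's relative numbering: the first seq seen from each port (the SYN's ISN when
    the handshake is in the capture) becomes 0, and an ack is shown relative to the peer's base."""
    base = {}
    for s in segments:
        base.setdefault(s.src_port, s.seq)
    return [(s.src_port, flag_names(s.flags), s.seq - base[s.src_port],
             s.ack - base.get(s.dst_port, s.ack) if s.flags & ACK else 0) for s in segments]

def is_three_way_handshake(segments) -> bool:
    # SYN, SYN/ACK, ACK, each ack acknowledging the peer's SYN (a SYN consumes one sequence number)
    a, b, c = segments[:3]
    return (a.flags == SYN and b.flags == SYN | ACK and c.flags == ACK
            and b.ack == a.seq + 1 and c.seq == a.seq + 1 and c.ack == b.seq + 1)

def teardown_initiator(segments):
    # port that sent the first FIN: the side that starts the "four waves"
    return next((s.src_port for s in segments if s.flags & FIN), None)

# Constructed trace: client ISN is the raw value from the capture above, the server ISN is made up
ISN_C, ISN_S = 328436414, 2_000_000_000
TRACE = [
    Segment(49164, 22, ISN_C, 0, SYN),                    # handshake 1: SYN
    Segment(22, 49164, ISN_S, ISN_C + 1, SYN | ACK),      # handshake 2: SYN/ACK
    Segment(49164, 22, ISN_C + 1, ISN_S + 1, ACK),        # handshake 3: ACK, session established
    Segment(22, 49164, ISN_S + 1, ISN_C + 1, FIN | ACK),  # wave 1: server FIN/ACK (after "exit")
    Segment(49164, 22, ISN_C + 1, ISN_S + 2, ACK),        # wave 2: client ACK, the FIN took one seq
    Segment(49164, 22, ISN_C + 1, ISN_S + 2, FIN | ACK),  # wave 3: client FIN/ACK
    Segment(22, 49164, ISN_S + 2, ISN_C + 2, ACK),        # wave 4: server ACK
]
```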
4. HTTP
Filter directly on tcp, because HTTP is an upper-layer protocol carried over TCP.
The first three and the last four packets are the TCP three-way handshake and four waves; packets 4 to 7 in the middle are the HTTP request part.
Step 1: we send an HTTP HEAD request.
Step 2: the server receives our request and returns a Seq/ACK as confirmation.
Step 3: the server returns the HTTP header information to us; the status code 200 means the page is normal.
Step 4: the client receives the header information returned by the server and sends a Seq/ACK to the server as confirmation. After the transfer is complete, the client sends FIN/ACK to request closing the connection.