Network packet capture analysis [IP, ICMP, ARP]: the formats of the IP datagram, MAC frame, ICMP message and ARP message

Network capture tool: Wireshark

Wireshark (formerly known as Ethereal) is a network packet analyser. A packet analyser captures network packets and displays their contents in as much detail as possible. Wireshark uses WinPcap as its interface for exchanging packets directly with the network card.

The software interface is as follows:


Ethernet V2 MAC frame


The header of a MAC frame has three fields. The first two are the 6-byte destination address field and source address field, carrying the destination MAC address and the source MAC address respectively. The third is a 2-byte type field whose value indicates which protocol the upper layer uses, so that the receiver can hand the data part of the frame to that upper-layer protocol. For example, a type value of 0x0800 means the upper layer is IP, i.e. the data part is an IP datagram.

The data part of the MAC frame is a single field of 46 to 1500 bytes containing the data passed down from the network layer. The frame trailer is also a single field, 4 bytes long, containing the frame check sequence (FCS), a CRC check.

IP datagram format


  1. Version (4 bits): identifies the IP protocol version, telling the IP software on the receiving host which version the datagram follows; every field must be interpreted according to that version. If the host uses a different version, the datagram is discarded.
  2. Header length (4 bits): the length of the datagram header, expressed as the number of 32-bit words in the header. The minimum value is 5 and the maximum is 15.
  3. Type of service (8 bits): the quality of service the upper-layer protocol expects when this datagram is handled, so that datagrams can be treated according to their importance. The first 3 bits are the precedence bits, the next 4 bits are the type-of-service bits, and the last bit is undefined. Together these 8 bits express priority, delay, throughput and reliability.
  4. Total length (16 bits): the length in bytes of the entire IP datagram, header and data included. Its maximum value is 65535 bytes. Ethernet imposes minimum and maximum limits (46 to 1500 bytes) on the data that one frame can carry.
  5. Identification (16 bits): an integer that identifies the current datagram. When a datagram is fragmented, the identification value is copied into every fragment. The field is assigned by the sender and helps the receiver reassemble the fragments of the datagram.
  6. Flags (3 bits): three one-bit flags. The lowest bit (MF, More Fragments) is set to 1 when further fragments follow and to 0 to mark the last fragment. The middle bit (DF, Don't Fragment) indicates whether the datagram may be fragmented; if it is 1, the datagram must not be fragmented. The highest bit is unused and is 0.
  7. Fragment offset (13 bits): the position of this fragment's data relative to the start of the original datagram, so that the destination IP layer can reconstruct the original datagram correctly.
  8. Time to live (8 bits): a counter that is decremented by 1 at each hop the datagram passes through; when it reaches 0 the datagram is discarded. This bounds the number of hops a datagram can travel (it cannot loop forever) and so limits its lifetime.
  9. Protocol (8 bits): indicates which upper-layer protocol receives the datagram's data once IP processing is complete. This value lets the receiver's network layer know which protocol the data belongs to.
  10. Header checksum (16 bits): protects the integrity of the IP header. Because some header fields (such as the TTL) change at each hop, the checksum must be recomputed and verified at each hop. To compute it: set the checksum field to 0, split the entire header into 16-bit words, add the words (one's-complement addition), take the one's complement of the sum and insert it into the checksum field.
  11. Source address (32 bits): the IP address of the source host. This field must not change while the IPv4 datagram travels from the source host to the destination host.
  12. Destination address (32 bits): the IP address of the destination host. This field must likewise not change while the IPv4 datagram travels from the source host to the destination host.

ICMP message format

ICMP (Internet Control Message Protocol) is a sub-protocol of the TCP/IP protocol suite (a network-layer protocol) used to pass control messages between IP hosts and routers. Control messages concern the network itself: whether a network is unreachable, whether a host is reachable, whether a route is available, and so on. Although these messages carry no user data, they play an important role in the delivery of user data.


ICMP types

Type  Code  Description                                                               Query/Error
----  ----  ------------------------------------------------------------------------  -----------
0     0     Echo reply (ping response)                                                x
3     0     Network unreachable                                                       x
3     1     Host unreachable                                                          x
3     2     Protocol unreachable                                                      x
3     3     Port unreachable                                                          x
3     4     Fragmentation needed but the DF (don't fragment) bit is set               x
3     5     Source routing failed                                                     x
3     6     Destination network unknown                                               x
3     7     Destination host unknown                                                  x
3     8     Source host isolated (obsolete)                                           x
3     9     Destination network administratively prohibited                           x
3     10    Destination host administratively prohibited                              x
3     11    Network unreachable for the given type of service (TOS)                   x
3     12    Host unreachable for the given type of service (TOS)                      x
3     13    Communication administratively prohibited by filtering                    x
3     14    Host precedence violation                                                 x
3     15    Precedence cutoff in effect                                               x
4     0     Source quench (basic flow control)
5     0     Redirect for network
5     1     Redirect for host
5     2     Redirect for TOS and network
5     3     Redirect for TOS and host
8     0     Echo request (ping request)                                               x
9     0     Router advertisement
10    0     Router solicitation
11    0     TTL equals 0 during transit                                               x
11    1     TTL equals 0 during reassembly                                            x
12    0     IP header bad (catch-all error)                                           x
12    1     Required option missing                                                   x
13    0     Timestamp request (obsolete)                                              x
14    0     Timestamp reply (obsolete)                                                x
15    0     Information request (obsolete)                                            x
16    0     Information reply (obsolete)                                              x
17    0     Address mask request                                                      x
18    0     Address mask reply

ARP protocol and ARP message format

ARP (Address Resolution Protocol) is a TCP/IP protocol that obtains a physical (MAC) address from an IP address. When a host wants to send, it broadcasts an ARP request containing the target IP address to all hosts on the LAN and determines the target's physical address from the reply. After receiving the reply it stores the IP address and physical address pair in its local ARP cache and keeps it for a certain period, so that the next request for that address is answered directly from the ARP cache, saving resources.

Hardware type: the hardware interface type the sender wants to resolve; Ethernet is 1.
Protocol type: the upper-layer protocol type supplied by the sender; IP is 0800 (hexadecimal).
Hardware address length and protocol address length: the lengths of the hardware address and of the upper-layer protocol address, so that ARP messages can be used on networks with any hardware and any protocol.
Operation type: the kind of message: ARP request is 1, ARP reply is 2, RARP request is 3, RARP reply is 4.
Sender hardware address (bytes 0-3): the first 4 bytes of the source host's hardware address.
Sender hardware address (bytes 4-5): the last 2 bytes of the source host's hardware address.
Sender IP address (bytes 0-1): the first 2 bytes of the source host's IP address.
Sender IP address (bytes 2-3): the last 2 bytes of the source host's IP address.
Target hardware address (bytes 0-1): the first 2 bytes of the destination host's hardware address.
Target hardware address (bytes 2-5): the last 4 bytes of the destination host's hardware address.
Target IP address (bytes 0-3): the IP address of the destination host.

Capture analysis

IP datagram capture analysis

Open Wireshark, select the network interface that has a working Internet connection, and start capturing (right-click, Start capture).


Some datagrams have been captured by now, so the analysis can begin.


Before analysing, one small preparatory step: look up the host's own IP and MAC information. Press Win+R, run cmd to open a command prompt, then type ipconfig /all to view the network configuration.


My Wi-Fi network information is:

IPv4 address: 192.168.122.114 (preferred)
Subnet mask: 255.255.255.0
Physical address (MAC address): 4C-D5-77-A3-8E-A9
DNS server: 192.168.122.55


Analysis of this IP datagram (which happens to carry a TCP segment): protocols are encapsulated layer by layer, so the order should be MAC (data link layer) -> IP (network layer) -> TCP/UDP (transport layer) -> higher-layer protocol.

1. Looking at the bytes in the figure, the first 14 bytes should be the MAC header:

1. 4c d5 77 a3 8e a9 is the source MAC address, the MAC of my Wi-Fi NIC.
2. e2 02 f5 b1 d1 c7 should be the gateway's MAC address, i.e. the destination MAC.
3. Next comes 0800, the type field of the MAC frame format, indicating that the data being received is an IP datagram.

2. The first 14 bytes are the MAC frame header, so starting from byte 15 the encapsulated data should be the IP datagram.

Within the IP datagram, the first task is to find the destination IP and source IP. From the IP datagram format above, each row of the IP header is 4 bytes.

  1. The protocol field should be the 10th byte of the header, i.e. the 24th byte of the byte stream; in the figure below it is 06, so this IP datagram carries TCP.
  2. The source IP address and destination IP address should correspond to the fourth row (bytes 13-16) and fifth row (bytes 17-20) of the header respectively, i.e. the source IP address starts at byte 27 of the byte stream and the destination IP address at byte 31.
  3. The source IP address is 75 a1 c0 ef (hexadecimal), i.e. 117.161.192.239 (decimal).
  4. The destination IP address is c0 a8 7a 72 (hexadecimal), i.e. 192.168.122.114 (decimal).


ICMP datagram capture analysis

The most common uses of ICMP are the ping and traceroute commands.

So first restart the Wireshark capture, then enter a ping command in cmd, for example ping 192.168.122.144 (here I ping my own gateway).


Enter icmp in the filter bar to filter out the datagrams of other protocols.


Because ICMP is a sub-protocol of IP (its message format was given above), it is encapsulated in the data part of the IP datagram. In the byte stream, after the 14-byte MAC header and the 20-byte IP header, bytes 35 through 38 are the 4-byte ICMP header.

03 03 73 7e is the ICMP header.

  1. The first 03 is the ICMP type field; decimal 3 is Network Unreachable.
  2. The second 03 is the ICMP code field; decimal 3 is Port Unreachable.
  3. 73 7e is the ICMP header checksum.


ARP datagram capture analysis

First, look at the local ARP cache with the command arp -a.


Likewise, enter arp in the filter, and pick any one entry to analyse.


A first glance: the MAC frame type field is 0806, so the encapsulated data is an ARP message.

ARP is encapsulated inside the MAC frame, so we read from byte 15 of the byte stream:

  1. 00 01: the first two bytes are the hardware type; decimal 1 means Ethernet.
  2. 08 00: the next two bytes are the protocol type; 0x0800 is the IP protocol.
  3. 06: the hardware address length, 6.
  4. 04: the protocol address length, 4.
  5. 00 02: the operation type; decimal 2 means ARP reply (ARP request is 1, ARP reply is 2, RARP request is 3, RARP reply is 4).
  6. 4c d5 77 a3 8e a9: the complete sender MAC address.
  7. c0 a8 7a 72: the complete sender IP address, 192.168.122.114, the IP address of my Wi-Fi NIC.
  8. e2 02 f5 b1 d1 c7: the complete target MAC address.
  9. c0 a8 7a 37: the target IP address, 192.168.122.55, my DNS server address.
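To tie the three hand-decodes together (the IP header checksum procedure in the IP datagram section, the ICMP header read at bytes 35-38, and the ARP fields read from byte 15), here is an added Python example; it is not code from the original post. It builds two constructed frames that reuse the MAC and IP addresses from the post (the ICMP frame's sender 192.168.122.55, its ID/TTL values and the ARP padding are assumptions), dissects them the way the post does by hand, and verifies the IPv4 and ICMP checksums with the one's-complement algorithm described above.

```python
"""Added example (not from the original post): dissect an Ethernet frame the
way the post does by hand -- 14-byte MAC header, 20-byte IPv4 header, then the
ICMP or ARP message -- and verify the IPv4 and ICMP checksums."""
import struct

ETHERTYPE_IPV4, ETHERTYPE_ARP, IPPROTO_ICMP = 0x0800, 0x0806, 1
UNREACH = {0: "Network Unreachable", 1: "Host Unreachable",
           2: "Protocol Unreachable", 3: "Port Unreachable"}
ARP_OPS = {1: "ARP request", 2: "ARP reply", 3: "RARP request", 4: "RARP reply"}

# Addresses taken from the post; the frames below are constructed, not captured.
HOST_MAC = bytes.fromhex("4cd577a38ea9")   # Wi-Fi NIC of the post's host
GW_MAC = bytes.fromhex("e202f5b1d1c7")     # gateway MAC seen in the post
HOST_IP = bytes([192, 168, 122, 114])
DNS_IP = bytes([192, 168, 122, 55])

def inet_checksum(data: bytes) -> int:
    """RFC 1071 checksum: add the 16-bit words in one's complement, then
    complement the sum. With the checksum field zeroed it returns the value to
    insert; over a header that already carries a correct checksum it returns 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                        # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def mac_str(raw: bytes) -> str:
    return ":".join("%02x" % b for b in raw)

def ip_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)

def parse_ethernet(frame: bytes) -> dict:
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    return {"dst_mac": mac_str(dst), "src_mac": mac_str(src),
            "ethertype": ethertype, "payload": frame[14:]}

def parse_ipv4(data: bytes) -> dict:
    (ver_ihl, tos, total_len, ident, flags_frag, ttl, proto, csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", data[:20])
    ihl = (ver_ihl & 0x0F) * 4                # header length: 32-bit words -> bytes
    return {"version": ver_ihl >> 4, "ihl": ihl, "total_len": total_len,
            "id": ident, "df": bool(flags_frag & 0x4000),
            "mf": bool(flags_frag & 0x2000), "frag_off": flags_frag & 0x1FFF,
            "ttl": ttl, "proto": proto, "checksum": csum,
            "checksum_ok": inet_checksum(data[:ihl]) == 0,
            "src": ip_str(src), "dst": ip_str(dst), "payload": data[ihl:total_len]}

def parse_icmp(data: bytes) -> dict:
    typ, code, csum = struct.unpack("!BBH", data[:4])
    desc = {0: "Echo reply", 8: "Echo request"}.get(typ, "type %d" % typ)
    if typ == 3:                              # the code refines the unreachable reason
        desc = "Destination Unreachable / " + UNREACH.get(code, "code %d" % code)
    return {"type": typ, "code": code, "checksum": csum, "description": desc,
            "checksum_ok": inet_checksum(data) == 0}   # ICMP sums the whole message

def parse_arp(data: bytes) -> dict:
    (htype, ptype, hlen, plen, op, sha, spa,
     tha, tpa) = struct.unpack("!HHBBH6s4s6s4s", data[:28])
    return {"htype": htype, "ptype": ptype, "hlen": hlen, "plen": plen,
            "op": ARP_OPS.get(op, "op %d" % op),
            "sender_mac": mac_str(sha), "sender_ip": ip_str(spa),
            "target_mac": mac_str(tha), "target_ip": ip_str(tpa)}

def dissect(frame: bytes) -> dict:
    # Walk the encapsulation: Ethernet -> (ARP | IPv4 -> ICMP)
    eth = parse_ethernet(frame)
    if eth["ethertype"] == ETHERTYPE_ARP:
        eth["arp"] = parse_arp(eth["payload"])
    elif eth["ethertype"] == ETHERTYPE_IPV4:
        eth["ip"] = parse_ipv4(eth["payload"])
        if eth["ip"]["proto"] == IPPROTO_ICMP:
            eth["icmp"] = parse_icmp(eth["ip"]["payload"])
    return eth

def build_icmp_unreachable_frame() -> bytes:
    """Constructed: ICMP type 3 / code 3 (port unreachable), like the 03 03
    header in the post, sent from the DNS server (an assumed sender) to the host."""
    icmp = struct.pack("!BBHI", 3, 3, 0, 0) + b"\x00" * 28  # checksum zeroed first
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0x1234, 0x4000,
                     64, IPPROTO_ICMP, 0, DNS_IP, HOST_IP)
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    return HOST_MAC + GW_MAC + struct.pack("!H", ETHERTYPE_IPV4) + ip + icmp

def build_arp_reply_frame() -> bytes:
    """Constructed: the ARP reply decoded in the post (host -> DNS server)."""
    arp = struct.pack("!HHBBH6s4s6s4s", 1, ETHERTYPE_IPV4, 6, 4, 2,
                      HOST_MAC, HOST_IP, GW_MAC, DNS_IP)
    arp += b"\x00" * (46 - len(arp))          # pad to Ethernet's 46-byte minimum
    return GW_MAC + HOST_MAC + struct.pack("!H", ETHERTYPE_ARP) + arp

if __name__ == "__main__":
    for frame in (build_icmp_unreachable_frame(), build_arp_reply_frame()):
        print(dissect(frame))
```

inet_checksum returns 0 when run over a header that already contains a correct checksum, which is why checksum_ok compares against 0; flipping any header byte (the TTL, for instance) makes the check fail, which is exactly why the checksum has to be recomputed at every hop.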

Origin blog.csdn.net/m0_63622279/article/details/130207891