Use WireShark to capture packets and analyze TCP_IP protocol

foreword

The TCP/IP protocol is a set of protocols used for Internet communication. It consists of two main protocols: Transmission Control Protocol ( TCP ) and Internet Protocol ( IP ). The TCP/IP protocol is one of the most commonly used protocols on the Internet, which enables different types of computers and network devices to communicate with each other.

• TCP is responsible for breaking up data into packets and ensuring their delivery on the network.
• IP is responsible for routing packets from source address to destination address.

In the book Computer Network (edited by Xie Xiren), the layers involved in TCP/IP network transmission and the meaning of each bit are introduced in detail. In this article, we will use Wireshark to capture packets and analyze the TCP/IP protocol, and use practice to verify the theory.

• 
  Wireshark is a network protocol analyzer that can help you capture and analyze network packets. It is an open source software that can run on multiple operating systems .
• The latest version of Wireshark can be downloaded from https://www.wireshark.org .

1. TCP/IP protocol

1.1 OSI layering

OSI is the abbreviation of OSI/RM (Open Systems Interconnection Reference Model), which was formulated by ISO in 1983 and formed a formal document.

OSI Layering is a network architectural model that divides network communication into seven distinct layers. Each level has its own features and tasks. The following is a brief introduction to each level from top to bottom:

serial number	level	name
1	application layer	Responsible for providing various applications such as e-mail, file transfer, and remote login.
2	presentation layer	Responsible for converting data into a format that applications can understand, it defines how to exchange data between different systems.
3	session layer	Responsible for establishing, managing and terminating sessions, it defines how a connection is established between two nodes.
4	transport layer	Responsible for splitting data into packets and ensuring their transmission on the network. It also provides a reliable end-to-end transport service.
5	Network layer	Responsible for routing data packets from source addresses to destination addresses, it defines how to transmit data packets between different networks.
6	data link layer	Responsible for transmitting packets from one node to another, it defines how packets are transmitted on the physical medium.
7	physical layer	Responsible for transferring data from one node to another, it defines the specifications for electrical, optical, and mechanical interfaces.

Although the standard has been established, due to some defects, the largest Internet covering the world today does not use the OSI standard, but uses the TCP/IP standard.

1.2 TCP/IP layering

Compared with the OSI 7-layer model, the TCP/IP protocol has only 4 layers, which merges some layers.

Generally speaking, the TCP/IP protocol refers to the TCP/IP protocol cluster, which can be divided into the following parts according to the layering

level	protocol name
application layer	HTTP、FTP、SMTP、POP3、IMAP、Telnet、SSH、DNS
transport layer	TCP、UDP
Network layer	IP、ICMP、ARP、RARP
network interface layer	Ethernet、Token Ring、FDDI、PPP

The WireShark used for packet capture below uses the TCP/IP standard.

2. Capture packets

2.1 Socket code

Use Java to write server and client codes, and realize the communication between the two by calling Socket API.

Socket is a socket, which is an intermediate software abstraction layer for communication between the application layer and TCP/IPthe protocol family. It is represented as a programming interface (API) that encapsulates the TCP/IP protocol cluster. ServerSocket uses the TCP protocol. If you want to use the UDP protocol, you can use DatagramSocket.

WireShark needs to be started with administrator privileges. By default, it cannot view the loopback that does not use the network card, and needs the next npcap.

1. Server.java

   public class Server {
         
         
       public static void main(String[] args) throws IOException {
         
         
           ServerSocket server = new ServerSocket(10007);
           System.out.println("服务器已启动，等待客户端连接...");
           Socket socket = server.accept();
           System.out.println("客户端已连接！");
           BufferedReader br = new BufferedReader(new InputStreamReader(socket.getInputStream()));
           String str = br.readLine();
           System.out.println("客户端说：" + str);
           PrintWriter pw = new PrintWriter(socket.getOutputStream());
           pw.println("欢迎您！");
           pw.flush();
           socket.close();
       }
   }
   

2. Client.java

   public class Client {
         
         
       public static void main(String[] args) throws IOException, InterruptedException {
         
         
           Socket socket = new Socket("localhost", 10007);
           BufferedReader br = new BufferedReader(new InputStreamReader(System.in));
           String str = br.readLine();
           PrintWriter pw = new PrintWriter(socket.getOutputStream());
           pw.println(str);
           pw.flush();
           BufferedReader br2 = new BufferedReader(new InputStreamReader(socket.getInputStream()));
           String str2 = br2.readLine();
           System.out.println("服务器说：" + str2);
           socket.close();
       }
   }
   

2.2 Filter package

1. Start Wireshark with administrator privileges

2. Select the corresponding network card interface
   

3. open filter

   

4. Start the Server, then start the Client, and send hello

5. filtered packets

   

3. Analysis

3.1 TCP header

The TCP header looks like this:

3.2 Actual Combat Analysis

1. Source port and destination port, each occupying 2 bytes

   

2. Serial number, occupying 4 bytes

   

3. Confirmation number, occupying 4 bytes

   

4. Data offset, occupying 4 bits, half a byte

   

5. Reserved, 6 digits

   

6. Flag control bit: URG/ACK/PSH/RST/SYN/FIN, occupying 6 bits

   

7. window, occupying 2 bytes

   

8. checksum, 2 bytes

   

9. Urgent pointer, occupying 2 bytes

   

10. Option, the number of bytes is not fixed, the following is 12 bytes

    

3.3 Three-way handshake

The first three packets of the tcp connection establishment are the three packets of the handshake. The following will analyze the specific process of the three-way handshake from the theory combined with the actual packet capture

1. Client sends to server

   When the client establishes a TCP connection, it will enable a random serial number, and store its value in the serial number field of the TCP header of the first message segment exchanged with each other, and the serial number field value of the subsequent TCP message segment will be incremented sequentially

   In the following packet capture process, it can be found that 0x4cf2bfaa is the random sequence number of the first packet, and wireshark has marked the relative sequence number Seq as 0, which is the first packet.

   Moreover, the TCP client needs to set SYN to 1 when sending, and the client enters the SYN-SENT state at this time

   

2. Server sends to client

   After receiving the message, the server agrees to establish a connection and send a confirmation message to the client. This message needs to set both SYN and ACK to 1, ack to the sent seq+1, and enable a random sequence number for itself , in the message, it can be found that the random sequence number is 0x890b1b78, and the server enters the SYN-RCVD state at this time

   

3. Client sends to server

   After the client receives it, it needs to confirm and send the message again. This time the message sets ACK to 1, the serial number to its previous serial number + 1 = 0x4cf2bfab, and ack to the serial number sent by the server + 1 = 0x890b1b79. When it is sent, it will enter the ESTABLISHED state, and the server will also enter the ESTABLISHED state after receiving it

   

The above process can be summarized as follows, in the above example x is actually 0x4cf2bfaa, y is actually 0x890b1b78

3.4 Four waves

The chart that can be obtained from page 226 of the book is as follows:

Both the server and the client that established the connection can release the connection. Both parties need to wave their hands four times. The java code above is found to be the server that releases the connection first.

1. The server sends a FIN message

   Send FIN=1, ACK=1, seq=u (the packet capture u is actually 0x91dd5af1 this time).

   It is recorded in the book that u is the serial number of the last byte of the previously sent data plus 1. This is not clear, and the actual ACK is also set to 1. Is it necessary? follow-up study

   

2. The client sends ACK=1, seq=v (the actual seq of this packet capture is 0x6a067550), and the ack is u+1 (the actual packet capture is 0x91dd5af2 this time)

   v is the sequence number of the last byte of the previously sent data plus 1.

   

3. The client then sends FIN=1, ACK=1, seq=w (this time the captured packet is actually 0x6a067550), ack=u+1 (this time the captured packet is actually 0x91dd5af2)

   The w here actually captures the packet and finds that w is the same as v

   

4. The server sends ACK=1, seq=u+1 (this time the captured packet is actually 0x91dd5af2), ack=w+1 (this time the captured packet is actually 0x6a067551)

   

The above process can be summarized as follows. Since both the client and the server can send FIN packets to release the connection, the following chart releases the connection from the client

reference

1. Computer Network (6th Edition, edited by Xie Xiren)
2. OSI seven layer model
3. TCP protocol transfer layer specification
4. TCP's three-way handshake and four-way wave