Analysis of ARP protocol based on Wireshark and analysis of IP packets and ICMP packets|Network data capture|Course design|traceroute|ping|

foreword

Here the blogger first recommends some columns full of useful content!

First is the collection of the blogger's high-quality posts. The posts in this column are the ones the blogger put the most effort into; they are full of useful content, and I hope they help everyone.

High-quality blog collection: https://blog.csdn.net/yu_cblog/category_12379430.html?spm=1001.2014.3001.5482


Table of contents

Foreword

Wireshark software usage and ARP protocol analysis

Basic use of WireShark

Analysis of Ethernet frame structure and mac address analysis

Analyze the arp packet and describe the working process of the arp protocol

Steps to capture ARP packets on the same network segment as the local machine

Analysis of ARP packets on the same network segment as the local machine

Analysis of ARP packets on different network segments of the local machine

Request and response process analysis and comparison of arp packets on the same network segment and across network segments

IP and ICMP analysis

IP header analysis and comparison of ICMP request frame and response frame

capture process

Analyze an IP datagram

Comparison of ICMP request frame and response frame

IP packet fragment analysis

ICMP Error Packet Analysis

capture step

ICMP Error Packet Analysis

Analysis of traceroute working principle

Schematic diagram of data interaction based on ICMP messages


Wireshark software usage and ARP protocol analysis

The experimental content of this section includes:

  • Basic use of WireShark

  • Analysis of Ethernet frame structure and mac address analysis

  • ARP protocol analysis

  • Thinking questions and summary

Basic use of WireShark

Use wireshark to start capturing packets

Click the shark-fin icon to start capturing packets, and click the red square icon to stop capturing.

Add filter conditions for packet capture

Here I filter for all packets that use the tcp protocol with port number 80, as shown in the figure below.

Display arp packets, as shown in the figure below.

Specific packets can be exported.

Analysis of Ethernet frame structure and mac address analysis

Experiment preparation

The TCP-based HTTP server written last time is used again. Use the local browser to send a request to the HTTP server on the remote Alibaba Cloud server, with the port number set to 8080, and use wireshark to capture the packets of the whole process.

frame structure analysis

The following is the detailed information of a captured packet; the view below is opened by right-clicking the frame and expanding its subtrees.

  • Arrival Time (capture time of the packet): May 11, 2023 23:36:36.794865000

  • Frame Number: 250

  • Frame Length (length of the packet): 78 bytes

  • Capture Length: 78 bytes

  • Protocols in frame (protocol encapsulation levels): eth:ethertype:ip:tcp

  • Time delta from previous captured frame: 0.067s

  • Time delta from previous displayed frame: 0.0s

mac address analysis

In the Ethernet frame header there are two important flag bits, the LAC bit and the IG bit; the LAC bit corresponds to the 13th bit and the IG bit corresponds to the 14th bit.

The LAC bit (also called the LG bit) indicates whether the frame is a multicast frame. When the LAC bit is set to "1", the frame is a multicast frame; when the LAC bit is set to "0", the frame is a unicast frame or a broadcast frame.

The IG bit (also written I/G bit) indicates whether the frame needs to be learned by the switch. When the IG bit is set to "1", the frame does not need to be learned, that is, the sender's MAC address does not need to be added to the switch's MAC address table; when the IG bit is set to "0", the frame needs to be learned, that is, the sender's MAC address needs to be added to the switch's MAC address table.

In Ethernet, if a frame is a broadcast or multicast frame, the switch floods it so that all connected devices receive it. If it is a unicast frame, the switch only sends it to the port corresponding to the destination MAC address. Therefore, the setting of the LAC bit and the IG bit matters for the handling of broadcast, multicast and unicast frames in Ethernet and for the learning process of switches.

In the mac frame of this experiment, the LG bit and the IG bit are both 0, indicating a unicast frame that needs to be learned.

By clicking on the datagram and selecting the Ethernet II option, you can view the detailed information of the frame.

Now we will analyze each field and the corresponding byte range.

A standard mac header contains 14 bytes, including the source mac address (6 bytes), the destination mac address (6 bytes) and the protocol type (2 bytes); the structure is shown in the figure below.

It is reflected in wireshark as shown in the figure below.

The bytes that follow are the payload handed up to the network layer, which is a complete IP packet. The payload of the IP packet is in turn a complete TCP segment.

Analyze the arp packet and describe the working process of the arp protocol

Steps to capture ARP packets on the same network segment as the local machine
  • Clear the ARP cache on the Mac with the command sudo arp -d -a.

  • Select the capture option in wireshark and set the local interface of the machine as the capture interface.

  • Enter arp as the filter condition and capture an ARP message.

Analysis of ARP packets on the same network segment as the local machine

Apart from the first 14 bytes of the frame, the rest belongs to the ARP message, whose format is shown in the figure below.

By matching the fields one-to-one with those shown in Wireshark, the information of the packet can be read off, as shown below.

  • Hardware type: Ethernet (1)

  • Protocol type: IPv4 (0x0800)

  • Hardware address length: 6

  • Protocol address length: 4

  • Operation: reply (2)

  • Source MAC address: 22:37:a5:51:ae:64 (22:37:a5:51:ae:64)

  • Source IP address: 172.20.10.1

  • Destination MAC address: Apple_0c:35:22 (ac:c9:06:0c:35:22)

  • Destination IP address: 172.20.10.3

Analysis of ARP packets on different network segments of the local machine

The capture result is shown below.

Among the filtered packets, those whose Destination field is Broadcast are the ARP packets to be transmitted across network segments.

This is because ARP requests are normally sent as broadcasts, so the destination address field of the Ethernet layer is set to all F (ff:ff:ff:ff:ff:ff), meaning the packet is delivered to every device on the local network. The target MAC address field of the ARP layer is set to all 0s, because the purpose of the ARP request is to find the MAC address belonging to a certain IP address; at this point the MAC address corresponding to the IP address is not yet known, so the target MAC address field of the ARP layer is set to all 0s. As shown below.

Request and response process analysis and comparison of arp packets on the same network segment and across network segments

The situation of the same network segment

  1. When the machine sends an ICMP message to another device on the same network segment, it will first query the local ARP cache table to find the MAC address of the target device. If there is no MAC address of the device in the cache, the device needs to send an ARP request packet to obtain the MAC address of the target device.

  2. The ARP request packet is a broadcast packet that propagates within the network where the machine is located. The packet contains source MAC address and source IP address (IP address of the machine), destination IP address and destination MAC address.

  3. When the target device receives an ARP request packet, it will check the target IP address in the packet, and if the target IP address matches its IP address, the device will generate and send an ARP response packet.

  4. The ARP response packet is a unicast packet and will only be sent to the MAC address of the device from which the request originated. The packet contains source MAC address and source IP address, destination IP address and destination MAC address.

  5. When the source device of the request receives the ARP response packet, it will update the local ARP cache table and save the MAC address of the target device. In subsequent communications, the device can directly use the target device's MAC address.

In this way, the request/response process is completed. An ARP entry and the corresponding MAC address are established between the local machine and the target device, so that the MAC address of the target device can be found more quickly during future communication.

Situation of different network segments

The main difference between ARP packets on the same network segment as the local machine and ARP packets on a different network segment lies in the destination MAC address and the source IP address.

When the machine communicates with a device on a different network segment, it first uses ARP to query its default gateway, and then uses the MAC address of the default gateway to route the communication to the external network. In this case, the destination IP address in the ARP request is the IP address of the router's gateway (as shown in the figure below), not the IP address of the destination device.
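To tie the ARP field layout above, the all-F/all-0 request frame, the request/reply exchange and the gateway case together, here is an added Python example (not code from the original post). It builds and decodes Ethernet+ARP frames using the addresses the post decoded; the frames, the /28 prefix and the gateway choice are constructed assumptions.

```python
import ipaddress
import struct

ARP_ETHERTYPE = b"\x08\x06"

def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))

def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)

def build_arp(opcode: int, sender_mac: str, sender_ip: str, target_mac: str, target_ip: str, eth_dst: str) -> bytes:
    """Ethernet II header (dst, src, type 0x0806) followed by the 28-byte ARP message."""
    eth = mac_bytes(eth_dst) + mac_bytes(sender_mac) + ARP_ETHERTYPE
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)        # Ethernet, IPv4, hlen 6, plen 4, operation
    arp += mac_bytes(sender_mac) + ipaddress.IPv4Address(sender_ip).packed
    arp += mac_bytes(target_mac) + ipaddress.IPv4Address(target_ip).packed
    return eth + arp

def parse_arp(frame: bytes) -> dict:
    """Decode the fields Wireshark lists: bytes 0-13 are the MAC header, bytes 14-41 the ARP message."""
    if len(frame) < 42 or frame[12:14] != ARP_ETHERTYPE:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("only Ethernet/IPv4 ARP is handled here")
    return {
        "eth_dst": mac_str(frame[0:6]),
        "broadcast": frame[0:6] == b"\xff" * 6,                  # request frames go to all F
        "operation": {1: "request", 2: "reply"}.get(oper, f"unknown({oper})"),
        "sender_mac": mac_str(frame[22:28]), "sender_ip": str(ipaddress.IPv4Address(frame[28:32])),
        "target_mac": mac_str(frame[32:38]), "target_ip": str(ipaddress.IPv4Address(frame[38:42])),
    }

def arp_target_ip(dst_ip: str, local_ip: str, prefix_len: int, gateway_ip: str) -> str:
    """Whom the host must ARP for: the destination itself on the same segment, else the default gateway."""
    segment = ipaddress.ip_network(f"{local_ip}/{prefix_len}", strict=False)
    return dst_ip if ipaddress.ip_address(dst_ip) in segment else gateway_ip

# Constructed frames (not the post's capture) using the addresses the post decodes: the host
# ac:c9:06:0c:35:22 / 172.20.10.3 asks for 172.20.10.1, and 22:37:a5:51:ae:64 answers.
REQUEST = build_arp(1, "ac:c9:06:0c:35:22", "172.20.10.3", "00:00:00:00:00:00", "172.20.10.1", "ff:ff:ff:ff:ff:ff")
REPLY = build_arp(2, "22:37:a5:51:ae:64", "172.20.10.1", "ac:c9:06:0c:35:22", "172.20.10.3", "ac:c9:06:0c:35:22")

if __name__ == "__main__":
    for frame in (REQUEST, REPLY):
        print(parse_arp(frame))
```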

IP and ICMP analysis

IP header analysis and comparison of ICMP request frame and response frame

Experimental content

Run the ping command, record the triggered IP datagrams and ICMP messages, and save them as a pcapng file. Interpret the header of any IP datagram and compare the ICMP Echo request and response frames. Change the length parameter of ping to observe IP datagram fragmentation.

capture process
  1. Enter the filter expression for the ping command in the Filter box: icmp && icmp.type==8. This displays only the ICMP Echo request packets related to the ping command.

  2. Execute the ping command in a terminal window. For example, execute the following command: ping 192.168.0.1

  3. Capture and analyze packets generated by ping command in Wireshark.

  4. After you stop capturing, choose "File" -> "Save As", select the pcapng format and save the file.

The capture result is shown in the figure below.

Analyze an IP datagram

The figure below shows the structure of an IP datagram.

The following is the capture result of Wireshark and the analysis of its IP packet.

Field analysis results:

  • Version: 4

  • Header Length: 20 bytes (5)

  • Differentiated Services Field (service type): 0x00 (DSCP: CS0, ECN: Not-ECT)

  • Total Length: 84

  • Identification (identifier): 0x503b (20539)

  • Flags: 0x0

  • Fragment Offset: 0

  • Time to Live: 64

  • Protocol (upper-layer protocol): ICMP (1)

  • Header Checksum: 0xa0bf [validation disabled]

  • Source Address: 172.28.28.233

  • Destination Address: 192.168.0.1

Comparison of ICMP request frame and response frame

I use my computer to ping my tablet; the Wireshark capture results are as follows, and I get a series of request frames and response frames.

ICMP is a protocol that runs on the IP layer and is used to transmit control messages in the IP network. Both ICMP Echo Request and ICMP Echo Reply are types of ICMP packets, and they include fields such as Type, Code, Checksum, Identifier, and Sequence Number. As shown below.

By comparing the request frame and the response frame, the difference between the two can be analyzed.

The Type field of an ICMP Echo Request is 8 and its Code field is 0, while the Type field of an ICMP Echo Reply is 0 and its Code field is also 0. Other fields of the two messages may also differ. For example, an ICMP Echo Request packet usually contains an Identifier field and a Sequence Number field, while the ICMP Echo Reply packet carries the same Identifier and Sequence Number values as the Echo Request it answers.

In addition, when an ICMP Echo Request times out or an error is encountered, an ICMP error message is usually returned to terminate the process: its Type field is 11 and its Code field is 0 (ICMP Time Exceeded message), or its Type field is 3 and its Code field is 0 (ICMP Destination Unreachable message). (This behaviour is shown in detail in the ICMP error message analysis section.)
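As an added example (not code from the original post), the following Python decodes the IP header fields listed above and the ICMP Type/Code/Identifier/Sequence fields, pairs an Echo Reply with its request the way ping does, and unpacks the quoted IP header inside a Time Exceeded message. The sample packets are constructed from the post's addresses; the Identifier 0x1234 and the 56-byte payload are assumptions.

```python
import struct

def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum, shared by the IP header and ICMP checksums."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def ip_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))

def build_ipv4(proto: int, src: str, dst: str, payload: bytes, ident: int = 0x503B, ttl: int = 64) -> bytes:
    """Options-free 20-byte header; the checksum is computed with its own field zeroed."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, 0, ttl, proto, 0, ip_bytes(src), ip_bytes(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:] + payload

def build_icmp(icmp_type: int, code: int, body: bytes) -> bytes:
    msg = struct.pack("!BBH", icmp_type, code, 0) + body
    return msg[:2] + struct.pack("!H", checksum(msg)) + msg[4:]    # checksum covers the whole message

def parse_ipv4(packet: bytes) -> dict:
    """Decode the header fields the post lists; Flags and Fragment Offset share one 16-bit word."""
    ver_ihl, _, total_len, ident, flags_off, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20:
        raise ValueError("not an IPv4 header")
    return {"header_len": ihl, "total_len": total_len, "id": ident, "ttl": ttl, "protocol": proto,
            "df": bool(flags_off & 0x4000), "mf": bool(flags_off & 0x2000), "frag_offset": (flags_off & 0x1FFF) * 8,
            "checksum_ok": checksum(packet[:ihl]) == 0,              # a correct header sums to zero
            "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)), "payload": packet[ihl:total_len]}

ICMP_NAMES = {(8, 0): "Echo Request", (0, 0): "Echo Reply", (11, 0): "Time Exceeded", (3, 0): "Destination Unreachable"}
def parse_icmp(msg: bytes) -> dict:
    """Type/Code name the message; echoes carry Identifier+Sequence, errors quote the offending IP header."""
    icmp_type, code, _ = struct.unpack("!BBH", msg[:4])
    info = {"type": icmp_type, "code": code, "name": ICMP_NAMES.get((icmp_type, code), "other"), "checksum_ok": checksum(msg) == 0}
    if icmp_type in (0, 8):
        info["identifier"], info["sequence"] = struct.unpack("!HH", msg[4:8])
    elif icmp_type in (3, 11):
        info["quoted"] = parse_ipv4(msg[8:])     # 4 unused bytes, then the original IP header + 8 payload bytes
    return info

def is_matching_reply(request: dict, reply: dict) -> bool:
    """Pair frames the way ping does: a type-0 reply that echoes the request's Identifier and Sequence."""
    return (request["type"], reply["type"]) == (8, 0) and \
        (request["identifier"], request["sequence"]) == (reply["identifier"], reply["sequence"])

# Constructed sample traffic (not the post's capture) between the post's addresses: 56 data bytes -> Total Length 84.
ECHO_BODY = struct.pack("!HH", 0x1234, 1) + b"x" * 56            # Identifier, Sequence, data
REQUEST = build_ipv4(1, "172.28.28.233", "192.168.0.1", build_icmp(8, 0, ECHO_BODY))
REPLY = build_ipv4(1, "192.168.0.1", "172.28.28.233", build_icmp(0, 0, ECHO_BODY))
```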

IP packet fragment analysis

By sending a ping request to my tablet and increasing the message length, I can observe fragmentation of the IP message.

ping 172.20.10.4 -s 3000 (a message length of 3000 as an example)

Why IP Packet Fragmentation Occurs

IP packet fragmentation happens because the MTU (Maximum Transmission Unit) limit may be encountered during transmission, that is, the maximum size of each packet that the network transmission medium (such as Ethernet) can carry is limited. If the size of an IP packet exceeds the MTU, it must be divided into several smaller packets for transmission; this is the function of IP packet fragmentation. Fragmentation is performed by the sender, and the receiver must reassemble the fragments to restore the original IP packet.

Experimental results

By repeatedly adjusting the packet length, the experiment was completed: when the packet size reaches 1484, the ip packet starts to be fragmented.

The following is a comparison of fragmented and non-fragmented ip datagrams.

Through the analysis of the experimental results, it can be known that the main difference between the fragmented IP data packet and the non-fragmented IP data packet lies in the setting of the size and the identification field.

  1. Size: The size of non-fragmented IP datagrams does not exceed the MTU limit, while fragmented IP datagrams can be cut into multiple smaller data pieces for transmission according to the MTU limit.

  2. Identification: The identification field in the non-fragmented IP datagram is 0, while the identification field is the same across the fragments of a fragmented IP datagram, so that the receiver can accurately tell which pieces belong together when reassembling them to recover the original IP datagram.

In addition, a fragmented IP packet also includes an offset field, which indicates the position of the fragment within the original IP packet. This field does not exist in non-fragmented IP datagrams.

In the experiment, I think the best and most convenient way to judge whether an ip datagram is fragmented is to observe whether it contains the offset field (whether the offset field is 0).
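To show the sender and receiver sides of the fragmentation described above, here is an added Python example (not the post's own code). It cuts the payload of a ping -s 3000 into MTU-sized fragments that share one Identification, carry Fragment Offset in 8-byte units and set MF on all but the last piece, then reassembles them and rejects a missing or out-of-order piece; an Ethernet MTU of 1500 and the payload bytes are assumptions.

```python
IP_HEADER = 20
MTU = 1500                                # assumed Ethernet MTU for the post's link

def fragment(ident: int, payload: bytes, mtu: int = MTU) -> list:
    """Sender side: cut one IP payload into pieces that fit the MTU. Every piece keeps the same
    Identification, carries its position as Fragment Offset (in 8-byte units) and sets MF=1
    except the last one. An unfragmented datagram has offset 0 and MF=0."""
    per_fragment = (mtu - IP_HEADER) // 8 * 8          # all but the last piece hold a multiple of 8 bytes
    if len(payload) <= mtu - IP_HEADER:
        return [{"id": ident, "mf": False, "offset": 0, "total_len": IP_HEADER + len(payload), "data": payload}]
    pieces = []
    for start in range(0, len(payload), per_fragment):
        data = payload[start:start + per_fragment]
        pieces.append({"id": ident, "mf": start + len(data) < len(payload), "offset": start // 8,
                       "total_len": IP_HEADER + len(data), "data": data})
    return pieces

def flags_offset_word(piece: dict) -> int:
    """The 16-bit header word Wireshark splits into Flags (DF=0x4000, MF=0x2000) and Fragment Offset."""
    return (0x2000 if piece["mf"] else 0) | piece["offset"]

def reassemble(pieces: list) -> bytes:
    """Receiver side: group by Identification, order by offset, and refuse gaps or a missing last piece."""
    if len({p["id"] for p in pieces}) != 1:
        raise ValueError("pieces of different datagrams mixed together")
    ordered = sorted(pieces, key=lambda p: p["offset"])
    buf, expected = bytearray(), 0
    for p in ordered:
        if p["offset"] * 8 != expected:
            raise ValueError(f"gap before byte offset {p['offset'] * 8}")
        buf += p["data"]
        expected += len(p["data"])
    if ordered[-1]["mf"]:
        raise ValueError("last fragment (MF=0) not received")
    return bytes(buf)

# Constructed payload (not the post's capture) for ping -s 3000: 8-byte ICMP echo header + 3000 data bytes.
PING_3000 = bytes([8, 0, 0, 0, 0x12, 0x34, 0, 1]) + bytes(range(256)) * 11 + bytes(184)

if __name__ == "__main__":
    for piece in fragment(0x503B, PING_3000):
        print(piece["total_len"], piece["mf"], piece["offset"] * 8)
```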

ICMP Error Packet Analysis

Requirements: run the tracert command, record the triggered ICMP messages, and save them as a pcapng file; explain the structure of any ICMP error message; describe the working principle of tracert, and draw a schematic diagram of the data interaction based on the ICMP message records.

capture step

Use the traceroute command, traceroute 172.20.10.4; the terminal output is shown in the figure below.

Use wireshark to capture icmp packets.

In this way, we have captured a series of icmp error messages.

ICMP Error Packet Analysis

The following is an error message.

  • Type: 11 (Time-to-live exceeded), indicating that the time has expired

  • Code: 0 (Time to live exceeded in transit)

  • Checksum: 0x9d17 [correct] [Checksum Status: Good]

  • Unused: 00000000

  • Internet Protocol Version 4, Src: 172.29.69.176, Dst: 172.20.10.4

  • User Datagram Protocol, Src Port: 62171, Dst Port: 33435

Comparing this with the ICMP information in the earlier request and response frames, we find that the message Type field differs: the request frame is 8, the response frame is 0, and the timeout message in this experiment is 11.

By consulting references, I found the explanation of the message type corresponding to each Type code, as shown in the table below.

When distinguishing these packets, the Type and Code fields in the ICMP header can generally be used to determine which kind of packet it is. For an error message, information such as the Protocol field in the IP header and the TTL in the ICMP message can also be used to judge what the message is.

Analysis of traceroute working principle

traceroute is a command-line tool for testing network paths and bottlenecks. Its basic principle is to increase the TTL field by one with each datagram sent; every router the datagram passes through decrements its TTL until the TTL reaches 0. When the TTL reaches 0, the router discards the datagram and returns an "ICMP Time Exceeded" error message to the sender, which also carries the router's IP address.

Traceroute sends a series of ICMP messages with increasing TTL values to the target host, records the time consumed by each transmission, and orders the responders by increasing TTL value, that is, the route list of the datagram, so as to obtain the full routing path from the source host to the target host.

In simple terms, the workflow of traceroute is as follows:

  1. Set the TTL value to 1 and send a Ping message to the target host. After receiving the Ping message, the first router decrements the TTL by 1, forwards the message towards the target host, and returns an ICMP error message indicating that the time has expired.

  2. Set the TTL value to 2 and send a Ping message to the target host. The second router receives the Ping message, decrements the TTL by 1, forwards the message towards the target host, and returns an ICMP error message indicating that the time has expired.

  3. Gradually increase the TTL value until the target host receives the packet and returns an ICMP response message, indicating that the target host has received the message.

  4. From the returned ICMP error messages and the ICMP response message, together with the send and receive time of each probe, calculate the IP address and delay of each router, so as to obtain the complete routing path from the source host to the target host.
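The following added Python example (not the post's own code) simulates the TTL walk described above: each probe is carried router by router, the router whose decrement brings the TTL to 0 answers Time Exceeded (type 11, code 0), and the destination answers Port Unreachable (type 3, code 3) because macOS traceroute probes UDP ports starting at 33435, the port visible in the post's captured error message. The router addresses are constructed; the post's source and target addresses are reused.

```python
from dataclasses import dataclass

@dataclass
class Probe:
    ttl: int
    src: str
    dst: str
    udp_dst_port: int      # macOS traceroute probes UDP ports starting at 33435, as in the post's capture

def forward(routers: list, dst: str, probe: Probe) -> tuple:
    """Carry one probe across the path. Each router decrements the TTL; the router at which it
    reaches 0 discards the probe and answers Time Exceeded (type 11, code 0) from its own
    address. If the probe survives to the destination, the host answers Port Unreachable
    (type 3, code 3) since nothing listens on the probe port. Both answers quote the probe."""
    ttl = probe.ttl
    for router in routers:
        ttl -= 1
        if ttl == 0:
            return router, {"type": 11, "code": 0, "quoted": (probe.src, probe.dst, probe.udp_dst_port)}
    return dst, {"type": 3, "code": 3, "quoted": (probe.src, probe.dst, probe.udp_dst_port)}

def traceroute(src: str, dst: str, routers: list, max_hops: int = 30, first_port: int = 33435) -> list:
    """Send probes with TTL 1, 2, 3, ... until the destination itself answers; whoever answers
    the probe with TTL n is hop n of the route. Stops after max_hops if the target never replies."""
    hops = []
    for ttl in range(1, max_hops + 1):
        responder, icmp = forward(routers, dst, Probe(ttl, src, dst, first_port + ttl - 1))
        hops.append((ttl, responder, icmp["type"], icmp["code"]))
        if responder == dst:
            break
    return hops

# Constructed path (not the post's network): two routers between the post's source and its target.
PATH = ["172.20.10.1", "192.0.2.1"]

if __name__ == "__main__":
    for ttl, responder, icmp_type, code in traceroute("172.29.69.176", "172.20.10.4", PATH):
        print(f"{ttl:2d}  {responder:<15} ICMP type {icmp_type} code {code}")
```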

Schematic diagram of data interaction based on ICMP messages

The schematic diagram of data interaction according to the ICMP message is shown in the figure.


Origin blog.csdn.net/Yu_Cblog/article/details/132157298