Wireshark packet capture - TCP protocol analysis

1. Experimental purpose

Through this experiment, you will master the skills of using Wireshark to capture TCP/IP protocol data packets, and be able to conduct in-depth analysis of TCP frame format and "TCP three-way handshake". Understand the TCP/IP protocol by capturing and analyzing data packets to further improve the ability to connect theory with practice.

2. Experimental content

1. The focus of this experiment: using Wireshark to capture TCP packets and analyze TCP packets.

2. The difficulty of this experiment: analyzing the captured TCP packets.

3. The experimental environment: Windows 7, Wireshark.

4. Contents of this experiment:

The TCP protocol is the most widely used protocol in computer networks. Many application services, such as FTP, HTTP and SMTP, use TCP at the transport layer. Therefore, to capture TCP packets you can capture the packets of a corresponding network service, then analyze the TCP packets within them to gain an in-depth understanding of protocol encapsulation, the connection control process and the data-carrying process. The two pictures show the TCP frame format and the TCP three-way handshake.

3. Experimental process

1. The process of capturing and analyzing TCP packets is as follows:

The first step is to determine the protocol to use and use HTTP service. Select http://www.sina.com.cn/ as the target address.

The second step is to start packet capture: click [start] to start packet capture, and enter http://www.sina.com.cn in the browser address bar.

The third step is to narrow down the captured packets with display filters: packet capture produces a large number of packets, so to make analysis easier, a filter is needed that combines the local IP address and the TCP protocol as conditions.

(1) Open the command prompt and check the local IP address through ipconfig /all.

(2) Fill in the filtering conditions in the Filter dialog box on the toolbar: tcp and ip.addr==196.168.100.131. The filtering results are as follows:

It turned out that the effect was not very good, so I changed the IP address in the filtering conditions to the IP address of http://www.sina.com.cn. The operation process is as follows:

(1) Open the command prompt and check the target IP address by pinging www.sina.com.cn.

(2) Fill in the filtering conditions in the Filter dialog box on the toolbar: tcp and ip.addr==218.30.66.248. The filtering results are as follows:

Among them, the red box is a three-way handshake process:

The fourth step is to analyze the TCP packet, examining each part of the TCP header according to the frame format in the first picture.

  • Source port / destination port (16 bits each). As shown in the figure below, the source port is 443, which identifies the sending process; the destination port is 3201, which identifies the receiving process.

  • Sequence number (32 bits). As shown in the figure below, the Sequence Number is 0. It identifies the byte stream sent from the source end to the destination end and gives the sequence number of the first data byte in this segment. The sequence number is a 32-bit unsigned integer; after reaching 2^32 - 1 it wraps around to 0. When a new connection is established (SYN flag is 1), the host chooses a random value as the initial sequence number, the ISN (Initial Sequence Number).

  • Acknowledgment number (32 bits). As shown in the figure below, the Acknowledgment Number is 1. It contains the next sequence number that the end sending the acknowledgment expects to receive, so the acknowledgment number is the sequence number of the last successfully received byte plus 1. The acknowledgment number field is valid only when the ACK flag is 1. TCP provides a full-duplex service to the application layer, meaning data can be transmitted independently in both directions, so both ends of the connection must keep track of the sequence numbers in each direction.

  • Offset (4 bits). As shown in the figure below, the offset is 32 bytes. The offset is really the length of the TCP header: the field gives the number of 32-bit words in the header, and from it you can tell where the user data of a TCP packet starts.

  • Reserved bits (6 bits). As shown in the figure below, the Reserved bits are not set.

  • Flags (6 bits). There are 6 flag bits in the TCP header, and more than one of them can be set to 1 at the same time. As shown below:

URG (Urgent Pointer Field Significant): urgent pointer flag, used to keep the TCP connection from being interrupted and to urge intermediate devices to process the data as soon as possible. Its value is 1 in the figure.

ACK (Acknowledgment Field Significant): acknowledgment flag. When this bit is 1, the acknowledgment number field is valid, that is, the TCP segment carries an acknowledgment number. Its value is 1 in the figure.

PSH (Push Function): push flag. The push function means that the receiving end delivers the data to the application immediately after receiving it, instead of queuing it in the buffer. Its value is 0 in the figure.

RST (Reset the connection): reset flag; setting it means a connection is being torn down. Its value is 0 in the figure.

SYN (Synchronize sequence numbers): Synchronization sequence number, used to initiate a connection request, its value is 1 in the figure.

FIN (No more data from sender): indicates that the sender has finished sending (that is, the connection is being closed).

  • Window size (16 bits). As shown in the figure below, the Window size value is 29200, which means the source host can receive at most 29200 bytes.

  • Checksum (16 bits). As shown in the figure below, the Checksum is 0xc24f; it covers both the TCP header and the TCP data. This is a mandatory field that must be calculated and stored by the sender and verified by the receiver.

  • Urgent pointer (16 bits). As shown in the figure below, the URG flag is 1. This field is valid only when the URG flag is set to 1. The urgent pointer is a positive offset that is added to the value in the sequence number field to give the sequence number of the last byte of urgent data. TCP's urgent mode is a way for the sender to deliver urgent data to the other end.

  • TCP options. A variable-length field of at least 1 byte identifying which options are present. Kind=0: end of option list; Kind=1: no operation; Kind=2: maximum segment size; Kind=3: window scale factor; Kind=8: timestamp. As shown in the figure below, Kind is 2, which carries the maximum segment size (MSS).

  • Data part. The data part of the current packet is as shown in the figure below:

2. TCP three-way handshake:

First handshake packet: the client sends a TCP segment with the SYN flag set and sequence number 0, representing the client's request to establish a connection, as shown in the figure below (first item):

Second handshake packet: the server sends back an acknowledgment segment with the SYN and ACK flags set, and sets the Acknowledgment Number to the client's ISN plus 1, that is, 0+1=1, as shown in the figure below (second item):

Third handshake packet: the client sends an acknowledgment (ACK) once more, with the SYN flag at 0 and the ACK flag at 1, placing the server's sequence number plus 1 in the acknowledgment field. After this three-way handshake, a TCP connection with the server is established, as shown in the figure below (third item):
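As an added example (not part of the original report), the following Python code dissects the header fields walked through in step 4 above and checks the three-way handshake rules of this section. The segment bytes, port numbers and ISNs are constructed for the example, and raw ISNs are used rather than Wireshark's relative sequence numbers.

```python
import struct

FLAG_BITS = {"URG": 0x20, "ACK": 0x10, "PSH": 0x08, "RST": 0x04, "SYN": 0x02, "FIN": 0x01}  # six flag bits

def parse_tcp_header(segment: bytes) -> dict:
    """Dissect a raw TCP segment (IP header already stripped) into the fields listed in step 4."""
    src, dst, seq, ack, orf, window, csum, urg = struct.unpack("!HHIIHHHH", segment[:20])
    offset = (orf >> 12) * 4                # data offset: count of 32-bit words -> header length in bytes
    if offset < 20 or offset > len(segment):
        raise ValueError("data offset points outside the segment")
    options, i = {}, 20
    while i < offset:                       # walk the option list that follows the fixed 20-byte header
        kind = segment[i]
        if kind == 0:                       # Kind=0: end of option list
            break
        if kind == 1:                       # Kind=1: no-operation, a single byte
            i += 1
            continue
        length = segment[i + 1]
        if length < 2 or i + length > offset:
            raise ValueError("malformed option length")  # truncated option, a classic parser pitfall
        body = segment[i + 2:i + length]
        if kind == 2:                       # Kind=2: maximum segment size (the option seen in the report)
            options["MSS"] = struct.unpack("!H", body)[0]
        else:                               # Kind=3 window scale, Kind=8 timestamp, ...: keep the raw body
            options[kind] = body
        i += length
    return {"src_port": src, "dst_port": dst, "seq": seq, "ack": ack, "header_len": offset,
            "reserved": (orf >> 6) & 0x3F, "flags": {n: bool(orf & b) for n, b in FLAG_BITS.items()},
            "window": window, "checksum": csum, "urgent_pointer": urg, "options": options, "payload": segment[offset:]}

def build_segment(src, dst, seq, ack, flag_names, window=29200, checksum=0, options=b""):  # constructed sample data
    options += b"\x00" * (-len(options) % 4)  # pad the option list to a 32-bit boundary
    orf = (((20 + len(options)) // 4) << 12) | sum(FLAG_BITS[n] for n in flag_names)
    return struct.pack("!HHIIHHHH", src, dst, seq, ack, orf, window, checksum, 0) + options  # checksum not computed

def is_three_way_handshake(syn, synack, ack) -> bool:
    """SYN, then SYN+ACK acknowledging the client ISN+1, then ACK acknowledging the server ISN+1."""
    fl = [s["flags"] for s in (syn, synack, ack)]
    return (fl[0]["SYN"] and not fl[0]["ACK"]
            and fl[1]["SYN"] and fl[1]["ACK"] and synack["ack"] == (syn["seq"] + 1) & 0xFFFFFFFF
            and fl[2]["ACK"] and not fl[2]["SYN"] and ack["seq"] == synack["ack"]
            and ack["ack"] == (synack["seq"] + 1) & 0xFFFFFFFF)

# Constructed handshake between client port 3201 and server port 443 (the ISNs are made up).
CLIENT_ISN, SERVER_ISN, MSS_1460 = 0x1A2B3C4D, 0x55667788, b"\x02\x04\x05\xb4"
HANDSHAKE = [parse_tcp_header(s) for s in (
    build_segment(3201, 443, CLIENT_ISN, 0, ["SYN"], options=MSS_1460),
    build_segment(443, 3201, SERVER_ISN, CLIENT_ISN + 1, ["SYN", "ACK"], checksum=0xC24F, options=MSS_1460),
    build_segment(3201, 443, CLIENT_ISN + 1, SERVER_ISN + 1, ["ACK"]))]
```

Feeding `is_three_way_handshake` a capture where the SYN-ACK's acknowledgment number is not the client ISN plus 1 returns False, which is the same check you perform by eye in the red box of the filtered capture.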


Origin blog.csdn.net/fortune_cookie/article/details/89632006