This Ethereal (Wireshark) network protocol analysis assignment mainly asked us to combine what we learned over the past few months with packet captures of real network traffic, so that we understand it more deeply. In those months we studied the OSI model in detail: what each layer does and which protocols belong to it.
The OSI model consists of seven layers: application, presentation, session, transport, network, data link and physical. The figure below shows the relationship between the OSI layers.
The assignment requires us to use capture software to pick out packets belonging to some of the application layer, transport layer, network layer and data link layer protocols.
Here I focus on what I consider the most important parts: the TCP three-way handshake, the connection release, and IP packet analysis.
First, the application layer:
Application layer
Packet capture of www traffic
HTTP runs over TCP. I selected one HTTP packet from the captured data for analysis.
After I typed the address www.baidu.com into a browser, I could capture the request the client sends to that IP address.
HTTP request packet
HTTP response packet
The next important point is the three-way handshake by which the transport layer protocol TCP establishes a connection.
Transport Layer
Three-way handshake
The so-called "three-way handshake" is the procedure by which the two ends establish a virtual connection before data flows: it lets each side track and negotiate how much data is sent each time, keeps the sending and receiving of data segments synchronized, lets transmission be acknowledged according to the amount of data received, and sets up the state needed to tear the link down once the data has been accepted.
First handshake
Second handshake
Third handshake
Besides the three-way handshake, the test also covers the four-step process that releases the connection.
After the third handshake the connection is established. Once the TCP server receives A's acknowledgment, it likewise notifies its upper-layer application process that the TCP connection has been established.
Releasing the connection:
First step: the application process of A first sends a connection-release segment to its TCP, stops sending data, and actively closes the TCP connection.
The header of A's connection-release segment has FIN = 1 and sequence number seq = u; A then waits for B's acknowledgment.
Second step:
B sends an acknowledgment with acknowledgment number ack = u + 1 and sequence number seq = v. The TCP server process notifies its upper-layer application process. The connection in the direction from A to B is now released.
Third step: if B has no more data to send to A, its application process notifies TCP to release the connection.
Fourth step: when A receives B's connection-release segment, it must send an acknowledgment.
In this acknowledgment segment ACK = 1,
acknowledgment number
ack = w + 1, seq = u.
The assignment also involves the analysis of IP packets.
From the figure we can read:
IP version: IPv4
Header length: 20 bytes
Total datagram length: 40 bytes
Identification: 0xrca5
Time to live (TTL): 116
Upper-layer protocol: TCP
Header checksum: 0x7bb0
Source IP address: 202.89.233.100
Destination IP address: 192.168.43.19
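As an added example (not part of the original report), the following Python decodes the same IPv4 header fields from raw bytes and verifies the header checksum the way Wireshark does. The header bytes are constructed to mirror the values above; the identification 0x1ca5 and the resulting checksum are made up here, not taken from the capture.

```python
import struct

PROTOCOLS = {1: "ICMP", 6: "TCP", 17: "UDP"}


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum of the header's 16-bit words, as the IP checksum field is computed."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4_header(pkt: bytes) -> dict:
    """Decode the fixed IPv4 fields Wireshark shows (version, IHL, total length,
    identification, TTL, protocol, checksum, addresses) and verify the checksum."""
    if len(pkt) < 20:
        raise ValueError("truncated: an IPv4 header needs at least 20 bytes")
    ver_ihl, _tos, total_len, ident, _flags_frag, ttl, proto, csum = struct.unpack("!BBHHHBBH", pkt[:12])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4  # IHL is counted in 32-bit words
    if version != 4 or ihl < 20 or len(pkt) < ihl:
        raise ValueError("not a complete IPv4 header")
    # Recomputing over the header with the checksum field zeroed must give the stored value
    zeroed = pkt[:10] + b"\x00\x00" + pkt[12:ihl]
    return {
        "version": version, "header_length": ihl, "total_length": total_len,
        "identification": ident, "ttl": ttl, "protocol": PROTOCOLS.get(proto, str(proto)),
        "checksum": csum, "checksum_ok": ipv4_checksum(zeroed) == csum,
        "src": ".".join(map(str, pkt[12:16])), "dst": ".".join(map(str, pkt[16:20])),
    }


def build_sample_header() -> bytes:
    """Constructed header: IPv4, 20-byte header, total length 40, TTL 116, TCP,
    202.89.233.100 -> 192.168.43.19. Identification 0x1ca5 and DF flag are made up."""
    fixed = struct.pack("!BBHHHBBH", 0x45, 0, 40, 0x1CA5, 0x4000, 116, 6, 0)
    addrs = bytes([202, 89, 233, 100, 192, 168, 43, 19])
    csum = ipv4_checksum(fixed + addrs)  # computed with the checksum field still zero
    return fixed[:10] + struct.pack("!H", csum) + addrs


if __name__ == "__main__":
    hdr = build_sample_header()
    print(parse_ipv4_header(hdr))
    damaged = bytearray(hdr)
    damaged[8] -= 1  # a router decrements TTL but must then refresh the checksum
    print("stale checksum detected:", not parse_ipv4_header(bytes(damaged))["checksum_ok"])
```

Flipping the TTL byte without recomputing the checksum makes `checksum_ok` false, which is the same inconsistency Wireshark flags as a bad header checksum.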
Finally, I would like to summarize Wireshark packet analysis with two figures.
This one shows how the layers Wireshark displays correspond to the packet.
This one shows the format of a TCP packet and the fields Wireshark displays for it.
I learned how to use Wireshark for this test entirely from scratch, by finding videos online and teaching myself. I learned how to use Wireshark filters for analysis. Generally speaking, through this assignment I not only became more familiar with network protocol knowledge but also taught myself a piece of software, so the benefit was considerable.