Using Wireshark to analyze a TCP packet capture

The capture file has been uploaded and can be downloaded free of charge:
wireshark packet capture results

1. Overview of the process

My machine, 192.168.1.131 (referred to as A), and the server, 223.166.138.30 (referred to as B), first perform the three-way handshake to establish a TCP connection, then exchange an HTTP request and response, and finally perform the four-way close to tear the connection down.
1. Three-way handshake:
A first sends a SYN packet to B to request a connection.
B replies to A with a SYN+ACK packet: the ACK acknowledges A's SYN, and the SYN is B's own request to establish the connection.
A then sends an ACK packet back to B acknowledging B's SYN.

2. PSH
"TCP segment of a reassembled PDU" literally means a TCP segment belonging to a protocol data unit (PDU) that still has to be reassembled. For example, an HTTP response that is spread over several packets is shown this way.

Segmentation here means that the response of the upper-layer protocol, HTTP, is made up of several segments, each of which is a TCP segment. TCP itself has no concept of segmentation; its sequence number and acknowledgment number are what make TCP a stream-oriented protocol. The label "TCP segment of a reassembled PDU" is the summary Wireshark gives after analyzing the upper-layer HTTP protocol. If Wireshark's configuration does not support HTTP protocol analysis

Reference: https://blog.csdn.net/weixin_30439067/article/details/97999147?spm=1001.2101.3001.6650.1&utm_medium=distribute.pc_relevant.none-task-blog-2%7Edefault%7ECTRLIST%7Edefault-1-97999147- blog-103210932.pc_relevant_multi_platform_whitelistv3&depth_1-utm_source=distribute.pc_relevant.none-task-blog-2%7Edefault%7ECTRLIST%7Edefault-1-97999147-blog-103210932.pc_relevant_multi_platform_whitelistv3&utm_relevant_index=2

PSH (Push): tells the receiver whether to push the data to the upper layer immediately after receiving the segment. If it is set to 1, the data should be delivered to the upper layer immediately instead of being buffered.

3. The HTTP request and response
HTTP works by the client sending a request to the server and the server replying with a response. Depending on what is needed, the client's request uses different methods, including GET, POST, PUT, etc.
Here the POST method is used; it is mostly used for things such as logging in to an account on a website, and it transmits an entity body.
/cloudquery.php is the request URI.
HTTP/1.1 is the protocol version.
The response to the POST request is the result of the server processing the body.
200 OK means the request sent by the client was processed normally by the server.

4. TCP's four-way close
Since TCP is a full-duplex connection, each side has to notify the other that it is closing, and the other side then acknowledges that notification. The sequence here differs from the example in the book:
Host A sends a close request first.
Host B sends its own close request immediately afterwards.
Host B then acknowledges host A's close request.
Host A acknowledges host B's close request.

2. Reading the network packet

Now open packet No. 80, the one in which host B responds to host A's connection request:
the bottom pane shows the whole packet in hexadecimal. Since this is the reply to a connection request, it carries no application data, only the header of each layer.

The first line: because this packet was captured on the host, the outermost encapsulation is the data link layer. The data link layer encapsulates the packet into a frame, and the frame number is this packet's sequence number in the capture; the packet is 64 bytes in total.
The second line: the data link layer, from which you can see the MAC addresses of the two adjacent devices; the source MAC address also reveals the model of the router that relayed the packet.
The third line: the network layer; in this packet its main task is to add the destination address and source address to the data handed down by the TCP layer.
The fourth line: the transport layer, indicating that TCP is used, the source and destination port numbers, and some state information about the TCP connection.
The fifth line: padding.
In Ethernet the minimum frame size is specified as 64 bytes, so a frame shorter than 64 bytes is padded by the network card.
The padding is shown as "padding" in Sniffer and as "trailer" in Wireshark.

Click on the network layer, then click on the source IP address:
223 corresponds to df, 166 corresponds to a6, 138 corresponds to 8a, and 30 corresponds to 1e
(1e: 16 + 14 = 30).
Then click on the transport layer:
you can see that the source port is 80 and the destination port is 55469,
the sequence number is 11769945,
the acknowledgment number is 1205542292,
and the data offset, reserved bits and control bits are recorded together under Flags:
Hexadecimal 70 converted to binary: 0111 1110
The header length 0111 in decimal is 7; the TCP header length is in units of 4 bytes, so the header is 28 bytes.
The reserved bits are 1110; they are mainly for future expansion and are ignored for now.
Hexadecimal 12 converted to binary: 0001 0010
which sets only SYN and ACK to 1, matching the figure.
The window size is 14600, the checksum is 0x0376 and the urgent pointer is 0.
Options: the option field is mainly used to improve TCP's transmission performance.
A more intuitive display of the TCP header:
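The fields read off by hand above can be checked in code. The following is an added example, not code from the original post: it decodes a TCP header from raw bytes, splitting the offset/reserved byte and the flag byte bit by bit and walking the option list with a length check. The 28-byte header is a constructed SYN+ACK built from the values the post lists for packet No. 80; the option bytes are an assumption.

```python
import struct

# Constructed 28-byte TCP header for the SYN+ACK discussed above (packet No. 80): field
# values come from the post (ports 80 -> 55469, ack 1205542292, data offset 7 words, flags
# 0x12, window 14600, checksum 0x0376); the option bytes (MSS 1460, NOP, NOP, SACK permitted) are assumed.
SYNACK_HDR = bytes.fromhex(
    "0050" "d8ad"             # source port 80, destination port 55469
    "0703d629" "47db1d94"     # sequence number 117691945, acknowledgment 1205542292
    "70" "12"                 # offset/reserved byte 0x70, flag byte 0x12 (SYN+ACK)
    "3908" "0376" "0000"      # window 14600, checksum 0x0376, urgent pointer 0
    "020405b4" "0101" "0402"  # options: MSS 1460, NOP, NOP, SACK permitted (assumed)
)
FLAG_NAMES = ("FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECE", "CWR")  # bit 0 .. bit 7
def parse_options(opts):
    """Walk the TCP option list, rejecting a length that runs past the header."""
    out, i = {}, 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                         # end of option list
            break
        if kind == 1:                         # NOP: one byte, no length field
            i += 1
            continue
        length = opts[i + 1] if i + 1 < len(opts) else 0
        if length < 2 or i + length > len(opts):
            raise ValueError("malformed TCP option at offset %d" % i)
        body = opts[i + 2:i + length]
        if kind == 2 and length == 4:
            out["MSS"] = struct.unpack("!H", body)[0]
        elif kind == 4:
            out["SACK_PERM"] = True
        else:
            out["kind%d" % kind] = body.hex()
        i += length
    return out

def parse_tcp_header(data):
    """Decode the fixed 20-byte TCP header plus options from raw bytes."""
    if len(data) < 20:
        raise ValueError("need at least 20 bytes of TCP header")
    sport, dport, seq, ack, off_res, flags, win, csum, urg = struct.unpack("!HHIIBBHHH", data[:20])
    header_len = (off_res >> 4) * 4           # high nibble: data offset in 32-bit words
    if header_len < 20 or header_len > len(data):
        raise ValueError("data offset %d words does not fit %d bytes" % (off_res >> 4, len(data)))
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "header_len": header_len, "reserved": off_res & 0x0F,   # low nibble: reserved bits
            "flags": [n for i, n in enumerate(FLAG_NAMES) if flags >> i & 1],
            "window": win, "checksum": csum, "urgent": urg,
            "options": parse_options(data[20:header_len])}
```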

3. About TCP's three-way handshake and four-way close

A and B each maintain the sequence number of the packets they send.
A's packet requesting the connection has sequence number 1205542291.
B also sends a packet to establish the connection; its sequence number is 117691945 and its acknowledgment number is 1205542292. Although the SYN packet, like the FIN packet sent when the connection is closed, carries no data, it still advances the sequence number by one as if it were a byte; otherwise the next sequence number is the previous packet's sequence number plus its length. The acknowledgment number not only indicates that the last packet was received but also tells the other side what the starting sequence number of its next packet should be.
A acknowledges the connection request sent by B: the sequence number is 1205542292 and the acknowledgment number is 117691946.

Most of the close is similar to the handshake. Points to note:
just before the TCP connection is closed there is the HTTP response. Its sequence number is 117691946 and its length is 482; the sum, 117692428, is the sequence number of the next packet sent by B.
The penultimate packet is neither a SYN nor a FIN packet and carries no data, so B's sequence number does not increase by 1.
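The sequence-number rules from sections 1 and 3 (SYN and FIN each consume one number, a pure ACK none, data its own length) can be replayed over the whole capture. This is an added example, not code from the original post; the ISNs, the 482-byte response and the packet order are the post's values, while the length of A's POST request is a constructed assumption.

```python
# Sequence-number bookkeeping for the capture described above (added example, not code
# from the original post). Rules from section 3: SYN and FIN each consume one sequence
# number as if they were a byte, a pure ACK consumes none, and data advances the sequence
# number by its length. ISNs are the post's values; the POST request length is constructed.
ISN_A = 1205542291            # client 192.168.1.131
ISN_B = 117691945             # server 223.166.138.30
POST_LEN = 300                # constructed: length of A's HTTP POST, not given in the post

def next_seq(seq, syn=False, fin=False, payload_len=0):
    """Sequence number the sender uses for its following segment (mod 2**32)."""
    return (seq + payload_len + int(syn) + int(fin)) % 2**32

def replay(isn_a, isn_b, segments):
    """Replay (sender, syn, fin, payload_len) tuples and return, per segment,
    the seq and ack the sender would put on the wire.  ack is None until the
    peer has sent something to acknowledge (A's first SYN)."""
    nxt = {"A": isn_a, "B": isn_b}    # next sequence number each side will use
    seen = {"A": False, "B": False}   # has this side sent anything yet?
    out = []
    for sender, syn, fin, plen in segments:
        peer = "B" if sender == "A" else "A"
        seq = nxt[sender]
        ack = nxt[peer] if seen[peer] else None
        nxt[sender] = next_seq(seq, syn, fin, plen)
        seen[sender] = True
        out.append({"sender": sender, "seq": seq, "ack": ack, "next": nxt[sender]})
    return out

def capture_replay():
    """The handshake, HTTP exchange and four-way close in the order the post lists them."""
    return replay(ISN_A, ISN_B, [
        ("A", True, False, 0),          # SYN
        ("B", True, False, 0),          # SYN+ACK
        ("A", False, False, 0),         # ACK completing the handshake
        ("A", False, False, POST_LEN),  # HTTP POST /cloudquery.php (constructed length)
        ("B", False, False, 482),       # HTTP response, 482 bytes (length from the post)
        ("A", False, True, 0),          # A closes first (FIN)
        ("B", False, True, 0),          # B sends its own FIN
        ("B", False, False, 0),         # B acknowledges A's FIN: pure ACK, seq unchanged
        ("A", False, False, 0),         # A acknowledges B's FIN
    ])
```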

4. About the change in window size

MSS: maximum segment size

MSS (Maximum Segment Size) is a property of the TCP layer (L4) and refers to the length of the TCP payload. On a network with an MTU of 1500, the MSS is 1460 (1500 minus the 20-byte IP header and the 20-byte TCP header).
The send window determines how many bytes can be sent in one go, and the MSS determines how many segments those bytes are divided into for sending.

When establishing a TCP connection, both ends send their MSS to each other and then the smaller MSS is used.
Here the two MSS values are the same.

Flow control: TCP provides a mechanism that lets the sender control the amount of data it sends according to the receiver's actual receiving capacity. Concretely, the receiving host tells the sending host how much data it can receive, and the sender sends no more than that. When the receiver's buffer overflows, the window size is also set to a smaller value and advertised to the sender, thereby limiting the amount of data sent.
Note that the window size does not refer to the send window; it tells the other side one's own receive window, that is, one's own buffer size.

Source: blog.csdn.net/qq_42567607/article/details/125940614