Network System Design and Engineering (III): TCP/IP Protocol Analysis. College of Computer Science, Zhejiang University. Qiu Jinsong
TCP/IP Protocol Analysis
• Contents of this section
– Introduction to the Ethereal software
– Capturing network packets with Ethereal
– Analysing the captured data to examine the TCP/IP protocols in depth
Introduction to the Ethereal software
• Free, open-source product that captures and analyses packets on a local area network
• Download: www.ethereal.com
• Version used in this courseware: 0.99
• Supported platforms
– Windows
– Linux
– Solaris
• Required component
– WinPcap runtime library (installed automatically)
Capturing Ethernet frames
[Ethereal screenshot: packet list showing DHCP Discover, MSNMS, PVST+ STP and TCP traffic; frame 1 (342 bytes on wire, 342 bytes captured) expanded as Ethernet II, Src: Jetcell_ac:21:1b (00:d0:2b:ac:21:1b), Dst: HuaweiTe_4a:0d:a4 (00:e0:fc:4a:0d:a4), both unicast, factory-default addresses; Internet Protocol, Src: 10.211.160.19, Dst: 10.211.175.153; User Datagram Protocol, Src Port: bootps (67), Dst Port: bootpc (68)]
Annotations: destination NIC address; source NIC address; network-layer protocol type (value > 1500)
Capturing LLC frames
[Ethereal screenshot: frame 4 (64 bytes on wire, 64 bytes captured), IEEE 802.3 Ethernet; Destination: PVST+ (01:00:0c:cc:cc:cd), a multicast, factory-default address; Source: Cisco_af:9f:1e (00:0d:ed:af:9f:1e), unicast; Length: 50; Logical-Link Control: DSAP: SNAP (0xaa), SSAP: SNAP (0xaa), Control field: U, func=UI (0x03), frame type: Unnumbered frame; Organization Code: Cisco (0x00000c), PID: PVSTP+ (0x010b); Spanning Tree Protocol]
Annotations: destination MAC (NIC) address; source MAC (NIC) address; data length (< 1500 indicates an 802.3 frame); destination SAP address; source SAP address; the upper-layer protocol is the Spanning Tree Protocol
LLC frame format: I/G | DSAP    C/R | SSAP    Control (1 or 2 bytes)    Data (variable length)
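The distinction the two screenshots make (a length/type value above 1500 is an EtherType, a value of 1500 or less is an 802.3 length followed by an LLC header) is easy to check in code. The following Python is an added example, not from the slides or from Ethereal; the two sample frames are constructed from the addresses and values shown on the slides, with the BPDU body zero-filled.

```python
import struct

ETHERTYPE_MIN = 0x0600   # IEEE 802.3: values >= 1536 are an EtherType, <= 1500 a length (slide: "> 1500")
SNAP_SAP = 0xAA

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def classify_frame(frame):
    """Describe a frame as Ethernet II or IEEE 802.3 (LLC, optionally SNAP) by its length/type field."""
    if len(frame) < 17:
        raise ValueError("runt frame")
    dst, src = frame[:6], frame[6:12]
    lt = struct.unpack("!H", frame[12:14])[0]
    info = {"dst": mac(dst), "src": mac(src),
            "multicast": bool(dst[0] & 0x01),            # I/G bit of the first destination byte
            "locally_administered": bool(dst[0] & 0x02)}
    if lt >= ETHERTYPE_MIN:
        info.update(kind="Ethernet II", ethertype=lt, payload=frame[14:])
        return info
    # IEEE 802.3: the field is the payload length and an LLC header (DSAP, SSAP, control) follows.
    dsap, ssap, ctrl = frame[14], frame[15], frame[16]
    info.update(kind="IEEE 802.3", length=lt,
                dsap=dsap & 0xFE, dsap_group=bool(dsap & 0x01),     # low bit of DSAP is I/G
                ssap=ssap & 0xFE, ssap_response=bool(ssap & 0x01),  # low bit of SSAP is C/R
                control=ctrl)
    if info["dsap"] == SNAP_SAP and info["ssap"] == SNAP_SAP and ctrl == 0x03:
        # SNAP extension after the UI control byte: 3-byte organization code + 2-byte protocol id
        info.update(snap_oui=int.from_bytes(frame[17:20], "big"),
                    snap_pid=struct.unpack("!H", frame[20:22])[0], payload=frame[22:14 + lt])
    else:
        info["payload"] = frame[17:14 + lt]
    return info

# Constructed sample frames mirroring the slides: a Cisco PVST+ BPDU (802.3/LLC/SNAP, length 50,
# BPDU body zero-filled here) and the IBM host's ARP request (Ethernet II, type 0x0806).
PVST_FRAME = (bytes.fromhex("01000ccccccd") + bytes.fromhex("000dedaf9f1e") + struct.pack("!H", 50)
              + bytes.fromhex("aaaa03") + bytes.fromhex("00000c") + struct.pack("!H", 0x010B) + bytes(42))
ARP_FRAME = (bytes.fromhex("ffffffffffff") + bytes.fromhex("000d60791a78")
             + struct.pack("!H", 0x0806) + bytes(28))

if __name__ == "__main__":
    for f in (PVST_FRAME, ARP_FRAME):
        print(classify_frame(f))
```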
Capturing ARP packets
[Ethereal screenshot: packet list: 16  9.432127  Ibm_79:1a:78 -> Broadcast  ARP  Who has 192.168.0.1? Tell 192.168.11.221; 17  9.433506  D-Link_f9:ef:9c -> Ibm_79:1a:78  ARP  192.168.0.1 is at 00:13:46:f9:ef:9c. Frame 16 (42 bytes on wire, 42 bytes captured) expanded: Ethernet II, Src: Ibm_79:1a:78 (00:0d:60:79:1a:78), Dst: Broadcast (ff:ff:ff:ff:ff:ff), a multicast address that is not a factory default; Type: ARP (0x0806); Address Resolution Protocol (request): Hardware type: Ethernet (0x0001), Protocol type: IP (0x0800), Hardware size: 6, Protocol size: 4, Opcode: request (0x0001), Sender MAC address: Ibm_79:1a:78 (00:0d:60:79:1a:78), Sender IP address: 192.168.11.221, Target MAC address: 00:00:00:00:00:00, Target IP address: 192.168.0.1]
Annotations: ARP request; the destination MAC (NIC) address is the broadcast address; network-layer protocol type (ARP); requester's MAC (NIC) address; requester's IP address; IP address being queried
ARP reply packet
[Ethereal screenshot: frame 17 (60 bytes on wire, 60 bytes captured) expanded: Ethernet II, Src: D-Link_f9:ef:9c (00:13:46:f9:ef:9c), Dst: Ibm_79:1a:78 (00:0d:60:79:1a:78), both unicast, factory-default addresses; Type: ARP (0x0806); Trailer: all zero bytes; Address Resolution Protocol (reply): Hardware type: Ethernet (0x0001), Protocol type: IP (0x0800), Hardware size: 6, Protocol size: 4, Opcode: reply (0x0002), Sender MAC address: D-Link_f9:ef:9c (00:13:46:f9:ef:9c), Sender IP address: 192.168.0.1, Target MAC address: Ibm_79:1a:78 (00:0d:60:79:1a:78), Target IP address: 192.168.11.221]
Annotations: the destination MAC (NIC) address is the requester's address; ARP reply; responder's MAC (NIC) address; responder's IP address
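The request/reply pair on the two slides, rebuilt and decoded in Python as an added example (not from the slides or from Ethereal): the reply swaps the sender and target fields and fills in the responder's MAC, and padding the reply frame to 60 bytes reproduces the zero trailer in the screenshot. The helper names are my own; the addresses are the ones shown on the slides.

```python
import struct
from ipaddress import IPv4Address

ARP_FMT = "!HHBBH6s4s6s4s"   # RFC 826 body for Ethernet/IPv4: 28 bytes
ETH_MIN = 60                 # minimum Ethernet frame (without FCS); shorter ones are zero-padded on the wire

def hw(s):
    return bytes.fromhex(s.replace(":", ""))

def parse_arp(body):
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(ARP_FMT, body[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP body")
    return {"op": op, "sender_mac": sha.hex(":"), "sender_ip": str(IPv4Address(spa)),
            "target_mac": tha.hex(":"), "target_ip": str(IPv4Address(tpa))}

def build_arp(op, sha, spa, tha, tpa):
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, op, hw(sha), IPv4Address(spa).packed,
                       hw(tha), IPv4Address(tpa).packed)

def ethernet_frame(dst, src, body):
    """Wrap an ARP body in an Ethernet II header (type 0x0806) and pad to 60 bytes: the zero
    'Trailer' Ethereal shows on the reply. A frame captured on the host that sends it (the
    42-byte request on the slide) is seen before the NIC adds this padding."""
    frame = hw(dst) + hw(src) + struct.pack("!H", 0x0806) + body
    return frame + bytes(max(0, ETH_MIN - len(frame)))

def info_column(arp):
    """The summary Ethereal prints in its Info column."""
    if arp["op"] == 1:
        return f"Who has {arp['target_ip']}? Tell {arp['sender_ip']}"
    if arp["op"] == 2:
        return f"{arp['sender_ip']} is at {arp['sender_mac']}"
    return f"ARP opcode {arp['op']}"

def reply_to(request_body, my_mac):
    """Answer a request for the address we own: swap sender and target, fill in our MAC."""
    req = parse_arp(request_body)
    return build_arp(2, my_mac, req["target_ip"], req["sender_mac"], req["sender_ip"])

# Constructed from the two slides: the IBM host asks who has 192.168.0.1, the D-Link gateway answers.
REQUEST = build_arp(1, "00:0d:60:79:1a:78", "192.168.11.221", "00:00:00:00:00:00", "192.168.0.1")
REPLY = reply_to(REQUEST, "00:13:46:f9:ef:9c")
REPLY_FRAME = ethernet_frame("00:0d:60:79:1a:78", "00:13:46:f9:ef:9c", REPLY)
```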
Capturing IP packets
[Ethereal screenshot: packet list with DHCP Discover packets; frame 25 (67 bytes on wire, 67 bytes captured) expanded: Ethernet II, Src: EdimaxCo_36:4e:d8 (00:00:b4:36:4e:d8), Dst: Unispher_40:8e:af (00:90:1a:40:8e:af); PPP-over-Ethernet session; Point-to-Point Protocol; Internet Protocol, Src: 220.184.161.174, Dst: 207.46.24.65: Version: 4, Header length: 20 bytes, Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00), Total Length: 45, Identification: 0x1666 (5734), Flags: 0x04 (Don't Fragment), Fragment offset: 0, Time to live: 64, Protocol: TCP (0x06), Header checksum: 0xbe8e [correct]; Transmission Control Protocol, Src Port: 1030, Dst Port: 1863. Below the decode, the IP datagram layout with the fields Version, Type of service, Identification, Fragment offset, Time to live, Protocol, Header checksum, Source address, Destination address, Options (0 or more words)]
Annotations: IP datagram format; IP protocol version; upper-layer protocol type; source and destination IP addresses
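The "[correct]" that Ethereal prints next to the header checksum is the result of the RFC 1071 one's-complement check, shown here in an added Python example (not from the slides or from Ethereal). The header is constructed from the values on the slide, and `ttl_decremented` shows why each router must recompute the checksum after changing the TTL; the function names are my own.

```python
import struct
from ipaddress import IPv4Address

IPV4_HDR = "!BBHHHBBH4s4s"   # the 20-byte header without options

def ip_checksum(header):
    """RFC 1071 checksum: one's-complement sum of 16-bit words, then complemented."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                               # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_ipv4(src, dst, proto, payload_len, ident, ttl=64, df=True, dscp_ecn=0):
    flags_frag = 0x4000 if df else 0                 # DF is bit 14 of the flags/offset word; offset 0
    hdr = struct.pack(IPV4_HDR, 0x45, dscp_ecn, 20 + payload_len, ident, flags_frag, ttl, proto, 0,
                      IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]   # fill in the checksum

def parse_ipv4(pkt):
    """Decode the fields Ethereal lists for the IP layer and verify the header checksum."""
    vihl, tos, total, ident, ff, ttl, proto, csum, s, d = struct.unpack(IPV4_HDR, pkt[:20])
    ihl = (vihl & 0x0F) * 4
    if vihl >> 4 != 4 or ihl < 20 or len(pkt) < ihl:
        raise ValueError("not a well-formed IPv4 header")
    return {"version": vihl >> 4, "header_len": ihl, "dscp": tos >> 2, "ecn": tos & 3,
            "total_len": total, "id": ident, "df": bool(ff & 0x4000), "mf": bool(ff & 0x2000),
            "frag_off": ff & 0x1FFF, "ttl": ttl, "proto": proto, "checksum": csum,
            # summing the header with its checksum included gives 0 when the checksum is correct
            "checksum_ok": ip_checksum(pkt[:ihl]) == 0,
            "src": str(IPv4Address(s)), "dst": str(IPv4Address(d)), "options": pkt[20:ihl]}

def ttl_decremented(pkt):
    """What a router does per hop: TTL - 1 and the header checksum recomputed."""
    ihl = (pkt[0] & 0x0F) * 4
    hdr = bytearray(pkt[:ihl])
    if hdr[8] == 0:
        raise ValueError("TTL expired")
    hdr[8] -= 1
    hdr[10:12] = b"\x00\x00"                         # zero the field before recomputing
    hdr[10:12] = struct.pack("!H", ip_checksum(bytes(hdr)))
    return bytes(hdr) + pkt[ihl:]

# Constructed from the slide: 220.184.161.174 -> 207.46.24.65, TCP, total length 45, id 0x1666, DF, TTL 64.
HEADER = build_ipv4("220.184.161.174", "207.46.24.65", 6, 25, 0x1666)
```

Recomputing the checksum over this constructed header yields 0xbe8e, the value Ethereal marks as correct on the slide.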
Capturing DNS packets
[Ethereal screenshot: packet list: 560  21.489006  220.191.115.176 -> 202.96.64.68  DNS  Standard query A www.zju.edu.cn; 562  21.926514  202.96.64.68 -> 220.191.115.176  DNS  Standard query response A 61.175.193.61. Frame 560 expanded: User Datagram Protocol, Src Port: 1969, Dst Port: domain (53); Domain Name System (query): Transaction ID: 0x0003, Flags: 0x0100 (standard query): Response: Message is a query, Opcode: standard query (0), Truncated: Message is not truncated, Recursion desired: Do query recursively, Non-authenticated data OK: Non-authenticated data is unacceptable; Questions: 1, Answer RRs: 0, Authority RRs: 0, Additional RRs: 0; Queries: www.zju.edu.cn: type A, class IN: Name: www.zju.edu.cn, Type: A (Host address), Class: IN (0x0001)]
Annotations: DNS server address; DNS service port; DNS query request; DNS query content: www.zju.edu.cn; DNS query item: address; address type: Internet
DNS query response
[Ethereal screenshot: the same two packets; frame 562 expanded: User Datagram Protocol, Src Port: domain (53); Domain Name System (response): Transaction ID: 0x0003, Flags: 0x8180 (standard query response, No error): Response: Message is a response, Opcode: standard query (0), Authoritative: Server is not an authority for domain, Truncated: Message is not truncated, Recursion desired: Do query recursively, Recursion available: Server can do recursive queries, Answer authenticated: Answer/authority portion was not authenticated by the server, Reply code: No error (0); Questions: 1, Answer RRs: 1, Additional RRs: 0; Queries: www.zju.edu.cn: type A, class IN; Answers: www.zju.edu.cn: type A, class IN, addr 61.175.193.61]
Annotations: DNS query response; DNS query request content; DNS query result
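The query and response on the last two slides, built and parsed in Python as an added example (not from the slides or from Ethereal): the header flags 0x0100 and 0x8180, the question section, and an answer whose name is an RFC 1035 compression pointer back to the question. Transaction ID, name and address are the slide's values; the answer TTL is a constructed value the slide does not show, and the function names are my own.

```python
import struct
def encode_name(name):
    return b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"

def decode_name(msg, off):
    """Read a name at msg[off], following RFC 1035 compression pointers; return (name, next offset)."""
    labels, end = [], None
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:                       # 11xxxxxx: pointer to an earlier copy of the name
            if end is None:
                end = off + 2                      # a pointer terminates the name in the stream
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if n == 0:
            break
        labels.append(msg[off:off + n].decode("ascii")); off += n
    return ".".join(labels), (off if end is None else end)

def build_query(txid, name):
    # Flags 0x0100 = QR 0 (query), opcode 0 (standard), RD 1, as the query slide decodes them.
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", 1, 1)

def build_response(query, addr, ttl=600):
    # Flags 0x8180 = QR 1, RD 1, RA 1, AA 0, RCODE 0 (No error); the TTL is a constructed value.
    header = struct.pack("!HHHHHH", struct.unpack("!H", query[:2])[0], 0x8180, 1, 1, 0, 0)
    rr = struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, 4) + bytes(int(x) for x in addr.split("."))  # name = pointer to offset 12
    return header + query[12:] + rr

def parse_message(msg):
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off, out = 12, {"id": txid, "is_response": bool(flags & 0x8000), "rcode": flags & 0x0F,
                    "rd": bool(flags & 0x0100), "ra": bool(flags & 0x0080), "questions": [], "answers": []}
    for _ in range(qd):
        name, off = decode_name(msg, off)
        qtype, qclass = struct.unpack("!HH", msg[off:off + 4]); off += 4
        out["questions"].append((name, qtype, qclass))
    for _ in range(an):
        name, off = decode_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10]); off += 10
        rdata = msg[off:off + rdlen]; off += rdlen
        if rtype == 1 and rdlen == 4:
            rdata = ".".join(str(b) for b in rdata)  # A record: dotted IPv4 address
        out["answers"].append((name, rtype, rclass, ttl, rdata))
    return out

# Constructed from the slides: transaction 0x0003, A query for www.zju.edu.cn answered with 61.175.193.61.
QUERY = build_query(0x0003, "www.zju.edu.cn")
RESPONSE = build_response(QUERY, "61.175.193.61")
```

The 32-byte query matches the slide's hex dump, where the IP total length is 0x003c (20 + 8 + 32) and the UDP length is 0x0028.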