
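Common Protocol Decoding Explained

Packet encapsulation layers

Packet layer | Decoding notes
Data Link Layer | e.g. device drivers
Network Layer | e.g. IP, ICMP, IGMP
Transport Layer | e.g. TCP, UDP
Application Layer | e.g. FTP, HTTP, Email

The figure below shows a decoded packet, in which each protocol layer of the packet is decoded and analyzed separately:

Here we can see that the protocols are encapsulated from the outside in:
1. The data link layer corresponds to the "Ethernet II" protocol;
2. The network layer corresponds to the "IP" protocol;
3. The transport layer corresponds to the "UDP" protocol;
4. The application layer corresponds to the "DNS" protocol.

Below we explain each of these four protocol layers in detail.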

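Ethernet packet structure

The protocol structure is:

Size (bytes) | 7 | 1 | 6 | 6 | 2 | 46-1500 | 4
Field | Pre | SFD | DA | SA | Length Type | Data unit + pad | FCS

The figure below shows the decoded contents of the Ethernet II protocol; this example is used for the explanation:

Figure labels: upper-layer protocol 0x0800 (IP protocol), destination MAC address, source MAC address.

Destination MAC address | starts at offset 0, 6 bytes long
Source MAC address | starts at offset 6, 6 bytes long
Upper-layer protocol | starts at offset 12, 2 bytes long

Field | Description
Destination address | DA, destination MAC address, 6 bytes
Source addresses | SA, source MAC address, 6 bytes
Protocol | Length Type, the type of the upper-layer protocol carried
Data unit + pad | data field (46-1500 bytes)
FCS | check (4 bytes)

MAC address: MAC addresses are hexadecimal-encoded. During decoding, the first 3 bytes, which identify the vendor, can be translated to make troubleshooting easier. For example, if two devices on the network have conflicting IP addresses, the vendor information makes it easy to find the faulty device: 00e04C is TP-LINK, 000AKB is 迅捷, 00A0C9 is Intel, and so on.

Upper-layer protocol: the upper-layer protocols carried by Ethernet II are mainly 0x800 for the IP protocol and 0x806 for the ARP protocol.

IP protocol structure

The structure of the IP header is as follows:

Bit positions: 4 | 8 | 16 | 19 | 32 bits
Ver | IHL | Type of service | Total length
Identification | Flags | Fragment offset
Time to live | Protocol | Header checksum
Source address
Destination address
Option + Padding
Data

The figure below shows the decoded contents of the IP layer; this example is used for the explanation:

The fields of the decoded IP protocol are explained below:

Field | Description
Version: 4 | The version number is 4, i.e. the IPv4 protocol
Header Length: 5 | Header length is 20 bytes, 5 bits
Type of service: 000 0000 | Type of service provided; shows a summary of the parameters
  Precedence | Routing precedence information
  Delay | Delay
  Throughput | Throughput
  Reliability | Reliability
Total Length: 131 | Total length is 131 (in bytes; the maximum is 65535 bytes)
Identification: 10403 | Identification
Fragmentation Flags: 000. . | Flags
  Reserved: | Reserved
  Fragment: | Fragment
  More Fragment: | Last fragment
Fragment Offset: 0 | Offset
Time to Live: | TTL; 科來 Network Analysis System 5.0 discards packets with TTL=0
Protocol: 17 | Which protocol is carried: 1 ICMP, 6 TCP, 17 UDP, 89 OSPF
Check Sum: 0xCE73 | Checksum of the IP header; 0xCE73 is correct
Source IP address
Destination IP address

ARP protocol structure

The ARP protocol structure is as follows: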

Bit positions: 8 | 16 | 32 bits
Hardware Type | Protocol Type
Hardware address length | Protocol address length | Opcode
Sender Hardware Address
Sender Protocol Address
Target Hardware Address
Target Protocol Address

The figure below is the decode view of the ARP protocol:

The ARP fields in the figure above are explained in detail below:

Field | Description
Hardware Type: 1 | (Hardware type) 16 bits; defines the type of network ARP is running on. Each LAN is assigned an integer based on its type; for example, Ethernet is type 1. ARP can be used on any network.
Protocol Type: 0x0800 | (Protocol type) 16 bits; defines the type of the protocol. For example, 0x0800 stands for the IP protocol. ARP can be used with any higher-layer protocol.
Hardware Length: 6 | (Hardware length) 8 bits; defines the length of the physical address. The value for Ethernet is 6.
Protocol Length: 4 | (Protocol length) 8 bits; defines the length of the physical address. The value for IPv4 is 4.
Type: 1 | (Operation type) 16 bits; defines the operation type: 1 for a request, 2 for a reply.
Source Physics: 00:A0:C9:BB:21:2A | Source MAC address
Source IP: Source Ip | Source IP address
Destination Physics: 00:00:00:00:00:00 | Destination MAC address. For an ARP request packet this value is all zeros, because the requesting host does not know the MAC address of the target host.
Destination IP address

TCP protocol structure

The structure of the TCP protocol is as follows:

Bit positions: 16 | 32 bits
Source port | Destination port
Sequence number
Acknowledgement number
Offset | Reserved | U A P R S F | Window
Checksum | Urgent pointer
Option + Padding
Data

The figure below is the decode view of the TCP protocol:

The TCP fields in the figure above are explained in detail below:

Field | Description
Source Port: 80 | Source port; HTTP uses port 80
Destination Port: 3406 | Destination port
Sequence Number: 4161759990 | 32 bits. The sequence number of the first data octet in this segment (except when SYN is present). If SYN is present, the sequence number is the initial sequence number (ISN) and the first data octet is ISN+1.
Ack Number: 0 | 32 bits. If the ACK control bit is set, this field contains the value of the next sequence number which the sender of the segment is expecting to receive. Once a connection is established, this value is always sent.
Data Offset: 80
Header Length: 80 | 4 bits. The number of 32-bit words in the TCP header. This indicates where the data begins. The length of the TCP header is always a multiple of 32 bits.
Reserved: 0 | 6 bits. Reserved for future use. Must be cleared to zero.
Urgent pointer: | Urgent pointer field significant.
Acknowledgment number | Acknowledgment field significant.
Push Function: | Push function.
Reset the connection: | Reset the connection.
Synchronize sequence: | Synchronize sequence numbers.
End of data: | No more data from sender.
Window | 16 bits. It specifies the size of the sender's receive window, that is, the buffer space available in octets for incoming data.
Check Sum: | 16 bits. The checksum field is the 16 bit one's complement of the one's complement sum of all 16-bit words in the header and text. If a segment contains an odd number of header and text octets to be checksummed, the last octet is padded on the right with zeros to form a 16-bit word for checksum purposes. The pad is not transmitted as part of the segment. While computing the checksum, the checksum field itself is replaced with zeros.
Urgent Pointer | 16 bits. This field communicates the current value of the urgent pointer as a positive offset from the sequence number in this segment. The urgent pointer points to the sequence number of the octet following the urgent data. This field can only be interpreted in segments for which the URG control bit has been set.

DNS protocol structure

The structure of the DNS protocol is as follows:

Bit positions: 16 | 17 | 21 | 22 | 23 | 24 | 25 | 26 | 27 | 28 | 32
Identification | QR | Opcode | AA | TC | RD | RA | Z | AD | CD | Rcode
Question count | Answer count
Authority count | Additional count

The figure below is the decode view of the DNS protocol:

The DNS fields in the figure above are explained in detail below:

Field | Description
Identification: 43 | Identification, 16 bits
Flags:
Query/Response: 1 | Defines whether the message is a Query or a Response. 0 is Query, 1 is Response.
Operator Code: 0 | 4 bits; the codes are as follows:
  0 QUERY, Standard query.
  1 IQUERY, Inverse query.
  2 STATUS, Server status request.
  3 Reserved.
  4 Notify.
  5 Update.
  6-15 Reserved.
Authoritative Answer: 0 | 1-bit field. When set to 1, identifies the response as one made by an authoritative name server. 0 Not authoritative. 1 Is authoritative.
Truncation: 0 | 1-bit field. When set to 1, indicates the message has been truncated. 0 Not truncated. 1 Message truncated.
Recursion Desired: 1 | Recursion desired: 1-bit field. May be set in a query and is copied into the response. If set, the name server is directed to pursue the query recursively. Recursive query support is optional. 0 Recursion not desired. 1 Recursion desired.
Approve Recursion: 1 | 1 bit field. Indicates if recursive query support is available in the name server. 0 Recursive query support not available. 1 Recursive query support available.
Reserved: 0 | 1 bit field. Indicates in a response that all data included in the answer and authority sections of the response have been authenticated by the server according to the policies of that server. It should be set only if all data in the response has been cryptographically verified or otherwise meets the server's local security policy.
Respond code: 0
  0 No error. The request completed successfully.
  1 Format error. The name server was unable to interpret the query.
  2 Server failure.
  3 Name Error.
  4 Not Implemented.
  5 Refused.
  6 YXDomain. Name Exists when it should not.
  7 YXRRSet. RR Set Exists when it should not.
  8 NXRRSet. RR Set that should exist does not.
  9 NotAuth. Server Not Authoritative for zone.
  10 NotZone. Name not contained in zone.
  11-15 Reserved.
  16 BADVERS. Bad OPT Version. BADSIG. TSIG Signature Failure.
  17 BADKEY. Key not recognized.
  18 BADTIME. Signature out of time window.
  19 BADMODE. Bad TKEY Mode.
  20 BADNAME. Duplicate key name.
  21 BADALG. Algorithm not supported.
  22-3840
  3841-4095 Privat
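The four-layer decode walked through above, as an added example that is not part of the original document: it decodes Ethernet II, IPv4, UDP and the DNS header from one frame, verifies the IP header checksum, and rejects frames whose length fields disagree with the bytes actually present. The function names and the sample frame (documentation-range IP addresses, header-only DNS response) are assumptions constructed for illustration.

```python
import struct

def inet_checksum(data: bytes) -> int:
    """One's complement of the one's complement sum of 16-bit words."""
    data += b"\x00" * (len(data) % 2)        # odd length: pad right with a zero
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def decode_frame(frame: bytes) -> dict:
    """Decode Ethernet II -> IPv4 -> UDP -> DNS header, checking every length."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    out = {"dst": dst.hex(":"), "src": src.hex(":"), "ethertype": ethertype}
    if ethertype != 0x0800:
        return out                           # e.g. 0x0806 ARP: not decoded here
    ip = frame[14:]
    if len(ip) < 20:
        raise ValueError("truncated IP header")
    ver_ihl, _, total_len, _, _, ttl, proto = struct.unpack("!BBHHHBB", ip[:10])
    ihl = (ver_ihl & 0x0F) * 4               # header length counts 32-bit words
    if ver_ihl >> 4 != 4 or ihl < 20 or not ihl <= total_len <= len(ip):
        raise ValueError("inconsistent IP version or length fields")
    # A header that includes a correct checksum sums to zero.
    out.update(ttl=ttl, protocol=proto, ip_checksum_ok=inet_checksum(ip[:ihl]) == 0)
    if proto != 17:
        return out
    udp = ip[ihl:total_len]                  # total length excludes Ethernet padding
    if len(udp) < 8:
        raise ValueError("truncated UDP header")
    sport, dport, udp_len, _ = struct.unpack("!4H", udp[:8])
    if not 8 <= udp_len <= len(udp):
        raise ValueError("UDP length field disagrees with IP total length")
    out.update(sport=sport, dport=dport)
    dns = udp[8:udp_len]
    if 53 in (sport, dport) and len(dns) >= 12:
        ident, flags = struct.unpack("!HH", dns[:4])
        out["dns"] = {"id": ident, "qr": flags >> 15, "opcode": flags >> 11 & 0xF,
                      "aa": flags >> 10 & 1, "tc": flags >> 9 & 1,
                      "rd": flags >> 8 & 1, "ra": flags >> 7 & 1, "rcode": flags & 0xF}
    return out

# Constructed sample frame (not a real capture).
SAMPLE = bytes.fromhex(
    "00a0c9bb212a00e04c0000010800"               # Ethernet II, type 0x0800
    "4500002828a300004011cde2c0000235c000020a"   # IPv4, protocol 17, checksum 0xCDE2
    "00350d4e00140000"                           # UDP 53 -> 3406, length 20
    "002b81800000000000000000")                  # DNS header: ID 43, flags 0x8180
```

Calling `decode_frame(SAMPLE)` returns the per-layer fields; flipping any header byte makes `ip_checksum_ok` false, and a total length larger than the captured bytes raises `ValueError` instead of reading past the buffer.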
