Wireshark Packet Analysis: Reading TCP Protocol Packets

*This post is only a personal note and a study reference.

Three-way handshake to establish a connection (SYN flag)

The client sends a connection request and waits for confirmation; the server receives the request and replies with a confirmation; finally the client acknowledges. The connection is established and data transfer begins!

Four-way handshake to close a connection (FIN flag)

The client sends a close request and waits for confirmation; the server receives the request, replies with a confirmation, and then confirms the close once more from its side; the client acknowledges last; the connection is closed!

TCP header format

Three-way handshake to establish a connection---analysis

First handshake (SYN)

Transmission Control Protocol, Src Port: 52777 (52777), Dst Port: http (80), Seq: 0, Len: 0
#TCP, source port: 52777, destination port: 80#
    Source Port: 52777 (52777) #source port#
    Destination Port: http (80) #destination port#
    [Stream index: 1] #stream index#
    Sequence number: 0 (relative sequence number) #sequence number#
    Acknowledgment number: 0 #acknowledgment number#
    Header Length: 32 bytes #header length#
    Flags: 0x002 (SYN) #flags#
        000. .... .... = Reserved: Not set
        ...0 .... .... = Nonce: Not set
        .... 0... .... = Congestion Window Reduced (CWR): Not set
        .... .0.. .... = ECN-Echo: Not set
        .... ..0. .... = Urgent: Not set #URG flag#
        .... ...0 .... = Acknowledgment: Not set #ACK flag#
        .... .... 0... = Push: Not set #PSH flag#
        .... .... .0.. = Reset: Not set #RST flag#
        .... .... ..1. = Syn: Set #SYN flag#
            [Expert Info (Chat/Sequence): Connection establish request (SYN): server port 80] #expert info#
                [Connection establish request (SYN): server port 80] #message#
                [Severity level: Chat] #severity level#
                [Group: Sequence] #group#
        .... .... ...0 = Fin: Not set #FIN flag#
    Window size value: 8192 #window size#
    [Calculated window size: 8192] #calculated window size#
    Checksum: 0x0a48 [unverified] #checksum#
    Urgent pointer: 0 #urgent pointer#
    Options: (12 bytes), Maximum segment size, No-Operation (NOP), Window scale, No-Operation (NOP), No-Operation (NOP), SACK permitted #options#
        Maximum segment size: 1460 bytes #maximum segment size#
        No-Operation (NOP) #no-operation#
        No-Operation (NOP) #no-operation#
        No-Operation (NOP) #no-operation#
        TCP SACK Permitted Option: True #TCP SACK permitted option#

Second handshake (SYN/ACK)

Transmission Control Protocol, Src Port: http (80), Dst Port: 52777 (52777), Seq: 0, Ack: 1, Len: 0
#TCP, source port: 80, destination port: 52777#
    Source Port: http (80) #source port#
    Destination Port: 52777 (52777) #destination port#
    [Stream index: 1] #stream index#
    Sequence number: 0 (relative sequence number) #sequence number#
    Acknowledgment number: 1 (relative ack number) #acknowledgment number#
    Header Length: 32 bytes #header length#
    Flags: 0x012 (SYN, ACK) #flags#
        000. .... .... = Reserved: Not set
        ...0 .... .... = Nonce: Not set
        .... 0... .... = Congestion Window Reduced (CWR): Not set
        .... .0.. .... = ECN-Echo: Not set
        .... ..0. .... = Urgent: Not set #URG flag#
        .... ...1 .... = Acknowledgment: Set #ACK flag#
        .... .... 0... = Push: Not set #PSH flag#
        .... .... .0.. = Reset: Not set #RST flag#
        .... .... ..1. = Syn: Set #SYN flag#
            [Expert Info (Chat/Sequence): Connection establish acknowledge (SYN+ACK): server port 80] #expert info#
                [Connection establish acknowledge (SYN+ACK): server port 80] #message#
                [Severity level: Chat] #severity level#
                [Group: Sequence] #group#
        .... .... ...0 = Fin: Not set #FIN flag#
    Window size value: 8192 #window size#
    [Calculated window size: 8192] #calculated window size#
    Checksum: 0x0a48 [unverified] #checksum#
    Urgent pointer: 0 #urgent pointer#
    Options: (12 bytes), Maximum segment size, No-Operation (NOP), Window scale, No-Operation (NOP), No-Operation (NOP), SACK permitted #options#
        Maximum segment size: 1460 bytes #maximum segment size#
        No-Operation (NOP) #no-operation#
        No-Operation (NOP) #no-operation#
        No-Operation (NOP) #no-operation#
        TCP SACK Permitted Option: True #TCP SACK permitted option#
    [SEQ/ACK analysis] #sequence/acknowledgment number analysis#
        [This is an ACK to the segment in frame: 4]
        [The RTT to ACK the segment was: 0.170392000 seconds]
        [iRTT: 0.170478000 seconds]

Third handshake (ACK)

Transmission Control Protocol, Src Port: 52777 (52777), Dst Port: http (80), Seq: 1, Ack: 1, Len: 0
#TCP, source port: 52777, destination port: 80#
    Source Port: 52777 (52777) #source port#
    Destination Port: http (80) #destination port#
    [Stream index: 1] #stream index#
    Sequence number: 1 (relative sequence number) #sequence number#
    Acknowledgment number: 1 (relative ack number) #acknowledgment number#
    Header Length: 32 bytes #header length#
    Flags: 0x010 (ACK) #flags#
        000. .... .... = Reserved: Not set
        ...0 .... .... = Nonce: Not set
        .... 0... .... = Congestion Window Reduced (CWR): Not set
        .... .0.. .... = ECN-Echo: Not set
        .... ..0. .... = Urgent: Not set #URG flag#
        .... ...1 .... = Acknowledgment: Set #ACK flag#
        .... .... 0... = Push: Not set #PSH flag#
        .... .... .0.. = Reset: Not set #RST flag#
        .... .... ..0. = Syn: Not set #SYN flag#
        .... .... ...0 = Fin: Not set #FIN flag#
    Window size value: 8192 #window size#
    [Calculated window size: 8192] #calculated window size#
    Checksum: 0x0a48 [unverified] #checksum#
    Urgent pointer: 0 #urgent pointer#
    Options: (12 bytes), Maximum segment size, No-Operation (NOP), Window scale, No-Operation (NOP), No-Operation (NOP), SACK permitted #options#
        Maximum segment size: 1460 bytes #maximum segment size#
        No-Operation (NOP) #no-operation#
        No-Operation (NOP) #no-operation#
        No-Operation (NOP) #no-operation#
        TCP SACK Permitted Option: True #TCP SACK permitted option#
    [SEQ/ACK analysis] #sequence/acknowledgment number analysis#
        [This is an ACK to the segment in frame: 13]
        [The RTT to ACK the segment was: 0.000061000 seconds]
        [iRTT: 0.168388000 seconds]

Four-way handshake to close a connection---analysis

Basically the same as above, except that SYN is replaced by FIN, which is set to 1:
Flags: 0x011 (FIN, ACK)
    000. .... .... = Reserved: Not set
    ...0 .... .... = Nonce: Not set
    .... 0... .... = Congestion Window Reduced (CWR): Not set
    .... .0.. .... = ECN-Echo: Not set
    .... ..0. .... = Urgent: Not set
    .... ...1 .... = Acknowledgment: Set
    .... .... 0... = Push: Not set
    .... .... .0.. = Reset: Not set
    .... .... ..0. = Syn: Not set
    .... .... ...1 = Fin: Set

TCP reset---analysis

Basically the same as above, except that SYN is replaced by RST, which is set to 1:
Flags: 0x014 (RST, ACK)
    000. .... .... = Reserved: Not set
    ...0 .... .... = Nonce: Not set
    .... 0... .... = Congestion Window Reduced (CWR): Not set
    .... .0.. .... = ECN-Echo: Not set
    .... ..0. .... = Urgent: Not set
    .... ...1 .... = Acknowledgment: Set
    .... .... 0... = Push: Not set
    .... .... .1.. = Reset: Set
    .... .... ..0. = Syn: Not set
    .... .... ...0 = Fin: Not set
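An added example (my own code, not from the original post) that decodes raw TCP headers into the fields and the Wireshark-style Flags line shown in the trees above, walks the option list (MSS, NOP, window scale, SACK permitted), and checks that three segments chain together as a valid SYN / SYN+ACK / ACK handshake. The segments, initial sequence numbers and option bytes are constructed for offline use; the checksum is left at zero.

```python
import struct
# Flag bits in the order Wireshark prints them (low bit first): FIN ... CWR.
FLAG_BITS = [("FIN", 0x001), ("SYN", 0x002), ("RST", 0x004), ("PSH", 0x008),
             ("ACK", 0x010), ("URG", 0x020), ("ECN", 0x040), ("CWR", 0x080)]
OPTION_NAMES = {2: "MSS", 3: "Window scale", 4: "SACK permitted"}

def parse_options(raw):
    """Walk the option bytes: kinds 0 and 1 are single-byte, every other kind carries a length."""
    opts, i = [], 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:                      # End of option list; anything after is padding
            break
        if kind == 1:                      # No-Operation, used to align the next option
            opts.append(("NOP", b"")); i += 1; continue
        if i + 1 >= len(raw) or raw[i + 1] < 2 or i + raw[i + 1] > len(raw):
            raise ValueError("malformed TCP option at offset %d" % i)
        length = raw[i + 1]
        opts.append((OPTION_NAMES.get(kind, "kind %d" % kind), raw[i + 2:i + length]))
        i += length
    return opts

def parse_tcp(seg):
    """Decode the 20-byte fixed header plus options; flags are rendered like Wireshark's Flags line."""
    sport, dport, seq, ack, off_flags, win, _csum, _urg = struct.unpack("!HHIIHHHH", seg[:20])
    hlen = (off_flags >> 12) * 4           # data offset is counted in 32-bit words
    if hlen < 20 or hlen > len(seg):
        raise ValueError("bad data offset")
    flags = off_flags & 0x0FFF             # reserved bits + NS + the 8 flag bits
    names = [n for n, bit in FLAG_BITS if flags & bit]
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack, "hlen": hlen, "window": win,
            "flags": "0x%03x (%s)" % (flags, ", ".join(names)), "options": parse_options(seg[20:hlen])}

def build_segment(sport, dport, seq, ack, flags, window=8192, options=b""):
    """Constructed segment for offline testing (checksum left at 0, so not valid on the wire)."""
    options += b"\x00" * (-len(options) % 4)   # options are padded to a 32-bit boundary
    off_flags = (((20 + len(options)) // 4) << 12) | flags
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, off_flags, window, 0, 0) + options

def check_handshake(syn, synack, ack):
    """True when the three segments chain like the post's frames: SYN, SYN+ACK, ACK."""
    s1, s2, s3 = parse_tcp(syn), parse_tcp(synack), parse_tcp(ack)
    return (s1["flags"] == "0x002 (SYN)" and s2["flags"] == "0x012 (SYN, ACK)"
            and s3["flags"] == "0x010 (ACK)" and s2["ack"] == s1["seq"] + 1   # SYN uses one seq number
            and s3["seq"] == s1["seq"] + 1 and s3["ack"] == s2["seq"] + 1)

# Constructed handshake with the post's ports/options: MSS 1460, NOP, WS 2, NOP, NOP, SACK permitted.
SYN_OPTIONS = b"\x02\x04\x05\xb4\x01\x03\x03\x02\x01\x01\x04\x02"
HANDSHAKE = (build_segment(52777, 80, 1000, 0, 0x002, options=SYN_OPTIONS),
             build_segment(80, 52777, 5000, 1001, 0x012, options=SYN_OPTIONS),
             build_segment(52777, 80, 1001, 5001, 0x010))
```

The same decoder renders the teardown and reset segments above as `0x011 (FIN, ACK)` and `0x014 (RST, ACK)`, so one function covers every Flags line on this page.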

Original URL: http://blog.51cto.com/13444271/2125339

Time: 2024-11-09 00:06:38
