Detailed Decoding of Common Protocols

Packet encapsulation layers

Data Link Layer: e.g. device drivers
Network Layer: e.g. IP, ICMP, IGMP
Transport Layer: e.g. TCP, UDP
Application Layer: e.g. FTP, HTTP, Email

Packet decoding notes

The figure below is the decode view of a packet, in which the protocol at each layer has been decoded and analysed separately. In it we can see the protocols encapsulated from the outside in:

1. Data link layer: the "Ethernet II" protocol;
2. Network layer: the "IP" protocol;
3. Transport layer: the "UDP" protocol;
4. Application layer: the "DNS" protocol.

Each of these four layer protocols is explained in detail below.

Ethernet frame structure

The frame layout (field lengths in bytes) is:

  Pre (7) | SFD (1) | DA (6) | SA (6) | Length/Type (2) | Data unit + pad (46-1500) | FCS (4)

The figure below shows the decoded content of an Ethernet II header, used here as the worked instance:

  Destination MAC address: starts at offset 0, 6 bytes long
  Source MAC address: starts at offset 6, 6 bytes long
  Upper-layer protocol: starts at offset 12, 2 bytes long

Field / Description:
  Destination address: DA, the destination MAC address, 6 bytes
  Source address: SA, the source MAC address, 6 bytes
  Protocol: Length/Type, the type of upper-layer protocol carried
  Data unit + pad: the data field (46-1500 bytes)
  FCS: frame check sequence (4 bytes)

In the example the three decoded fields are the destination MAC address, the source MAC address, and the upper-layer protocol 0x0800 (IP).

MAC address: MAC addresses are written in hexadecimal. When decoding, the first 3 bytes, which identify the vendor, can be translated, which makes it easier to localise a problem. For example, if two devices on the network have conflicting IP addresses, the vendor information makes it easy to find the faulty device: 00e04C is TP-LINK, 000AKB is 迅捷 (FAST), 00A0C9 is Intel, and so on.

Upper-layer protocol: the upper-layer protocols carried by Ethernet II are mainly 0x800 for IP and 0x806 for ARP.

IP protocol structure

The IP header layout (bit offsets 0, 4, 8, 16, 19 and 32 mark the field boundaries) is:

  Ver (4 bits) | IHL (4) | Type of service (8) | Total length (16)
  Identification (16) | Flags (3) | Fragment offset (13)
  Time to live (8) | Protocol (8) | Header checksum (16)
  Source address (32)
  Destination address (32)
  Option + Padding
  Data

The figure below shows the decoded content of the IP layer, used here as the worked instance. The decoded IP fields are explained as follows:

Field / Description:
  Version: 4 — version number 4, i.e. the IPv4 protocol
  Header Length: 5 — header length 20 bytes (the value 5 counts 32-bit words)
  Type of service: 00000000 — type of service; the decoder shows a summary of its parameters: Precedence (priority routing information), Delay, Throughput, Reliability
  Total Length: 131 — total length 131 (in bytes; the maximum is 65535 bytes)
  Identification: 10403 — identification
  Fragmentation Flags: 000..... — flags: Reserved; Fragment (don't fragment); More Fragment (last fragment)
  Fragment Offset: 0 — offset
  Time to Live: TTL; Colasoft (科来) Network Analysis System 5.0 discards packets with TTL = 0
  Protocol: 17 — which protocol is carried: 1 – ICMP, 6 – TCP, 17 – UDP, 89 – OSPF
  CheckSum: 0xCE73 — checksum of the IP header; 0xCE73 is correct
  Source IP: 192.168.1.1 — source IP address
  Destination IP: 192.168.1.2 — destination IP address

ARP protocol structure

The ARP packet layout (bit offsets 0, 8, 16 and 32 mark the field boundaries) is:

  Hardware Type (16 bits) | Protocol Type (16)
  Hardware address length (8) | Protocol address length (8) | Opcode (16)
  Sender Hardware Address
  Sender Protocol Address
  Target Hardware Address
  Target Protocol Address

The figure below is the decode view of an ARP packet. The ARP fields in the figure are explained in detail as follows:

Field / Description:
  Hardware Type: 1 — hardware type, 16 bits; defines the type of network on which ARP runs. Each LAN is assigned an integer according to its type; for example, Ethernet is type 1. ARP can be used on any network.
  Protocol Type: 0x0800 — protocol type, 16 bits; defines the type of protocol, e.g. 0x0800 represents IP. ARP can be used with any higher-layer protocol.
  Hardware Length: 6 — hardware length, 8 bits; defines the length of the physical address. The value for Ethernet is 6.
  Protocol Length: 4 — protocol length, 8 bits; defines the length of the protocol address. The value for IPv4 is 4.
  Type: 1 — operation type, 16 bits; defines the operation: 1 for a request, 2 for a reply.
  Source Physics: 00:A0:C9:BB:21:2A — source MAC address
  Source IP: 192.168.1.3 — source IP address
  Destination Physics: 00:00:00:00:00:00 — destination MAC address; in an ARP request packet this value is all zeros, because the requesting host does not yet know the MAC address of the target host
  Destination IP: 192.168.1.1 — destination IP address

TCP protocol structure

The TCP header layout (bit offsets 0, 16 and 32 mark the field boundaries) is:

  Source port (16 bits) | Destination port (16)
  Sequence number (32)
  Acknowledgement number (32)
  Offset (4) | Reserved (6) | U A P R S F (6) | Window (16)
  Checksum (16) | Urgent pointer (16)
  Option + Padding
  Data

The figure below is the decode view of a TCP segment. The TCP fields in the figure are explained in detail as follows:

Field / Description:
  Source Port: 80 — source port; HTTP uses port 80
  Destination Port: 3406 — destination port
  Sequence Number: 4161759990 — 32 bits. The sequence number of the first data octet in this segment (except when SYN is present). If SYN is present, the sequence number is the initial sequence number (ISN) and the first data octet is ISN+1.
  Ack Number: 0 — 32 bits. If the ACK control bit is set, this field contains the value of the next sequence number which the sender of the segment is expecting to receive. Once a connection is established, this value is always sent.
  Data Offset: 80 / Header Length: 80 — 4 bits. The number of 32-bit words in the TCP header. This indicates where the data begins. The length of the TCP header is always a multiple of 32 bits.
  Reserved: 0 — 6 bits. Reserved for future use. Must be cleared to zero.
  Control bits:
    Urgent pointer (URG): urgent pointer field significant.
    Acknowledgment number (ACK): acknowledgment field significant.
    Push Function (PSH): push function.
    Reset the connection (RST): reset the connection.
    Synchronize sequence (SYN): synchronize sequence numbers.
    End of data (FIN): no more data from sender.
  Window — 16 bits. It specifies the size of the sender's receive window, that is, the buffer space available in octets for incoming data.
  CheckSum — 16 bits. The checksum field is the 16-bit one's complement of the one's complement sum of all 16-bit words in the header and text. If a segment contains an odd number of header and text octets to be checksummed, the last octet is padded on the right with zeros to form a 16-bit word for checksum purposes. The pad is not transmitted as part of the segment. While computing the checksum, the checksum field itself is replaced with zeros.
  Urgent Pointer — 16 bits. This field communicates the current value of the urgent pointer as a positive offset from the sequence number in this segment. The urgent pointer points to the sequence number of the octet following the urgent data. This field can only be interpreted in segments for which the URG control bit has been set.

DNS protocol structure

The DNS header layout (bit offsets 0, 16, 17, 21, 22, 23, 24, 25, 26, 27, 28 and 32 mark the field boundaries) is:

  Identification (16 bits) | QR (1) | Opcode (4) | AA (1) | TC (1) | RD (1) | RA (1) | Z (1) | AD (1) | CD (1) | Rcode (4)
  Question count (16) | Answer count (16)
  Authority count (16) | Additional count (16)

The figure below is the decode view of a DNS message. The DNS fields in the figure are explained in detail as follows:

Field / Description:
  Identification: 43 — identification, 16 bits
  Flags:
    Query/Response: 1 — defines whether this is a Query or a Response. 0 is Query, 1 is Response.
    Operator Code: 0 — 4 bits, with the following codes:
      0 QUERY, standard query.
      1 IQUERY, inverse query.
      2 STATUS, server status request.
      3 Reserved.
      4 Notify.
      5 Update.
      6-15 Reserved.
    Authoritative Answer: 0 — 1-bit field. When set to 1, identifies the response as one made by an authoritative name server. 0 not authoritative; 1 is authoritative.
    Truncation: 0 — 1-bit field. When set to 1, indicates the message has been truncated. 0 not truncated; 1 message truncated.
    Recursion Desired: 1 — 1-bit field. May be set in a query and is copied into the response. If set, the name server is directed to pursue the query recursively. Recursive query support is optional. 0 recursion not desired; 1 recursion desired.
    Approve Recursion (RA): 1 — 1-bit field. Indicates if recursive query support is available in the name server. 0 recursive query support not available; 1 recursive query support available.
    Reserved: 0 — 1-bit field
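To make the Ethernet II and IP sections above concrete, here is an added decoder (example code written for this page, not from the original document or any analyser product) that walks the same byte offsets: the 6+6+2 Ethernet II header, the vendor prefix of the MAC address, the ethertype dispatch (0x0800 IP / 0x0806 ARP), the IPv4 fields, and a recomputation of the header checksum so a decoder can flag a corrupted or tampered header instead of trusting the stored value. The sample frame is constructed inline with the example's values (TTL 64 and the MAC addresses are assumptions); it is not a captured packet.

```python
import struct

ETHERTYPES = {0x0800: "IP", 0x0806: "ARP"}          # upper-layer types named in the text
IP_PROTOCOLS = {1: "ICMP", 6: "TCP", 17: "UDP", 89: "OSPF"}

def ip_checksum(header: bytes) -> int:
    """RFC 791 header checksum: one's complement of the one's-complement sum of 16-bit words."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                      # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def decode_frame(frame: bytes) -> dict:
    """Decode the Ethernet II header and, for ethertype 0x0800, the IPv4 header beneath it."""
    if len(frame) < 14:
        raise ValueError("frame shorter than the 14-byte Ethernet II header")
    dst, src, ethertype = frame[:6], frame[6:12], struct.unpack("!H", frame[12:14])[0]
    out = {"dst_mac": dst.hex(":"), "src_mac": src.hex(":"),
           "src_oui": src[:3].hex().upper(),  # first 3 bytes identify the vendor
           "ethertype": ETHERTYPES.get(ethertype, hex(ethertype))}
    if ethertype != 0x0800:
        return out
    ip = frame[14:]
    if len(ip) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, tos, tlen, ident, ff, ttl, proto, csum, s, d = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or ihl > len(ip) or tlen > len(ip):
        raise ValueError("bad IPv4 version, header length or total length")
    hdr = bytearray(ip[:ihl])
    hdr[10:12] = b"\x00\x00"                 # checksum field counts as zero while verifying
    out.update({"version": 4, "header_len": ihl, "tos": tos, "total_len": tlen, "id": ident,
                "flags": ff >> 13, "frag_offset": ff & 0x1FFF, "ttl": ttl,
                "protocol": IP_PROTOCOLS.get(proto, str(proto)), "checksum": "0x%04X" % csum,
                "checksum_ok": ip_checksum(bytes(hdr)) == csum,
                "src_ip": ".".join(map(str, s)), "dst_ip": ".".join(map(str, d))})
    return out

def build_sample_frame() -> bytes:
    """Constructed sample (not a real capture): UDP/IPv4 inside Ethernet II, values as in the text."""
    eth = bytes.fromhex("00e04c000001") + bytes.fromhex("00a0c9bb212a") + b"\x08\x00"
    ip = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 131, 10403, 0, 64, 17, 0,
                               bytes([192, 168, 1, 1]), bytes([192, 168, 1, 2])))
    struct.pack_into("!H", ip, 10, ip_checksum(bytes(ip)))
    return eth + bytes(ip) + b"\x00" * 111    # dummy payload so total length 131 is consistent
```

Flipping any header byte of the sample frame (for instance the TTL at offset 14 + 8) makes `checksum_ok` false, which is the check a decoder should surface rather than silently printing the stored checksum as "correct".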
Title: Detailed Decoding of Common Protocols
Link: https://www.777doc.com/doc-2488727.html