Network Analysis Study Materials

Detailed Decoding of Common Protocols

Packet encapsulation layers

Packet decoding overview
Data link layer (Data Link Layer)

  e.g. Ethernet framing, handled by the device driver

Network layer (Network Layer)

  e.g. IP, ICMP, IGMP

Transport layer (Transport Layer)

  e.g. TCP, UDP

Application layer (Application Layer)

  e.g. FTP, HTTP, e-mail protocols

The figure below shows a packet decoded by the Colasoft Network Analysis System; each protocol layer carried in the packet is decoded separately:

In it we can see the protocols nested from the outside in:

  1. the data link layer is the "Ethernet II" protocol;
  2. the network layer is the "IP" protocol;
  3. the transport layer is the "UDP" protocol;
  4. the application layer is the "DNS" protocol.

Each of these four layers is explained in detail below.

Ethernet frame structure

Details of Ethernet II can be found at:
http://www.protocolbase.net/protocols/protocol_Ethernet%20Type%202.php
The frame structure is (field lengths in bytes):

  Preamble   SFD   DA   SA   Length/Type   Data unit + pad   FCS
  7          1     6    6    2             46-1500           4

The figure below shows an Ethernet II frame decoded by Colasoft Network Analysis System 5.0; we use this instance for the explanation:

  Destination MAC address    starts at byte offset 0, 6 bytes long
  Source MAC address         starts at byte offset 6, 6 bytes long
  Upper-layer protocol       starts at byte offset 12, 2 bytes long

Field                      Description
Destination address        DA, destination MAC address, 6 bytes
Source address             SA, source MAC address, 6 bytes
Protocol                   Length/Type (EtherType), the type of the upper-layer protocol carried, 2 bytes
Data unit + pad            data field (46-1500 bytes); a payload shorter than 46 bytes is padded to the minimum
FCS                        frame check sequence, a 4-byte CRC over the frame

The preamble and SFD are consumed by the NIC and never reach the capture software, and most NICs also strip the FCS before handing the frame up, so a decoded frame normally starts at the destination MAC and ends with the last payload byte.

MAC address

A MAC address is written in hexadecimal. When decoding, the first 3 bytes (the OUI, organizationally unique identifier) can be translated into the vendor that registered them, which helps locate a problem: if two devices on the network have conflicting IP addresses, for example, the vendor information helps find the offending device quickly. 00:E0:4C is registered to Realtek, 00:0A:EB to TP-LINK (FAST) and 00:A0:C9 to Intel. The full list is in the Ethernet Codes master page (Ethernet.txt) shipped with Colasoft.

Two caveats apply. The vendor lookup is only meaningful when the U/L bit (0x02 in the first byte) is clear, i.e. the address is globally administered; a locally administered address, as used by many virtual machines, carries no registered OUI. And a MAC address is trivially rewritten in software, so the OUI identifies the NIC's manufacturer only as long as nobody has spoofed it.

Upper-layer protocol

The main upper-layer protocols carried by Ethernet II are IP (type 0x0800) and ARP (type 0x0806). A value of 0x0600 or greater in this field is an EtherType; a smaller value means the frame is IEEE 802.3 and the field is a payload length instead.

IP header structure

Details of IP can be found at:
http://www.protocolbase.net/protocols/protocol_IP.php

The IP header is laid out as follows (bit positions within each 32-bit word):

  0       4       8               16    19                        32
  Ver   | IHL   | Type of service | Total length
  Identification                  | Flags | Fragment offset
  Time to live   | Protocol        | Header checksum
  Source address
  Destination address
  Options + padding (present only when IHL > 5)
  Data

The figure below shows the IP layer decoded by the Colasoft Network Analysis System; we use this instance for the explanation:

The IP fields in the decode mean the following:

Field                              Description
Version: 4                         4-bit field; 4 means IPv4.
Header Length: 5                   4-bit field (IHL) counted in 32-bit words: 5 x 4 = 20 bytes, i.e. no options.
Type of service: 000 0000          8-bit service type, shown as a summary of its parts:
       Precedence                  3-bit routing precedence
       Delay                       low-delay request
       Throughput                  high-throughput request
       Reliability                 high-reliability request
Total Length: 131                  length of header plus data in bytes (maximum 65535).
Identification: 10403              identification value shared by all fragments of one datagram.
Fragmentation Flags: 000. ....     3-bit flags field:
       Reserved                    must be 0
       Don't Fragment (DF)         1 = routers must not fragment this datagram
       More Fragments (MF)         1 = more fragments follow; 0 = this is the last (or only) fragment
Fragment Offset: 0                 13-bit offset of this fragment's data within the original datagram, in units of 8 bytes.
Time to Live                       TTL, decremented by every router on the path; Colasoft Network Analysis System 5.0 discards packets whose TTL is 0.
Protocol: 17                       which protocol the payload carries: 1 = ICMP, 2 = IGMP, 6 = TCP, 17 = UDP, 89 = OSPF.
Checksum: 0xCE73                   checksum over the IP header only (the payload is covered by the transport-layer checksum); the decoder recomputed it and reports 0xCE73 as correct.
Source IP: 192.168.1.1             source IP address
Destination IP: 192.168.1.2        destination IP address
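The following parser, added here as an example rather than taken from Colasoft, decodes the header above and verifies the checksum the way the decoder does: the one's complement sum over the header including its own checksum field must come out as zero. The datagram it parses is constructed from the values in the decode (IHL 5, total length 131, ID 10403, protocol 17, 192.168.1.1 to 192.168.1.2); the TTL of 128 and the zero payload are assumptions, so its checksum is not the 0xCE73 on the page.

```python
"""Decode an IPv4 header and verify its checksum.

Added example, not Colasoft's code. The sample datagram is constructed
from the values in the decode above (IHL 5, total length 131, ID 10403,
protocol 17, 192.168.1.1 -> 192.168.1.2); the TTL and the payload bytes
are assumed, so the resulting checksum differs from the 0xCE73 on the page.
"""
import ipaddress
import struct

PROTOCOLS = {1: "ICMP", 2: "IGMP", 6: "TCP", 17: "UDP", 89: "OSPF"}


def ones_complement_sum(data):
    """Fold the 16-bit words of data into a 16-bit one's complement sum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def checksum(data):
    return (~ones_complement_sum(data)) & 0xFFFF


def parse_ipv4(packet):
    """Return the IPv4 header fields; checksum_ok tells whether the header verifies."""
    if len(packet) < 20:
        raise ValueError("too short for an IPv4 header")
    (ver_ihl, tos, total_len, ident, flags_frag,
     ttl, proto, hdr_cksum, src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    version, ihl = ver_ihl >> 4, ver_ihl & 0x0F
    if version != 4:
        raise ValueError(f"not IPv4 (version {version})")
    header_len = ihl * 4                     # IHL counts 32-bit words
    if header_len < 20 or header_len > len(packet) or total_len < header_len:
        raise ValueError("inconsistent IHL / total length")
    header = packet[:header_len]
    flags = flags_frag >> 13                 # top 3 bits: reserved, DF, MF
    return {
        "version": version,
        "header_length": header_len,
        "tos": tos,
        "total_length": total_len,
        "identification": ident,
        "dont_fragment": bool(flags & 0b010),
        "more_fragments": bool(flags & 0b001),
        "fragment_offset": (flags_frag & 0x1FFF) * 8,   # 13 bits, units of 8 bytes
        "ttl": ttl,
        "protocol": proto,
        "protocol_name": PROTOCOLS.get(proto, str(proto)),
        "header_checksum": hdr_cksum,
        # Recomputing over the header including its checksum field gives 0 when valid.
        "checksum_ok": checksum(header) == 0,
        "src": str(ipaddress.IPv4Address(src)),
        "dst": str(ipaddress.IPv4Address(dst)),
        "options": header[20:],
        "payload": packet[header_len:total_len],
    }


def build_ipv4(src, dst, proto, payload, ttl=128, ident=10403, flags=0, frag_offset=0):
    """Build a datagram with a correct header checksum (no options)."""
    total_len = 20 + len(payload)
    flags_frag = (flags << 13) | (frag_offset // 8)
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, ident, flags_frag, ttl, proto, 0,
                         ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    header = header[:10] + struct.pack("!H", checksum(header)) + header[12:]
    return header + payload


# Constructed sample: 111 payload bytes give the page's total length of 131.
SAMPLE_PACKET = build_ipv4("192.168.1.1", "192.168.1.2", 17, b"\x00" * 111)

if __name__ == "__main__":
    fields = parse_ipv4(SAMPLE_PACKET)
    print(fields["src"], "->", fields["dst"], fields["protocol_name"],
          f"checksum 0x{fields['header_checksum']:04X} ok={fields['checksum_ok']}")
```

Note that the payload is cut at Total Length rather than at the end of the buffer: Ethernet pads short frames, and a decoder that hands the padding to the next layer will misparse it.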

ARP packet structure

Details of ARP can be found at:

http://www.protocolbase.net/protocols/protocol_ARP.php

The ARP packet structure is as follows (Ethernet/IPv4 case, 28 bytes):

  0                8                16               32 bits
  Hardware type                    | Protocol type
  HW address len | Proto addr len  | Opcode
  Sender hardware address (6 bytes)
  Sender protocol address (4 bytes)
  Target hardware address (6 bytes)
  Target protocol address (4 bytes)

The figure below shows the Colasoft Network Analysis System decode view of an ARP packet:

The ARP fields in the figure are explained in detail below:

Field                                   Description
Hardware Type: 1                        16 bits; the type of network ARP runs over. Each LAN type is assigned an integer, e.g. Ethernet is type 1; ARP can be used over any network.
Protocol Type: 0x0800                   16 bits; the upper-layer protocol whose addresses are being resolved, e.g. 0x0800 for IP. ARP can serve any higher-layer protocol.
Hardware Length: 6                      8 bits; length of the hardware (physical) address in bytes. 6 for Ethernet.
Protocol Length: 4                      8 bits; length of the protocol address in bytes. 4 for IPv4.
Type: 1                                 16 bits; the opcode, i.e. the operation type: 1 = request, 2 = reply.
Source Physics:
  00:A0:C9:BB:21:2A                     sender hardware address (source MAC)
Source IP:
  192.168.1.3                           sender protocol address (source IP)
Destination Physics:
  00:00:00:00:00:00                     target hardware address; in an ARP request this is all zeros, because the requesting host does not yet know the target's MAC address
Destination IP:
  192.168.1.1                           target protocol address (target IP)
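The following parser, added here as an example and not part of Colasoft's software, decodes the 28-byte ARP body above and adds the one sanity check a decoder can offer on a protocol with no authentication: it remembers which MAC first claimed each IP and reports any later packet that claims the same IP from a different MAC, which is what an IP address conflict (or a spoofed reply) looks like on the wire. The request reproduces the decode above; the two replies and their MAC addresses are constructed for the example.

```python
"""Decode ARP packets and flag IP addresses claimed by more than one MAC.

Added example, not Colasoft's code. The packets are constructed: the
request reproduces the decode above (00:A0:C9:BB:21:2A at 192.168.1.3
asking for 192.168.1.1); the two replies and their MAC addresses are
assumed for the sake of the conflict check.
"""
import ipaddress
import struct

OPCODES = {1: "request", 2: "reply"}


def fmt_mac(raw):
    return ":".join(f"{b:02X}" for b in raw)


def parse_arp(packet):
    """Return the fields of an Ethernet/IPv4 ARP packet (28 bytes)."""
    if len(packet) < 8:
        raise ValueError("too short for an ARP header")
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", packet[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("only Ethernet (1) / IPv4 (0x0800) ARP is handled here")
    if len(packet) < 28:
        raise ValueError("truncated ARP body")
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", packet[8:28])
    return {
        "hardware_type": htype,
        "protocol_type": ptype,
        "opcode": opcode,
        "opcode_name": OPCODES.get(opcode, f"unknown {opcode}"),
        "sender_mac": fmt_mac(sha),
        "sender_ip": str(ipaddress.IPv4Address(spa)),
        "target_mac": fmt_mac(tha),      # all zeros in a request: not yet known
        "target_ip": str(ipaddress.IPv4Address(tpa)),
    }


def build_arp(opcode, sender_mac, sender_ip, target_mac, target_ip):
    """Assemble an Ethernet/IPv4 ARP packet; MACs given as 'aa:bb:...' strings."""
    return struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode) + struct.pack(
        "!6s4s6s4s",
        bytes.fromhex(sender_mac.replace(":", "")), ipaddress.IPv4Address(sender_ip).packed,
        bytes.fromhex(target_mac.replace(":", "")), ipaddress.IPv4Address(target_ip).packed)


def find_ip_mac_conflicts(arp_packets):
    """ARP carries no authentication, so every sender binding is taken on trust.
    Remember the MAC that first claimed each IP and report any later packet
    that claims it from a different MAC (address conflict or spoofed reply)."""
    first_seen = {}
    conflicts = []
    for packet in arp_packets:
        arp = parse_arp(packet)
        ip, mac = arp["sender_ip"], arp["sender_mac"]
        if ip == "0.0.0.0":          # ARP probe: sender has no address yet
            continue
        known = first_seen.setdefault(ip, mac)
        if known != mac:
            conflicts.append({"ip": ip, "first_mac": known, "new_mac": mac,
                              "opcode": arp["opcode_name"]})
    return conflicts


# Constructed traffic: the request from the decode above, the gateway's reply,
# then a second reply claiming the gateway's IP from another MAC.
ARP_REQUEST = build_arp(1, "00:a0:c9:bb:21:2a", "192.168.1.3", "00:00:00:00:00:00", "192.168.1.1")
ARP_REPLY = build_arp(2, "00:0a:eb:11:22:33", "192.168.1.1", "00:a0:c9:bb:21:2a", "192.168.1.3")
ARP_REPLY_CONFLICT = build_arp(2, "00:e0:4c:44:55:66", "192.168.1.1", "00:a0:c9:bb:21:2a", "192.168.1.3")

if __name__ == "__main__":
    print(parse_arp(ARP_REQUEST))
    print(find_ip_mac_conflicts([ARP_REQUEST, ARP_REPLY, ARP_REPLY_CONFLICT]))
```

The check is deliberately simple: a legitimate NIC replacement also shows up as a conflict, so it is a prompt to look at the two OUIs, not a verdict.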

TCP segment structure

Details of TCP can be found at:

http://www.protocolbase.net/protocols/protocol_TCP.php

The TCP header structure is as follows:

  0                16               32 bits
  Source port      | Destination port
  Sequence number
  Acknowledgement number
  Offset | Reserved | U A P R S F | Window
  Checksum         | Urgent pointer
  Options + padding
  Data

The figure below shows the Colasoft Network Analysis System decode view of a TCP segment:

The TCP fields in the figure are explained in detail below:

Field                              Description
Source Port: 80                    source port; 80 is HTTP, so this segment comes from a web server.
Destination Port: 3406             destination port (an ephemeral client port).
Sequence Number: 4161759990        32 bits. The sequence number of the first data octet in this segment (except when SYN is present). If SYN is present, the sequence number is the initial sequence number (ISN) and the first data octet is ISN+1.
Ack Number: 0                      32 bits. If the ACK control bit is set, this field contains the value of the next sequence number the sender of the segment is expecting to receive. Once a connection is established this value is always sent.
Data Offset / Header Length: 80    4 bits. The number of 32-bit words in the TCP header, which indicates where the data begins; the header length is always a multiple of 32 bits. The value 80 shown by the decoder is best read as the raw header byte 0x80: its high nibble 8 is the data offset, giving a 32-byte header (20 fixed bytes plus 12 bytes of options).
Reserved: 0                        6 bits. Reserved for future use; must be zero. (Two of these bits were later assigned to ECN as CWR and ECE.)
Control bits                       6 flags, one bit each:
      URG                          Urgent pointer field significant.
      ACK                          Acknowledgment field significant.
      PSH                          Push function.
      RST                          Reset the connection.
      SYN                          Synchronize sequence numbers.
      FIN                          No more data from sender.
Window                             16 bits. The size of the sender's receive window, i.e. the buffer space in octets it can accept.
Checksum                           16 bits. The 16-bit one's complement of the one's complement sum of all 16-bit words in the header and text. If a segment contains an odd number of header and text octets, the last octet is padded on the right with zeros to form a 16-bit word; the pad is not transmitted. While computing the checksum, the checksum field itself is replaced with zeros. The sum also covers a 12-byte pseudo-header (source IP, destination IP, a zero byte, protocol 6 and the TCP length), which is why a decoder needs the IP header to verify it.
Urgent Pointer                     16 bits. The current value of the urgent pointer as a positive offset from the sequence number in this segment; it points to the sequence number of the octet following the urgent data. Only meaningful in segments with URG set.
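The following parser, added here as an example and not Colasoft's code, decodes the header above, including the data offset nibble, the individual control bits, the options list and the checksum with its pseudo-header. The segment it parses is constructed from the decode (port 80 to 3406, sequence 4161759990, acknowledgement 0, 32-byte header); the SYN flag, the option contents, the IP addresses 192.168.1.1 and 192.168.1.2 used for the pseudo-header and the empty payload are assumptions.

```python
"""Decode a TCP header, its flags and options, and verify the checksum.

Added example, not Colasoft's code. The segment is constructed from the
decode above (port 80 -> 3406, sequence 4161759990, acknowledgement 0,
32-byte header); the flags (SYN), the options, the IP addresses
192.168.1.1 / 192.168.1.2 used for the pseudo-header and the absence of a
payload are assumptions.
"""
import ipaddress
import struct

# Control bits in the flags byte, low bit first. CWR/ECE are the two
# formerly reserved bits assigned to ECN by RFC 3168.
FLAG_NAMES = ["FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECE", "CWR"]


def ones_complement_sum(data):
    if len(data) % 2:
        data += b"\x00"                       # pad an odd last octet (not transmitted)
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def tcp_checksum(src_ip, dst_ip, segment):
    """Checksum over the IPv4 pseudo-header plus the whole segment.
    Returns 0 when the checksum field already in the segment is correct."""
    pseudo = (ipaddress.IPv4Address(src_ip).packed + ipaddress.IPv4Address(dst_ip).packed
              + struct.pack("!BBH", 0, 6, len(segment)))
    return (~ones_complement_sum(pseudo + segment)) & 0xFFFF


def parse_options(raw):
    """Return [(kind, data), ...]; kind 1 (NOP) has no length byte, kind 0 ends the list."""
    options, i = [], 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:
            break
        if kind == 1:
            options.append((1, b""))
            i += 1
            continue
        if i + 1 >= len(raw) or raw[i + 1] < 2 or i + raw[i + 1] > len(raw):
            raise ValueError("malformed TCP option length")
        options.append((kind, raw[i + 2:i + raw[i + 1]]))
        i += raw[i + 1]
    return options


def parse_tcp(segment, src_ip=None, dst_ip=None):
    if len(segment) < 20:
        raise ValueError("too short for a TCP header")
    (sport, dport, seq, ack, off_res, flags,
     window, cksum, urg) = struct.unpack("!HHIIBBHHH", segment[:20])
    data_offset = off_res >> 4                # high nibble of byte 12, in 32-bit words
    header_len = data_offset * 4
    if header_len < 20 or header_len > len(segment):
        raise ValueError("data offset points outside the segment")
    fields = {
        "src_port": sport, "dst_port": dport,
        "seq": seq, "ack": ack,
        "data_offset": data_offset, "header_length": header_len,
        "reserved": off_res & 0x0F,           # the four bits still reserved today
        "flags": {name: bool(flags & (1 << i)) for i, name in enumerate(FLAG_NAMES)},
        "window": window, "checksum": cksum,
        "urgent_pointer": urg if flags & 0x20 else None,  # only meaningful with URG
        "options": parse_options(segment[20:header_len]),
        "payload": segment[header_len:],
    }
    if src_ip and dst_ip:
        fields["checksum_ok"] = tcp_checksum(src_ip, dst_ip, segment) == 0
    return fields


def build_tcp(sport, dport, seq, ack, flags, window, src_ip, dst_ip, options=b"", payload=b""):
    """Assemble a segment with a valid checksum; options are padded to 32 bits."""
    options += b"\x00" * (-len(options) % 4)
    data_offset = (20 + len(options)) // 4
    header = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, data_offset << 4, flags, window, 0, 0)
    segment = header + options + payload
    cksum = tcp_checksum(src_ip, dst_ip, segment)
    return segment[:16] + struct.pack("!H", cksum) + segment[18:]


SRC_IP, DST_IP = "192.168.1.1", "192.168.1.2"
# Constructed options: MSS 1460, NOP, window scale 7, NOP, NOP, SACK permitted (12 bytes).
SAMPLE_OPTIONS = bytes.fromhex("020405b4" "01" "030307" "0101" "0402")
SAMPLE_SEGMENT = build_tcp(80, 3406, 4161759990, 0, 0x02, 65535, SRC_IP, DST_IP, SAMPLE_OPTIONS)

if __name__ == "__main__":
    print(parse_tcp(SAMPLE_SEGMENT, SRC_IP, DST_IP))
```

The option walker checks every length byte against the remaining header before using it; an option with length 0 or 1, or one that runs past the data offset, is how malformed segments crash naive decoders.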

HTTP message structure

Details of HTTP can be found at:

http://www.protocolbase.net/protocols/protocol_HTTP.php

The HTTP message structure is as follows:

DNS message structure

Details of DNS can be found at:

http://www.protocolbase.net/protocols/protocol_DNS.php

The DNS header structure is as follows (bit positions):

  0                16 17    21 22 23 24 25 26 27 28    32
  Identification   | QR|Opcode|AA|TC|RD|RA|Z |AD|CD|Rcode
  Question count   | Answer count
  Authority count  | Additional count

The figure below shows the Colasoft Network Analysis System decode view of a DNS message:

The DNS fields in the figure are explained in detail below:

Field                              Description
Identification: 43                 16-bit ID chosen by the client and copied into the response so that replies can be matched to queries.
Flags:
Query/Response: 1                  1 bit; 0 = query, 1 = response.
Operator Code: 0                   4-bit opcode, with the following values:

  0      QUERY, standard query
  1      IQUERY, inverse query
  2      STATUS, server status request
  3      reserved
  4      NOTIFY
  5      UPDATE
  6-15   reserved

Authoritative Answer: 0            1 bit. When set to 1, identifies the response as coming from an authoritative name server.
                                   0 = not authoritative, 1 = authoritative
Truncation: 0                      1 bit. When set to 1, the message was truncated because it exceeded what the transport allowed; the client should retry over TCP.
                                   0 = not truncated, 1 = truncated
Recursion Desired: 1               1 bit. May be set in a query and is copied into the response. If set, the name server is asked to pursue the query recursively. Recursive query support is optional.
                                   0 = recursion not desired, 1 = recursion desired
Recursion Available: 1             1 bit (labelled "Approve Recursion" in the decoder). Set in a response to indicate whether the server supports recursive queries.
                                   0 = recursive query support not available, 1 = available
Reserved (Z): 0                    1 bit; must be 0 in both queries and responses.
Authentic Data (AD)                1 bit. In a response, indicates that all data in the answer and authority sections has been authenticated by the server according to its policies; it should be set only if all data in the response has been cryptographically verified (DNSSEC) or otherwise meets the server's local security policy. A resolver should rely on this bit only when it trusts the server and the path to it, since the bit itself is not signed.
Checking Disabled (CD)             1 bit. Set by a client to tell the server not to perform DNSSEC validation on its behalf.
Response code: 0                   4-bit rcode; 0 means no error. Defined values:

  0      NoError, the request completed successfully
  1      FormErr, format error: the name server was unable to interpret the query
  2      ServFail, server failure
  3      NXDomain (Name Error), the domain name does not exist
  4      NotImp, not implemented
  5      Refused
  6      YXDomain, name exists when it should not
  7      YXRRSet, RR set exists when it should not
  8      NXRRSet, RR set that should exist does not
  9      NotAuth, server not authoritative for zone
  10     NotZone, name not contained in zone
  11-15  reserved
  16     BADVERS, bad OPT version (EDNS); also BADSIG, TSIG signature failure
  17     BADKEY, key not recognized
  18     BADTIME, signature out of time window
  19     BADMODE, bad TKEY mode
  20     BADNAME, duplicate key name
  21     BADALG, algorithm not supported
  22-3840      unassigned
  3841-4095    private use
  4096-65535   unassigned

Values above 15 do not fit in the 4-bit header field; they are carried in the extended rcode of an EDNS OPT record or in a TSIG record, so a decoder only sees them when it parses the additional section.

Questions: 1                       16 bits; number of entries in the question section.
Answers: 2                         16 bits; number of resource records in the answer section.
Authority: 0                       16 bits; number of name server resource records in the authority section.
Additional: 0                      16 bits; number of resource records in the additional records section.

 

 

 

Question section entry structure:

  0                16               32 bits
  Query name (variable length: a sequence of length-prefixed labels ending in 0)
  Type             | Class

 

The Question in the figure is explained below:

Field                              Description
Domain Name: www.autofx.com.       the queried domain name
Type: 1                            1 = A, IPv4 address
Class: 1                           1 = IN, Internet

 

Answer (resource record) structure:

  0                16               32 bits
  Name (variable length; usually a 2-byte compression pointer back to the question name)
  Type             | Class
  TTL
  Rdata length     | Rdata (variable length)

 

The Answer in the figure is explained below:

Field                              Description
Domain Name: autofx.com.           the resolved domain name
Type: 1                            1 = A, IPv4 address
Class: 1                           1 = IN, Internet
Time to Live: 1200                 the record may be cached for 1200 seconds
Data Length: 4                     rdata length, 4 bytes (an IPv4 address)
IP Address: 206.132.220.203        the IP address, 206.132.220.203
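The following parser, added here as an example and not Colasoft's code, decodes a whole DNS message according to the header, question and answer layouts above: it splits the flags word into the bits in the header table, walks the question and record sections, and resolves name compression pointers, rejecting any pointer that does not point backwards (the standard requires a pointer to reference an earlier occurrence, and that rule is also what prevents a crafted message from sending the parser into a loop). The response bytes are constructed to match the decode above (ID 43, QR/RD/RA set, rcode 0, one question for www.autofx.com, two answers, the A record autofx.com to 206.132.220.203 with TTL 1200); the first answer is assumed to be the CNAME www.autofx.com to autofx.com that such a pair usually implies.

```python
"""Decode a DNS message: header flags, question, and resource records,
including compression pointers.

Added example, not Colasoft's code. The response bytes are constructed to
match the decode above (ID 43, QR=1, RD=1, RA=1, rcode 0, 1 question for
www.autofx.com A/IN, 2 answers, A record autofx.com -> 206.132.220.203
with TTL 1200); the CNAME first answer is an assumption.
"""
import ipaddress
import struct

OPCODES = {0: "QUERY", 1: "IQUERY", 2: "STATUS", 4: "NOTIFY", 5: "UPDATE"}
RCODES = {0: "NoError", 1: "FormErr", 2: "ServFail", 3: "NXDomain", 4: "NotImp", 5: "Refused"}
TYPES = {1: "A", 2: "NS", 5: "CNAME", 12: "PTR", 28: "AAAA"}
NAME_TYPES = {2, 5, 12}          # rdata is itself a (possibly compressed) name


def read_name(msg, offset):
    """Return (name, offset_after_name). Compression pointers must point
    backwards (RFC 1035), which also rules out pointer loops."""
    labels, end, jumped = [], None, False
    while True:
        if offset >= len(msg):
            raise ValueError("name runs past the end of the message")
        length = msg[offset]
        if length == 0:
            offset += 1
            break
        if length & 0xC0 == 0xC0:                     # 11xxxxxx: 14-bit pointer
            if offset + 1 >= len(msg):
                raise ValueError("truncated compression pointer")
            pointer = ((length & 0x3F) << 8) | msg[offset + 1]
            if pointer >= offset:
                raise ValueError("compression pointer does not point backwards")
            if not jumped:
                end = offset + 2                      # the name occupies 2 bytes here
            jumped, offset = True, pointer
            continue
        if length > 63:
            raise ValueError("unsupported label type")
        labels.append(msg[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    return ".".join(labels) + ".", (end if jumped else offset)


def read_rr(msg, offset):
    name, offset = read_name(msg, offset)
    if offset + 10 > len(msg):
        raise ValueError("truncated resource record")
    rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
    rd_start = offset + 10
    if rd_start + rdlen > len(msg):
        raise ValueError("rdata length exceeds message")
    rdata = msg[rd_start:rd_start + rdlen]
    if rtype == 1 and rdlen == 4:
        value = str(ipaddress.IPv4Address(rdata))
    elif rtype in NAME_TYPES:
        value = read_name(msg, rd_start)[0]           # pointers are relative to the whole message
    else:
        value = rdata.hex()
    return ({"name": name, "type": TYPES.get(rtype, rtype), "class": rclass,
             "ttl": ttl, "rdlength": rdlen, "rdata": value}, rd_start + rdlen)


def parse_dns(msg):
    if len(msg) < 12:
        raise ValueError("shorter than the 12-byte DNS header")
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    header = {
        "qr": flags >> 15, "opcode": (flags >> 11) & 0xF, "aa": (flags >> 10) & 1,
        "tc": (flags >> 9) & 1, "rd": (flags >> 8) & 1, "ra": (flags >> 7) & 1,
        "z": (flags >> 6) & 1, "ad": (flags >> 5) & 1, "cd": (flags >> 4) & 1,
        "rcode": flags & 0xF,
    }
    header["opcode_name"] = OPCODES.get(header["opcode"], "reserved")
    header["rcode_name"] = RCODES.get(header["rcode"], str(header["rcode"]))
    offset, questions = 12, []
    for _ in range(qd):
        name, offset = read_name(msg, offset)
        if offset + 4 > len(msg):
            raise ValueError("truncated question")
        qtype, qclass = struct.unpack("!HH", msg[offset:offset + 4])
        questions.append({"name": name, "type": TYPES.get(qtype, qtype), "class": qclass})
        offset += 4
    sections = {}
    for section, count in (("answers", an), ("authority", ns), ("additional", ar)):
        records = []
        for _ in range(count):
            rr, offset = read_rr(msg, offset)
            records.append(rr)
        sections[section] = records
    return {"id": ident, "flags": header, "questions": questions, **sections}


# Constructed response, with the offsets the compression pointers refer to.
SAMPLE_RESPONSE = bytes.fromhex(
    "002b" "8180" "0001" "0002" "0000" "0000"          # header: ID 43, QR RD RA, 1 question, 2 answers
    "03777777" "066175746f6678" "03636f6d" "00"       # offset 12: www.autofx.com ("autofx" starts at 16)
    "0001" "0001"                                      # QTYPE A, QCLASS IN
    "c00c" "0005" "0001" "000004b0" "0002" "c010"      # CNAME www.autofx.com -> autofx.com, TTL 1200
    "c010" "0001" "0001" "000004b0" "0004" "ce84dccb"  # A autofx.com -> 206.132.220.203, TTL 1200
)

if __name__ == "__main__":
    print(parse_dns(SAMPLE_RESPONSE))
```

Every length read from the message (label, pointer, rdata, fixed record fields) is checked against the buffer before it is used, so a truncated or hostile response raises ValueError instead of indexing past the end.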
