常见协议解码详解

《常见协议解码详解》由会员分享，可在线阅读，更多相关《常见协议解码详解（12页珍藏版）》请在装配图网上搜索。

1、常见协议解码详解数据包封包分层Data Link LayerWetwork Layer数据链路层Da ta Link Layer 如：设备驱动网络层 Net work Layer 如：IP， ICMP， IGMP 等Transport Layer传输层 Transport Layer女口： TCP, UDPL Application Layer应用层 Applica tion Layer 如：FTP， HTTP， Email 等F图是对数据包的解码图，其中对数据包中的每一层协议分别进行了解码分析：H-,H-H-a-a-s-:Num:54E：415 PktLan: 84 CapLenzBO Ti

2、me: ZQ0507Z4 10: E9: 53.573thern.Des:00:OA:IE:DA:7F:36 Src:00:EO:4C:AO:S6:BD Pro:OkOSOOVer:4 HLen:5 T03:0000 0000 T Len:GG ID:121 Flags:000.Src:302：l res:E3 Len:4 Suhl: 0k24SSID;41 F;QwOiaa QD;1 AM;口 AU;0 AB;0 QS;FCS:0kB8A8106这里面，我们可以看到协议由外向内封装，分别是：1. 数据链路层对应“Ethernet II”协议；2. 网络层对应“IP”协议；3. 传输层对应“U

3、DP”协议；4. 应用层对应“DNS ”协议。F面我们就分别对这四层协议做详细解释。以太网数据包结构协议结构为：7166246-1500bytes4PreSFDDASALength TypeData unit + padFCSF图是Ethernet II协议解码后的内容，利用此实例进行说明：-A-Jacket- l-Ii.uik1 巳r:Iacket. Lemt-h: C apt.ur e L:limest.tLDipzEtlueriuet II HeaderE1 estinat.ion Aiiiress:Sour ce Address:1=P 卫 rutCinul :IP - Interne

4、t ProtocolO Version:8480Z005-07-Z4 10:29z0000目标MAC:573086地址0/140:OAzEBzDA:7F:960/6 0:EO:4CzAO:S6:BD.源 “AC12/21OkOSOOL4/Z04上层协议地址.1F0CIO 0A EB DA 7F 9G 00 E0 4C A0 86 ED 08001500 SO 11 86 46 匚Ci AS 01 0Z CO AS 01 010x0800 (IP 协议)118S0024OOZA 00 29 01 00 00 01 00 00 00 00 00 00 03 77 77 77 0C 70 72 6F

5、 74003F F 63 6F 6C 61 73 65 03 EE 65 74 00 00 01 01E_.Bl.-.J5. - .)linijTij.p r or.IL as list- 再目 D已 st-ination Address :00:OA:EB:DA:7F:960/6目标MAC地址0位开始/6 bytes长邑 Source AdireszQO:E0:4C:AO:S6:BD6/6源MAC地址6位开始/6 bytes长1=F Prut-cicuL:QkOSOO上层协议12位开始/2 bytes长字段说明Destination addressDA,目标MAC地址6字节Source ad

6、dressesSA,源MAC地址6字节ProtocolLength Type，承载的上层协议类型Data unit + pad，数据字段(46-1500bytes)FCS 检验(4bytes)MAC地址：MAC地址为16进制编码，在解码中可以将前3 bytes代表厂商的字段翻译出来，方便定位问 题，如网络上有两台设备IP地址冲突，可以通过厂商信息方便的将故障设备找到，如00e04C 为 TP-LINK，OOOAKB 为迅捷，00A0C9 为In tel 等等，上层协议：Ethernet II承载的上层协议主要包括0x800为IP协议和0x806为ARP协议。IP 协议结构IP头的结构如下：48

7、161932bitsVerIHLType of serviceTotal le ngthIde ntificatio nFlagsFragme nt offsetTime to liveProtocolHeader checksumSource addressDesti nati on addressOpti on + Padd ingDataF图是IP层解码后的内容，利用此实例进行说明：白IP - Internet Pirotoml.14/20Q14/1Oku口F口 Versicn:iO Header Length.:52 0 hT.rr.P514/1OxOLiOF0 O Type o f

8、Seri r已:OOLIU 00001-5/1 Precedence:00LIrouting inf口ruiat-iuii 16/1 0x00E0:Q Delay:-.0 NurraaL ielay 16/1 OkOOIO:Q Tlirougliput.:0.Normal throughput 16/10x0008O B.pliatiil it.y z .0.Normal reliotiility 16/1 0m0004T ut- llI Lct114t.il：13116/Z；-旨1 Id&nti ficatl已n:1040 218/20Fi:ati_c-n Flag兰：00LI20/1 Ow

9、OOEO-:U Reset wed:20/1 LIkOOSO:U Fr aiipieiit :-0. M ay f r airiLL ent 2.0 / 1 U z 0 0 4 0: U Here F r 亠尹匹 n 匕:-a. L ast t r ELiiriiietit 2 0 / 丄LI z 0 0 2 0-F r aijTii eiit Utts 己七：u2ij/2UkIFFF Tiiiie Tc L iwe :U2271: 包 Prc-t ci c c 1 z17UI：I23/1 ：Clieck Si-iriizOxCE73C or r ect- 24/E J Source IF:L

10、9Z16S.11MH寸IP :L9Z16S.1 Z30/J Hq IP Options:3/0-1TDF User Datagram. Protocol:34/8：bour c p pnrt:5334fl芒1F面是IP协议解码的对应字段解释：字段说明Versi on: 4版本号为4,即IPv4协议，Header Len gth: 5头部长度20字节，5 bitsType of service: 000 0000服务提供类型，显示参数摘要。Precedenee优先路由信息Delay迟延Throughput吞吐量Reliability可靠性Total Len gth: 131总长131 （单位字节

11、，取长为65535字节）Ide ntifieatio n: 10403标识Fragme ntati on Flags: 000标志Reserved:保留Fragme nt:片断More Fragme nt:最后片断Fragme nt Offset: 0偏移量Time to Live:TTL,科来网络分析系统5.0将丢弃TTL=0的数据包Protocol: 17是哪种协议，1ICMP, 6 TCP,17 UDP，89 OSPFCheek Sum: 0xCE73对IP协议头的校验合，0xCE73为正确Source IP: 192.168.1.1源IP地址Dest in ation IP: 192.

12、168.1.2目标IP地址ARP协议结构以下是ARP协议结构：81632 bitsHardware TypeProtocol TypeHardware address lengthProtocol address lengthOpcodeSender Hardware AddressSender Protocol AddressTarget Hardware AddressTarget Protocol AddressF图是对ARP协议进行解码视图:-) AKP - Address Resolut-lon Protocol1-ocnta rH F *咽咽 U翊-1翊-lFC!IP14/2811

13、4/E0x080016/E61S/L419/1120/Z00:AO:C9:BB:21:2A22/G152.1S.1.32S/400:00:00:00:00:0032/5192.16B.1.13B/4OkCGTEOEEF Galcnlated| FF FF FF FF FF 00 AO 匚9 EE ZL ZA OB 06 00 01 08 00 06 04 000015 01 00 AO C9 BE 21 2A CO kS 01 02 00 00 00 00 CO AS Cil 010000我们对上图中的ARP字段进行详细说明：字段说明Hardware Type:1（硬件类型）占16 bits，

14、用来定义运行ARP的网络类型，每一个局域 网基于其类型被指定一个整数，例如，以太网是类型1, ARP可以使 用在任何网络上。Protocol Type: 0x0800（协议类型）占16 bits，用来定义协议的类型。如:0x0800代表IP协 议，ARP可用于任何咼层协议。Hardware Len gth: 6（硬件长度）占8 bits，用来定义物理地址和长度。以太网值为6。Protocol Len gth: 4（协议长度）占8 bits，用来定义物理地址和长度。IPv4值为4。Type:1（操作类型）占16 bits,用来定义操作类型，请求为1,回答为2。Source Physics:00:

15、A0:C9:BB:21:2A源MAC地址Source IP: Source Ip192.168.1.3源IP地址Dest in ati on Physics:00:00:00:00:00:00目标MAC地址，对于ARP请求数据包，此值全为0,因为请求主机并 不知道目标主机的MAC地址Dest in atio n IP:192.168.1.1目标IP地址TCP协议结构以下是TCP协议的结构：1632 bitsSource portDestination portSequence numberAcknowledgement numberOffset Reserved U A P R S FWind

16、owChecksumUrgent pointerOption + PaddingDataF图是对TCP协议进行解码视图:-一;1 TCP Tiraibspoi?七 GoiiXhoI Pirotoucjl 3 4/Source Port:Destination P o rt-:Seigi.ience Wi-Uiiti s r :Ack Mi-ULLtier:=|;=-1111=-1111=-111 ll-JIInll-Jllnl - He ade r L erngt-h:EleservedzFlags:Q U it irerit p o int g e :O A Cktii-T.Tl G dgT

17、iiStit 1i1.UllL：i总 it :Q Push Fi-uict-ioti：Q P.eset tire cotiiie匚七 i 口1丄z O Saicliuc-ij-i ze sele11ce z O End 口 dat- a z： -lp WiiAllow :：-Clieck Sujiz： -lp Ur iLreiit- p 口 iiit-:= BT口 TC P Optioixs :日 冷 Exx-a D-at-a.:8034/2340636/E416175993038/404Z/4SO20 bytes46/1 OhOOFO046/ZOmOFCO00OLOCI47/1OmOOSF0

18、.-48/1OkOOZO.0-48/1OkOOLO-0.48/1OkOOCiS-丄-48/10h00Ci4-.0.48/1OhOOCiZ048/1OhOOCH04S/2:OxASFBCorrect-EO/2Ox0000E2/2：54/U54/600000015002ALiU E0 4C AU 86 ED 00 0A EB I?A 7F 360 U 34 06 Bl 8F 31：- 7 8 96 IE CO AS 0100 00 00 00 0 04 00 00 A9 FE 00 0008 00 45 00 OLi 28 00 LIU 40OZOO 50 OD 4E F3 OF GA F6e.E

19、 AU SA AA 41 41_ 4. - . =z.AA我们对上图中的TCP字段进行详细说明：字段说明Source Port: 80源端口，HTTP为80端口Destination Port: 3406目标端口Sequence Number: 416175999032 bits. The sequence number of the first data octet in this segment (except when SYN is present). If SYN is present, thesequence number is the initial sequence number

20、 (ISN) and the first data octet is ISN+1.Ack Number: 032 bits. If the ACK control bit is set, this field contains the value of the next sequence number which the sender of the segment is expecting to receive. Once a connection is established, this value is always sent.Data Offset: 80Header Length: 8

21、04 bits. The number of 32-bit words in the TCP header. This indicates where the data begins. The length of the TCP header is always a multiple of 32 bits.Reserved: 06 bits. Reserved for future use. Must be cleared to zero.Urgent pointer:Urgent pointer field significant.Acknowledgment numberAcknowled

22、gment field significant.Push Function:Push function.Reset the connection:Reset the connection.Synchronize sequence:Synchronize sequence numbers.End of data:No more data from sender.Window16 bits. It specifies the size of the senders receive window, that is, the buffer space available in octets for i

23、ncoming data.Check Sum:16 bits. The checksum field is the 16 bit one; - s complement of the ones complement sum of all 16-bit words in the header and text. If a segment contains an odd number of header and text octets to be checksummed, the last octet is padded on the right with zeros to form a 16-b

24、it word for checksum purposes. The pad is not transmitted as part of the segment. While computing the checksum, the checksum field itself is replaced with zeros.Urgent Pointer16 bits. This field communicates the current value of the urgent pointer as a positive offset from the sequence number in thi

25、s segment. The urgent pointer points to the sequence number of the octet following the urgent data. This field can only be interpreted in segments for which the URG control bit has been set.DNS 协议结构以下是DNS协议的结构：1617212223242526272832IdentificationQROpcodeAATCRDRAZADCDRcodeQuestion countAnswer countAu

26、thority countAdditional countF图是对DNS协议进行解码视图：DcnftazLn NamePi?ol3CJC：ol工己已口匸i fication:一古1 Flags : O Que ry/Re sp or is : Op e r at o r C o ds z:O Authu 匸 it at. iLrs Ju is wer z b-O T ri-itinat-iuii：O Recursion desiryii: b App r owe p. p cur s 1 cui: P.eserv&il Respond code:Quest i Otis:Ai-Lsue r s

27、 :Aij-t-ho rAddi_t i anal iQi_ies七 i 二H I? oiiiain. ITanie z亭 Type:=5 C lass:ir FC S 一 Firame Check. Sequerkce: 步 FCS:42/3E434Z/ZOKLIILILI44/Z0口ery 44/10x00800QUERY 44/10x00780Wo aut-ho r it at ive44/1 Oku 0 040Wo truncation 44/1 OxOOOZ1Recursion 44/1LiKULiOl0Wo approve 45/1Ox LIOSO045/10x00700No er

28、rcr 45/10:-：i：ii：ii：iJ,146/204S/2050/2052/21-54/2 0t-tt-tt.t _ ai.it 口 f ： _ 匚匚1 ILL .54/1G1A 70/21Int-e met72/2A=UxAE 1A09EA Calculat-e dZ. . 乂 AC S6 BE1 OS UU 4 5 UU 口0 3C :益 X3 OOOUIE 0 U SO 11 8 4A CO AS U1 02 CO AS 01 01 UE： CD 00 3S 0 U Z8 CO 7C我们对上图中的DNS字段进行详细说明：字段说明Identification: 43标识，占16 b

29、itsFlags:Query/Response: 1用于疋义疋 Query 还疋 Response o 0 为 Query, 1 为 Response oOperator Code: 0占4 bits,其对应代码如下：0 QUERY, Standard query.1 IQUERY, Inverse query.2 STATUS, Server status request.3 Reserved.4 Notify.5 Update.6-15 Reserved.Authoritative Answer: 01-bit field. When set to 1, identifies the re

30、sponse as one made by anauthoritative name server.0 Not authoritative.1 Is authoritativeTruncation: 01-bit field. Whe n set to 1, in dicates the message has bee n trun cated.0 Not truncated.1 Message truncatedRecursion Desired: 1Recursion desired:1-bit field. May be set in a query and is copied into

31、 the response. If set, the name server is directed to pursue the query recursively. Recursive query support is optional.0 Recursion not desired.1 Recursion desired.Approve Recursion: 11 bit field. Indicates if recursive query support is available in the name server.0 Recursive query support not avai

32、lable.1 Recursive query support available.Reserved: 01 bit field. Indicates in a response that all data included in the answer and authority sections of the response have been authenticated by the server according to the policies of that server. It should be set only if all data in the response has

33、been cryptographically verified or otherwise meets the servers local security policy.Respond code: 00 No error. The request completed successfully.1 Format error. The name server was unable to interpret the query.2 Server failure.3 Name Error.4 Not Implemented.5 Refused.6 YXDomain. Name Exists when

34、it should not.7 YXRRSet. RR Set Exists when it should not.8 NXRRSet. RR Set that should exist does not.9 NotAuth. Server Not Authoritative for zone.10 NotZone. Name not contained in zone.11-15 Reserved.16 BADVERS. Bad OPT Version.BADSIG. TSIG Signature Failure.17 BADKEY. Key not recognized.18 BADTIM

35、E. Signature out of time window.19 BADMODE. Bad TKEY Mode.20 BADNAME.Duplicate key name.21 BADALG.Algorithm not supported.22-38403841-4095 Private use.4096-65535Questions: 116-bit field that defines the number of entries in the question section.Answers: 216-bit field that defines the number of resou

36、rce records in the answer section.Authority: 016-bit field that defines the number of name server resource records in the authority section.Additional: 016-bit field that defines the number of resource records in the additional records section.Question: 数据结构1 1617 32Query NameTypeClass我们对上图的Ques tio

37、n进行说明：字段说明Domain Name: .请求的域名。Type: 11 为 A, IPv4 address.Class: 11 为 IN, Internet.Answer: 数据结构1 1617 32NameTypeClassTTLRdata Length我们对上图的Answer进行说明：字段说明Domain Name: .解析的域名。Type: 11 为 A, IPv4 address.Class: 11 为 IN, Internet.Time to Live: 1200生存周期为1200秒Data Length 4数据长度为4字节IP Address: 206.132.220.203IP 地址为 206.132.220.203