
Experiment 2: Fundamentals of Protocol Analysis Software (Lab Guide)

I. Objectives

Learn how to use a protocol analysis tool to examine the format of IP datagrams and to follow the process by which datagrams are sent and forwarded; during the exercise the actual transmission of data can be observed directly. By analyzing the headers of captured TCP segments, understand that header fields such as the sequence number and acknowledgment number are the basis of TCP's reliable connection. By analyzing the three-way handshake that establishes a TCP connection and the exchange that releases it, understand TCP's connection establishment and release mechanisms.

1. Become more familiar with the use of the Wireshark software;
2. Capture packets with Wireshark (Ethereal);
3. Analyze the captured packets, and through that analysis consolidate your understanding of Ethernet II frames, ARP packets, and IP and ICMP datagrams.

II. Content and Requirements

1. Learn the basic use of the protocol analysis tool Wireshark (Ethereal);
2. Use Wireshark (Ethereal) to capture IP datagrams;
3. Analyze the captured datagrams and follow the process by which they are sent and forwarded.

III. Equipment and Materials

A PC running Windows; the Wireshark software.

IV. Experimental Method and Results

1. Tracing the network packets produced by the ping command

1) First run Wireshark (Ethereal). In the Capture menu click Interfaces and select the network adapter to capture on; here the adapter with address 192.168.111.124 is chosen, as shown in Figure 1.1.

[Figure 1.1: Selecting the adapter to capture on]

2) Then, from a command prompt on the host operating system, run ping www.163.com to ping the 163 web site, as shown in Figure 1.2.

[Figure 1.2: Pinging the NetEase (163) web site]

3) As Figure 1.3 shows, Wireshark captured a large number of packets, including SSDP broadcasts, ARP, DNS and ICMP.

[Figure 1.3: Packets captured by Wireshark (218 packets captured and displayed on the AMD PCnet Family Ethernet adapter: SSDP NOTIFY * HTTP/1.1 broadcasts, ARP "who has ... tell ..." / "is at 00:23:cd:82:25:14", a DNS standard query and its CNAME response, and ICMP echo (ping) request/reply pairs)]

4) The ping command just run produces mainly two kinds of packets, DNS and ICMP. To analyze it we need to filter the capture further so as to identify exactly which packets the command produced, and then examine those packets in more detail. Typing a suitable filter expression into the input box circled in Figure 1.4 isolates the packets of interest precisely; what Figure 1.4 shows after filtering are the 2 DNS packets and 8 ICMP packets generated by the ping command.

[Figure 1.4: Filtering the packets captured by Wireshark (display filter on ip.addr; the list shows the DNS CNAME response for www.163.com and four ICMP echo (ping) request/reply pairs; the detail and hex panes show frame 17, a 74-byte ICMP echo reply, Ethernet II src 00:23:cd:82:25:14 (Tp-LinkT_82:25:14), dst 08:00:27:bf:62:f1 (CadmusCo_bf:62:f1))]

2. ARP packet analysis

Looking at Figure 1.3, row 11 of the Wireshark packet list is an ARP resolution broadcast. Because this version of Wireshark (Ethereal) decodes the frame as Ethernet II, we first review the Ethernet II encapsulation format, shown in Figure 1.5.

[Figure 1.5: Ethernet II frame format: 6-byte destination address, 6-byte source address, 2-byte type, 46-1500 bytes of data, 4-byte CRC]

Note that this differs from 802.3, whose frame format is shown in Figure 1.6.

[Figure 1.6: 802.3 frame format: 6-byte destination address, 6-byte source address, 2-byte length, 802.2 LLC/SNAP header followed by 38-1492 bytes of data (the IP datagram), 4-byte CRC]

Although the Ethernet II and 802.3 frame formats differ, when decoding either one Wireshark (Ethereal) uses the "type" field to decide whether a frame carries an IP datagram, an ARP request/reply, or a RARP request/reply. Once the Ethernet II header tells us the frame is ARP, let us see how Wireshark (Ethereal) decides whether it is an ARP request or an ARP reply. First we review the format of Ethernet ARP request and reply packets, shown in Figure 1.7.

[Figure 1.7: ARP packet format: Ethernet header (6-byte destination address, 6-byte source address, 2-byte frame type), followed by the 28-byte ARP request/reply (2-byte hardware type, 2-byte protocol type, 1-byte hardware address length, 1-byte protocol address length, 2-byte op, 6-byte sender Ethernet address, 4-byte sender IP address, 6-byte target Ethernet address, 4-byte target IP address)]

From that figure we learn that the field which distinguishes an ARP request from an ARP reply is "op": a value of 0x0001 is a request and 0x0002 is a reply, as shown in Figures 1.8 and 1.9.

[Figure 1.8: ARP request (Frame 1, 42 bytes on wire; Ethernet II src 00:50:56:c0:00:01, dst ff:ff:ff:ff:ff:ff (broadcast), type ARP (0x0806); hardware type Ethernet (0x0001), protocol type IP (0x0800), hardware size 6, protocol size 4, opcode request (0x0001); sender 00:50:56:c0:00:01 / 192.168.126.1, target 00:00:00:00:00:00 / 192.168.126.128)]

[Figure 1.9: ARP reply (Frame 2, 42 bytes on wire; Ethernet II src 00:0c:29:94:f8:22, dst 00:50:56:c0:00:01, type ARP (0x0806); hardware type Ethernet (0x0001), protocol type IP (0x0800), opcode reply (0x0002); sender 00:0c:29:94:f8:22 / 192.168.126.128, target 00:50:56:c0:00:01 / 192.168.126.1)]
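As an added example (not part of the original lab guide), the following Python script builds the ARP request and reply of Figures 1.8 and 1.9 from the fields displayed there and classifies them the way the text describes: first by the Ethernet type field, then by the ARP op field. The two frames are constructed from those displayed fields, not taken from a capture.

```python
import struct
from ipaddress import IPv4Address

ETH_TYPE_IP, ETH_TYPE_ARP, ETH_TYPE_RARP = 0x0800, 0x0806, 0x8035
ARP_OPS = {1: "request", 2: "reply"}   # the "op" field: 0x0001 request, 0x0002 reply

def mac(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))

def build_arp(op, src_mac, dst_mac, sender_mac, sender_ip, target_mac, target_ip) -> bytes:
    """14-byte Ethernet II header followed by the 28-byte ARP packet of Figure 1.7."""
    eth = mac(dst_mac) + mac(src_mac) + struct.pack("!H", ETH_TYPE_ARP)
    arp = struct.pack("!HHBBH", 1, ETH_TYPE_IP, 6, 4, op)   # hw type, proto type, sizes, op
    arp += mac(sender_mac) + IPv4Address(sender_ip).packed
    arp += mac(target_mac) + IPv4Address(target_ip).packed
    return eth + arp

def classify(frame: bytes) -> dict:
    """Dispatch on the Ethernet type field first, then on the ARP op field, as Wireshark does."""
    dst = frame[0:6]
    eth_type = struct.unpack("!H", frame[12:14])[0]
    if eth_type == ETH_TYPE_IP:
        return {"ethertype": "IP"}
    if eth_type not in (ETH_TYPE_ARP, ETH_TYPE_RARP):
        return {"ethertype": f"0x{eth_type:04x}"}
    hw, proto, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (hw, proto, hlen, plen) != (1, ETH_TYPE_IP, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    body = frame[22:22 + 2 * (hlen + plen)]         # sender MAC, sender IP, target MAC, target IP
    return {
        "ethertype": "ARP" if eth_type == ETH_TYPE_ARP else "RARP",
        "op": ARP_OPS.get(op, f"unknown (0x{op:04x})"),
        "broadcast": dst == b"\xff" * 6,
        "sender": (body[0:6].hex(":"), str(IPv4Address(body[6:10]))),
        "target": (body[10:16].hex(":"), str(IPv4Address(body[16:20]))),
        "length": len(frame),
    }

# Both frames are constructed from the fields displayed in Figures 1.8 and 1.9 (not captured).
REQUEST = build_arp(1, "00:50:56:c0:00:01", "ff:ff:ff:ff:ff:ff",
                    "00:50:56:c0:00:01", "192.168.126.1",
                    "00:00:00:00:00:00", "192.168.126.128")
REPLY = build_arp(2, "00:0c:29:94:f8:22", "00:50:56:c0:00:01",
                  "00:0c:29:94:f8:22", "192.168.126.128",
                  "00:50:56:c0:00:01", "192.168.126.1")

if __name__ == "__main__":
    for frame in (REQUEST, REPLY):
        print(classify(frame))
```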

3. ICMP packet analysis

The packet shown in Figure 1.10 is an ICMP packet produced by the ping command:

[Figure 1.10: ICMP ping packet (Frame 3, 74 bytes on wire; Ethernet II src 00:50:56:c0:00:01, dst 00:0c:29:94:f8:22; IP src 192.168.126.1, dst 192.168.126.128, version 4, header length 20 bytes, differentiated services field 0x00, total length 60; ICMP echo (ping) request)]

Again, we first review the format of the IP packet, shown in Figure 1.11.

[Figure 1.11: IP datagram format (20-byte header): 4-bit version, 4-bit header length, 8-bit type of service (TOS), 16-bit total length (bytes); 16-bit identification, 3-bit flags, 13-bit fragment offset; 8-bit time to live (TTL), 8-bit protocol, 16-bit header checksum; 32-bit source IP address; 32-bit destination IP address; options (if any)]

The content and meaning of each IP header field are not described again here; see the three-volume TCP/IP book. We mainly look at the TTL. Comparing Figures 1.12 and 1.13, the TTL in Figure 1.12 is 128, whereas the TTL in Figure 1.13 is 64. Why? The host in Figure 1.12 is Windows 2000 and the host in Figure 1.13 is Linux, so evidently different operating systems use different TTL values.

[Figure 1.12: TTL of the Windows host (Frame 3, 74 bytes; IP src 192.168.126.1, dst 192.168.126.128, identification 0x032a (810), flags 0x000, fragment offset 0, time to live 128, protocol ICMP (0x01), header checksum 0xb9c4 (correct); ICMP type 8 (echo (ping) request), code 0, checksum 0x315b (correct), identifier 0x0300, sequence number 0x1901, data 32 bytes)]

[Figure 1.13: TTL of the Linux host (Frame 4, 74 bytes; IP src 192.168.126.128, dst 192.168.126.1, identification 0x4a04 (18948), flags 0x000, fragment offset 0, time to live 64, protocol ICMP (0x01), header checksum 0xb2ea (correct); ICMP type 0 (echo (ping) reply), code 0, checksum 0x395b (correct), identifier 0x0300, sequence number 0x1901, data 32 bytes)]

Now let us look at the ICMP packet itself, starting with its format, shown in Figure 1.14.

[Figure 1.14: ICMP packet format: 8-bit type, 8-bit code, 16-bit checksum, followed by contents that differ according to the type and code]

For the ICMP "type" and "code" fields there is a table, Figure 1.15:

Figure 1.15  ICMP message types

Type  Code  Description
0     0     Echo reply (ping reply)
3           Destination unreachable:
      0       network unreachable
      1       host unreachable
      2       protocol unreachable
      3       port unreachable
      4       fragmentation needed but don't-fragment bit set
      5       source route failed
      6       destination network unknown
      7       destination host unknown
      8       source host isolated (obsolete)
      9       destination network administratively prohibited
      10      destination host administratively prohibited
      11      network unreachable for TOS
      12      host unreachable for TOS
      13      communication administratively prohibited by filtering
      14      host precedence violation
      15      precedence cutoff in effect
4     0     Source quench (elementary flow control)
5           Redirect:
      0       redirect for network
      1       redirect for host
      2       redirect for type of service and network
      3       redirect for type of service and host
8     0     Echo request (ping request)
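As an added example (not part of the original lab guide), the following Python script decodes frame 17 from the hex pane of Figure 1.4, an ICMP echo reply to the ping of www.163.com: it walks Ethernet II, then IP, then ICMP, verifies both header checksums, reads the TTL and infers the likely initial TTL (64 or 128, as in Figures 1.12 and 1.13) and hop count, and maps the ICMP type to the rows of Figure 1.15. The frame bytes are transcribed from the page's hex dump with OCR slips corrected (both checksums verify), and the initial-TTL inference is a common heuristic, not something the guide states.

```python
import struct
from ipaddress import IPv4Address

# Frame 17 from the hex pane of Figure 1.4 (74-byte ICMP echo reply), transcribed from the
# page's hex dump with OCR slips such as "co"/"fl" corrected; both checksums verify below.
FRAME17 = bytes.fromhex(
    "080027bf62f10023cd82251408004500"   # Ethernet II: dst, src, type 0x0800 (IP); IP starts 45 00
    "003c72a400002e01e8a8705a90f5c0a8"   # IP: len 60, id 0x72a4, TTL 0x2e, proto 1, csum, src, dst..
    "6f7c00004f5c02000400616263646566"   # ..dst; ICMP type 0, code 0, csum 0x4f5c, id, seq, data
    "6768696a6b6c6d6e6f70717273747576"
    "77616263646566676869")

ICMP_TYPES = {0: "echo reply", 3: "destination unreachable", 4: "source quench",
              5: "redirect", 8: "echo request"}   # rows of Figure 1.15

def checksum(data: bytes) -> int:
    """One's-complement sum used by the IP and ICMP header checksums (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def initial_ttl_guess(ttl: int) -> int:
    """Smallest common initial TTL (64 Linux, 128 Windows, 255) not below the observed one."""
    return next(t for t in (64, 128, 255) if ttl <= t)

def parse_icmp_frame(frame: bytes) -> dict:
    """Decode Ethernet II -> IP -> ICMP and verify both header checksums (0 means correct)."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("Ethernet type is not IP (0x0800)")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                      # header length in bytes, 20 without options
    total_len, ident = struct.unpack("!HH", ip[2:6])
    ttl, proto = ip[8], ip[9]
    if proto != 1:
        raise ValueError("IP protocol is not ICMP (0x01)")
    icmp = ip[ihl:total_len]                      # drop any Ethernet padding after the datagram
    icmp_type, code, _, icmp_id, seq = struct.unpack("!BBHHH", icmp[:8])
    return {
        "src": str(IPv4Address(ip[12:16])), "dst": str(IPv4Address(ip[16:20])),
        "ttl": ttl, "initial_ttl": initial_ttl_guess(ttl), "hops": initial_ttl_guess(ttl) - ttl,
        "ip_id": ident, "ip_checksum_ok": checksum(ip[:ihl]) == 0,
        "icmp_type": ICMP_TYPES.get(icmp_type, f"type {icmp_type}"), "code": code,
        "icmp_checksum_ok": checksum(icmp) == 0, "icmp_id": icmp_id,
        "seq_be": seq, "seq_le": int.from_bytes(icmp[6:8], "little"),   # Wireshark's seq(be/le)
        "data_len": len(icmp) - 8,
    }
```

Running parse_icmp_frame(FRAME17) shows the reply came from 112.90.144.245 to 192.168.111.124 with TTL 46, i.e. an initial TTL of 64 and 18 hops, and a 32-byte payload, consistent with the 74-byte frame of Figure 1.4.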
