ethereal協(xié)議分析報(bào)告

1、實(shí)驗(yàn)5用ethereal進(jìn)行協(xié)議分析5.1實(shí)驗(yàn)性質(zhì)本實(shí)驗(yàn)為操作分析性實(shí)驗(yàn)。5.2實(shí)驗(yàn)?zāi)康?. 掌握ethereal軟件的基本使用方法2. 掌握基木的網(wǎng)絡(luò)協(xié)議分析方法3. 通過抓包工貝，分析mac幀的格式、arp分組的格式、ip數(shù)據(jù)報(bào)的格式、icmp報(bào)文 的格式、tcp報(bào)文段的格式、udp數(shù)據(jù)報(bào)的格式。5.3實(shí)驗(yàn)環(huán)境1. 分組實(shí)驗(yàn)，每組4飛人2. 設(shè)備：計(jì)算機(jī)臺(tái)3. 網(wǎng)絡(luò)環(huán)境：lan或internet4. ethereal 軟件5.4實(shí)驗(yàn)用時(shí)180分鐘(4學(xué)時(shí))。5.5實(shí)驗(yàn)內(nèi)容與要求5.5.1 下載、安裝 etherealethereal 卜載網(wǎng)址：hmp:www.e(到ethereal的站站后

2、，點(diǎn)擊download,接著選擇要安裝的系統(tǒng)平臺(tái)，如windows或linux (red hat/fedora),然后點(diǎn)擊下載鏈接即可進(jìn)行下載。ethereal 裝菲常簡(jiǎn)單，只耍執(zhí)行下載的軟件(如ethereal-setup-0.99.0.exe),然后按提示 操作。注意：安裝時(shí)，要勾選 install winpcapo winpcap 是 libpeap library 的 windows 版本。 ethereal可透過winpcap來劫取網(wǎng)絡(luò)上的數(shù)據(jù)包。在安裝ethereal的過程中也會(huì)一并安裝 winpcap,不需要再另外安裝。5.5.2 啟動(dòng) etherealethereal啟動(dòng)后,如

3、圖所示:5.5.3抓包點(diǎn)擊capture菜單，選interfaces項(xiàng)。打開如f圖所示窗口。選擇要抓包的接口右邊的capture按鈕，本例選擇了抓取ip地址為6的接口。 點(diǎn)擊capture按鈕后將啟動(dòng)抓包過程。注意：為配合抓包，需要進(jìn)行網(wǎng)絡(luò)通信。1 ）要抓arp分組的包、icmp報(bào)文的包、udp數(shù)據(jù)報(bào)，可以在cmd窗口中，使 用命令arpd刪除當(dāng)前arp緩存，使用ping命令ping某臺(tái)主機(jī)ip地址（例如ping 網(wǎng)關(guān)ip地址），使用tracert命令跟蹤分組從源點(diǎn)到終點(diǎn)的路徑（例如tracert網(wǎng) 關(guān)ip地址）。2）要抓取tcp報(bào)文段，需打開ie瀏覽器，訪問一個(gè)www網(wǎng)

4、站（例如 ）。將窗口切換到ethereal,可以看到抓到了tcp、udp、icmp、arp白勺包，如下圖 所示。ethereal: capture fromrunning 00:01:33stop下血分析所丿li到的包，其抓包的環(huán)境是:(1)實(shí)驗(yàn)計(jì)算機(jī)所女裝操作系統(tǒng)為windows2003 server,網(wǎng)卡mac地址是 00:17:42:41 :cb:be, ip地址是210. 30. 12.46 (子網(wǎng)掩碼255. 255. 255.0)，默認(rèn)網(wǎng)關(guān) 210. 30. 12.254;(2)在cvid窗口運(yùn)行“arp -d”命令刪除arp緩存，用以抓取arp分組;(3)在cmd窗口運(yùn)行 “pi

5、ng 210. 30. 12.254” ,用以抓取icmp報(bào)文;(4)在cmd窗口運(yùn)行“tracert 210. 30. 12. 254",用以抓取udp數(shù)據(jù)報(bào)和icmp報(bào)文;在瀏覽器窗口打開http:/ww» baidu. com網(wǎng)站,用以抓取tcp報(bào)文段。點(diǎn)擊stop按鈕完成抓包。如下圖所示。 (untitled) - etherealfile edit view go capture analyze statistics help不坐w圜丨致eilter亍 | expression. i qlearl fipply itimesourcedestinationprot

6、ocolinfoos 丄 xud.wozo1 kjigd-dyild；od；oi dr uducdb i632 105.49430 2634 106.49768, fujianst_24:de:51 giga-byt jla:67:1c 63 5 106.49769' 2c broadcastarpw耐ilastewnu nab 丄y乙丄oo乙.qo i reri丄刁乙丄oo乙丄倉icmp echo (pfng) reply636 106.777331 211.1

7、41.72.221637 106.77751： 211 141 72.221arp icmp icmpicmp1o.2oo.253.254 is at 00:d0:f8:24:de:51 echo (ping) requestecho (ping) replyecho (ping) request£1r. frame 633 (42 bytes on wire, 42 bytes captured)e ethernet ii, src: giga-byt_ia:67:1c (00:of:ea:la:67:lc), dst: broadcast (ff:ff:f

8、f:ff汁f:ff)address resolution protocol (request)000000100020ff ff ff ff ff ff 00 of ea la 67 lc 08 06108 00 06 04 00 01 00 of ea la 67 lc 0a c8 fd 07 00 00 00 00 00 00 0a c8 fd fe|ethernet (eth). 14 bytes| p: 3204 d: 3204 m: 0 drops: 05.5.4分析1. 分析mac幀（以太網(wǎng)幀）格式點(diǎn)擊窗口中arp請(qǐng)求分組所在的行，展開下面的ethernetllo分析mac幀的格式

9、，如下圖所i ±lethernet ii, src: gga-byt-la:67:1c (00:0f:ea:1a:67:1c), dst: broadcast (ff:ff)00100020ea la 67 lc 0a c8 fd 07 fd fe|ethernet (eth), 14 bytesp: 3204 d. 3204 m: 0 drops: 08 c o a o o lo o o oo oo 04m 60 o o oo oo 8 o o ogfilter | i expression i clear 1 apply 1no. >timesourcedestinatio

10、nprotocolinfof32丄u3 4y45u匕丄丄丄4丄./zzz丄丄u.zuu.z5s. imp-匕str ptngjr repiy1633106.49688giga-bytjla:67:1cbroadcastarpwho has 54 tell _j634106.4976&fujianst.24:de:51giga-byt 二la :67:1carp1o.2oo.253.254 is at 00:d0:f8:24:de:5163 5106.497691 10.200 253721icmpecho (pin

11、g) request636106.7773312icmpecho (ping) reply637106.77751： 21icmpecho (ping) request二1638107.0573612icmpecho (pinq) replyl frame 633 (42 bytes on wire, 42 bytes captured)日 dqst t rm "ion: br oadcast (f f k 汁口 f f 汁尸：干干)曰

12、鮒匕* 了 廣address : broadcast (件:件汁化怦：打:ff) 曰町吃壩(丿) 1=multicast: this is a multicast frame1 =locally administrated address: this is not a factory default address b source: giaa-bvta:67:1c (00:0f :ma:la:67:：lc)( qq - of；ea:1a:67:1c)address: giga-bytjla:67:1c (00:of:ea:1a:67:1c)0=multicast: this is a uni

13、cast frame0=locally admlnlsxrated address: this is a factory default addrmss type： arp (0x0806) 類型 arp (0*0806)田 mqwsjrehm才“ pro"® (mquest)-(心請(qǐng)承分血；三8字節(jié))一目的地址(廣播地址):destination :broadcast2. 分析arp請(qǐng)求分組和應(yīng)答分組格式點(diǎn)擊窗口屮arp請(qǐng)求分組所在的行，分析所捕獲的arp請(qǐng)求分組。如下圖所示。eilter:expressi on timesourcedestinatio nprotoco

14、l±u.zuu. z 35. z.4 y4 5 u丄4丄./nzz丄635 106.49769' 21icmpecho(ping) cping)request636 106.77733» 2icmpechoreply637 106.77751： 21icmpecho(ping) (pinq)request638 107.05736« 2icmpechoreplyi

15、nfoicmptchongjrep lytzzjis frame 633 (42 bytes on wire, 42 bytes captured) ie?ehernet ii, src: (5iga-bytjla:67:ic:ea:la:6/:icj, bst: roadcas'fie destination: broadcast (ff:ff:ff:ff:ff:ff)匕 source: gga-byta:67:1c (00:0f:ea:1a:67:1c)ff:ff:ff:ff:ff:ff)mac幀頭rsaaresresctuonprotoctrequeshardware type:

16、 protocol type: hardware size: protocol size:ethernet (0x0001)ip (0x0800)64opcode: request (0x0001) sender mac address: giga-byt_la:67:1c (00:of:ea:1a:67:1c)sender ip address: ()tarciet mac address: 00:00:00_00:00:00 (00:00:00:00:00:00)target ip address: 54 (10.2

17、00.253.254)54的 mac 的 地址是什么？0000ff ft ff ft ft ff 00 of 00100020g00 06 04 00 01 00 of00 00 00 00 00 oa c8id 6? ic gnree oo oila 67 lc oa c8 fd 07 fetype (eth.type), 2 bytes|p: 3204 d： 3204 m o drops： 0點(diǎn)擊窗i i屮arp應(yīng)答分組所在的行，分析所捕獲的arp應(yīng)答分組。如卜圖所示。filter: | expression. i clear i apply itimesource

18、desti nationprotocolno. qsz 丄uh494,u z丄丄丄4丄/zzz丄±u.zuu.z 35. /infotcmptcnotpn tig丿rspryalarp who has 54? tell 633 106.49688 giga-bytj.a:67:1c broadcastbbmpwbguk跑顧i 屮 hfifhf 卄.羈販!«5同筋匝gfcebgl22icmpecho(ping)requesticm

19、pecho(ping)replyicmpecho(ping)requesticmpecho(pinq)reply63 5 106.497691 636 106.77733* 21637 106.77751： 638 107.05736* 211je frame 634 (60 bytes on wire, 0 bytes captured)e ethernet ii, src: fujianst_24:de:51 (00:d0汁8:24:de:51), dst: giga-bytj.a:67:1c

20、(00:of:ea:la:67:1c) 田-destination: giaa-bvta:67:1c (00:0f :ma:la:67:lc) 堂垮(00:0f:ea:1a:67:1c )的螢田 source: fujanst 24:mr: 51 (00:40汁8:24 :de： 51_)type: arp (0x0806)trai1 er: 000000000000000000000000000000000000 address resolution protocol (reply)isgndmr ip add廠rss: 10200253254 (10200253.254)sender ma

21、c address: fujjanst_24:d己：51 (00:d0:f8:24:dw:51)54的應(yīng)咎:我的mac地址是： :d0:f8:24:de:51ip (0x0800)64opcode: rmply (0x0002)hardware type: ethernet (0x0001)protocol type:hardware size:protocol size:target mac address: giga-bytjla:67:1c (00:0f:ea:1a:67:1c)tarnpt tp rnn廠1 n ?nn7 fin ?nn7、00000010002

22、000300 8 0 0uooo干of oo o o o3 4 3 0 lolo36 3 0 e o e oc 2 c o lolo7 0 7 06 0 6 0oba ooslo o437 o2k1o otbooy bo o1 eo of o odo of os8o cogsender mac address (arp.src.hwmac). 6 bytesp： 3204 d: 3204 m:0 drops: 03.分析ip數(shù)據(jù)報(bào)格式點(diǎn)擊icmp報(bào)文所在的行，展開internet protocol。分析ip數(shù)據(jù)報(bào)。如下圖所示。x他昌鳥香盤|w s致丨孚frame 717 (82 bytes o

23、n wire, 82 byres captured) | expression. | qlear i apply ienter:ethernet ii, 5rc: gdga-byra:67:1c (00:0f :ea:：la:67:：lc), dst: fujar»st_24 :de: 51 (00:d0:f8:2451)o0 12 3 4 5 oooooo oooooo.ii】d00of4d 84 d 66166odb 40 166o 2d 68 0 6601006e672 9f 83 2 6 6laslc0880090 7 63617167 hq073 6 6 2 0 8 6 7

24、 6一5 3 5 5 84 d 6 7 2ll田 destination: fuj1anst_24:de:51 (00:d0:f8:24:de:51j田 source: giga-bytj.a:67:1c (00:of:ea:la:67:lc)type: ip(qxq8qq)machglp/00800s inrernet protocol, src: 10?20d. 23.7 (k dst: 211.141. 72.221 (211.141. 72.221) n: 4本直為4 601已/4header jenath: 20 bytms首部喪度20字節(jié)(無可變部分)f d

25、iffererrcuateci services field: 0x00 (d5cp 0x00: defaultecn： 0x00)tqta"!上fngtlj: 68總弓度號(hào)字節(jié)i denti-fi cat ion: 0xe3f6 (58358) 標(biāo)識(shí) 廠數(shù)掘 捋首邛ri flags: 0x00全為o 道臥df=o不i分片 mf=0壬宜堂分片)fragmerrc offset: 0jtime to live: 128/protocol: icmp (0x0g 協(xié)議cmp (op1)/田 header checksum: 0x3288 correct首部檢驗(yàn)和source: 1o.2o

26、o.253.7 clo. 200. 253.7)源destrnatfon: 211 141.72.221, (21114：l72221)屯址田 工rrternet control mrssage protocol jft據(jù)部分(icmp報(bào)文)14 bytes|p: 3204 d： 3204 m:0 drops： 04. 分析i cmp報(bào)文格式點(diǎn)擊icmp報(bào)文所在的行，展開internet control message protocol分析icmp報(bào)文。如下圖 所示。eilterj上xpression . | clearj applytimesourcedestination°rot

27、ocolno.info.1.141. 72.221icmp1 a "a -)2711efi frame 717 (82 bytes on wire, 82 bytes captured)ethernet ii, src: giga-byt_la:67:1c (00:of:ea:la:67:1c), dst: fujianst_24:de:51 c00:d0:f8:24:de:51)e destination: fujianst_24:de:51 (00:d0:f8:24:de:51)!r source: giga-bytjla:67:1c (00:0f:ea:la:67:lc)typ

28、e: ip (0x0800)e internet protocol, src: (), dst: 21 (21)internet uontrol message protocoltwa： 8 (匚cho ("r>a) rmauest) code: 0類型為8表示是.回送（echo ）請(qǐng)求checksum: 0xld93 correct identifier: 0x0200 sequence number: 0x2900 data (40 bytes)o o o o o o0 12

29、3 4 5 o o o o o o o o o o o o000048ro4dho4d68616624f6圉oor一l6b641ohss5 o tamdeala67lc080045003288oac8fd07d38d29006162636465666f707172737475766869670000002862internet control message protocol (icmp). 48 bytesip: 3204 d: 3204 m:0 drops: 05.分析udp數(shù)據(jù)報(bào)格式點(diǎn)擊dns協(xié)議所在的行，展開user datagram protocol 0分析u）p數(shù)據(jù)報(bào)格式。如卜圖所

30、示。1 (untitled) - etherealfilter:x他e 鳥q瞬no.timesourcedestinationdrotocolinfop77 10uui o a a j a n twvow 110wt w t jn j jr r | expression. | clear i apply i100 36.936720 giga-byt_la:67:be broadcast101 37.011806 giga-bytjla:69:co broadcast102 37.064057 giga-bytjla:68:b8 broadcastarp arp arparpwho who w

31、hohas has hasd - r i 54? t8? te80 t 30? tdnsifil104 37.106912 105 37.147926 10.2002538106 37.148127 1ft7 q7.1 4rm 6cj4si65 1 10. 700. r210.30.0dns tcpdnsdns儺血和ememfsbie涮潞甲仙 standard query response a 1796 >

32、; http syn seq=0 le standard query a hdn601andard nuprv 廠awncnva ag frame 103 (75 bytes on wire,75 bytes captured)s ethernet ii, src: giga-byt_19:93:12 (00:0f:ea:19:93:12), dst: fujianst_24:de:51 (oo:do:f( destination: fujianst.24:de:51 (oo:do:f8:24:de:51)田 source: giga-bytj.9:93:12 (00:0f:ea:19:93:

33、12)type: ip (0x0800)田 internet protocol, src: (), dst: ()日 user datagram protocol, src port: 49912 (49912), dst port: domain (53)source port: 49912 (49912) 左口號(hào)為49912 .這是一個(gè)無法交付的數(shù)據(jù)報(bào).tracert用它獲得機(jī)路由信息destination port: domai n (53)目的塢口號(hào)為 53 ( dns )length: 417

34、checksum: oxlbld correct11日 domain name system (query)2j00000010002000300040t 1 9 8 o 0 12 6 0 0 0 0 6 0 0 8 0 0 01 o 5 o e 5 0 3 0 6 e o o o 3 d o o o 64 d 8 o 22 2f o o 8f 2 o 7 f a c o 6 od 1 od d 3 o o 6 0 0 0 0 9 0 0 0 0 6o e 1 e 0 10 65 2 0 8 4d o 70 8 0 5 o o o o 8dll of o 32 8 6 11 c o 33 7

35、5 19 o c 3 o9 2 deo 19160 a 1 b 4 1 eb 1 6 oe.hdn511.xn fhe：-c:wcume-1admini-1l0cals-1tempether><>00<hi. |p: 2677 d: 2677 m: 2 drops 06.分析tcp報(bào)文段格式點(diǎn)擊dns協(xié)議所在的行，展開user datagram protocolo分析tcp報(bào)文段的格式。如下圖所 7j o (unt it led) 一 ethereal認(rèn)飆覷謝磁；已i0x購呂 冋妙香楚iw3 i q.no.timesourcedestinati onprotocolin

36、fo113 37.166946 dnsdns83tcptcpdnsdnsstandard query a hdnlll.xn112 37.166435 114 37.167974 116 37.169340 117 37.169829 it standard query a hd27.xiao_ standard query response a 1802 > http

37、 syn seq=0 lestandard query responsm a 二|j 2jpi frame 115 (62 bytes on wire, 62 byres captured)source port: 1804 (1804)destinarion port: http (80)5eauence number: 0 (felattve seauence numbm廠) 序列號(hào)為0頭長(zhǎng)度（數(shù)據(jù)侯移）000000100020003000 do f8 24 de 51 00 of6 0 4 o e o o a 28 3 0 o o o0 5 0 o o o4 0 09 c 64 0 9t 7 5 a o 6 o 4f3 af- olf offea 19 93 12 08 00o d 2 olo5 c o 4 3 78 0 2 o o o d o 4 f o o 801 coo aol o o o c a 4 ebb 5 5 5 1 ao$q.p：p.eethernet ii, src: giga-bytl9:93:12 (00:0f: