Common Protocol Decoding Explained

Packet encapsulation layers

- Data Link Layer, e.g. device drivers
- Network Layer, e.g. IP, ICMP, IGMP
- Transport Layer, e.g. TCP, UDP
- Application Layer, e.g. FTP, HTTP, Email

The figure below is a decode view of a packet, in which each protocol layer of the packet is decoded and analyzed separately:

[Figure: packet decode view showing the packet summary followed by the Ethernet II, IP, UDP and DNS layers and the FCS]

Here we can see that the protocols are encapsulated from the outside in:

- the data link layer corresponds to the "Ethernet II" protocol;
- the network layer corresponds to the "IP" protocol;
- the transport layer corresponds to the "UDP" protocol;
- the application layer corresponds to the "DNS" protocol.

Each of these four layers is explained in detail below.

Ethernet frame structure

The protocol structure is:

| 7 | 1 | 6 | 6 | 2 | 46-1500 bytes | 4 |
| --- | --- | --- | --- | --- | --- | --- |
| Pre | SFD | DA | SA | Length/Type | Data unit + pad | FCS |

The figure below shows the decoded Ethernet II protocol; this example is used for the explanation:

[Figure: decode view of the Ethernet II header]

Annotations from the decode view:

- Destination Address: 00:0A:EB:DA:7F:96 (0/6): destination MAC address, starts at byte 0, 6 bytes long
- Source Address: 00:E0:4C:A0:86:BD (6/6): source MAC address, starts at byte 6, 6 bytes long
- Protocol: 0x0800 (12/2): upper-layer protocol, starts at byte 12, 2 bytes long

| Field | Description |
| --- | --- |
| Destination address | DA, destination MAC address, 6 bytes |
| Source addresses | SA, source MAC address, 6 bytes |
| Protocol | Length/Type, the type of the upper-layer protocol carried |
| Data unit + pad | Data field (46-1500 bytes) |
| FCS | Check (4 bytes) |

MAC address: MAC addresses are written in hexadecimal. When decoding, the first 3 bytes, which identify the vendor, can be translated to make troubleshooting easier. For example, if two devices on the network have conflicting IP addresses, the vendor information makes it easy to find the faulty device: 00E04C is TP-LINK, 000AEB is Fast (迅捷), 00A0C9 is Intel, and so on.

Upper-layer protocol: the upper-layer protocols carried by Ethernet II are mainly IP (0x800) and ARP (0x806).

IP protocol structure

The structure of the IP header is as follows:

Bit ruler: 4, 8, 16, 19, 32 bits
Ver | IHL | Type of service | Total length
Identification | Flags | Fragment offset
Time to live | Protocol | Header checksum
Source address
Destination address
Option + Padding
Data

The figure below shows the decoded IP layer; this example is used for the explanation:

[Figure: decode view of the IP header, followed by the start of the UDP header]

The fields of the IP decode are explained below:

| Field | Description |
| --- | --- |
| Version: 4 | Version number is 4, i.e. IPv4. |
| Header Length: 5 | Header length is 20 bytes, 5 bits. |
| Type of service: 0000000 | Type of service provided; shows a summary of the parameters. |
| Precedence | Routing priority information |
| Delay | Delay |
| Throughput | Throughput |
| Reliability | Reliability |
| Total Length: 131 | Total length is 131 (in bytes; the maximum length is 65535 bytes). |
| Identification: 10403 | Identifier |
| Fragmentation Flags: 000 | Flags |
| Reserved: | Reserved |
| Fragment: | Fragment |
| More Fragment: | Last fragment |
| Fragment Offset: 0 | Offset |
| Time to Live: | TTL. Colasoft Network Analysis System 5.0 discards packets with TTL=0. |
| Protocol: 17 | Which protocol is carried: 1 ICMP, 6 TCP, 17 UDP, 89 OSPF |
| CheckSum: 0xCE73 | Checksum of the IP header; 0xCE73 is correct. |
| Source IP: | Source IP address |
| Destination IP: | Destination IP address |

ARP protocol structure

The ARP protocol structure is as follows:

Bit ruler: 8, 16, 32 bits
Hardware Type | Protocol Type
Hardware address length | Protocol address length | Opcode
Sender Hardware Address
Sender Protocol Address
Target Hardware Address
Target Protocol Address

The figure below is the decode view of the ARP protocol:

[Figure: decode view of an ARP packet]

The ARP fields in the figure above are explained in detail below:

| Field | Description |
| --- | --- |
| Hardware Type: 1 | (Hardware type) 16 bits. Defines the type of network on which ARP is running. Each LAN is assigned an integer based on its type; for example, Ethernet is type 1. ARP can be used on any network. |
| Protocol Type: 0x0800 | (Protocol type) 16 bits. Defines the type of protocol. For example, 0x0800 stands for IP. ARP can be used with any higher-layer protocol. |
| Hardware Length: 6 | (Hardware length) 8 bits. Defines the length of the physical address. The value for Ethernet is 6. |
| Protocol Length: 4 | (Protocol length) 8 bits. Defines the address length. The value for IPv4 is 4. |
| Type: 1 | (Operation type) 16 bits. Defines the operation type: 1 for a request, 2 for a reply. |
| Source Physics: 00:A0:C9:BB:21:2A | Source MAC address |
| Source IP: | Source IP address |
| Destination Physics: 00:00:00:00:00:00 | Destination MAC address. For an ARP request packet this value is all zeros, because the requesting host does not know the MAC address of the target host. |
| Destination IP: | Destination IP address |

TCP protocol structure

The structure of the TCP protocol is as follows:

Bit ruler: 16, 32 bits
Source port | Destination port
Sequence number
Acknowledgement number
Offset | Reserved | U | A | P | R | S | F | Window
Checksum | Urgent pointer
Option + Padding
Data

The figure below is the decode view of the TCP protocol:

[Figure: decode view of a TCP segment]

The TCP fields in the figure above are explained in detail below:

| Field | Description |
| --- | --- |
| Source Port: 80 | Source port; HTTP uses port 80. |
| Destination Port: 3406 | Destination port |
| Sequence Number: 4161759990 | 32 bits. The sequence number of the first data octet in this segment (except when SYN is present). If SYN is present, the sequence number is the initial sequence number (ISN) and the first data octet is ISN+1. |
| Ack Number: 0 | 32 bits. If the ACK control bit is set, this field contains the value of the next sequence number which the sender of the segment is expecting to receive. Once a connection is established, this value is always sent. |
| Data Offset: 80, Header Length: 80 | 4 bits. The number of 32-bit words in the TCP header. This indicates where the data begins. The length of the TCP header is always a multiple of 32 bits. |
| Reserved: 0 | 6 bits. Reserved for future use. Must be cleared to zero. |
| Urgent pointer: | Urgent pointer field significant. |
| Acknowledgment number | Acknowledgment field significant. |
| Push Function: | Push function. |
| Reset the connection: | Reset the connection. |
| Synchronize sequence: | Synchronize sequence numbers. |
| End of data: | No more data from sender. |
| Window | 16 bits. It specifies the size of the sender's receive window, that is, the buffer space available in octets for incoming data. |
| CheckSum: | 16 bits. The checksum field is the 16 bit one's complement of the one's complement sum of all 16-bit words in the header and text. If a segment contains an odd number of header and text octets to be checksummed, the last octet is padded on the right with zeros to form a 16-bit word for checksum purposes. The pad is not transmitted as part of the segment. While computing the checksum, the checksum field itself is replaced with zeros. |
| Urgent Pointer | 16 bits. This field communicates the current value of the urgent pointer as a positive offset from the sequence number in this segment. The urgent pointer points to the sequence number of the octet following the urgent data. This field can only be interpreted in segments for which the URG control bit has been set. |

DNS protocol structure

The structure of the DNS protocol is as follows:

Bit ruler: 16, 17, 21, 22, 23, 24, 25, 26, 27, 28, 32
Identification | QR | Opcode | AA | TC | RD | RA | Z | AD | CD | Rcode
Question count | Answer count
Authority count | Additional count

The figure below is the decode view of the DNS protocol:

[Figure: decode view of a DNS message, followed by the FCS (Frame Check Sequence)]

The DNS fields in the figure above are explained in detail below:

| Field | Description |
| --- | --- |
| Identification: 43 | Identifier, 16 bits |
| Flags: | |
| Query/Response: 1 | Defines whether the message is a Query or a Response. 0 is Query, 1 is Response. |
| Operator Code: 0 | 4 bits. The codes are: 0 QUERY, Standard query. 1 IQUERY, Inverse query. 2 STATUS, Server status request. 3 Reserved. 4 Notify. 5 Update. 6-15 Reserved. |
| Authoritative Answer: 0 | 1-bit field. When set to 1, identifies the response as one made by an authoritative name server. 0 Not authoritative. 1 Is authoritative. |
| Truncation: 0 | 1-bit field. When set to 1, indicates the message has been truncated. 0 Not truncated. 1 Message truncated. |
| Recursion Desired: 1 | 1-bit field. May be set in a query and is copied into the response. If set, the name server is directed to pursue the query recursively. Recursive query support is optional. 0 Recursion not desired. 1 Recursion desired. |
| Approve Recursion: 1 | 1 bit field. Indicates if recursive query support is available in the name server. 0 Recursive query support not available. 1 Recursive query support available. |
| Reserved: 0 | 1 bit field. Indicates in a response that all data included in the answer and authority sections of the response have been authenticated by the server according to the policies of that server. It should be set only if all data in the response has been cryptographically verified or otherwise meets the server's local security policy. |
| Respond code: 0 | 0 No error. The request completed successfully. 1 Format error. The name server was unable to interpret the query. 2 Server failure. 3 Name Error. 4 Not Implemented. 5 Refused. 6 YXDomain. Name Exists when it should not. 7 YXRRSet. RR Set Exists when it should not. 8 NXRRSet. RR Set that should exist does |
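The four-layer decode walked through above (Ethernet II at bytes 0/6/12, then IP, UDP and the DNS header flags), as an added Python example that is not part of the original document. The function names `inet_checksum`, `decode` and `sample_frame` are hypothetical, and the frame is constructed sample data that reuses the MAC addresses and identifiers shown on the page.

```python
import struct

def inet_checksum(data: bytes) -> int:
    """16-bit one's complement of the one's-complement sum of 16-bit words."""
    data += b"\x00" * (len(data) % 2)          # pad an odd length with a zero octet
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:                          # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def decode(frame: bytes) -> dict:
    """Decode Ethernet II / IPv4 / UDP / DNS header; ValueError on malformed input."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet II header")
    dst, src, etype = struct.unpack_from("!6s6sH", frame, 0)    # offsets 0, 6, 12
    out = {"dst": dst.hex(":"), "src": src.hex(":"), "ethertype": etype}
    if etype != 0x0800:                         # e.g. 0x0806 ARP is not decoded here
        return out
    if len(frame) < 34:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _, tlen, ident, frag, ttl, proto = struct.unpack_from("!BBHHHBB", frame, 14)
    ihl = (ver_ihl & 0x0F) * 4                  # IHL counts 32-bit words
    if ver_ihl >> 4 != 4 or ihl < 20 or tlen < ihl or 14 + tlen > len(frame):
        raise ValueError("inconsistent IPv4 version or length fields")
    ip = frame[14:14 + ihl]
    out.update(ident=ident, ttl=ttl, proto=proto, frag_offset=frag & 0x1FFF,
               more_fragments=bool(frag & 0x2000), ip_checksum_ok=inet_checksum(ip) == 0,
               src_ip=".".join(map(str, ip[12:16])), dst_ip=".".join(map(str, ip[16:20])))
    l4 = frame[14 + ihl:14 + tlen]              # Total Length trims any Ethernet padding
    if proto != 17 or out["frag_offset"] or len(l4) < 8:
        return out                              # only unfragmented UDP is decoded further
    out["sport"], out["dport"] = struct.unpack_from("!HH", l4, 0)
    if 53 in (out["sport"], out["dport"]) and len(l4) >= 20:
        dns_id, flags, qd, an, ns, ar = struct.unpack_from("!6H", l4, 8)
        out["dns"] = {"id": dns_id, "qr": flags >> 15, "opcode": (flags >> 11) & 0xF,
                      "aa": (flags >> 10) & 1, "tc": (flags >> 9) & 1, "rd": (flags >> 8) & 1,
                      "ra": (flags >> 7) & 1, "rcode": flags & 0xF, "questions": qd}
    return out

def sample_frame() -> bytes:
    """Constructed DNS query frame; addresses, ports and IDs are sample values."""
    dns = struct.pack("!6H", 43, 0x0100, 1, 0, 0, 0) + b"\x07example\x03com\x00\x00\x01\x00\x01"
    udp = struct.pack("!4H", 5334, 53, 8 + len(dns), 0) + dns
    ip = struct.pack("!BBHHHBBH4B4B", 0x45, 0, 20 + len(udp), 10403, 0, 64, 17, 0,
                     192, 168, 1, 2, 192, 168, 1, 1)
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    return bytes.fromhex("000aebda7f96" "00e04ca086bd" "0800") + ip + udp

print(decode(sample_frame()))
```

A header whose checksum verifies sums to zero, which is what an analyzer's "Correct" label next to the checksum reflects; the length checks keep a truncated or inconsistent capture from being read past its end.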
