常見協(xié)議解碼詳解

1、常見協(xié)議解碼詳解l 數據包封包分層數據包解碼說明數據鏈路層 Data Link Layer如：設備驅動網絡層 Network Layer如：IP，ICMP，IGMP等傳輸層 Transport Layer如：TCP，UDP應用層 Application Layer如：FTP，HTTP，Email等下圖是對數據包的解碼圖，其中對數據包中的每一層協(xié)議分別進行了解碼分析：這里面，我們可以看到協(xié)議由外向內封裝，分別是：1. 數據鏈路層對應“Ethernet II”協(xié)議；2. 網絡層對應“IP”協(xié)議；3. 傳輸層對應“UDP”協(xié)議；4. 應用層對應“DNS”協(xié)議。下面我們就分別對這四層協(xié)議做詳細解釋。l

2、 以太網數據包結構協(xié)議結構為： 7166246-1500bytes4PreSFDDASALength TypeData unit + padFCS下圖是Ethernet II協(xié)議解碼后的內容，利用此實例進行說明：上層協(xié)議0x0800 (IP協(xié)議)目標MAC地址源MAC地址 目標MAC地址 0位開始/6 bytes長 源MAC地址 6位開始/6 bytes長 上層協(xié)議 12位開始/2 bytes長字段說明Destination addressDA，目標MAC地址6 字節(jié)Source addressesSA，源MAC地址6 字節(jié)ProtocolLength Type，承載的上層協(xié)議類型Data u

3、nit + pad，數據字段（46-1500bytes）FCS檢驗（4bytes）MAC地址：MAC地址為16進制編碼，在解碼中可以將前3 bytes代表廠商的字段翻譯出來，方便定位問題，如網絡上有兩臺設備IP地址沖突，可以通過廠商信息方便的將故障設備找到，如00e04C為TP-LINK，000AKB為迅捷，00A0C9為Intel等等，上層協(xié)議：Ethernet II 承載的上層協(xié)議主要包括0x800為IP協(xié)議和0x806為ARP協(xié)議。l IP協(xié)議結構IP頭的結構如下：48161932bitsVerIHLType of serviceTotal lengthIdentificationFla

4、gsFragment offsetTime to liveProtocolHeader checksumSource addressDestination addressOption + PaddingData下圖是IP層解碼后的內容，利用此實例進行說明：下面是IP協(xié)議解碼的對應字段解釋：字段說明Version: 4版本號為4，即IPv4協(xié)議，Header Length: 5頭部長度20字節(jié)，5 bitsType of service: 000 0000服務提供類型，顯示參數摘要。Precedence優(yōu)先路由信息Delay遲延Throughput吞吐量Reliability可靠性Total L

5、ength: 131總長131（單位字節(jié)，最長為65535字節(jié)）Identification: 10403標識Fragmentation Flags: 000. .標志Reserved:保留Fragment:片斷More Fragment:最后片斷Fragment Offset: 0偏移量Time to Live:TTL, 科來網絡分析系統(tǒng)5.0將丟棄TTL=0的數據包Protocol: 17是哪種協(xié)議，1ICMP，6 TCP， 17 UDP，89 OSPFCheck Sum: 0xCE73對IP協(xié)議頭的校驗合，0xCE73 為正確源IP地址目標IP地址l ARP協(xié)議結構以下是ARP協(xié)議結構：

6、81632 bits Hardware Type Protocol Type Hardware address lengthProtocol address lengthOpcodeSender Hardware Address Sender Protocol Address Target Hardware Address Target Protocol Address 下圖是對ARP協(xié)議進行解碼視圖：我們對上圖中的ARP字段進行詳細說明：字段說明Hardware Type:1（硬件類型) 占16 bits，用來定義運行ARP的網絡類型，每一個局域網基于其類型被指定一個整數，例如，以太網是類型

7、1，ARP可以使用在任何網絡上。Protocol Type: 0x0800（協(xié)議類型）占16 bits，用來定義協(xié)議的類型。如：0x0800代表IP協(xié)議，ARP可用于任何高層協(xié)議。Hardware Length: 6（硬件長度）占8 bits，用來定義物理地址和長度。以太網值為6。Protocol Length: 4（協(xié)議長度）占8 bits，用來定義物理地址和長度。IPv4值為4。Type: 1（操作類型）占16 bits，用來定義操作類型，請求為1，回答為2。Source Physics:00:A0:C9:BB:21:2A 源MAC地址Source IP: Source Ip源IP地址De

8、stination Physics: 00:00:00:00:00:00 目標MAC地址，對于ARP請求數據包，此值全為0，因為請求主機并不知道目標主機的MAC地址目標IP地址l TCP協(xié)議結構以下是TCP協(xié)議的結構：16 32 bits Source port Destination port Sequence number Acknowledgement number Offset Reserved UAPRSFWindow Checksum Urgent pointer Option + Padding Data 下圖是對TCP協(xié)議進行解碼視圖：我們對上圖中的TCP字段進行詳細說明：字段

9、說明Source Port: 80源端口，HTTP為80端口Destination Port: 3406目標端口Sequence Number: 416175999032 bits. The sequence number of the first data octet in this segment (except when SYN is present). If SYN is present, the sequence number is the initial sequence number (ISN) and the first data octet is ISN+1.Ack Numb

10、er: 032 bits. If the ACK control bit is set, this field contains the value of the next sequence number which the sender of the segment is expecting to receive. Once a connection is established, this value is always sent.Data Offset: 80Header Length: 804 bits. The number of 32-bit words in the TCP he

11、ader. This indicates where the data begins. The length of the TCP header is always a multiple of 32 bits.Reserved: 06 bits. Reserved for future use. Must be cleared to zero. Urgent pointer:Urgent pointer field significant. Acknowledgment numberAcknowledgment field significant. Push Function:Push fun

12、ction. Reset the connection:Reset the connection. Synchronize sequence:Synchronize sequence numbers. End of data: No more data from sender.Window16 bits. It specifies the size of the sender's receive window, that is, the buffer space available in octets for incoming data.Check Sum:16 bits. The c

13、hecksum field is the 16 bit one¡¯s complement of the one¡¯s complement sum of all 16-bit words in the header and text. If a segment contains an odd number of header and text octets to be checksummed, the last octet is padded on the right with zeros to form a 16-bit word for check

14、sum purposes. The pad is not transmitted as part of the segment. While computing the checksum, the checksum field itself is replaced with zeros.Urgent Pointer16 bits. This field communicates the current value of the urgent pointer as a positive offset from the sequence number in this segment. The ur

15、gent pointer points to the sequence number of the octet following the urgent data. This field can only be interpreted in segments for which the URG control bit has been set.l DNS 協(xié)議結構以下是DNS協(xié)議的結構：1617212223242526272832IdentificationQROpcodeAATCRDRAZADCDRcodeQuestion countAnswer count Authority countA

16、dditional count 下圖是對DNS協(xié)議進行解碼視圖：我們對上圖中的DNS字段進行詳細說明：字段說明Identification: 43 標識，占16 bitsFlags:Query/Response: 1用于定義是Query還是Response。0為Query, 1為Response。Operator Code: 0占 4 bits，其對應代碼如下：0 QUERY, Standard query. 1 IQUERY, Inverse query. 2 STATUS, Server status request. 3 Reserved. 4 Notify. 5 Update. 6-1

17、5 Reserved.Authoritative Answer: 01-bit field. When set to 1, identifies the response as one made by an authoritative name server. 0 Not authoritative. 1 Is authoritativeTruncation: 01-bit field. When set to 1, indicates the message has been truncated. 0 Not truncated. 1 Message truncatedRecursion D

18、esired: 1 Recursion desired: 1-bit field. May be set in a query and is copied into the response. If set, the name server is directed to pursue the query recursively. Recursive query support is optional.0 Recursion not desired. 1 Recursion desired.Approve Recursion: 11 bit field. Indicates if recursi

19、ve query support is available in the name server.0 Recursive query support not available. 1 Recursive query support available.Reserved: 0 1 bit field. Indicates in a response that all data included in the answer and authority sections of the response have been authenticated by the server according t

20、o the policies of that server. It should be set only if all data in the response has been cryptographically verified or otherwise meets the server's local security policy.Respond code: 00 No error. The request completed successfully. 1 Format error. The name server was unable to interpret the qu

21、ery. 2 Server failure. 3 Name Error. 4 Not Implemented.5 Refused. 6 YXDomain. Name Exists when it should not. 7 YXRRSet. RR Set Exists when it should not. 8 NXRRSet. RR Set that should exist does not. 9 NotAuth. Server Not Authoritative for zone. 10 NotZone. Name not contained in zone. 11-15 Reserved. 16 BADVERS. Bad OPT Version.BADSIG. TSIG Signature Failure. 17 BADKEY. Key not recognized. 18 BADTIME. Signature out of time window. 19 BADMODE. Bad TKEY Mode. 20 BADNAME.Duplicate key name. 21 BADALG.Algorithm not supported. 22-38403841-4095 Privat