Wireshark Packet Analysis: Reading TCP Segments

Author: Mingo  Category: Packet Analysis  Published: 2018-09-17 02:15

*This post is only a personal study note and learning reference.

Three-way handshake to establish a connection (SYN flag)

The client sends a connection request (SYN) and waits for the acknowledgment; the server receives the request and answers with its own request plus an acknowledgment (SYN/ACK); finally the client acknowledges (ACK). The connection is established and data transfer begins. If that third segment never arrives, the server keeps a half-open connection in SYN_RECEIVED until it times out, which is exactly the resource a SYN flood exhausts.

Four-way handshake to tear down a connection (FIN flag)

The side that closes first (here the client) sends a close request (FIN) and waits for the acknowledgment; the server acknowledges it (ACK) and, once it has nothing more to send, sends its own close request (FIN); the client acknowledges that last FIN (ACK) and the connection is closed. Each direction is closed separately, and the server may combine its ACK and its FIN into a single FIN/ACK segment, which is why a capture sometimes shows only three segments for the close.

TCP header format

Three-way handshake: analysis

First handshake segment (SYN)

Transmission Control Protocol, Src Port: 52777 (52777), Dst Port: http (80), Seq: 0, Len: 0
#TCP, source port 52777, destination port 80#
Source Port: 52777 (52777) #source port#
Destination Port: http (80) #destination port#
[Stream index: 1] #stream index: Wireshark's own per-connection counter, not a header field#
Sequence number: 0 (relative sequence number) #sequence number, shown relative to the ISN; on the wire this is a random 32-bit initial sequence number#
Acknowledgment number: 0 #acknowledgment number: meaningless here because the ACK flag is not set#
Header Length: 32 bytes #header length: 20-byte fixed part plus 12 bytes of options#
Flags: 0x002 (SYN) #flags#
000. .... .... = Reserved: Not set
...0 .... .... = Nonce: Not set
.... 0... .... = Congestion Window Reduced (CWR): Not set
.... .0.. .... = ECN-Echo: Not set
.... ..0. .... = Urgent: Not set #URG flag#
.... ...0 .... = Acknowledgment: Not set #ACK flag#
.... .... 0... = Push: Not set #PSH flag#
.... .... .0.. = Reset: Not set #RST flag#
.... .... ..1. = Syn: Set #SYN flag#
[Expert Info (Chat/Sequence): Connection establish request (SYN): server port 80] #expert info#
[Connection establish request (SYN): server port 80] #message#
[Severity level: Chat] #severity level: Chat is purely informational, not a security rating#
[Group: Sequence] #group#
.... .... ...0 = Fin: Not set #FIN flag#
Window size value: 8192 #window size field#
[Calculated window size: 8192] #calculated window size: the scale factor is never applied to a SYN, so it equals the field value#
Checksum: 0x0a48 [unverified] #checksum: Wireshark does not validate TCP checksums unless that preference is enabled#
Urgent pointer: 0 #urgent pointer#
Options: (12 bytes), Maximum segment size, No-Operation (NOP), Window scale, No-Operation (NOP), No-Operation (NOP), SACK permitted #options; the Window scale value itself was not recorded in these notes#
Maximum segment size: 1460 bytes #maximum segment size#
No-Operation (NOP) #no-operation (padding)#
No-Operation (NOP) #no-operation (padding)#
No-Operation (NOP) #no-operation (padding)#
TCP SACK Permitted Option: True #SACK permitted option#
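As an added example (not part of the original notes), here is a small Python parser that recovers the same fields as the dissection above from raw bytes: ports, sequence and acknowledgment numbers, data offset, the nine flag bits, window, checksum, urgent pointer and the option list. It also performs the checksum validation that Wireshark skips by default (the "[unverified]" above) and rejects the malformed inputs a dissector has to survive, namely a data offset that points past the end of the segment and an option length that runs off the end of the option bytes. The SYN it builds is constructed sample input: the addresses 192.0.2.10 and 192.0.2.80, the ISN 0x1A2B3C4D and the window-scale shift of 8 are assumed values, since the notes only record the ports, window, MSS and header length.

```python
import socket
import struct
from dataclasses import dataclass, field

FLAG_NAMES = ["FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECE", "CWR", "NS"]  # bit 0 upward

@dataclass
class TcpHeader:
    src_port: int
    dst_port: int
    seq: int
    ack: int
    data_offset: int      # header length in 32-bit words (5..15)
    flags: int            # the 9 flag bits, NS down to FIN
    window: int
    checksum: int
    urgent_ptr: int
    options: list = field(default_factory=list)
    payload: bytes = b""

    @property
    def header_len(self):
        return self.data_offset * 4

    def flag_names(self):
        return [name for bit, name in enumerate(FLAG_NAMES) if (self.flags >> bit) & 1]

def parse_options(raw):
    """Walk the option bytes; every length byte is checked before it is trusted."""
    opts, i = [], 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:                        # End of Option List
            break
        if kind == 1:                        # NOP: one byte of padding
            opts.append(("No-Operation (NOP)", None))
            i += 1
            continue
        if i + 1 >= len(raw):
            raise ValueError(f"option kind {kind} is truncated before its length byte")
        length = raw[i + 1]
        if length < 2 or i + length > len(raw):
            raise ValueError(f"option kind {kind} has an invalid length {length}")
        body = raw[i + 2:i + length]
        if kind == 2 and length == 4:
            opts.append(("Maximum segment size", struct.unpack("!H", body)[0]))
        elif kind == 3 and length == 3:
            opts.append(("Window scale", body[0]))
        elif kind == 4 and length == 2:
            opts.append(("SACK permitted", True))
        else:
            opts.append((f"Unknown option kind {kind}", body))
        i += length
    return opts

def parse_tcp(segment):
    """Parse a raw TCP segment (header plus payload, no IP header)."""
    if len(segment) < 20:
        raise ValueError("segment is shorter than the 20-byte minimum TCP header")
    sport, dport, seq, ack, off_flags, window, csum, urg = struct.unpack("!HHIIHHHH", segment[:20])
    data_offset, flags = off_flags >> 12, off_flags & 0x1FF
    hlen = data_offset * 4
    if hlen < 20 or hlen > len(segment):     # a bogus data offset must not become an out-of-bounds slice
        raise ValueError(f"data offset {data_offset} does not fit a {len(segment)}-byte segment")
    return TcpHeader(sport, dport, seq, ack, data_offset, flags, window, csum, urg,
                     parse_options(segment[20:hlen]), segment[hlen:])

def tcp_checksum(src_ip, dst_ip, segment):
    """RFC 793 checksum: one's complement sum over the IPv4 pseudo-header and the segment."""
    pseudo = socket.inet_aton(src_ip) + socket.inet_aton(dst_ip) + struct.pack("!BBH", 0, 6, len(segment))
    data = pseudo + segment + (b"\x00" if len(segment) % 2 else b"")
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:                       # fold the carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def verify_checksum(src_ip, dst_ip, segment):
    """The check Wireshark skips by default (hence '[unverified]')."""
    stored = struct.unpack("!H", segment[16:18])[0]
    zeroed = segment[:16] + b"\x00\x00" + segment[18:]
    return tcp_checksum(src_ip, dst_ip, zeroed) == stored

def build_syn(src_ip="192.0.2.10", dst_ip="192.0.2.80"):
    """Constructed SYN matching the notes: 52777 -> 80, 32-byte header, MSS/NOP/WS/NOP/NOP/SACK."""
    options = (struct.pack("!BBH", 2, 4, 1460)       # Maximum segment size 1460
               + b"\x01"                             # NOP
               + struct.pack("!BBB", 3, 3, 8)        # Window scale; shift 8 is an assumed value
               + b"\x01\x01"                         # NOP, NOP
               + b"\x04\x02")                        # SACK permitted
    # ISN 0x1A2B3C4D is assumed; the checksum field is zero while the checksum is computed
    header = struct.pack("!HHIIHHHH", 52777, 80, 0x1A2B3C4D, 0, (8 << 12) | 0x002, 8192, 0, 0)
    segment = header + options
    return segment[:16] + struct.pack("!H", tcp_checksum(src_ip, dst_ip, segment)) + segment[18:]

def dissect(segment):
    """Summary line in the style of Wireshark's TCP header line (absolute sequence number)."""
    h = parse_tcp(segment)
    return (f"Src Port: {h.src_port}, Dst Port: {h.dst_port}, Seq: {h.seq}, Ack: {h.ack}, Len: {len(h.payload)}, "
            f"Flags: 0x{h.flags:03x} ({', '.join(h.flag_names())}), Header Length: {h.header_len} bytes, "
            f"Options: {[name for name, _ in h.options]}")
```

`print(dissect(build_syn()))` prints the header line for the constructed SYN. The two bounds checks in `parse_tcp` and `parse_options` are the part worth copying: an attacker-controlled data offset or option length is the classic way to make a dissector read past its buffer, and Wireshark itself has had bugs of exactly that shape in protocol dissectors.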

Second handshake segment (SYN/ACK)

Transmission Control Protocol, Src Port: http (80), Dst Port: 52777 (52777), Seq: 0, Ack: 1, Len: 0
#TCP, source port 80, destination port 52777: the server sends its own SYN and acknowledges the client's#
Source Port: http (80) #source port#
Destination Port: 52777 (52777) #destination port#
[Stream index: 1] #stream index#
Sequence number: 0 (relative sequence number) #sequence number: the server's own ISN, shown relative#
Acknowledgment number: 1 (relative ack number) #acknowledgment number: client ISN + 1, because the SYN consumed one sequence number#
Header Length: 32 bytes #header length#
Flags: 0x012 (SYN, ACK) #flags#
000. .... .... = Reserved: Not set
...0 .... .... = Nonce: Not set
.... 0... .... = Congestion Window Reduced (CWR): Not set
.... .0.. .... = ECN-Echo: Not set
.... ..0. .... = Urgent: Not set #URG flag#
.... ...1 .... = Acknowledgment: Set #ACK flag#
.... .... 0... = Push: Not set #PSH flag#
.... .... .0.. = Reset: Not set #RST flag#
.... .... ..1. = Syn: Set #SYN flag#
[Expert Info (Chat/Sequence): Connection establish acknowledge (SYN+ACK): server port 80] #expert info#
[Connection establish acknowledge (SYN+ACK): server port 80] #message#
[Severity level: Chat] #severity level#
[Group: Sequence] #group#
.... .... ...0 = Fin: Not set #FIN flag#
Window size value: 8192 #window size field#
[Calculated window size: 8192] #calculated window size#
Checksum: 0x0a48 [unverified] #checksum#
Urgent pointer: 0 #urgent pointer#
Options: (12 bytes), Maximum segment size, No-Operation (NOP), Window scale, No-Operation (NOP), No-Operation (NOP), SACK permitted #options: the server advertises its own MSS, scale factor and SACK support#
Maximum segment size: 1460 bytes #maximum segment size#
No-Operation (NOP) #no-operation (padding)#
No-Operation (NOP) #no-operation (padding)#
No-Operation (NOP) #no-operation (padding)#
TCP SACK Permitted Option: True #SACK permitted option#
[SEQ/ACK analysis] #sequence/acknowledgment analysis, generated by Wireshark#
[This is an ACK to the segment in frame: 4] #acknowledges the SYN in frame 4#
[The RTT to ACK the segment was: 0.170392000 seconds] #time from the SYN to this SYN/ACK#
[iRTT: 0.170478000 seconds] #initial round-trip time of the stream, measured over the handshake#

Third handshake segment (ACK)

Transmission Control Protocol, Src Port: 52777 (52777), Dst Port: http (80), Seq: 1, Ack: 1, Len: 0
#TCP, source port 52777, destination port 80#
Source Port: 52777 (52777) #source port#
Destination Port: http (80) #destination port#
[Stream index: 1] #stream index#
Sequence number: 1 (relative sequence number) #sequence number: the client's SYN consumed one sequence number, so this is client ISN + 1#
Acknowledgment number: 1 (relative ack number) #acknowledgment number: server ISN + 1, acknowledging the SYN/ACK#
Header Length: 20 bytes #header length: no options on this segment; MSS, Window scale and SACK permitted are only exchanged on the SYN and SYN/ACK#
Flags: 0x010 (ACK) #flags#
000. .... .... = Reserved: Not set
...0 .... .... = Nonce: Not set
.... 0... .... = Congestion Window Reduced (CWR): Not set
.... .0.. .... = ECN-Echo: Not set
.... ..0. .... = Urgent: Not set #URG flag#
.... ...1 .... = Acknowledgment: Set #ACK flag#
.... .... 0... = Push: Not set #PSH flag#
.... .... .0.. = Reset: Not set #RST flag#
.... .... ..0. = Syn: Not set #SYN flag: no expert info is attached here, since only SYN, FIN and RST produce the Chat/Sequence messages#
.... .... ...0 = Fin: Not set #FIN flag#
Window size value: 8192 #window size field#
[Calculated window size: 8192] #calculated window size: from this segment on Wireshark multiplies the field by the scale factor negotiated in the handshake#
Checksum: 0x0a48 [unverified] #checksum#
Urgent pointer: 0 #urgent pointer#
[SEQ/ACK analysis] #sequence/acknowledgment analysis#
[This is an ACK to the segment in frame: 13] #acknowledges the SYN/ACK in frame 13#
[The RTT to ACK the segment was: 0.000061000 seconds] #time from the SYN/ACK to this ACK#
[iRTT: 0.168388000 seconds] #initial round-trip time#

Four-way handshake teardown: analysis

Basically the same as above, except that the FIN bit is set (value 1) instead of SYN; ACK is set as well, since every segment after the initial SYN acknowledges the peer. A FIN consumes one sequence number just like a SYN, which is why the peer's acknowledgment number jumps by one after it even though the segment carries no data.
Flags: 0x011 (FIN, ACK)
000. .... .... = Reserved: Not set
...0 .... .... = Nonce: Not set
.... 0... .... = Congestion Window Reduced (CWR): Not set
.... .0.. .... = ECN-Echo: Not set
.... ..0. .... = Urgent: Not set
.... ...1 .... = Acknowledgment: Set
.... .... 0... = Push: Not set
.... .... .0.. = Reset: Not set
.... .... ..0. = Syn: Not set
.... .... ...1 = Fin: Set

TCP reset: analysis

Basically the same as above, except that the RST bit is set (value 1) instead of SYN. Per RFC 793 the shape of a reset depends on what it answers: a reset to a segment that had no ACK bit (such as a SYN sent to a closed port) carries sequence number 0 and the ACK bit, with acknowledgment number = incoming sequence number + length, which is the RST/ACK shown here; a reset to a segment that had ACK set takes its sequence number from that acknowledgment field and carries no ACK bit (Flags: 0x004). Either way the connection is dropped immediately with no FIN exchange. Classic stacks accept any RST whose sequence number falls inside the receive window, which is what makes forged resets effective against a connection the attacker can observe; RFC 5961 narrows this to an exact sequence match and answers an in-window RST with a challenge ACK instead.
Flags: 0x014 (RST, ACK)
000. .... .... = Reserved: Not set
...0 .... .... = Nonce: Not set
.... 0... .... = Congestion Window Reduced (CWR): Not set
.... .0.. .... = ECN-Echo: Not set
.... ..0. .... = Urgent: Not set
.... ...1 .... = Acknowledgment: Set
.... .... 0... = Push: Not set
.... .... .1.. = Reset: Set
.... .... ..0. = Syn: Not set
.... .... ...0 = Fin: Not set
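The handshake, teardown and reset walkthroughs above, together with the relative sequence/acknowledgment numbers and the "ACK to frame / RTT / iRTT" lines, are all state that Wireshark derives from the stream rather than fields of any one header. As an added example that is not part of the original notes, this Python stream tracker recomputes that state over a constructed trace: it assigns stream indexes, converts absolute sequence numbers to relative ones using the ISNs seen in the SYN and SYN/ACK, matches each ACK to the peer segment it acknowledges, measures RTT and iRTT, reproduces Wireshark's Chat/Sequence expert-info texts for SYN, SYN+ACK, FIN and RST, and follows each connection through SYN_SENT, SYN_RECEIVED, ESTABLISHED, FIN_WAIT, LAST_ACK and CLOSED or RESET. The trace is constructed inline: the ports, frame numbers and handshake timings echo the notes, while the ISNs 1000/5000/7000, the payload sizes, the server's combined FIN/ACK and the second connection refused on port 81 with RST/ACK are assumed.

```python
from dataclasses import dataclass, field

@dataclass
class Segment:           # one dissected TCP segment: absolute seq/ack, src/dst are (ip, port) tuples
    frame: int
    time: float
    src: tuple
    dst: tuple
    flags: frozenset     # subset of {"SYN", "ACK", "FIN", "RST", "PSH"}
    seq: int
    ack: int = 0
    length: int = 0      # payload bytes

@dataclass
class Stream:
    index: int
    state: str = "CLOSED"
    isn: dict = field(default_factory=dict)      # endpoint -> initial sequence number
    unacked: dict = field(default_factory=dict)  # endpoint -> [(frame, next_seq, time)] awaiting an ACK
    fins: set = field(default_factory=set)       # endpoints that have sent a FIN
    syn_time: float = None
    irtt: float = None

def expert_info(seg):
    """The Chat/Sequence texts Wireshark attaches to the SYN, FIN and RST bits."""
    f = seg.flags
    if "RST" in f:
        return "Connection reset (RST)"
    if "SYN" in f:
        return (f"Connection establish acknowledge (SYN+ACK): server port {seg.src[1]}" if "ACK" in f
                else f"Connection establish request (SYN): server port {seg.dst[1]}")
    return "Connection finish (FIN)" if "FIN" in f else None

def transition(st, seg, me):   # observer-side approximation of the RFC 793 connection states
    f = seg.flags
    if "RST" in f:                            # abortive close: no FIN exchange at all
        st.state = "RESET"
    elif "SYN" in f and "ACK" not in f:       # handshake step 1
        st.state, st.syn_time = "SYN_SENT", seg.time
    elif "SYN" in f:                          # handshake step 2 (SYN+ACK)
        st.state = "SYN_RECEIVED"
    elif "FIN" in f:                          # first FIN half-closes; the second awaits only the last ACK
        st.fins.add(me)
        st.state = "FIN_WAIT" if len(st.fins) == 1 else "LAST_ACK"
    elif "ACK" in f and st.state == "SYN_RECEIVED":   # step 3; iRTT runs from the SYN to this ACK
        st.state, st.irtt = "ESTABLISHED", seg.time - st.syn_time
    elif "ACK" in f and st.state == "LAST_ACK":       # final ACK of the close
        st.state = "CLOSED"
    return st.state

class StreamTracker:
    def __init__(self):
        self.streams = {}  # sorted endpoint pair -> Stream

    def analyse(self, seg):
        me, peer = seg.src, seg.dst
        st = self.streams.setdefault(tuple(sorted([me, peer])), Stream(index=len(self.streams)))
        st.isn.setdefault(me, seg.seq)           # the first seq seen from a side is taken as its ISN
        info = {"frame": seg.frame, "stream": st.index,
                "rel_seq": seg.seq - st.isn[me], "expert": expert_info(seg)}
        if "ACK" in seg.flags and peer in st.isn:
            info["rel_ack"] = seg.ack - st.isn[peer]
            # "This is an ACK to the segment in frame N": the peer segment whose next_seq equals this ack
            for frame, nxt, t in st.unacked.get(peer, []):
                if nxt == seg.ack:
                    info["ack_to_frame"], info["rtt"] = frame, seg.time - t
            st.unacked[peer] = [u for u in st.unacked.get(peer, []) if u[1] > seg.ack]
        next_seq = seg.seq + seg.length + ("SYN" in seg.flags) + ("FIN" in seg.flags)  # SYN/FIN use one seq each
        if next_seq > seg.seq:                   # only segments that consume sequence space await an ACK
            st.unacked.setdefault(me, []).append((seg.frame, next_seq, seg.time))
        info["state"] = transition(st, seg, me)
        if st.irtt is not None:
            info["irtt"] = st.irtt
        return info

def seg(frame, t, src, dst, flags, seq, ack=0, length=0):
    return Segment(frame, t, src, dst, frozenset(flags.split("/")), seq, ack, length)

C, S, C2, S2 = ("192.0.2.10", 52777), ("192.0.2.80", 80), ("192.0.2.10", 52778), ("192.0.2.80", 81)
# Constructed trace, not a real capture: frame numbers and handshake timings echo the notes above;
# the ISNs, payload sizes and the refused connection to port 81 are assumed.
SAMPLE_TRACE = [
    seg(4, 0.000000, C, S, "SYN", 1000),
    seg(13, 0.170392, S, C, "SYN/ACK", 5000, 1001),
    seg(14, 0.170453, C, S, "ACK", 1001, 5001),
    seg(15, 0.171000, C, S, "PSH/ACK", 1001, 5001, 100),   # request
    seg(16, 0.341000, S, C, "PSH/ACK", 5001, 1101, 300),   # response
    seg(18, 1.000000, C, S, "FIN/ACK", 1101, 5301),        # client closes first
    seg(20, 1.171000, S, C, "FIN/ACK", 5301, 1102),        # server acknowledges and closes in one segment
    seg(21, 1.341000, C, S, "ACK", 1102, 5302),
    seg(30, 2.000000, C2, S2, "SYN", 7000),                # SYN to a closed port ...
    seg(31, 2.001000, S2, C2, "RST/ACK", 0, 7001),         # ... answered with seq 0, ack ISN+1
]

def analyse_trace(trace):
    tracker = StreamTracker()
    return [tracker.analyse(s) for s in trace]
```

`for info in analyse_trace(SAMPLE_TRACE): print(info)` prints one dict per frame, with the same relative numbers, frame references and RTTs the Wireshark panes above show. The state names are what an observer on the wire can infer, not the endpoints' real TCB states; a production tracker also needs timeouts for half-open connections (the SYN-flood case), retransmission handling, and the RFC 5961 sequence check before it believes a RST.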
