A one-time study of HTTP/TCP packets

Source: Internet
Author: User

Background: We often say that TCP is a transport-layer protocol, IP is a network-layer protocol, HTTP is an application-layer protocol, and so on. So how do the three work together? Today's experiment mainly explores how exactly TCP and HTTP combine.

Lab Environment:

Server: 192.168.254.136, running httpd as the web service, with a copy of the nginx home page (a static page) as the demo

Client: 192.168.254.1, capturing packets with Wireshark

Experimental steps:

Access the server from the client and capture the packets.

Message excerpt:

Message Analysis:

1. The first step is the familiar TCP three-way handshake: the first three packets are the handshake that establishes the connection. It is not expanded on here.

2. Next, packet number 4 is the HTTP GET request that the client sends to the server, with little content.

3. Now for the key part. Packet number 4 is the client's request to the server, and packet number 5 begins the response to this request. This first TCP packet does not contain any payload, only the TCP header. We expand this packet to see what its bytes contain.

Destination MAC: 6 B

Source MAC: 6 B

Type (IPv4): 2 B

------------------------------------------------------------

IP version: 0.5 B

Header length: 0.5 B

Service type: 1 B

Total length: 2 B

Identification: 2 B

Flags: 3 bits, fragment offset: 13 bits, total 2 B

TTL: 1 B

Protocol: 1 B

Checksum: 2 B

Source IP: 4 B

Destination IP: 4 B

------------------------------------------------------------

Source port: 2 B

Destination port: 2 B

Sequence number: 4 B

Acknowledgment number: 4 B

Header length: 0.5 B

Reserved field: 6 bits

URG/ACK/PSH/RST/SYN/FIN: 1 bit each

Window size: 2 B

Checksum: 2 B

Urgent pointer: 2 B

------------------------------------------------------------

Padding: 6 B fill field, placed in the data link layer.

IP packet analysis:

4-bit version number: the version number of the IP protocol; for IPv4 it is 4.

4-bit header length: identifies how many 4-byte words the header has, so the maximum is 15*4 bytes in total.

8-bit service type: contains a 4-bit priority field: minimum delay, maximum throughput, maximum reliability, and minimum cost.

Total length: the length of the entire IP datagram. The maximum is 65535, but this value cannot be reached because of the MTU limit.

Identification: uniquely identifies a datagram. The system assigns the value by adding 1 for each datagram it sends.

3-bit flags (reserved, DF: don't fragment, MF: more fragments): these flags exist for fragmentation. When DF is set, fragmentation is prohibited, so if the datagram is too large the send fails. When a datagram is fragmented, MF is set to 1 on every fragment except the last.

Fragment offset: the offset of the start of the fragment relative to the start of the original IP datagram.

8-bit time to live (TTL): the number of router hops allowed before the datagram arrives at the destination. Each hop subtracts 1; when the value reaches 0 the datagram is dropped.

8-bit protocol: used to distinguish the upper-layer protocol (ICMP is 1, TCP is 6, UDP is ).

-bit header checksum: the CRC algorithm is used to verify whether the datagram header (the header only) was damaged during transmission.

Source IP and destination IP.

TCP packet analysis:

the source port number and the destination port number for each .

Sequence number: numbers each byte of the byte stream in one direction of a TCP communication, which is how the data is confirmed to be sent in order; for example, the serial number is now , send the The next serial number is .

Acknowledgment number: used in response to a TCP segment. Its value is the sequence number of the received TCP segment plus 1; in the three-way handshake each side carries its own sequence number.

4-bit header length: identifies how many 4-byte words the TCP header has, so the maximum is 15*4=60 bytes in total, the same as the IP header.

6 reserved bits and 6 flag bits: URG (whether the urgent pointer is valid), ACK (whether the acknowledgment number is valid), PSH (the receiving application should read the data from the TCP receive buffer immediately), RST (the other party is required to reestablish the connection), SYN (a request to establish a connection), FIN (notifies the other side that the connection is to be closed).

Window size: a means of TCP flow control. It tells the peer how many more bytes the local TCP receive buffer can accommodate.

Checksum: filled in by the sender. The receiving end runs the CRC algorithm on the segment to verify whether the TCP segment was damaged in transit.

Urgent pointer: a positive offset. Adding it to the value of the sequence number field gives the sequence number of the byte that follows the last byte of urgent data.
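The field layout above can be checked by unpacking a frame byte by byte. The following is an added example, not part of the original article: the frame is constructed sample data (the MAC addresses, ports, window and TTL are assumptions; the IP addresses, identification 17800 and ACK 370 echo values from this page), and the checksums are left at 0 and not verified.

```python
import socket
import struct

FLAG_NAMES = ("FIN", "SYN", "RST", "PSH", "ACK", "URG")  # bit 0 .. bit 5

def build_sample_frame():
    """Constructed 60-byte frame: a payload-free ACK (all values are sample data)."""
    eth = bytes.fromhex("005056c00008000c29aabbcc") + struct.pack("!H", 0x0800)
    ip = struct.pack("!BBHHHBBH4s4s",
                     (4 << 4) | 5,     # version 4, header length 5 words = 20 bytes
                     0, 40, 17800,     # service type, total length, identification
                     0x4000,           # flags: DF set, fragment offset 0
                     64, 6, 0,         # TTL, protocol 6 = TCP, checksum left at 0
                     socket.inet_aton("192.168.254.136"),
                     socket.inet_aton("192.168.254.1"))
    tcp = struct.pack("!HHIIHHHH", 80, 50000, 1, 370,
                      (5 << 12) | 0x10,  # header length 5 words, ACK flag
                      229, 0, 0)         # window, checksum left at 0, urgent pointer
    return eth + ip + tcp + bytes(6)     # 6 bytes of link-layer padding

def parse_frame(frame):
    """Split an Ethernet/IPv4/TCP frame into the fields listed above."""
    if len(frame) < 54:
        raise ValueError("too short for Ethernet + IPv4 + TCP headers")
    _dst_mac, _src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0800:
        raise ValueError("not an IPv4 frame")
    (ver_ihl, _tos, total_len, ident, flags_off, ttl, proto,
     _csum, src_ip, dst_ip) = struct.unpack("!BBHHHBBH4s4s", frame[14:34])
    ip_hlen = (ver_ihl & 0x0F) * 4       # header length is counted in 4-byte words
    if ver_ihl >> 4 != 4 or ip_hlen < 20 or proto != 6:
        raise ValueError("not a well-formed IPv4/TCP packet")
    t = 14 + ip_hlen
    if len(frame) < t + 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off_flags, window, _c, _urg = struct.unpack(
        "!HHIIHHHH", frame[t:t + 20])
    tcp_hlen = (off_flags >> 12) * 4
    return {
        "src": (socket.inet_ntoa(src_ip), sport),
        "dst": (socket.inet_ntoa(dst_ip), dport),
        "ident": ident, "ttl": ttl,
        "dont_fragment": bool(flags_off & 0x4000),
        "more_fragments": bool(flags_off & 0x2000),
        "fragment_offset": flags_off & 0x1FFF,
        "seq": seq, "ack": ack, "window": window,
        "flags": [n for bit, n in enumerate(FLAG_NAMES) if off_flags & (1 << bit)],
        "payload_len": total_len - ip_hlen - tcp_hlen,
        "padding": len(frame) - 14 - total_len,
    }
```

The payload length is derived from the IP total length rather than the frame length, which is why the 6 padding bytes are not mistaken for TCP data.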

After analyzing this TCP packet, look at packet number 6, which is also a TCP packet sent from the server to the client, and see how it differs from the previous one. Let's compare the fields above one by one.

First, the total length of the IP datagram is not the same, one is the one is the 17800, then the identification is not the same, from the change to 17801, which verifies the self-increment just described. The checksum is of course also different, so leaving the checksum aside, the IP datagrams have only these two differences.

The TCP header is the same apart from the checksum, except that a 1460-byte data field is appended at the end. So what is the connection between the multiple packets?

We look at packets 5-8 separately. When the client makes a request, the server first sends an empty TCP packet, so Seq=1, Len=0. The next packet's Seq is still 1, but the length becomes 1460. The third TCP packet's Seq is then 1+1460, that is, Seq2=Seq1+Len, and the Ack does not change. The client then sends its acknowledgment packet: its Seq is the server-side Ack number, and its Ack is the Seq+Len of the previous packet, that is, 1461+1460=2921.

Then the server continues to send data to the client. The sequence number of packet number 9 is 2921, which is the Ack in the client's response packet; the Ack is still 370 and the length is 1460. The next packet's Seq is likewise the Seq+Len of packet number 9, 2921+1460=4381. Then comes the client's response packet: Seq stays at 370 and Ack is 4381+1460=5841.

Similarly, the following three packets also conform to this rule. After the final transmission, the first packet consists of a complete HTTP message.

However, it is important to note that although the first packet is labelled HTTP in Wireshark, the packet is actually a TCP packet, which contains TCP data!

Let's see: the first four lines are the same as in an ordinary TCP packet, and the length is 1431, less than 1460, indicating that the transmission is complete.

The last two lines are the HTTP message, which means that all the TCP segments have been received and merged into one complete HTTP response.

Then comes the TCP four-way close, which is not covered in detail. The tip is that the packet's Seq is the Seq+Len in the package :10192=8761+1431, the Ack is the seq+1 of the size pack.
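The Seq/Ack rule traced above can be applied mechanically to a capture to spot lost, retransmitted or unexpected segments. The following is an added example, not part of the original article: it uses the relative sequence numbers quoted on this page, the rows marked "constructed" are sample rows that follow the stated rule, and the function name and finding labels are hypothetical. Sequence-number wraparound is not handled.

```python
# Each row: (sender, seq, ack, payload_length, fin_flag), relative numbers as in Wireshark.
PAGE_TRACE = [
    ("server", 1, 370, 0, False),        # empty first response segment
    ("server", 1, 370, 1460, False),
    ("server", 1461, 370, 1460, False),
    ("client", 370, 2921, 0, False),     # Ack = 1461 + 1460
    ("server", 2921, 370, 1460, False),
    ("server", 4381, 370, 1460, False),
    ("client", 370, 5841, 0, False),     # Ack = 4381 + 1460
    ("server", 5841, 370, 1460, False),  # constructed, follows the same rule
    ("server", 7301, 370, 1460, False),  # constructed
    ("client", 370, 8761, 0, False),     # constructed
    ("server", 8761, 370, 1431, False),  # last data segment, shorter than 1460
    ("client", 370, 10192, 0, False),    # constructed, Ack = 8761 + 1431
    ("server", 10192, 370, 0, True),     # constructed FIN
    ("client", 370, 10193, 0, False),    # constructed, FIN consumes one number
]

def check_stream(segments, start):
    """Return (index, kind, expected, seen) for every segment that breaks the rule.

    start maps each side to the sequence number of the next byte it will send.
    """
    next_seq = dict(start)
    findings = []
    for i, (sender, seq, ack, length, fin) in enumerate(segments):
        peer = "client" if sender == "server" else "server"
        expected = next_seq[sender]
        if seq > expected:
            findings.append((i, "gap", expected, seq))
        elif seq < expected:
            findings.append((i, "retransmit-or-overlap", expected, seq))
        if ack > next_seq[peer]:
            # The sender acknowledges bytes the capture never saw the peer send.
            findings.append((i, "ack-of-unseen-data", next_seq[peer], ack))
        consumed = length + (1 if fin else 0)   # FIN takes one sequence number
        next_seq[sender] = max(expected, seq + consumed)
    return findings

START = {"server": 1, "client": 370}
```

Running `check_stream(PAGE_TRACE, START)` returns an empty list; removing a data segment from the trace produces a `gap` finding and an `ack-of-unseen-data` finding at the point where the bytes went missing.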

