I. Preface
Networks are developing very quickly today, and more and more people are learning about them. Anyone with a little knowledge of networking knows that the TCP/IP protocol suite is the foundation of the network and the common language of the Internet; it is fair to say that without TCP/IP there would be no Internet as we know it.
Many people now work in the Internet field, and many of them first touched the network with a crimping tool and a cable tester. If you only want to browse the web, knowing a few commands such as Ping is enough, but if you want to go further in networking, whether on the attacking or the defending side, you must understand the TCP/IP protocol suite.
Many people who have studied TCP/IP have the same feeling: it is too abstract, there are no concrete data examples, and everything is forgotten soon after reading. This article introduces a more intuitive way to learn TCP/IP, using a protocol analysis tool, so that the actual data transmission process can be seen directly while learning.
To make it easier for beginners to follow, this article builds a simple network environment that contains no subnets.
II. Test Environment
1. Network Environment
For ease of expression, machine 208 is the computer with the address 192.168.113.208 and machine 1 is the computer with the address 192.168.113.1.
2. Operating System
Both machines run Windows 2000; machine 1 is used as the server and has the FTP service installed.
3. Protocol Analysis Tools
Common tools on Windows include Sniffer Pro, NetXRay, Iris, and the Network Monitor that ships with Windows 2000. This document uses Iris as the protocol analysis tool.
Install the Iris software on the client, machine 208.
III. Test Process
1. Test example: download a file from machine 1 to machine 208 through FTP.
2. Iris settings.
Because Iris listens to the whole network, any other machines in the environment would cause many unrelated packets to be captured, which makes learning inconvenient. To see the transmission process of the example above clearly, Iris is configured to capture only the packets exchanged between machine 208 and machine 1. The procedure is as follows:
1) Press the shortcut key Ctrl+B to display the address table, and enter the IP addresses of the two machines in the table (there is no need to fill in a host name). Close this window after the entries are made.
2) Press the shortcut key Ctrl+E to open the filter settings. Select "IP address" in the left column and drag the addresses from the address book into the right column. Click OK to apply the settings; from now on only packets between the two computers are captured.
3. Packet capture
Click Start in the Iris toolbar. Enter ftp://192.168.113.1 in the browser, locate the file to be downloaded, right-click it, and choose Copy To Folder from the pop-up menu to start the download. When the download finishes, click the Stop button in the Iris toolbar to stop packet capture. Figure 4 shows the entire FTP process. Next we analyze this process in detail.
Note: To capture ARP packets, run arp -d on Windows 2000 beforehand to clear the ARP cache; otherwise the address is already cached and no ARP exchange takes place.
IV. Process Analysis
1. Basic principles of TCP/IP
Although the focus of this article is explaining TCP/IP through a captured example, it is still necessary to briefly describe the basic principles of TCP/IP.
A. The network is layered, and each layer is responsible for different communication functions.
TCP/IP is generally regarded as a four-layer protocol system, and the TCP/IP protocol family is made up of a group of different protocols. Although the family as a whole is usually called TCP/IP, TCP and IP are only two of its members, as shown in Table 1. Each layer is responsible for different functions:
The concept of layering is very simple, but it is very important in practice. Once it is well understood, it is of great help in network configuration and troubleshooting. For example, setting a route is the job of the IP protocol at the network layer; finding a MAC address is the job of ARP at the link layer; and the commonly used Ping command is implemented by the ICMP protocol.
Figure 5 shows the relationship between protocols at different layers. Understanding the relationship between them is very important for the following protocol analysis.
B. Data is sent from top to bottom, and coded layer by layer. Data is received from the bottom up and decoded layer by layer.
When an application transmits data over TCP, the data is passed down into the protocol stack and through each layer in turn until it is sent onto the network as a stream of bits. Each layer adds some header information to the data it receives, and sometimes trailer information as well. This process is shown in Figure 6. The data unit that TCP passes to IP is called a TCP segment. The data unit that IP passes to the network interface layer is called an IP datagram. The bit stream transmitted over Ethernet is called a frame.
Data is sent from top to bottom, as in Figure 6, and received from bottom to top, being decoded layer by layer on the way up.
C. Logically, communication is completed at the same level.
The vertical layering describes how data is actually processed: each layer has an interface to the layers adjacent to it. For two systems to communicate, data, commands, addresses and other information must be passed between the layers. The logical flow of communication, however, differs from the flow of the real data stream: although the data passes through every layer vertically, each layer can logically be thought of as communicating directly with the corresponding layer on the remote system.
As shown in figure 7, communication is actually performed in the vertical direction, but logically the communication is performed at the same level.
2. process description
To make the protocol analysis easier to follow, we first describe the data transmission steps in the example above, as shown in Figure 8:
1) The FTP client asks TCP to establish a connection with the server's IP address.
2) TCP sends a connection request segment to the remote host, that is, an IP datagram addressed to the IP address above.
3) If the target host is on the local network, the IP datagram can be sent directly to it. If the target host is on a remote network, the IP routing function determines the address of the next-hop router on the local network and forwards the datagram there. In both cases the IP datagram is delivered to a host or router located on the local network.
4) In this example, the sending host must map the 32-bit IP address to the 48-bit Ethernet address, also called the MAC address, which is a globally unique hardware address written into the NIC at the factory. This translation from IP address to MAC address is done by ARP.
5) As shown by the dotted line, ARP sends an Ethernet frame called an ARP request to every host on the Ethernet. This is called a broadcast. The ARP request contains the IP address of the target host and effectively says: "If you are the owner of this IP address, please reply with your hardware address."
6) After receiving the broadcast, the ARP layer of the target host recognizes that the sender is asking for its IP address and sends an ARP reply. The reply contains the IP address and the corresponding hardware address.
7) After the ARP reply is received, the IP datagram that triggered the ARP request and reply exchange can now be transmitted.
8) The IP datagram is sent to the target host.
3. instance analysis
Next, we analyze the working process of TCP/IP using the packets captured by Iris. To explain the data transmission process more clearly, we captured four groups of packets at different stages of the transfer: finding the server, establishing the connection, transferring data, and terminating the connection. Each group is handled in the following three steps:
Show data packets
Interpret this packet
Analyze the packet header information by Layer
First group: finding the server
1) Display the data in rows 1 and 2.
2) Interpret the packets
These two rows are the process of finding the server and the server's response.
In row 1, the MAC address of the source host is 00:50:FC:22:C7:BE and the MAC address of the destination is FF:FF:FF:FF:FF:FF. The address is written in hexadecimal; each F is 1111 in binary, so an address of all ones is the broadcast address. A broadcast sends information to every device on the network, and every Ethernet interface on the cable must receive and process the frame. This row corresponds to step 5): ARP sends an Ethernet frame called an ARP request to every host on the Ethernet. Every NIC on the network receives the message "Who is the owner of the IP address 192.168.113.1? Please tell me your hardware address."
Row 2 corresponds to step 6). Every machine on the same Ethernet "receives" the request, but under normal conditions all hosts except host 1 ignore it. When the ARP layer of host 1 receives the broadcast, it recognizes that the sender is asking for its IP address, so it sends an ARP reply telling the requester its IP address and MAC address. Row 2 clearly shows host 1's answer: its MAC address, 00:50:FC:22:C7:BE.
These two rows show the question-and-answer exchange at the data link layer. It is like looking for a person named James in a crowded classroom: you stand at the door and shout "James", and everyone hears it; that is the broadcast. James hears it and answers, nobody else responds, and so you have found James.
3) header information analysis
As shown in the left column, packet 1 contains two headers: Ethernet and ARP.
Table 2 lists the Ethernet header fields; the numbers in brackets give the number of bytes each field occupies. The first two fields of the Ethernet header are the destination and source Ethernet addresses. The special destination address of all ones is the broadcast address, and every Ethernet interface on the cable must receive such frames. The 2-byte frame type field indicates the type of the data that follows; for an ARP request or reply its value is 0x0806.
As row 2 shows, although the ARP request is broadcast, the destination address of the ARP reply is a single host's address, 00:50:FC:22:C7:BE: ARP replies are sent directly to the requesting host.
Table 3 lists the ARP header fields. The hardware type field gives the type of hardware address; the value 1 means Ethernet. The protocol type field gives the type of protocol address being mapped; the value 0x0800 means IP, the same value as the type field of an Ethernet frame that carries an IP datagram. The next two 1-byte fields give the lengths, in bytes, of the hardware address and the protocol address; for ARP requests and replies mapping IP addresses on Ethernet they are 6 and 4 respectively. The op field gives the operation: 1 is an ARP request, 2 an ARP reply, 3 a RARP request and 4 a RARP reply; the value 2 shown here is a reply. The last four fields are the sender hardware address, sender IP address, target hardware address and target IP address. Note that some information is duplicated: the sender hardware address appears both in the Ethernet header and in the ARP packet. In an ARP request every field except the target hardware address is filled in.
As Table 3 shows, when a system receives an ARP request for its own IP address, it fills in its hardware address, swaps the two sender addresses with the two target addresses, sets the op field to 2, and sends the packet back.
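The Ethernet and ARP headers described in Tables 2 and 3, and the request-reply behaviour of steps 5) and 6), as an added example that is not part of the original article: a small decoder for Ethernet+ARP frames plus the reply construction just described. The sample request is constructed from the addresses in the text; MAC_1 is a placeholder for host 1's NIC, since the page does not give it unambiguously.

```python
import struct

ETHERTYPE_ARP = 0x0806           # Ethernet frame type for ARP (Table 2)
ARP_OPS = {1: "request", 2: "reply", 3: "RARP request", 4: "RARP reply"}
ARP_FMT = "!HHBBH6s4s6s4s"       # the 28-byte ARP header laid out in Table 3

def mac_str(b):
    return ":".join(f"{x:02X}" for x in b)

def ip_str(b):
    return ".".join(str(x) for x in b)

def parse_ethernet_arp(frame):
    """Decode the 14-byte Ethernet header and the 28-byte ARP packet behind it."""
    if len(frame) < 42:
        raise ValueError("frame too short for Ethernet + ARP")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_ARP:
        raise ValueError(f"not an ARP frame: type 0x{ethertype:04X}")
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(ARP_FMT, frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an IPv4-over-Ethernet ARP packet")
    return {"eth_dst": mac_str(dst), "eth_src": mac_str(src),
            "broadcast": dst == b"\xff" * 6,          # all-ones destination = broadcast
            "op": ARP_OPS.get(op, f"unknown({op})"),
            "sender_mac": mac_str(sha), "sender_ip": ip_str(spa),
            "target_mac": mac_str(tha), "target_ip": ip_str(tpa)}

def build_arp_reply(request, my_mac):
    """Answer a request as the text describes: fill in our hardware address, swap the
    sender and target fields, set op to 2 and address the frame straight back (unicast)."""
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(ARP_FMT, request[14:42])
    if op != 1:
        raise ValueError("only ARP requests are answered")
    eth = struct.pack("!6s6sH", sha, my_mac, ETHERTYPE_ARP)
    arp = struct.pack(ARP_FMT, htype, ptype, hlen, plen, 2, my_mac, tpa, sha, spa)
    return eth + arp

# Constructed sample: the ARP request of packet 1 (addresses from the text), padded to
# the 60-byte Ethernet minimum as a capture would show it. MAC_1 is a placeholder.
MAC_208 = bytes.fromhex("0050FC22C7BE")
MAC_1 = bytes.fromhex("0011223344AA")
IP_208, IP_1 = bytes([192, 168, 113, 208]), bytes([192, 168, 113, 1])
ARP_REQUEST = (struct.pack("!6s6sH", b"\xff" * 6, MAC_208, ETHERTYPE_ARP)
               + struct.pack(ARP_FMT, 1, 0x0800, 6, 4, 1, MAC_208, IP_208, b"\0" * 6, IP_1)
               ).ljust(60, b"\0")

if __name__ == "__main__":
    print(parse_ethernet_arp(ARP_REQUEST), parse_ethernet_arp(build_arp_reply(ARP_REQUEST, MAC_1)), sep="\n")
```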
Second group: establishing the connection
1) Display the data in rows 3 to 5.
2) interpret data packets
These three rows are the process of establishing a connection between the two machines.
The core of these three rows is the TCP three-way handshake. TCP segments are carried by the IP protocol, but IP only sends data out and cannot guarantee that a datagram reaches its destination; reliable transmission is the job of TCP. When the receiver gets a segment from the sender, it sends back a short acknowledgement meaning "I have received your data." The third group of packets will show this. TCP is a connection-oriented protocol: before either side sends data, a connection must be established between the two parties, and that is done by the three-way handshake.
The process is like borrowing some books from Zhang San. Step 1: I say, "Hello, I am James." Step 2: Zhang San says, "Hello, James." Step 3: I say, "I would like to borrow some books from you." Through this question and answer each side confirms who the other is, and contact is established.
Next we will analyze the three-way handshake process in this example.
1) The requester, machine 208, sends an initial sequence number (SEQ) to machine 1.
2) After receiving this sequence number, server 1 adds 1 to it, giving 987694419, as the acknowledgement number (ACK), and generates its own initial sequence number (SEQ), 1773195208. Both are sent back to the requester, machine 208, in one segment, which means: "Your message has been received. My data stream starts at number 1773195208."
3) After receiving this, machine 208 sets its acknowledgement number to the server's initial sequence number (SEQ) 1773195208 plus 1, that is 1773195209, as its acknowledgement.
These three steps complete the three-way handshake, and both sides now have a channel for data transmission.
The analysis of the TCP header below shows how the relevant fields of the TCP header change during the handshake.
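The three-step exchange above, as an added example that is not part of the original article: a decoder for the fixed TCP header and a consistency check of the SEQ/ACK and flag relations between the three segments. The segments are constructed from the numbers in the text; the client's initial SEQ is not printed on the page, so it is derived as the server's ACK minus one, and client port 1035 is a made-up value (21 is the FTP control port).

```python
import struct

TCP_HDR = "!HHIIBBHHH"  # ports, seq, ack, data offset, flags, window, checksum, urgent
FLAG_FIN, FLAG_SYN, FLAG_ACK = 0x01, 0x02, 0x10
MASK32 = 0xFFFFFFFF     # sequence numbers are 32-bit and wrap around

def parse_tcp_header(segment):
    """Decode the fixed 20-byte TCP header; options, if any, follow it."""
    sport, dport, seq, ack, off, flags, win, _csum, _urg = struct.unpack(TCP_HDR, segment[:20])
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack, "window": win,
            "hdr_len": (off >> 4) * 4, "syn": bool(flags & FLAG_SYN),
            "ack_flag": bool(flags & FLAG_ACK), "fin": bool(flags & FLAG_FIN)}

def build_tcp_header(sport, dport, seq, ack, flags, window=16384):
    """Build a 20-byte header (data offset 5 words); checksum left 0, no IP pseudo-header."""
    return struct.pack(TCP_HDR, sport, dport, seq, ack, 5 << 4, flags, window, 0, 0)

def check_handshake(p1, p2, p3):
    """Check the three-way handshake relations the text walks through.
    Returns a list of problems; an empty list means the three segments are consistent."""
    a, b, c = (parse_tcp_header(p) for p in (p1, p2, p3))
    problems = []
    if not (a["syn"] and not a["ack_flag"]):
        problems.append("packet 1 must be a SYN without ACK")
    if not (b["syn"] and b["ack_flag"]):
        problems.append("packet 2 must be SYN+ACK")
    elif b["ack"] != (a["seq"] + 1) & MASK32:
        problems.append(f"packet 2 ACK {b['ack']} is not client SEQ + 1")
    if not (c["ack_flag"] and not c["syn"]):
        problems.append("packet 3 must be a plain ACK")
    elif c["ack"] != (b["seq"] + 1) & MASK32:
        problems.append(f"packet 3 ACK {c['ack']} is not server SEQ + 1")
    if c["seq"] != (a["seq"] + 1) & MASK32:
        problems.append("packet 3 SEQ must be client SEQ + 1 (the SYN consumes one number)")
    if (a["sport"], a["dport"]) != (b["dport"], b["sport"]):
        problems.append("packet 2 does not reverse the ports of packet 1")
    return problems

# Constructed segments built from the numbers in the text. The client's initial
# SEQ is not printed on the page, so it is derived as the server's ACK minus one;
# port 21 is FTP control, 1035 is a made-up client port.
SERVER_ISN = 1773195208
CLIENT_ISN = 987694419 - 1
SYN = build_tcp_header(1035, 21, CLIENT_ISN, 0, FLAG_SYN)
SYNACK = build_tcp_header(21, 1035, SERVER_ISN, CLIENT_ISN + 1, FLAG_SYN | FLAG_ACK)
ACK = build_tcp_header(1035, 21, CLIENT_ISN + 1, SERVER_ISN + 1, FLAG_ACK)

if __name__ == "__main__":
    print(check_handshake(SYN, SYNACK, ACK))   # [] when the handshake is consistent
```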
3) header information analysis
As shown in Figure 12, packet 3 contains three headers: Ethernet, IP and TCP.
Compared with the first two packets, the ARP header is gone and IP and TCP headers have appeared; ARP takes no part in the rest of the process. In a LAN, ARP's job is to find the wanted computer among the many connected ones, and once it is found, that job is done.
The only difference in the Ethernet header compared with packets 1 and 2 is the frame type, which is now 0x0800, indicating an IP datagram.