Software used for analysis: Wireshark-win32-1.10.2.exe
1. Analyzing and applying the ARP protocol
2. Analyzing the IP protocol
3. Analyzing the ICMP protocol
1. Analysis of the format and content of ARP messages
(1) ARP request message sent during ping 172.18.3.132:
000108000604000100e04c512ae8ac12038e000000000000ac120384
Hardware type: 0001 - Ethernet (1)
Protocol type: 0800 - IP (0x0800)
Hardware size: 06 - 6
Protocol size: 04 - 4
Opcode: 0001 - request (1)
Sender MAC address: 00e04c512ae8 - RealtekS_51:2a:e8 (00:e0:4c:51:2a:e8)
Sender IP address: ac12038e - 172.18.3.142
Target MAC address: 000000000000 - 00:00:00_00:00:00 (00:00:00:00:00:00)
Target IP address: ac120384 - 172.18.3.132
(2) ARP reply message received during ping 172.18.3.132:
000108000604000200e04cf0ca7eac12038400e04c512ae8ac12038e
Hardware type: 0001 - Ethernet (1)
Protocol type: 0800 - IP (0x0800)
Hardware size: 06 - 6
Protocol size: 04 - 4
Opcode: 0002 - reply (2)
Sender MAC address: 00e04cf0ca7e - RealtekS_f0:ca:7e (00:e0:4c:f0:ca:7e)
Sender IP address: ac120384 - 172.18.3.132
Target MAC address: 00e04c512ae8 - RealtekS_51:2a:e8 (00:e0:4c:51:2a:e8)
Target IP address: ac12038e - 172.18.3.142
(3) ARP request message sent during ping 202.202.96.35 (Southwest University homepage):
000108000604000100e04c512ae8ac12038e000000000000ac120381
Hardware type: 0001 - Ethernet (1)
Protocol type: 0800 - IP (0x0800)
Hardware size: 06 - 6
Protocol size: 04 - 4
Opcode: 0001 - request (1)
Sender MAC address: 00e04c512ae8 - RealtekS_51:2a:e8 (00:e0:4c:51:2a:e8)
Sender IP address: ac12038e - 172.18.3.142
Target MAC address: 000000000000 - 00:00:00_00:00:00 (00:00:00:00:00:00)
Target IP address: ac120381 - 172.18.3.129
(4) ARP reply message received during ping 202.202.96.35:
0001080006040002001906561e4bac12038100e04c512ae8ac12038e
Hardware type: 0001 - Ethernet (1)
Protocol type: 0800 - IP (0x0800)
Hardware size: 06 - 6
Protocol size: 04 - 4
Opcode: 0002 - reply (2)
Sender MAC address: 001906561e4b - Cisco_56:1e:4b (00:19:06:56:1e:4b)
Sender IP address: ac120381 - 172.18.3.129
Target MAC address: 00e04c512ae8 - RealtekS_51:2a:e8 (00:e0:4c:51:2a:e8)
Target IP address: ac12038e - 172.18.3.142
Because 202.202.96.35 is not on the local LAN, the request has to be forwarded through the gateway to the external network. The ARP exchange above is therefore actually between this host and the gateway (172.18.3.129): it obtains the gateway's MAC address and stores it in the ARP cache.
(5) ARP request message sent when another host (172.18.3.134) pings this machine (172.18.3.142):
000108000604000100e04c501178ac120386000000000000ac12038e
Hardware type: 0001 - Ethernet (1)
Protocol type: 0800 - IP (0x0800)
Hardware size: 06 - 6
Protocol size: 04 - 4
Opcode: 0001 - request (1)
Sender MAC address: 00e04c501178 - RealtekS_50:11:78 (00:e0:4c:50:11:78)
Sender IP address: ac120386 - 172.18.3.134
Target MAC address: 000000000000 - 00:00:00_00:00:00 (00:00:00:00:00:00)
Target IP address: ac12038e - 172.18.3.142
(6) ARP reply message sent when another host (172.18.3.134) pings this machine (172.18.3.142):
000108000604000200e04c512ae8ac12038e00e04c501178ac120386
Hardware type: 0001 - Ethernet (1)
Protocol type: 0800 - IP (0x0800)
Hardware size: 06 - 6
Protocol size: 04 - 4
Opcode: 0002 - reply (2)
Sender MAC address: 00e04c512ae8 - RealtekS_51:2a:e8 (00:e0:4c:51:2a:e8)
Sender IP address: ac12038e - 172.18.3.142
Target MAC address: 00e04c501178 - RealtekS_50:11:78 (00:e0:4c:50:11:78)
Target IP address: ac120386 - 172.18.3.134
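The field-by-field decoding above can be reproduced programmatically. The following Python script is an added example written for this write-up (it is not part of the original lab report and does not use Wireshark): it parses the ARP messages captured above into named fields and then performs the check a defender would run over a capture, learning the IP-to-MAC binding each sender advertises and flagging any IP address that is later claimed by a different MAC. The four message constants are the hex dumps from the page; the fifth, CONSTRUCTED_CONFLICTING_REPLY, is constructed here solely to show what a binding conflict looks like to the check.

```python
import struct
from ipaddress import IPv4Address

# ARP messages from the lab captures above (hex exactly as shown on the page).
PING_132_REQUEST = "000108000604000100e04c512ae8ac12038e000000000000ac120384"
PING_132_REPLY = "000108000604000200e04cf0ca7eac12038400e04c512ae8ac12038e"
GATEWAY_REQUEST = "000108000604000100e04c512ae8ac12038e000000000000ac120381"
GATEWAY_REPLY = "0001080006040002001906561e4bac12038100e04c512ae8ac12038e"
# Constructed for illustration only (not from the capture): a reply that claims
# 172.18.3.132 from a MAC other than the one seen in PING_132_REPLY.
CONSTRUCTED_CONFLICTING_REPLY = "000108000604000200e04c000000ac12038400e04c512ae8ac12038e"

OPCODES = {1: "request", 2: "reply"}


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def parse_arp(hexdump):
    """Decode one Ethernet/IPv4 ARP message into its named fields."""
    raw = bytes.fromhex(hexdump)
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", raw[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP message")
    if len(raw) < 8 + 2 * (hlen + plen):
        raise ValueError("truncated ARP message")
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", raw[8:28])
    return {
        "opcode": OPCODES.get(opcode, opcode),
        "sender_mac": mac_str(sha),
        "sender_ip": str(IPv4Address(spa)),
        "target_mac": mac_str(tha),
        "target_ip": str(IPv4Address(tpa)),
    }


def check_bindings(hexdumps):
    """Learn IP-to-MAC bindings from the sender fields of each message and
    report every IP address that is later advertised by a different MAC.
    A non-empty result is the symptom to investigate for ARP cache poisoning."""
    learned = {}
    conflicts = []
    for msg in map(parse_arp, hexdumps):
        known = learned.setdefault(msg["sender_ip"], msg["sender_mac"])
        if known != msg["sender_mac"]:
            conflicts.append((msg["sender_ip"], known, msg["sender_mac"]))
    return conflicts


if __name__ == "__main__":
    for name, msg in [("request", PING_132_REQUEST), ("reply", PING_132_REPLY)]:
        print(name, parse_arp(msg))
    print("capture conflicts:", check_bindings([PING_132_REQUEST, PING_132_REPLY,
                                                GATEWAY_REQUEST, GATEWAY_REPLY]))
    print("constructed conflict:", check_bindings([PING_132_REPLY, CONSTRUCTED_CONFLICTING_REPLY]))
```

Run over the four real messages, check_bindings returns an empty list: every host in the capture advertises a single MAC. Only the constructed reply produces a conflict entry, which is the condition a monitoring tool such as arpwatch alerts on.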
2. Analysis of the format and content of IP packets
(1) IP header of the ICMP echo request during ping 172.18.3.132:
4500003c1842000040010349ac12038eac120384
Version: 4
Header length: 5 - 20 bytes
Differentiated Services Field: 00 - 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport))
Total length: 00 3c - 60
Identification: 18 42 - 0x1842 (6210)
Flags: 00 - 0x00
Fragment offset: 0000 - 0
Time to live: 40 - 64
Protocol: 01 - ICMP (1)
Header checksum: 03 49 - 0x0349 [correct]
Source: ac 12 03 8e - 172.18.3.142
Destination: ac 12 03 84 - 172.18.3.132
(2) IP header of the ICMP echo reply during ping 172.18.3.132:
4500003c2e9600004001ecf4ac120384ac12038e
Version: 4
Header length: 5 - 20 bytes
Differentiated Services Field: 00 - 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport))
Total length: 00 3c - 60
Identification: 2e 96 - 0x2e96 (11926)
Flags: 00 - 0x00
Fragment offset: 0000 - 0
Time to live: 40 - 64
Protocol: 01 - ICMP (1)
Header checksum: ec f4 - 0xecf4 [correct]
Source: ac 12 03 84 - 172.18.3.132
Destination: ac 12 03 8e - 172.18.3.142
Data: ICMP message
(3) IP header of a UDP packet captured while accessing swu.edu.cn:
450000240ef600004011bc0cac1203b5ffffffff
Version: 4
Header length: 5 - 20 bytes
Differentiated Services Field: 00 - 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport))
Total length: 00 24 - 36
Identification: 0e f6 - 0x0ef6 (3830)
Flags: 00 - 0x00
Fragment offset: 0000 - 0
Time to live: 40 - 64
Protocol: 11 - UDP (17)
Header checksum: bc 0c - 0xbc0c [correct]
Source: ac 12 03 b5 - 172.18.3.181
Destination: ff ff ff ff - 255.255.255.255
Data: UDP message
(4) IPv6 header of an OSPF packet captured while accessing swu.edu.cn:
6e00000000245901fe80000000000000021906fffe561e4bff020000000000000000000000000005
Version: 6
Traffic class: e0 - 0xe0
Flow label: 00000 - 0x00000
Payload length: 00 24 - 36
Next header: 59 - OSPF IGP (89)
Hop limit: 01 - 1
Source: fe 80 00 00 00 00 00 00 02 19 06 ff fe 56 1e 4b - fe80::219:6ff:fe56:1e4b
Destination: ff 02 00 00 00 00 00 00 00 00 00 00 00 00 00 05 - ff02::5
(5) IP header of a TCP packet captured while accessing swu.edu.cn:
450000341c4d40004006fcbeac12038768190a06
Version: 4
Header length: 5 - 20 bytes
Differentiated Services Field: 00 - 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport))
Total length: 00 34 - 52
Identification: 1c 4d - 0x1c4d (7245)
Flags: 40 - 0x02 (Don't Fragment)
Fragment offset: 0000 - 0
Time to live: 40 - 64
Protocol: 06 - TCP (6)
Header checksum: fc be - 0xfcbe [correct]
Source: ac 12 03 87 - 172.18.3.135
Destination: 68 19 0a 06 - 104.25.10.6
Data: TCP message
Analysis of the format and content of IP fragments
(1) IP fragments of the ICMP echo request during ping -l 4000 172.18.3.136:
This IP packet is split into 3 fragments:
First fragment:
45000034087340004006cacdac120387246e937c
DF: 0
MF: 1
Fragment offset: 0
Second fragment:
450005dc087420b94001ecc0ac120387ac120388
DF: 0
MF: 1
Fragment offset: 1480
Third fragment:
4500042c0874017240010db8ac120387ac120388
DF: 0
MF: 0
Fragment offset: 2960
(2) IP fragments of the ICMP echo request during ping -l 5000 172.18.3.136:
This IP packet is split into 4 fragments:
First fragment:
450005dc08d520004001ed18ac120387ac120388
DF: 0
MF: 1
Fragment offset: 0
Second fragment:
450005dc08d520b94001ec5fac120387ac120388
DF: 0
MF: 1
Fragment offset: 1480
Third fragment:
450005dc08d521724001eba6ac120387ac120388
DF: 0
MF: 1
Fragment offset: 2960
Fourth fragment:
4500024c08d5022b40010e7eac120387ac120388
DF: 0
MF: 0
Fragment offset: 4440
(3) IP fragments of the ICMP echo request during ping -l 2000 202.202.96.35:
This IP packet is split into 2 fragments:
First fragment:
450005dc08db2000400171bfac120387caca6023
DF: 0
MF: 1
Fragment offset: 0
Second fragment:
4500022408db00b9400194beac120387caca6023
DF: 0
MF: 0
Fragment offset: 1480
(4) IP fragments of ICMP echo request 1 during ping -l www.baidu.com (ping unsuccessful):
This IP packet is split into 3 fragments:
First fragment:
450005dc042320004001cb85ac120399b461216c
DF: 0
MF: 1
Fragment offset: 0
Second fragment:
450005dc042320b94001caccac120399b461216c
DF: 0
MF: 1
Fragment offset: 1480
Third fragment:
45000044042301724001efabac120399b461216c
DF: 0
MF: 0
Fragment offset: 2960
(5) IP fragments of ICMP echo request 2 during ping -l www.baidu.com (ping unsuccessful):
This IP packet is split into 3 fragments:
First fragment:
450005dc042f20004001cb79ac120399b461216c
DF: 0
MF: 1
Fragment offset: 0
Second fragment:
450005dc042f20b94001cac0ac120399b461216c
DF: 0
MF: 1
Fragment offset: 1480
Third fragment:
45000044042f01724001ef9fac120399b461216c
DF: 0
MF: 0
Fragment offset: 2960
In the IP fragmentation experiment, the -l option of the ping command is used to set the payload size, so that IP packets of different lengths are fragmented in different ways.
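Both the IPv4/IPv6 header decoding in section 2 and the fragment analysis above can be checked with a small parser. The following Python script is an added example for this write-up (not part of the original report and not Wireshark's own code): it decodes the headers captured above, recomputes the IPv4 header checksum that Wireshark marks as [correct], extracts the DF/MF flags and fragment offset, and then validates a set of fragments the way a reassembly engine or IDS must before accepting them, rejecting gaps, overlaps, oversize datagrams and a missing final fragment. The hex constants are the headers from the page; the function names are this example's own.

```python
import struct
from ipaddress import IPv4Address, IPv6Address

# IP headers from the captures above (hex exactly as shown on the page).
ICMP_REQUEST_HDR = "4500003c1842000040010349ac12038eac120384"
UDP_HDR = "450000240ef600004011bc0cac1203b5ffffffff"
TCP_HDR = "450000341c4d40004006fcbeac12038768190a06"
OSPF_V6_HDR = "6e00000000245901fe80000000000000021906fffe561e4bff020000000000000000000000000005"
# Fragments of "ping -l 5000 172.18.3.136" and "ping -l 2000 202.202.96.35", in capture order.
PING_5000_FRAGMENTS = [
    "450005dc08d520004001ed18ac120387ac120388",
    "450005dc08d520b94001ec5fac120387ac120388",
    "450005dc08d521724001eba6ac120387ac120388",
    "4500024c08d5022b40010e7eac120387ac120388",
]
PING_2000_FRAGMENTS = [
    "450005dc08db2000400171bfac120387caca6023",
    "4500022408db00b9400194beac120387caca6023",
]


def internet_checksum(data):
    """RFC 1071 one's-complement sum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4(hexdump):
    """Decode an IPv4 header, verify its checksum and expose the fragment fields."""
    raw = bytes.fromhex(hexdump)
    vihl, _tos, total_len, ident, frag, ttl, proto, csum, src, dst = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    version, ihl = vihl >> 4, (vihl & 0x0F) * 4
    if version != 4 or ihl < 20 or len(raw) < ihl:
        raise ValueError("not a complete IPv4 header")
    header = raw[:ihl]
    expected = internet_checksum(header[:10] + b"\x00\x00" + header[12:])  # checksum field zeroed
    return {
        "total_length": total_len, "id": ident, "ttl": ttl, "protocol": proto,
        "df": bool(frag & 0x4000), "mf": bool(frag & 0x2000), "offset": (frag & 0x1FFF) * 8,
        "checksum_ok": csum == expected, "payload_length": total_len - ihl,
        "src": str(IPv4Address(src)), "dst": str(IPv4Address(dst)),
    }


def parse_ipv6(hexdump):
    """Decode the 40-byte IPv6 fixed header (it carries no header checksum)."""
    raw = bytes.fromhex(hexdump)
    first, payload_len, next_hdr, hop_limit, src, dst = struct.unpack("!IHBB16s16s", raw[:40])
    if first >> 28 != 6:
        raise ValueError("not an IPv6 header")
    return {
        "traffic_class": (first >> 20) & 0xFF, "flow_label": first & 0xFFFFF,
        "payload_length": payload_len, "next_header": next_hdr, "hop_limit": hop_limit,
        "src": str(IPv6Address(src)), "dst": str(IPv6Address(dst)),
    }


def check_fragments(hexdumps):
    """Check that the fragments form one gap-free, overlap-free datagram and
    return its reassembled payload length; raise on the anomalies a
    reassembly engine must reject."""
    frags = [parse_ipv4(h) for h in hexdumps]
    if not frags:
        raise ValueError("no fragments")
    if len({(f["id"], f["src"], f["dst"], f["protocol"]) for f in frags}) != 1:
        raise ValueError("fragments belong to different datagrams")
    frags.sort(key=lambda f: f["offset"])
    expected_next = 0
    for f in frags:
        if f["offset"] < expected_next:
            raise ValueError(f"overlap at offset {f['offset']}")
        if f["offset"] > expected_next:
            raise ValueError(f"gap before offset {f['offset']}")
        if f["mf"] and f["payload_length"] % 8:
            raise ValueError("non-final fragment length is not a multiple of 8")
        expected_next += f["payload_length"]
    if frags[-1]["mf"]:
        raise ValueError("final fragment missing (MF still set)")
    if expected_next > 65535:
        raise ValueError("reassembled datagram would exceed 65535 bytes")
    return expected_next


if __name__ == "__main__":
    print(parse_ipv4(ICMP_REQUEST_HDR))
    print(parse_ipv6(OSPF_V6_HDR))
    print("ping -l 5000 reassembles to", check_fragments(PING_5000_FRAGMENTS), "bytes of ICMP")
```

For the ping -l 5000 capture the three full fragments carry 1480 bytes each and the last carries 568, so check_fragments returns 5008: the 8-byte ICMP header plus the 5000 bytes requested with -l. Dropping the second fragment makes it report a gap, and dropping the fourth makes it report that the final fragment is missing, which is exactly the state a reassembly buffer must time out rather than deliver.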
3. Analysis of the format and content of ICMP messages
(1) ICMP echo request message 1 during ping 172.18.3.132:
08004a5c020001006162636465666768696a6b6c6d6e6f7071727374757677616263646566676869
Type: 08 - Echo (ping) request (8)
Code: 00
Checksum: 4a 5c - 0x4a5c
Identifier: 02 00 - 512 (BE) / 2 (LE)
Sequence number: 01 00 - 256 (BE) / 1 (LE)
Data (32 bytes):
6162636465666768696a6b6c6d6e6f7071727374757677616263646566676869
(2) ICMP echo reply message 1 during ping 172.18.3.132:
0000525c020001006162636465666768696a6b6c6d6e6f7071727374757677616263646566676869
Type: 00 - Echo (ping) reply (0)
Code: 00
Checksum: 52 5c - 0x525c
Identifier: 02 00 - 512 (BE) / 2 (LE)
Sequence number: 01 00 - 256 (BE) / 1 (LE)
Data (32 bytes):
6162636465666768696a6b6c6d6e6f7071727374757677616263646566676869
(3) ICMP echo request message 2 during ping 172.18.3.132:
0800495c020002006162636465666768696a6b6c6d6e6f7071727374757677616263646566676869
Type: 08 - Echo (ping) request (8)
Code: 00
Checksum: 49 5c - 0x495c
Identifier: 02 00 - 512 (BE) / 2 (LE)
Sequence number: 02 00 - 512 (BE) / 2 (LE)
Data (32 bytes):
6162636465666768696a6b6c6d6e6f7071727374757677616263646566676869
(4) ICMP echo reply message 2 during ping 172.18.3.132:
0000515c020002006162636465666768696a6b6c6d6e6f7071727374757677616263646566676869
Type: 00 - Echo (ping) reply (0)
Code: 00
Checksum: 51 5c - 0x515c
Identifier: 02 00 - 512 (BE) / 2 (LE)
Sequence number: 02 00 - 512 (BE) / 2 (LE)
Data (32 bytes):
6162636465666768696a6b6c6d6e6f7071727374757677616263646566676869
(5) ICMP echo request message 1 during ping 202.202.96.35 (Southwest University homepage):
08003e5c02000d006162636465666768696a6b6c6d6e6f7071727374757677616263646566676869
Type: 08 - Echo (ping) request (8)
Code: 00
Checksum: 3e 5c - 0x3e5c
Identifier: 02 00 - 512 (BE) / 2 (LE)
Sequence number: 0d 00 - 3328 (BE) / 13 (LE)
Data (32 bytes):
6162636465666768696a6b6c6d6e6f7071727374757677616263646566676869
(6) ICMP echo reply message 1 during ping 202.202.96.35 (Southwest University homepage):
0000465c02000d006162636465666768696a6b6c6d6e6f7071727374757677616263646566676869
Type: 00 - Echo (ping) reply (0)
Code: 00
Checksum: 46 5c - 0x465c
Identifier: 02 00 - 512 (BE) / 2 (LE)
Sequence number: 0d 00 - 3328 (BE) / 13 (LE)
Data (32 bytes):
6162636465666768696a6b6c6d6e6f7071727374757677616263646566676869
The experiments above show that:
Paired ICMP echo request and reply messages carry the same identifier and sequence number fields.
The ping command works by sending ICMP echo requests and waiting for echo replies; its purpose is to detect whether a destination host is reachable.
ICMP is used for control messages and error reporting, which helps keep Internet packet delivery working correctly.
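The pairing rule stated in the first conclusion (a reply belongs to the request with the same identifier and sequence number) is something a capture-analysis tool has to implement, and it is also where the checksums in section 3 get verified. The following Python script is an added example for this write-up (not part of the original report): it decodes the six ICMP echo messages captured above, recomputes each checksum over the whole ICMP message with the checksum field zeroed, reports the identifier and sequence number in both the big-endian and little-endian readings Wireshark shows, and matches each reply to its outstanding request, reporting replies that match no request as unsolicited. The hex constants are the messages from the page; function names are this example's own.

```python
import struct

# ICMP echo messages from the captures above (hex exactly as shown on the page).
ECHO_MESSAGES = [
    "08004a5c020001006162636465666768696a6b6c6d6e6f7071727374757677616263646566676869",  # request 1 to .132
    "0000525c020001006162636465666768696a6b6c6d6e6f7071727374757677616263646566676869",  # reply 1 from .132
    "0800495c020002006162636465666768696a6b6c6d6e6f7071727374757677616263646566676869",  # request 2 to .132
    "0000515c020002006162636465666768696a6b6c6d6e6f7071727374757677616263646566676869",  # reply 2 from .132
    "08003e5c02000d006162636465666768696a6b6c6d6e6f7071727374757677616263646566676869",  # request to 202.202.96.35
    "0000465c02000d006162636465666768696a6b6c6d6e6f7071727374757677616263646566676869",  # reply from 202.202.96.35
]

ECHO_REQUEST, ECHO_REPLY = 8, 0


def internet_checksum(data):
    """RFC 1071 one's-complement sum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_icmp_echo(hexdump):
    """Decode an ICMP echo request/reply and verify its checksum."""
    raw = bytes.fromhex(hexdump)
    if len(raw) < 8:
        raise ValueError("truncated ICMP message")
    mtype, code, csum, ident_be, seq_be = struct.unpack("!BBHHH", raw[:8])
    if mtype not in (ECHO_REQUEST, ECHO_REPLY) or code != 0:
        raise ValueError(f"not an echo request/reply (type {mtype}, code {code})")
    # The ICMP checksum covers the entire message, header and data, with its own field zeroed.
    expected = internet_checksum(raw[:2] + b"\x00\x00" + raw[4:])
    return {
        "type": mtype,
        "checksum_ok": csum == expected,
        "id_be": ident_be, "id_le": int.from_bytes(raw[4:6], "little"),
        "seq_be": seq_be, "seq_le": int.from_bytes(raw[6:8], "little"),
        "data": raw[8:],
    }


def pair_echoes(hexdumps):
    """Match each reply to the outstanding request with the same (identifier,
    sequence number) and identical data. Returns the matched keys, the requests
    that never got a reply, and replies that matched no outstanding request."""
    pending, matched, unsolicited = {}, [], []
    for m in map(parse_icmp_echo, hexdumps):
        key = (m["id_be"], m["seq_be"])
        if m["type"] == ECHO_REQUEST:
            pending[key] = m
            continue
        req = pending.pop(key, None)
        if req is not None and req["data"] == m["data"]:
            matched.append(key)
        else:
            unsolicited.append(key)
    return matched, sorted(pending), unsolicited


if __name__ == "__main__":
    for m in ECHO_MESSAGES:
        d = parse_icmp_echo(m)
        print(f"type={d['type']} id={d['id_le']} seq={d['seq_le']} checksum_ok={d['checksum_ok']}")
    print(pair_echoes(ECHO_MESSAGES))
```

On the six captured messages every checksum verifies and pair_echoes matches all three request/reply pairs with nothing left pending or unsolicited. Fed only a reply, it reports that reply as unsolicited, which is the first thing to look at when echo replies arrive at a host that never sent requests.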
Address Resolution Protocol ARP, Network layer protocol IP, ICMP protocol