Address Resolution Protocol ARP, Network layer protocol IP, ICMP protocol

Source: Internet
Author: User

Software download for analysis: Wireshark-win32-1.10.2.exe

Reading guide

1. Analyzing and applying the ARP protocol

2. Analyzing the IP protocol

3. Analyzing the ICMP protocol

1. Analysis of the format and content of ARP messages

(1) The ARP request message of ping 172.18.3.132:

000108000604000100e04c512ae8ac12038e000000000000ac120384

Hardware type: 0001 - Ethernet (1)

Protocol type: 0800 - IP (0x0800)

Hardware size: 06 - 6

Protocol size: 04 - 4

Opcode: 0001 - request (1)

Sender MAC address: 00e04c512ae8 - RealtekS_51:2a:e8 (00:e0:4c:51:2a:e8)

Sender IP address: ac12038e - 172.18.3.142 (172.18.3.142)

Target MAC address: 000000000000 - 00:00:00_00:00:00 (00:00:00:00:00:00)

Target IP address: ac120384 - 172.18.3.132 (172.18.3.132)

(2) The ARP response message for ping 172.18.3.132:

000108000604000200e04cf0ca7eac12038400e04c512ae8ac12038e

Hardware type: 0001 - Ethernet (1)

Protocol type: 0800 - IP (0x0800)

Hardware size: 06 - 6

Protocol size: 04 - 4

Opcode: 0002 - reply (2)

Sender MAC address: 00e04cf0ca7e - RealtekS_f0:ca:7e (00:e0:4c:f0:ca:7e)

Sender IP address: ac120384 - 172.18.3.132 (172.18.3.132)

Target MAC address: 00e04c512ae8 - RealtekS_51:2a:e8 (00:e0:4c:51:2a:e8)

Target IP address: ac12038e - 172.18.3.142 (172.18.3.142)

(3) ARP Request message for Ping 202.202.96.35 (Southwest University Homepage):

000108000604000100e04c512ae8ac12038e000000000000ac120381

Hardware type: 0001 - Ethernet (1)

Protocol type: 0800 - IP (0x0800)

Hardware size: 06 - 6

Protocol size: 04 - 4

Opcode: 0001 - request (1)

Sender MAC address: 00e04c512ae8 - RealtekS_51:2a:e8 (00:e0:4c:51:2a:e8)

Sender IP address: ac12038e - 172.18.3.142 (172.18.3.142)

Target MAC address: 000000000000 - 00:00:00_00:00:00 (00:00:00:00:00:00)

Target IP address: ac120381 - 172.18.3.129 (172.18.3.129)

(4) The ARP response message for ping 202.202.96.35:

0001080006040002001906561e4bac12038100e04c512ae8ac12038e

Hardware type: 0001 - Ethernet (1)

Protocol type: 0800 - IP (0x0800)

Hardware size: 06 - 6

Protocol size: 04 - 4

Opcode: 0002 - reply (2)

Sender MAC address: 001906561e4b - Cisco_56:1e:4b (00:19:06:56:1e:4b)

Sender IP address: ac120381 - 172.18.3.129 (172.18.3.129)

Target MAC address: 00e04c512ae8 - RealtekS_51:2a:e8 (00:e0:4c:51:2a:e8)

Target IP address: ac12038e - 172.18.3.142 (172.18.3.142)

Because 202.202.96.35 is not an address on the local LAN, the request is sent to the external network through the gateway. The exchange above is therefore actually with the gateway: it obtains the gateway's MAC address so that the ARP cache entry can be established.

(5) The ARP request message when another machine (172.18.3.134) pings the local IP (172.18.3.142):

000108000604000100e04c501178ac120386000000000000ac12038e

Hardware type: 0001 - Ethernet (1)

Protocol type: 0800 - IP (0x0800)

Hardware size: 06 - 6

Protocol size: 04 - 4

Opcode: 0001 - request (1)

Sender MAC address: 00e04c501178 - RealtekS_50:11:78 (00:e0:4c:50:11:78)

Sender IP address: ac120386 - 172.18.3.134 (172.18.3.134)

Target MAC address: 000000000000 - 00:00:00_00:00:00 (00:00:00:00:00:00)

Target IP address: ac12038e - 172.18.3.142 (172.18.3.142)

(6) The ARP response message when another machine (172.18.3.134) pings the local IP (172.18.3.142):

000108000604000200e04c512ae8ac12038e00e04c501178ac120386

Hardware type: 0001 - Ethernet (1)

Protocol type: 0800 - IP (0x0800)

Hardware size: 06 - 6

Protocol size: 04 - 4

Opcode: 0002 - reply (2)

Sender MAC address: 00e04c512ae8 - RealtekS_51:2a:e8 (00:e0:4c:51:2a:e8)

Sender IP address: ac12038e - 172.18.3.142 (172.18.3.142)

Target MAC address: 00e04c501178 - RealtekS_50:11:78 (00:e0:4c:50:11:78)

Target IP address: ac120386 - 172.18.3.134 (172.18.3.134)
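The field breakdown used for the six ARP messages above can be reproduced in code. The following is an added example, not part of the original write-up: it decodes the hex strings copied from this page and builds the IP-to-MAC cache a host would learn from them, also listing any IP address that appears with two different MACs (a consistency check worth running on such a capture). The names `parse_arp`, `build_cache` and `fmt_mac` are made up for this illustration.

```python
import struct
from ipaddress import IPv4Address

# The six 28-byte ARP messages (1)-(6) from the capture above, in order.
ARP_HEX = [
    "000108000604000100e04c512ae8ac12038e000000000000ac120384",
    "000108000604000200e04cf0ca7eac12038400e04c512ae8ac12038e",
    "000108000604000100e04c512ae8ac12038e000000000000ac120381",
    "0001080006040002001906561e4bac12038100e04c512ae8ac12038e",
    "000108000604000100e04c501178ac120386000000000000ac12038e",
    "000108000604000200e04c512ae8ac12038e00e04c501178ac120386",
]

def fmt_mac(b):
    return ":".join(f"{x:02x}" for x in b)

def parse_arp(hexstr):
    """Decode one Ethernet/IPv4 ARP message into named fields."""
    raw = bytes.fromhex(hexstr)
    if len(raw) != 28:
        raise ValueError("Ethernet/IPv4 ARP is exactly 28 bytes")
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(
        "!HHBBH6s4s6s4s", raw)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not Ethernet/IPv4 ARP")
    return {
        "op": {1: "request", 2: "reply"}.get(op, f"opcode {op}"),
        "sender_mac": fmt_mac(sha), "sender_ip": str(IPv4Address(spa)),
        "target_mac": fmt_mac(tha), "target_ip": str(IPv4Address(tpa)),
    }

def build_cache(hex_messages):
    """Learn sender IP -> MAC as a host would; list IPs seen with two MACs."""
    cache, conflicts = {}, []
    for msg in map(parse_arp, hex_messages):
        ip, hw = msg["sender_ip"], msg["sender_mac"]
        if cache.get(ip, hw) != hw:
            conflicts.append((ip, cache[ip], hw))
        cache[ip] = hw
    return cache, conflicts

if __name__ == "__main__":
    for h in ARP_HEX:
        print(parse_arp(h))
    print(build_cache(ARP_HEX))
```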

2. Analysis of the format and content of IP messages

(1) IP packet for ICMP echo request during ping 172.18.3.132:

4500003c1842000040010349ac12038eac120384

Version: 4

Header length: 5 - 20 bytes

Differentiated Services Field: 00 - 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport))

Total length: 00 3c - 60

Identification: 18 42 - 0x1842 (6210)

Flags: 00 - 0x00

Fragment offset: 0000 - 0

Time to live: 40 - 64

Protocol: 01 - ICMP (1)

Header checksum: 03 49 - 0x0349 [correct]

Source IP address: ac 12 03 8e - 172.18.3.142 (172.18.3.142)

Destination IP address: ac 12 03 84 - 172.18.3.132 (172.18.3.132)

(2) IP packet for ICMP echo response during ping 172.18.3.132:

4500003c2e9600004001ecf4ac120384ac12038e

Version: 4

Header length: 5 - 20 bytes

Differentiated Services Field: 00 - 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport))

Total length: 00 3c - 60

Identification: 2e 96 - 0x2e96 (11926)

Flags: 00 - 0x00

Fragment offset: 0000 - 0

Time to live: 40 - 64

Protocol: 01 - ICMP (1)

Header checksum: ec f4 - 0xecf4 [correct]

Source IP address: ac 12 03 84 - 172.18.3.132 (172.18.3.132)

Destination IP address: ac 12 03 8e - 172.18.3.142 (172.18.3.142)

Data: the ICMP message

(3) An IP packet carrying UDP, captured while accessing swu.edu.cn:

450000240ef600004011bc0cac1203b5ffffffff

Version: 4

Header length: 5 - 20 bytes

Differentiated Services Field: 00 - 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport))

Total length: 00 24 - 36

Identification: 0e f6 - 0x0ef6 (3830)

Flags: 00 - 0x00

Fragment offset: 0000 - 0

Time to live: 40 - 64

Protocol: 11 - UDP (17)

Header checksum: bc 0c - 0xbc0c [correct]

Source IP address: ac 12 03 b5 - 172.18.3.181 (172.18.3.181)

Destination IP address: ff ff ff ff - 255.255.255.255 (255.255.255.255)

Data: the UDP message

(4) An IP (IPv6) packet carrying OSPF, captured while accessing swu.edu.cn:

6e00000000245901fe80000000000000021906fffe561e4bff020000000000000000000000000005

Version: 6

Traffic class: e0

Flow label: 0 00 00

Payload length: 00 24 - 36

Next header: 59 - OSPF IGP (89)

Hop limit: 01 - 1

Source IP address: fe 80 00 00 00 00 00 00 02 19 06 ff fe 56 1e 4b - fe80::219:6ff:fe56:1e4b

Destination IP address: ff 02 00 00 00 00 00 00 00 00 00 00 00 00 00 05 - ff02::5

(5) An IP packet carrying TCP, captured while accessing swu.edu.cn:

450000341c4d40004006fcbeac12038768190a06

Version: 4

Header length: 5 - 20 bytes

Differentiated Services Field: 00 - 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport))

Total length: 00 34 - 52

Identification: 1c 4d - 0x1c4d (7245)

Flags: 40 - 0x02 (Don't Fragment)

Fragment offset: 0000 - 0

Time to live: 40 - 64

Protocol: 06 - TCP (6)

Header checksum: fc be - 0xfcbe [correct]

Source IP address: ac 12 03 87 - 172.18.3.135

Destination IP address: 68 19 0a 06 - 104.25.10.6

Data: the TCP message

Analysis of the format and content of IP fragment packets

(1) IP fragments of the ICMP echo request during ping -l 4000 172.18.3.136:

This IP packet is divided into 3 fragments:

First fragment:

45000034087340004006cacdac120387246e937c

DF: 0

MF: 1

Fragment offset: 0

Second fragment:

450005dc087420b94001ecc0ac120387ac120388

DF: 0

MF: 1

Fragment offset: 1480

Third fragment:

4500042c0874017240010db8ac120387ac120388

DF: 0

MF: 0

Fragment offset: 2960

(2) IP fragments of the ICMP echo request during ping -l 5000 172.18.3.136:

This IP packet is divided into 4 fragments:

First fragment:

450005dc08d520004001ed18ac120387ac120388

DF: 0

MF: 1

Fragment offset: 0

Second fragment:

450005dc08d520b94001ec5fac120387ac120388

DF: 0

MF: 1

Fragment offset: 1480

Third fragment:

450005dc08d521724001eba6ac120387ac120388

DF: 0

MF: 1

Fragment offset: 2960

Fourth fragment:

4500024c08d5022b40010e7eac120387ac120388

DF: 0

MF: 0

Fragment offset: 4440

(3) IP fragments of the ICMP echo request during ping -l 2000 202.202.96.35:

This IP packet is divided into 2 fragments:

First fragment:

450005dc08db2000400171bfac120387caca6023

DF: 0

MF: 1

Fragment offset: 0

Second fragment:

4500022408db00b9400194beac120387caca6023

DF: 0

MF: 0

Fragment offset: 1480

(4) IP fragments of ICMP echo request 1 during ping -l www.baidu.com (not ping):

This IP packet is divided into 3 fragments:

First fragment:

450005dc042320004001cb85ac120399b461216c

DF: 0

MF: 1

Fragment offset: 0

Second fragment:

450005dc042320b94001caccac120399b461216c

DF: 0

MF: 1

Fragment offset: 1480

Third fragment:

45000044042301724001efabac120399b461216c

DF: 0

MF: 0

Fragment offset: 2960

(5) IP fragments of ICMP echo request 2 during ping -l www.baidu.com (not ping):

This IP packet is divided into 3 fragments:

First fragment:

450005dc042f20004001cb79ac120399b461216c

DF: 0

MF: 1

Fragment offset: 0

Second fragment:

450005dc042f20b94001cac0ac120399b461216c

DF: 0

MF: 1

Fragment offset: 1480

Third fragment:

45000044042f01724001ef9fac120399b461216c

DF: 0

MF: 0

Fragment offset: 2960

In the IP fragment analysis experiment, the ping -l command is used to set the length of the IP packet so as to produce different fragmentation results.
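The DF, MF and fragment-offset values listed above all come from the 16-bit flags/offset word of each header. The following is an added example, not part of the original write-up: it decodes that word for the four headers of set (2) and checks that the fragments tile the datagram with no gap or overlap, the same sanity check a reassembler or IDS applies. The names `parse_fragment` and `check_reassembly` are made up for this illustration.

```python
import struct

# IPv4 headers of the four fragments from "ping -l 5000" (set (2) above).
FRAGS_5000 = [
    "450005dc08d520004001ed18ac120387ac120388",
    "450005dc08d520b94001ec5fac120387ac120388",
    "450005dc08d521724001eba6ac120387ac120388",
    "4500024c08d5022b40010e7eac120387ac120388",
]

def parse_fragment(hexstr):
    """Pull the fragmentation-related fields out of one IPv4 header."""
    raw = bytes.fromhex(hexstr)
    vihl, _tos, total, ident, flags_off, _ttl, proto = struct.unpack(
        "!BBHHHBB", raw[:10])
    return {
        "id": ident, "proto": proto,
        "df": bool(flags_off & 0x4000),
        "mf": bool(flags_off & 0x2000),
        "offset": (flags_off & 0x1FFF) * 8,        # field is in 8-byte units
        "payload_len": total - (vihl & 0x0F) * 4,  # total length minus header
    }

def check_reassembly(headers):
    """Return (reassembled payload length, problems) for one datagram."""
    frags = sorted(map(parse_fragment, headers), key=lambda f: f["offset"])
    problems, expected = [], 0
    if len({(f["id"], f["proto"]) for f in frags}) != 1:
        problems.append("fragments differ in identification or protocol")
    for i, f in enumerate(frags):
        is_last = i == len(frags) - 1
        if f["offset"] < expected:
            problems.append(f"overlap at offset {f['offset']}")
        elif f["offset"] > expected:
            problems.append(f"gap before offset {f['offset']}")
        if f["mf"] == is_last:
            problems.append(f"MF flag wrong at offset {f['offset']}")
        if not is_last and f["payload_len"] % 8:
            problems.append(f"payload not a multiple of 8 at {f['offset']}")
        expected = max(expected, f["offset"] + f["payload_len"])
    return expected, problems

if __name__ == "__main__":
    print([parse_fragment(h)["offset"] for h in FRAGS_5000])
    print(check_reassembly(FRAGS_5000))
```

The reassembled length for set (2) is 5008 bytes: the 5000 bytes requested with -l plus the 8-byte ICMP header. Fed the three headers printed under set (1), the same function reports problems, because the first header listed there carries identification 0x0873, protocol 6 and the DF bit, unlike the other two.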

3. Analyzing the format and content of ICMP messages

(1) ICMP echo request message 1 for ping 172.18.3.132:

08004a5c020001006162636465666768696a6b6c6d6e6f7071727374757677616263646566676869

Type: 08 - Echo request

Code: 00

Checksum: 4a 5c

Identifier: 02 00 - 512 (BE), 2 (LE)

Sequence number: 01 00 - 256 (BE), 1 (LE)

Data:

6162636465666768696a6b6c6d6e6f7071727374757677616263646566676869

(2) ICMP echo response message 1 for ping 172.18.3.132:

0000525c020001006162636465666768696a6b6c6d6e6f7071727374757677616263646566676869

Type: 00 - Echo reply

Code: 00

Checksum: 52 5c

Identifier: 02 00 - 512 (BE), 2 (LE)

Sequence number: 01 00 - 256 (BE), 1 (LE)

Data:

6162636465666768696a6b6c6d6e6f7071727374757677616263646566676869

(3) ICMP echo request message 2 for ping 172.18.3.132:

0800495c020002006162636465666768696a6b6c6d6e6f7071727374757677616263646566676869

Type: 08 - Echo request

Code: 00

Checksum: 49 5c

Identifier: 02 00 - 512 (BE), 2 (LE)

Sequence number: 02 00 - 512 (BE), 2 (LE)

Data:

6162636465666768696a6b6c6d6e6f7071727374757677616263646566676869

(4) ICMP echo response message 2 for ping 172.18.3.132:

0000515c020002006162636465666768696a6b6c6d6e6f7071727374757677616263646566676869

Type: 00 - Echo reply

Code: 00

Checksum: 51 5c

Identifier: 02 00 - 512 (BE), 2 (LE)

Sequence number: 02 00 - 512 (BE), 2 (LE)

Data:

6162636465666768696a6b6c6d6e6f7071727374757677616263646566676869

(5) ICMP echo request message 1 for ping 202.202.96.35 (Southwest University homepage):

08003e5c02000d006162636465666768696a6b6c6d6e6f7071727374757677616263646566676869

Type: 08 - Echo request

Code: 00

Checksum: 3e 5c

Identifier: 02 00 - 512 (BE), 2 (LE)

Sequence number: 0d 00 - 3328 (BE), 13 (LE)

Data:

6162636465666768696a6b6c6d6e6f7071727374757677616263646566676869

(6) ICMP echo response message 1 for ping 202.202.96.35 (Southwest University homepage):

0000465c02000d006162636465666768696a6b6c6d6e6f7071727374757677616263646566676869

Type: 00 - Echo reply

Code: 00

Checksum: 46 5c

Identifier: 02 00 - 512 (BE), 2 (LE)

Sequence number: 0d 00 - 3328 (BE), 13 (LE)

Data:

6162636465666768696a6b6c6d6e6f7071727374757677616263646566676869

The above experiment shows that:

A paired ICMP echo request and reply carry the same identifier and the same sequence number.

The ping command is built on ICMP echo request and reply messages; its purpose is to test whether a destination host is reachable.

ICMP is used for control and error reporting, which helps keep delivery across the Internet in order.
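The pairing rule stated above can be checked mechanically on the six captured messages. The following is an added example, not part of the original write-up: it verifies each ICMP checksum with the standard one's-complement sum and matches every echo reply to its request by identifier, sequence number and echoed data. The names `checksum_ok`, `parse_echo` and `pair_echoes` are made up for this illustration.

```python
import struct

# Constructed from ICMP messages (1)-(6) above: 8-byte header + the shared
# 32-byte Windows ping payload "abcdefghijklmnopqrstuvwabcdefghi".
DATA = "6162636465666768696a6b6c6d6e6f7071727374757677616263646566676869"
HEADERS = ["08004a5c02000100", "0000525c02000100", "0800495c02000200",
           "0000515c02000200", "08003e5c02000d00", "0000465c02000d00"]
ICMP_HEX = [h + DATA for h in HEADERS]

def checksum_ok(raw):
    """RFC 1071 check: one's-complement sum of all 16-bit words is 0xFFFF."""
    if len(raw) % 2:
        raw += b"\x00"
    total = sum(struct.unpack(f"!{len(raw) // 2}H", raw))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total == 0xFFFF

def parse_echo(hexstr):
    """Decode an ICMP echo request/reply; the sequence is shown both ways."""
    raw = bytes.fromhex(hexstr)
    typ, code, _csum, ident, seq = struct.unpack("!BBHHH", raw[:8])
    return {"type": typ, "code": code, "id_be": ident, "seq_be": seq,
            "seq_le": int.from_bytes(raw[6:8], "little"),
            "data": raw[8:], "checksum_ok": checksum_ok(raw)}

def pair_echoes(hex_messages):
    """Match echo replies (type 0) to earlier requests (type 8)."""
    pending, pairs, unmatched = {}, [], []
    for m in map(parse_echo, hex_messages):
        key = (m["id_be"], m["seq_be"], m["data"])  # a reply echoes all three
        if m["type"] == 8:
            pending[key] = m
        elif m["type"] == 0 and key in pending:
            del pending[key]
            pairs.append((m["id_be"], m["seq_le"]))
        else:
            unmatched.append(key[:2])  # reply nobody asked for
    unmatched += [k[:2] for k in pending]  # requests never answered
    return pairs, unmatched

if __name__ == "__main__":
    print(all(parse_echo(h)["checksum_ok"] for h in ICMP_HEX))
    print(pair_echoes(ICMP_HEX))
```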
