Analysis of TCP/IP Packets Based on Jpcap (I)

Source: Internet
Author: User

Analysis of TCP/IP Packets Based on Jpcap
Original: Zhao Hui
Chapter One: Structure of Ethernet and TCP/IP
1.1 Structure of Ethernet
1.1.1 Ethernet-based network architecture
1.1.2 Data exchange on Ethernet
1.1.3 Structure of Ethernet frames
1.2 Composition of IP datagrams
1.2.1 IP addresses
1.2.2 Routing
1.2.3 Composition of IP datagrams
1.2.4 Other message structures
1.3 TCP/UDP
1.3.1 Role of TCP/UDP
1.3.2 Structure of TCP and UDP packets
Chapter Two: The Jpcap class library
2.1 Using Jpcap
2.1.1 Installing the Jpcap runtime environment
2.1.2 Installing the Jpcap development environment
2.2 Introduction to Jpcap
2.2.1 The Packet base class and its subclasses
2.2.2 Main functions of Jpcap
Chapter Three: Design of the packet listener program
3.1 Packet monitoring principle
3.2 Parsing Ethernet frames
3.2.1 Getting the MAC address
3.2.2 Determining the packet type
3.3 Monitoring IP datagrams
3.3.1 Parsing IP datagrams
3.3.2 Parsing ARP and ICMP datagrams
3.4 TCP and UDP snooping
3.4.1 Parsing TCP datagrams
3.4.2 Parsing UDP datagrams
Chapter Four: Packet analysis
4.1 Flow analysis
4.1.1 Representation of packet size
4.1.2 Packet traffic observation
4.2 Packet classification analysis
4.2.1 Packet filtering
4.2.2 Using packet analysis to solve network problems
Chapter Five: Packet sending
5.1 Constructing and sending IP packets
5.1.1 IP packet construction and dispatch
5.1.2 Analysis of send results
5.2 Constructing and sending TCP packets
5.2.1 TCP packet construction and dispatch
5.2.2 Analysis of send results
Chapter One: Structure of Ethernet and TCP/IP
1.1 Structure of Ethernet
Ethernet is the most widely used communication protocol standard in today's LANs. The standard defines the cable types and the signal processing methods used in a local area network (LAN). Ethernet transmits packets between interconnected devices at 10 to 100 Mbps; 10Base-T Ethernet over twisted-pair cable, with its low cost, high reliability and 10 Mbps speed, is the most widely used Ethernet technology. Many manufacturers offer products that communicate using this common software protocol, so its openness is the best. Ethernet is a low-level network protocol that usually operates at the physical layer and the data link layer of the OSI (Open System Interconnection) reference model. Among bus-type protocols it is the most common: a coaxial-cable system with a data rate of 10 Mbps (megabits per second).
1.1.1 Ethernet-based network architecture
In a computer network, communication between one layer and the next generally uses a protocol. In the usual OSI model, the protocol levels are divided into seven layers. The first layer is the physical layer, which handles the network protocol on the hardware. The seventh layer is the application layer, which handles the protocols for applications. The second to sixth layers are arranged in order between them.
Layer | Name | Content
7 | Application layer | Protocols for applications such as mail, news, etc.
6 | Presentation layer | Data syntax protocols
5 | Session layer | Dialogue management protocols based on the network
4 | Transport layer | Adds to the layer 3 functions the ability to transfer data reliably between two computers
3 | Network layer | Selects one computer among the many on the network as the communication object
2 | Data link layer | One-to-one data communication between two computers
1 | Physical layer | Hardware-level specifications such as electrical signals and connectors
OSI reference model
Ethernet was designed at Xerox's Palo Alto research center in the 1970s; in 1980 Xerox, Intel and DEC (later acquired by Compaq) together summarized it into a set of protocols for local area networks (LANs). The Ethernet specification was standardized by the 802 committee of the IEEE (Institute of Electrical and Electronics Engineers), which began its standardization discussions in 1980 and issued IEEE 802.3 as the standard specification; ISO (International Standards Organization) later adopted it as ISO 802.3.
Older Ethernet devices used coaxial cable as the transmission medium. With coaxial-cable Ethernet, no hub is needed between devices; every device attaches to the coaxial cable, which becomes a bus shared among them, and this form of connection is called a bus topology. Today the widely used transmission medium is twisted pair, usually Category 5 twisted pair, which supports 100 Mbit/s communication. Twisted-pair connections use a device called a hub, which connects multiple computers by joining their twisted-pair cables to each other. In a network using a hub, the computers are connected radially around the hub, which is known as a star network.
Because of the hub's forwarding function, packets can be monitored on an Ethernet LAN. The packet listeners in this article all run on a LAN. Of course, packet monitoring can also be carried out at points where packets enter and leave, such as gateways.
1.1.2 Data exchange on Ethernet
On Ethernet, data is exchanged in units of a data structure called a frame. The unit of data exchanged on a computer network is usually called a packet; the packets used on Ethernet are referred to as frames. A packet contains a header part, holding the information needed to deliver it to the other party, and a message part, recording the content sent to the receiving end. The header contains the address of the receiving end, the address of the sending end, and the error check and correction code needed for detecting and correcting data errors. The packet is transmitted onto the network and delivered to the receiving end via network relay devices.
Frames are sent using a method called carrier sense multiple access with collision detection (CSMA/CD: Carrier Sense Multiple Access with Collision Detection). In CSMA/CD, if no data is on the network, data can be sent at any time. A network device that wants to transmit therefore first confirms whether data is already being transmitted on the network. If not, it can send its data; if the network is in use, it waits until the network is idle and then sends. This corresponds to the CSMA part of CSMA/CD. With this method, two network devices may both consider the network idle and send at the same time, causing a collision. Therefore, in CSMA/CD, collisions are detected while data is being sent. If a collision is detected, in order to make sure the collision is noticed, the device first waits the time needed to send 32 bits of data, then waits a randomly determined time, and then resends. In this way, of the two devices that started sending at the same time, the one with the smaller random number sends first, and the one with the larger random number does not send until the network is idle again. This wait time is called the backoff time.
Network congestion and repeated collisions can prevent data from being sent. Therefore, to use network resources effectively, the maximum wait is adjusted according to whether the network is idle or congested. When the network is idle and collisions are few, the maximum wait time is reduced; when congestion and collisions occur frequently, the maximum wait time is increased. The maximum wait time can be expressed by the following formula:
Here Ts is the time required to send 512 bits of data (called the slot time), and K is the smaller of the number of collisions so far and 10.
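To make the backoff rule concrete, here is an added Python example (not code from the original article) that computes the backoff window from the collision count. The text defines Ts and K but the formula itself did not survive; the bound of 2^K - 1 slots used here is the standard IEEE 802.3 truncated binary exponential backoff, which is my assumption about the formula the text intends, and giving up after 16 attempts is likewise the 802.3 limit rather than something the text states.

```python
import random

SLOT_TIME_BITS = 512        # Ts: the time needed to send 512 bits (one slot time)
MAX_BACKOFF_EXPONENT = 10   # K is capped at 10 collisions
MAX_ATTEMPTS = 16           # assumption: IEEE 802.3 abandons the frame after 16 attempts


def slot_time_seconds(bit_rate_bps: int) -> float:
    """Ts in seconds for a given line rate: 51.2 microseconds at 10 Mbps."""
    return SLOT_TIME_BITS / bit_rate_bps


def backoff_exponent(collisions: int) -> int:
    """K = min(number of collisions so far, 10)."""
    if collisions < 1:
        raise ValueError("backoff is only computed after a collision")
    return min(collisions, MAX_BACKOFF_EXPONENT)


def max_wait_slots(collisions: int) -> int:
    """Largest random slot count r for this collision count: r is drawn from
    0 .. 2**K - 1 (standard 802.3 truncated binary exponential backoff).
    The window doubles with each collision until K reaches 10."""
    return 2 ** backoff_exponent(collisions) - 1


def draw_wait_time(collisions: int, bit_rate_bps: int, rng=random) -> float:
    """One random backoff delay in seconds: r * Ts with 0 <= r <= 2**K - 1."""
    if collisions >= MAX_ATTEMPTS:
        raise RuntimeError("excessive collisions: the frame is dropped")
    slots = rng.randint(0, max_wait_slots(collisions))
    return slots * slot_time_seconds(bit_rate_bps)


def simulate_collisions(collisions: int, bit_rate_bps: int, seed: int = 1) -> list:
    """Wait times for one frame that collides `collisions` times before it succeeds.
    A fixed seed makes the run reproducible; the window grows with each collision."""
    rng = random.Random(seed)
    return [draw_wait_time(n, bit_rate_bps, rng) for n in range(1, collisions + 1)]


if __name__ == "__main__":
    for n, wait in enumerate(simulate_collisions(12, 10_000_000), start=1):
        print(f"collision {n:2d}: K={backoff_exponent(n):2d}, "
              f"max {max_wait_slots(n):4d} slots, waited {wait * 1e6:8.1f} us")
```

Running the block prints how the window stays at 1023 slots from the tenth collision on, which is why a busy segment degrades rather than recovers: every station keeps drawing from the same large window.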
Thus, with CSMA/CD, data can be sent at any time, and a frame can be resent if a collision causes the send to fail. CSMA/CD is therefore an efficient communication protocol when the network is relatively idle.
When the network is congested, the opposite holds. With CSMA/CD, collisions, waiting and resending consume too much time; the network repeatedly carries useless data, network devices, transmission lines and other network resources are wasted, and communication efficiency drops.
On an Ethernet with frequent collisions, CSMA/CD communication efficiency is very low, and because there is no way to predict when a collision will occur, there is no guarantee that the other party receives the data within a given time limit. This is a fatal flaw for real-time communication of multimedia data such as sound and images, which depend strongly on timing. Therefore Ethernet with CSMA/CD cannot be used for multimedia data communication.
Frames are transmitted over the network and received by the NIC. In general a network card has several modes for receiving data frames: unicast, broadcast, multicast and promiscuous. Unicast means the card receives frames whose destination address is its own hardware address. Broadcast means it receives all kinds of broadcast frames. Multicast means it receives frames addressed to a specific group. Promiscuous, usually called promiscuous mode, means the card performs no check on the destination hardware address at all and receives every frame.
When the hosts in a LAN are connected through a hub or similar device, this is generally referred to as a shared connection, and a shared connection has a very obvious feature: the hub forwards all the data it receives to every port. That is, when a host sends a packet addressed by MAC address, although the sending host names the destination host, this does not mean the other hosts on the same network cannot hear the communication between sender and receiver; under normal circumstances the other hosts simply ignore these messages. If a host is unwilling to ignore them and sets its network card to promiscuous mode, then any information transmitted on the LAN can be heard by that host's network interface.
1.1.3 Structure of Ethernet frames
The structure of an Ethernet frame is as follows. The first 64 bits are the preamble and the start frame delimiter. The preamble is a signal that lets the sending and receiving sides synchronize on the handover of data: the sender transmits 56 bits (10101010 ... 10) of alternating 1 and 0 signals. After receiving this signal, the receiver is ready to read the signal that follows.
After the preamble come the 8 bits (10101011) that mark the real start of the frame, the start frame delimiter. After the delimiter come the addresses: the MAC address of the receiving end and the MAC address of the sending end. Only when the receiving-end MAC address is the receiver's own MAC address is the frame received; if the MAC address is that of another machine, the frame is not received. But when the receiving-end address is all 1s, every device connected to the same Ethernet receives the frame. A MAC address of all 1s is called the broadcast address.
After the MAC addresses of the receiving end and the sender comes a 16-bit type field. The type field holds the code of the upper-layer protocol whose data is carried in the Ethernet frame. The packet portion of an Ethernet frame can hold up to 12,000 bits, that is, 1500 bytes. Ethernet is a protocol of the physical layer and the data link layer; the data carried by an Ethernet frame is the packet specified by the network layer. If the IP network protocol is used, the IP packet is stored in the message part of the Ethernet frame.
The end of the frame is the error check and correction code used to check for data errors. Common error checking methods include parity, but Ethernet usually uses a cyclic redundancy check (CRC: Cyclic Redundancy Check). In CRC, the bit sequence of the frame is treated as a polynomial; the result of dividing it by a prescribed polynomial is sent together with the data. The division is repeated at the receiving end, and the result confirms whether the transmitted data is correct. CRC can not only detect errors but also correct them at the receiving side. However, when Ethernet detects an error, the frame is discarded and sent again.
A repeating hub does not recognize MAC addresses and relays Ethernet frames to all ports. A switching hub is also known as a layer-2 switch, because it interprets Ethernet frames according to the data link layer protocol, the second-layer protocol. With a switching hub, computers are connected one-to-one, and the communication line is also completely one-to-one, so the collisions that CSMA/CD expects do not occur. Reception and transmission proceed in parallel; such communication is called full-duplex communication, while ordinary Ethernet communication is called half-duplex communication. Because reception and sending can proceed in parallel in full-duplex communication, its communication speed is twice that of half duplex.
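The frame layout just described, as an added Python example that is not part of the original article: it assembles a frame from the fields in the text (destination MAC, source MAC, 16-bit type, payload, CRC-32 check code), parses one back, and applies the NIC's unicast/broadcast/promiscuous filter from section 1.1.2. The EtherType codes for IPv4, ARP and IPv6 and the 46-byte minimum payload are standard values that the text does not list; the sample frame is constructed, not captured.

```python
import struct
import zlib

BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"     # destination of all 1s: every station receives it
ETHERTYPE_NAMES = {0x0800: "IPv4", 0x0806: "ARP", 0x86DD: "IPv6"}  # well-known type codes
MIN_PAYLOAD = 46     # 802.3 minimum payload; shorter data is padded with zeros
MAX_PAYLOAD = 1500   # the 12,000-bit (1500-byte) maximum from the text
HEADER_LEN = 14      # 6-byte destination + 6-byte source + 2-byte type field
FCS_LEN = 4          # 32-bit CRC at the end of the frame


def mac_to_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def mac_to_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def frame_check_sequence(body: bytes) -> bytes:
    """CRC-32 over destination, source, type and payload, transmitted
    least-significant byte first, as the Ethernet FCS is."""
    return struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)


def build_frame(dst: str, src: str, ethertype: int, payload: bytes) -> bytes:
    """Assemble a frame as it looks after the preamble and start frame delimiter
    (those 64 bits are consumed by the NIC and never handed to software)."""
    if len(payload) > MAX_PAYLOAD:
        raise ValueError("payload exceeds 1500 bytes; fragment at the network layer")
    payload = payload.ljust(MIN_PAYLOAD, b"\x00")
    body = mac_to_bytes(dst) + mac_to_bytes(src) + struct.pack("!H", ethertype) + payload
    return body + frame_check_sequence(body)


def parse_frame(frame: bytes) -> dict:
    """Split a raw frame into its fields and verify the CRC. A receiver drops a
    frame whose FCS does not match; it does not try to repair it."""
    if len(frame) < HEADER_LEN + MIN_PAYLOAD + FCS_LEN:
        raise ValueError("runt frame")
    body, fcs = frame[:-FCS_LEN], frame[-FCS_LEN:]
    ethertype = struct.unpack("!H", body[12:14])[0]
    dst = mac_to_str(body[0:6])
    return {
        "dst": dst,
        "src": mac_to_str(body[6:12]),
        "ethertype": ethertype,
        "protocol": ETHERTYPE_NAMES.get(ethertype, "unknown"),
        "is_broadcast": dst == BROADCAST_MAC,
        "payload": body[HEADER_LEN:],
        "fcs_ok": fcs == frame_check_sequence(body),
    }


def would_accept(frame: bytes, own_mac: str, promiscuous: bool = False) -> bool:
    """The NIC's receive filter: frames addressed to this station or to everyone,
    or every frame when the card is in promiscuous mode."""
    dst = parse_frame(frame)["dst"]
    return promiscuous or dst == own_mac.lower() or dst == BROADCAST_MAC


if __name__ == "__main__":
    # Constructed sample: a short ARP payload inside a broadcast frame
    sample = build_frame(BROADCAST_MAC, "00:11:22:33:44:55", 0x0806, b"\x00\x01\x08\x00")
    print(parse_frame(sample))
    damaged = bytearray(sample)
    damaged[20] ^= 0x01          # flip one payload bit: the CRC no longer matches
    print("damaged fcs_ok:", parse_frame(bytes(damaged))["fcs_ok"])
```

A listener built on Jpcap receives exactly the bytes `parse_frame` expects, starting at the destination MAC; the FCS is normally stripped by the NIC before capture, so in a real capture only the first three fields and the payload are available to the program.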
1.2 Composition of IP datagrams
The data segment of an Ethernet frame is typically an IP datagram or a datagram of another IP-related protocol, including ARP (Address Resolution Protocol), ICMP (Internet Control Message Protocol), and so on.
1.2.1 IP addresses
Generally, "IP address" refers to the address of IPv4, the fourth version of the IP protocol, which is currently in use. An IP address is represented by a 32-bit binary number, usually divided into four 8-bit segments written as decimal values separated by dots. Therefore, the value of an IP address can range from to .
In the computer (host) address, all values except all 0s and all 1s can be used. When the host address is all 0s, the address designates the network itself; when the host address is all 1s, the address designates a broadcast to the entire network. How many bits the network address uses depends on how many computers a LAN must hold. Thus the number of bits in the network address determines the class of the IP address.
A Class A address has a 7-bit network address and a 24-bit computer address. That is, there are only about 100 Class A networks, each able to accommodate 16 million computers. Class B addresses are easy to use because the number of networks and the number of hosts are both moderate, which has led to a shortage of Class B address resources and made allocation very difficult. Class C addresses have a large surplus, but because one Class C address often cannot accommodate all the computers on an organization's network, multiple Class C addresses must be assigned. In this case, Classless Inter-Domain Routing (CIDR) technology, which treats these computers as one network and uses addresses not bound to the original classes, is needed. Redistributing the address space increases the utilization of network addresses; a network assigned in this way is called a subnet. When subnets are used, you cannot tell from the IP address class which part of the address is the network address. Class D addresses are multicast addresses, which transmit IP datagrams to multiple parties. Broadcast delivers IP datagrams to all network devices, whereas in multicast only the computers that want to receive the data receive the IP datagrams. Multicast can transmit sound, images and so on to multiple network devices simultaneously, so it is often used in applications that broadcast over the network.
IP addresses used on the Internet are not duplicated anywhere in the world. But non-public IP addresses are not connected to the Internet and may be duplicated in other networks. Therefore, for internal private addresses that are not disclosed, their scope of use must be specified. The private address ranges defined in RFC 1918 are:
Therefore, the IP addresses in an internal private network are usually within the above ranges.
The next-generation IP, IPv6, has 128-bit addresses, so the number of IP addresses is 2^96 times larger. This solves the problem of insufficient IPv4 address resources, and IP addresses will correspond to the domain-based network structure, improving the efficiency of routing.
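An added Python example (mine, not the article's code) that applies the address rules of this section: it derives the class from the leading bits of the first octet, reports the network-address width the class implies, tells a network address (host bits all 0) from a broadcast address (host bits all 1) inside a CIDR subnet, and checks membership in the RFC 1918 private ranges. The article's table of those ranges did not survive; the three networks in the code are taken from RFC 1918 itself.

```python
import ipaddress

# RFC 1918 private ranges (values from the RFC; the article's table is missing)
PRIVATE_NETWORKS = [ipaddress.ip_network(n) for n in
                    ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Classful layout: (class, number of leading bits to compare, their pattern, network bits).
# Class A: leading 0, 8 network bits (7 usable, as the text says) and 24 host bits.
CLASSES = (("A", 1, 0b0, 8), ("B", 2, 0b10, 16), ("C", 3, 0b110, 24),
           ("D", 4, 0b1110, None), ("E", 4, 0b1111, None))


def address_class(addr: str) -> str:
    first_octet = int(ipaddress.IPv4Address(addr)) >> 24
    for name, width, pattern, _ in CLASSES:
        if first_octet >> (8 - width) == pattern:
            return name
    raise AssertionError("unreachable: the five patterns cover every octet")


def classful_network_bits(addr: str):
    """Network-address width implied by the class; None for multicast (D) and reserved (E)."""
    name = address_class(addr)
    return next(bits for n, _, _, bits in CLASSES if n == name)


def is_private(addr: str) -> bool:
    ip = ipaddress.IPv4Address(addr)
    return any(ip in net for net in PRIVATE_NETWORKS)


def host_role(addr: str, network: str) -> str:
    """What a host part of all 0s or all 1s means inside a (possibly CIDR) network."""
    net = ipaddress.ip_network(network, strict=False)
    ip = ipaddress.IPv4Address(addr)
    if ip not in net:
        return "outside"
    if ip == net.network_address:
        return "network"         # host bits all 0: the network itself
    if ip == net.broadcast_address:
        return "broadcast"       # host bits all 1: every host on the network
    return "host"


def describe(addr: str, network: str = None) -> dict:
    """Summary a packet analyser might attach to each address it sees."""
    cls = address_class(addr)
    info = {"class": cls, "classful_network_bits": classful_network_bits(addr),
            "private": is_private(addr), "multicast": cls == "D"}
    if network:
        info["role"] = host_role(addr, network)
    return info


if __name__ == "__main__":
    for sample in ("10.1.2.3", "172.16.5.5", "192.168.1.255", "224.0.0.1", "8.8.8.8"):
        print(sample, describe(sample, "192.168.1.0/24"))
```
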
1.2.2 Routing
A router is a packet-forwarding device that works at the third layer of the OSI reference model, the network layer. Routers interconnect networks by forwarding packets. Although routers can support protocols such as TCP/IP, IPX/SPX and AppleTalk, the vast majority of routers in our country run the TCP/IP protocol. A router typically connects two or more logical ports identified by an IP subnet or a point-to-point protocol, with at least one physical port. Based on the network layer address in a received packet and the routing table maintained inside the router, the router determines the output port and the next-hop address, and rewrites the link layer header to forward the packet. The router maintains its routing table dynamically, reflecting the current network topology, by exchanging routing and link information with other routers on the network.
In IP, routers are used to communicate between two or more networks. A router has two or more network interfaces. Routers relay IP datagrams across the Internet: a router obtains an IP datagram from a network device directly connected to it and adjusts the direction in which the IP datagram is sent onward. Because the IP datagram itself contains no information about the path to the destination computer, the relay relies on the receiving end's IP address, and the datagram is relayed through multiple routers.
Routers have two major functions. The data path function: for each packet arriving at the router, it is responsible for finding a loss-free path. It mainly includes the forwarding decision, transfer through the backplane, and output link queue scheduling. Forwarding is implemented in specialized hardware and performed for every packet passing through the router, so the data path function is important for router performance. The control function: mainly managing the routing table, configuring and managing the system, and exchanging routing table information with neighboring routers; it is implemented in software. These functions are not performed for every packet, so they are used relatively infrequently.
Routers need to identify arriving packets and classify them to determine the type of service they should receive. Originally the plan was to identify packets in the network core based on the TOS (Type of Service) field of the IP header, but as the Internet developed with "best effort" delivery, terminals did not set TOS when sending IP packets, so TOS never functioned. Currently, in edge devices, packets are identified based on the source IP address, destination IP address, source port number, destination port number and transport layer protocol type of the IP packet. In addition, IP packets must be identified in order to implement firewall functionality.
During identification, each rule uses the source IP address, destination IP address, source port number, destination port number and transport layer protocol type, and each field in a rule may be a range. For example, the rule "202.66.83.x, 202.66.72.x, x, 23, TCP" (x is arbitrary) identifies Telnet data from network 202.66.83.x to network 202.66.72.x. Geometrically, if the classifier uses K fields of the IP header, the problem is that of many overlapping regions in a K-dimensional space (each rule corresponds to one region); whenever a packet arrives, it is equivalent to a point in the K-dimensional space, and classification is actually finding the highest-priority region that contains that point.
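The five-field classifier of this paragraph, as an added Python example that is not part of the original article. It accepts rules in the text's own syntax ("202.66.83.x" for an address prefix, "x" for a wildcard, "23" or "1024-65535" for a port), treats each rule as a region in the five-dimensional space and returns the highest-priority region containing the packet's 5-tuple. The priority values, the rule actions and the sample packets are constructed for the example; the protocol numbers for TCP, UDP and ICMP are the IANA assignments.

```python
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple

PROTO_NUMBERS = {"TCP": 6, "UDP": 17, "ICMP": 1}   # IANA protocol numbers


def parse_prefix(text: str) -> Tuple[int, int]:
    """'202.66.83.x' -> (value, mask) over 32 bits; each 'x' octet is a wildcard.
    A bare 'x' matches every address."""
    value = mask = 0
    for octet in text.split("."):
        value <<= 8
        mask <<= 8
        if octet != "x":
            value |= int(octet)
            mask |= 0xFF
    return value, mask


def ip_to_int(dotted: str) -> int:
    a, b, c, d = (int(p) for p in dotted.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


def prefix_match(pattern: str, addr: str) -> bool:
    value, mask = parse_prefix(pattern)
    return (ip_to_int(addr) & mask) == value


def port_match(pattern: str, port: int) -> bool:
    """'x' matches any port, '23' one port, '1024-65535' an inclusive range."""
    if pattern == "x":
        return True
    lo, _, hi = pattern.partition("-")
    return int(lo) <= port <= int(hi or lo)


@dataclass(frozen=True)
class Packet:
    """The 5-tuple of one arriving packet: a point in the 5-dimensional space."""
    src: str
    dst: str
    sport: int
    dport: int
    proto: int


@dataclass(frozen=True)
class Rule:
    """One identification rule: five fields, each a point, a range or a wildcard."""
    src: str            # e.g. "202.66.83.x"
    dst: str
    sport: str          # "x", "23" or "1024-65535"
    dport: str
    proto: str          # "TCP", "UDP", "ICMP" or "x"
    priority: int       # higher wins when regions overlap
    action: str         # label the classifier attaches, e.g. a service class

    def matches(self, pkt: Packet) -> bool:
        return (prefix_match(self.src, pkt.src) and prefix_match(self.dst, pkt.dst)
                and port_match(self.sport, pkt.sport) and port_match(self.dport, pkt.dport)
                and (self.proto == "x" or PROTO_NUMBERS[self.proto] == pkt.proto))


def classify(rules: Iterable[Rule], pkt: Packet) -> Optional[Rule]:
    """Return the highest-priority rule whose region contains the packet, or None."""
    hits = [r for r in rules if r.matches(pkt)]
    return max(hits, key=lambda r: r.priority) if hits else None


# Constructed rule set: the article's Telnet rule plus a catch-all region.
RULES = [
    Rule("202.66.83.x", "202.66.72.x", "x", "23", "TCP", priority=10, action="telnet-83-to-72"),
    Rule("x", "x", "x", "x", "x", priority=0, action="best-effort"),
]

if __name__ == "__main__":
    for pkt in (Packet("202.66.83.5", "202.66.72.9", 40000, 23, 6),
                Packet("202.66.83.5", "202.66.72.9", 40000, 23, 17)):
        print(pkt, "->", classify(RULES, pkt).action)
```

Matching every rule and taking the maximum is the simplest correct algorithm; production classifiers use tries or bit-vector schemes because this linear scan runs once per packet, but they must produce exactly the same answer as this reference.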
IP datagram routing is arranged according to the routing table. The routing table is the data structure that records how a network device transmits IP datagrams to other network devices. Not only routers have routing tables; all network devices that use the network layer protocol have them, including computers, routers and L3 switches (router groups).
The routing table records, as a pair, the IP address of the destination computer of an IP datagram and the IP address of the router that must be passed through to reach that final destination. For example, a computer in this network has the routing table below:
Receiving end | Next send address
Computer in own LAN | Send directly to the receiving end computer
Default | Router in the LAN
Routing table
This means that if the IP address of the receiving end belongs to the computer's own local area network, the IP datagram is sent directly to the other party using the data link layer protocol; otherwise, the IP datagram is sent to the router in the LAN. The routing table a router holds is much more complex. In the example above, computers on either side of the router can communicate directly using their own data link layer protocol. Besides communicating with computers, the router must also send IP datagrams to neighboring routers to relay them.
After a router receives a packet, it looks up the corresponding routing entry based on the destination address in the packet. If a matching route is found, the packet is processed according to that route; otherwise the packet is discarded by default.
Routing tables are of two kinds: static routes and dynamic routes. Static routing, where the routing table is recorded manually, works for small LANs, but even a small increase in network size makes it cumbersome, and manual modification is required whenever the network changes. Dynamic routing exchanges routing information automatically and generates the routing table. Dynamic routing protocols include interior gateway protocols (IGP), used within a network, and exterior gateway protocols (EGP), used between networks.
In the past, routers were regarded primarily as hardware for forwarding packets, and the software provided only monitoring capabilities. But as routers developed, software came to play an increasingly important role. In fact, the choice of real-time operating system (such as pSOS and VxWorks in the communications field) is critical for a communications product; developing efficient software requires the support of the operating system vendor. Cisco, for example, develops its own dedicated router operating system and application software. If this trend continues, end users will in future be able to load various application software modules onto routers, so that the router can provide firewall, traffic management policy, special application signaling, routing policy and other functions.
A router's datagram processing capacity greatly affects the processing capacity of the network, so devices that use hardware for high-speed routing have been developed. Such routers add routing functionality to a switching hub and are known as L3 switches.
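The lookup behaviour of the last three paragraphs, as an added Python example that is not part of the original article: a routing table searched by longest matching prefix, a default route (written 0.0.0.0/0, the usual notation for the "Default" row above) that catches everything else, a direct-delivery entry for the computer's own LAN, and discard when nothing matches. The addresses and prefixes are constructed for the example.

```python
import ipaddress
from typing import List, Optional, Tuple

DIRECT = None   # next hop None: hand the datagram to the data link layer for the receiver itself


class RoutingTable:
    """Destination network -> next hop, searched by longest matching prefix.
    A 0.0.0.0/0 entry is the default route and matches when nothing else does."""

    def __init__(self):
        self.routes: List[Tuple[ipaddress.IPv4Network, Optional[str]]] = []

    def add(self, destination: str, next_hop: Optional[str] = DIRECT) -> None:
        self.routes.append((ipaddress.ip_network(destination, strict=False), next_hop))

    def lookup(self, dst: str) -> Optional[Tuple[str, str]]:
        """('direct', dst) when dst is on a connected network, ('forward', router)
        when a router must relay it, None when the packet is to be discarded."""
        ip = ipaddress.IPv4Address(dst)
        best = None
        for net, hop in self.routes:
            # a more specific prefix (longer mask) always wins over a shorter one
            if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, hop)
        if best is None:
            return None
        _, hop = best
        return ("direct", dst) if hop is DIRECT else ("forward", hop)


def host_table(own_network: str, router: str) -> RoutingTable:
    """The two-entry table from the text: own LAN direct, everything else via the router."""
    table = RoutingTable()
    table.add(own_network, DIRECT)
    table.add("0.0.0.0/0", router)
    return table


def router_table() -> RoutingTable:
    """A (constructed) router table: two connected networks, a summary route and
    a more specific route inside it, but no default route."""
    table = RoutingTable()
    table.add("10.2.0.0/16", DIRECT)
    table.add("192.168.1.0/24", DIRECT)
    table.add("10.0.0.0/8", "10.254.0.1")
    table.add("10.1.0.0/16", "10.1.254.1")
    return table


if __name__ == "__main__":
    host = host_table("192.168.1.0/24", "192.168.1.1")
    for dst in ("192.168.1.77", "8.8.8.8"):
        print("host ", dst, "->", host.lookup(dst))
    router = router_table()
    for dst in ("10.1.2.3", "10.9.9.9", "10.2.0.5", "172.16.0.1"):
        print("router", dst, "->", router.lookup(dst))
```

The host table never discards anything because its default route covers every address; the router table, lacking a default, returns None for 172.16.0.1, which is the "discard" case in the text.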
1.2.3 Composition of IP datagrams
The IP datagram first holds the IP version; for IPv4 the value stored is 4.
Next, IHL (the header length) is a field, in units of 32 bits, that holds the length of the header from the start of the version field to the end of the padding. In the shortest case, with no options, the value of IHL is 5.
The type of service field represents the quality the IP datagram requires when it is delivered. The seventh bit is an extension bit reserved for the future.
The total length field, in units of 8 bits (bytes), is the length of the whole IP datagram. The next field, identification, is the identification number given to the IP datagram when it is called from an upper-layer protocol such as TCP.
The flags field and the fragment offset are used to handle data block offsets. An IP datagram is loaded into a frame of the data link layer protocol, as that protocol prescribes; because the message part of an IP datagram can be up to 65535 bytes, which a data link layer frame cannot fully accommodate, a method called fragmentation is used. The divided data are called fragments. The flags of the IP datagram indicate whether there are fragments, and the fragment offset ensures that the fragments are processed in the correct order.
The TTL field is designed to prevent erroneous IP datagrams from looping around the network by giving IP datagrams a certain lifespan. The IP datagram sets its lifespan in the TTL field when it is sent, and the value of the TTL field is decremented once each time the IP datagram passes through a router. When it reaches 0, the IP datagram is discarded. It is usually set to the maximum value, 255.
The protocol field holds the value representing the upper-layer protocol carried by IP, such as TCP; the values include ICMP, TCP, EGP, IGP and UDP.
After the header checksum, which checks the header for errors, come the source address and the destination address, both 32 bits in IPv4. Last come the options, and padding fills the remaining bits so that the header ends on a 32-bit boundary.
Structure of the IP datagram header (figure; the fields shown include type of service, total length, fragment offset and header checksum)
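The header layout of section 1.2.3, as an added Python example that is not part of the original article: it packs the twenty fixed bytes (version and IHL, type of service, total length, identification, flags and fragment offset, TTL, protocol, header checksum, source and destination), computes the checksum, and parses a header back while verifying the checksum. The protocol numbers are the IANA assignments for the protocols the text names; the checksum algorithm (one's-complement sum of 16-bit words) is the standard IPv4 header checksum, and the sample addresses are constructed.

```python
import socket
import struct

PROTOCOL_NAMES = {1: "ICMP", 6: "TCP", 8: "EGP", 9: "IGP", 17: "UDP"}  # IANA numbers
HEADER_FMT = "!BBHHHBBH4s4s"   # 20 bytes: the fixed part of the header


def header_checksum(header: bytes) -> int:
    """One's-complement sum of the header as 16-bit words, then complemented.
    Every router recomputes it because the TTL changes at each hop."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                       # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, protocol: int, payload_len: int,
                      ttl: int = 255, ident: int = 1, tos: int = 0,
                      dont_fragment: bool = False, more_fragments: bool = False,
                      fragment_offset: int = 0) -> bytes:
    """A header without options (IHL = 5); fragment_offset is in 8-byte units."""
    ihl = 5
    flags = (int(dont_fragment) << 1) | int(more_fragments)
    fields = [(4 << 4) | ihl, tos, ihl * 4 + payload_len, ident,
              (flags << 13) | fragment_offset, ttl, protocol, 0,
              socket.inet_aton(src), socket.inet_aton(dst)]
    draft = struct.pack(HEADER_FMT, *fields)
    fields[7] = header_checksum(draft)       # checksum is computed with the field zeroed
    return struct.pack(HEADER_FMT, *fields)


def parse_ipv4_header(data: bytes) -> dict:
    """Decode the fields described in the text from the start of an IP datagram."""
    if len(data) < 20:
        raise ValueError("truncated IP header")
    (ver_ihl, tos, total_length, ident, flags_frag, ttl, protocol,
     checksum, src, dst) = struct.unpack(HEADER_FMT, data[:20])
    version, ihl = ver_ihl >> 4, ver_ihl & 0x0F
    header_len = ihl * 4
    if version != 4 or ihl < 5 or len(data) < header_len:
        raise ValueError("not a complete IPv4 header")
    flags = flags_frag >> 13
    return {
        "version": version,
        "ihl": ihl,
        "tos": tos,
        "total_length": total_length,
        "identification": ident,
        "dont_fragment": bool(flags & 0b010),
        "more_fragments": bool(flags & 0b001),
        "fragment_offset_bytes": (flags_frag & 0x1FFF) * 8,   # offset is carried in 8-byte units
        "ttl": ttl,
        "protocol": protocol,
        "protocol_name": PROTOCOL_NAMES.get(protocol, "other"),
        "checksum_ok": header_checksum(data[:header_len]) == 0,   # a valid header sums to zero
        "src": socket.inet_ntoa(src),
        "dst": socket.inet_ntoa(dst),
        "options": data[20:header_len],
        "payload": data[header_len:total_length],
    }


if __name__ == "__main__":
    hdr = build_ipv4_header("192.168.1.10", "10.0.0.1", 6, 100, ttl=64, ident=0x1234)
    print(parse_ipv4_header(hdr + b"\x00" * 100))
    hopped = bytearray(hdr)
    hopped[8] -= 1      # TTL decremented but checksum not recomputed: receiver rejects it
    print("stale checksum ok?", parse_ipv4_header(bytes(hopped))["checksum_ok"])
```

A listener should check `total_length` against the bytes it actually captured before trusting `payload`; a header that claims more data than arrived is a truncated capture or a malformed datagram, not something to index into.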
1.2.4 Other message structures
The more important of these are the Address Resolution Protocol and the Internet Control Message Protocol. The Address Resolution Protocol (ARP: Address Resolution Protocol) links the network layer and the data link layer; it has no direct connection to IP, but it is a necessary protocol in IP networks over Ethernet.
ARP handles the correspondence between Ethernet physical addresses (MAC addresses) and IP addresses. When transmitting an IP datagram to another computer, the other party's physical address is queried from its IP address, and a new Ethernet frame is built using that physical address. When communicating with IP, you must know both the IP address and the corresponding MAC address. First, using the Ethernet broadcast function, the IP address of the network device whose MAC address is being queried is announced to the other network devices. The network device whose address matches replies with its own MAC address. The correspondence between IP address and MAC address obtained by ARP is kept for a period of time for communication and deleted after that period. Conversely, querying the IP address from the MAC address is done with RARP (Reverse ARP). A RARP packet has the same structure as an ARP packet, except that the operation number differs. The ARP operation numbers are 1 (request) and 2 (response), and the target's MAC address is empty in the request; the RARP operation numbers are 3 (request) and 4 (response), and the requested IP address is empty.
During communication on the network, various circumstances may cause a packet to be destroyed or to circulate on the network; routers and other network devices then delete the packet and send a notification back to the sender. This means of communication is defined by ICMP. ICMP messages are loaded into IP datagrams; in this sense ICMP, like TCP and UDP, is a protocol of the transport layer. But the functionality of ICMP supplements IP.
ICMP is the abbreviation of Internet Control Message Protocol. It is a sub-protocol of the TCP/IP protocol family used to pass control messages between IP hosts and routers. Control messages report whether the network is reachable, whether a host is available, whether a route is available, and so on. Although these control messages do not carry user data, they play an important role in the delivery of user data.
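The ARP/RARP packet structure and the cache lifetime described above, as an added Python example that is not part of the original article. It packs and parses the 28-byte Ethernet/IPv4 ARP body with the four operation numbers from the text (the empty target MAC in an ARP request and the empty target IP in a RARP request are represented as all-zero bytes, which is the wire convention), and keeps a small IP-to-MAC cache whose entries expire after a configurable lifetime. The cache only accepts a reply for an address it has actually asked about; that rule is my addition for a listener that must not be fed false mappings by unsolicited replies. MAC and IP values are constructed.

```python
import socket
import struct

ARP_FMT = "!HHBBH6s4s6s4s"   # 28 bytes for Ethernet (6-byte) and IPv4 (4-byte) addresses
OPERATIONS = {1: "ARP request", 2: "ARP reply", 3: "RARP request", 4: "RARP reply"}
HTYPE_ETHERNET, PTYPE_IPV4 = 1, 0x0800
EMPTY_MAC, EMPTY_IP = b"\x00" * 6, b"\x00" * 4


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_arp(op: int, sender_mac: str, sender_ip: str,
              target_mac: str = None, target_ip: str = None) -> bytes:
    """Pack an ARP/RARP packet. An ARP request leaves the target MAC empty (it is
    what is being asked for); a RARP request leaves the target IP empty."""
    return struct.pack(ARP_FMT, HTYPE_ETHERNET, PTYPE_IPV4, 6, 4, op,
                       mac_bytes(sender_mac), socket.inet_aton(sender_ip),
                       mac_bytes(target_mac) if target_mac else EMPTY_MAC,
                       socket.inet_aton(target_ip) if target_ip else EMPTY_IP)


def parse_arp(data: bytes) -> dict:
    if len(data) < 28:
        raise ValueError("truncated ARP packet")
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(ARP_FMT, data[:28])
    if (htype, ptype, hlen, plen) != (HTYPE_ETHERNET, PTYPE_IPV4, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    return {
        "operation": op,
        "operation_name": OPERATIONS.get(op, "unknown"),
        "sender_mac": mac_str(sha),
        "sender_ip": socket.inet_ntoa(spa),
        "target_mac": None if tha == EMPTY_MAC else mac_str(tha),
        "target_ip": None if tpa == EMPTY_IP else socket.inet_ntoa(tpa),
    }


class ArpCache:
    """IP -> MAC mappings learned from replies, kept for `lifetime` seconds and
    then dropped, as the text describes. Only replies to our own outstanding
    requests are accepted (an added safeguard, not from the text)."""

    def __init__(self, lifetime: float = 60.0):
        self.lifetime = lifetime
        self.entries = {}    # ip -> (mac, learned_at)
        self.pending = set()  # ips we have broadcast a request for

    def request(self, ip: str) -> None:
        self.pending.add(ip)

    def learn(self, packet: dict, now: float) -> bool:
        """Record a reply; returns False for anything that is not an answer we asked for."""
        if packet["operation"] != 2 or packet["sender_ip"] not in self.pending:
            return False
        self.pending.discard(packet["sender_ip"])
        self.entries[packet["sender_ip"]] = (packet["sender_mac"], now)
        return True

    def lookup(self, ip: str, now: float):
        entry = self.entries.get(ip)
        if entry is None:
            return None
        mac, learned_at = entry
        if now - learned_at > self.lifetime:
            del self.entries[ip]        # expired: a new request must be sent
            return None
        return mac


if __name__ == "__main__":
    req = build_arp(1, "00:11:22:33:44:55", "192.168.1.10", target_ip="192.168.1.1")
    print(parse_arp(req))
    rep = build_arp(2, "aa:bb:cc:dd:ee:01", "192.168.1.1", "00:11:22:33:44:55", "192.168.1.10")
    cache = ArpCache(lifetime=60)
    cache.request("192.168.1.1")
    cache.learn(parse_arp(rep), now=0.0)
    print(cache.lookup("192.168.1.1", now=30.0), cache.lookup("192.168.1.1", now=61.0))
```
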
1.3 TCP/UDP
1.3.1 Role of TCP/UDP
The Transmission Control Protocol (TCP) and the User Datagram Protocol (UDP) are the transport layer protocols used on the Internet. Using the network layer IP protocol, a specific communication peer can be located among all the computers in the world and data sent to it. The transport layer protocol provides a connection that specifies the particular application running on the peer computer and the network service that is wanted.
TCP and UDP use the concept of ports to distinguish programs on a computer. A port is the data input/output point that an application uses in network communication. When a network client uses a service program on another computer, the serving computer is specified by IP address, and the well-known port number assigned to the service program is also specified. This allows the client to use the specific network service corresponding to the port number.
(Figure: a TCP/UDP datagram carried in the message part of an IP datagram)
The usual procedure is as follows: The client program obtains the DNS name of the computer running the server program and the application name of the server program from the user. The client program retrieves the DNS server by using the DNS name obtained from the user. Gets the IP address of the computer that is connecting to the object. and retrieves the accepted port number of the server program from the application name. Then decide from the application name whether to use TCP or UDP as the Transport layer protocol. Then from each other's IP address, their IP address, the other side's port number and specify TCP or UDP, Establish an IP datagram that stores TCP or UDP to the message. The operating system then assigns the appropriate port on the communication to the client program. This determines the world's non-repeatable data mix consisting of an IP address, a port number, and TCP or UDP. The client program contains tcp/ The IP datagram of the UDP packet is sent out, and the service program sends the response to the client program as well.
The TCP protocol is a connection-based protocol, which means that a reliable connection must be established with the other party before the data is formally sent and received. A TCP connection has to go through three "dialogues" to build up, the process is very complex, we only do simple, image introduction, You just have to be able to understand the process. Let's take a look at the simple process of these three conversations: Host A sends a connection request packet to Host B: "I want to send you data, OK", this is the first conversation; Host B sends a consent connection to host A and requires synchronization (synchronization is two hosts one in the send, one in the receiving coordinated work) The packet: "Can, when do you send", this is the second dialogue; Host A then sends a packet to confirm that Host B's requirements are synchronized: "I'll send it now, you go on!", this is the third dialogue. Three times the purpose of the "conversation" is to synchronize the sending and receiving of packets, after three "conversations", Host A does not formally send data to Host B.
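The three "conversations" above, as an added Python example that is not part of the original article: a small state model of two TCP endpoints exchanging SYN, SYN+ACK and ACK, with sequence numbers so that each acknowledgement can be checked against what was actually sent. The mapping of the three conversations onto the SYN, SYN+ACK and ACK segments is the standard TCP handshake, which the text describes in words; the initial sequence numbers (1000 and 5000) and host names are constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Segment:
    """The parts of a TCP header that the handshake depends on."""
    src: str
    dst: str
    syn: bool
    ack: bool
    seq: int        # sequence number of this segment
    ack_num: int    # next sequence number the sender expects from the peer


class TcpEndpoint:
    """A tiny model of one host's connection state during the three-way handshake."""

    def __init__(self, name: str, isn: int):
        self.name = name
        self.state = "CLOSED"
        self.snd_nxt = isn       # next sequence number we will send
        self.rcv_nxt = None      # next sequence number we expect to receive

    def listen(self) -> None:
        self.state = "LISTEN"

    def connect(self, peer: str) -> Segment:
        """Conversation 1, A -> B: 'I want to send you data, OK?' (SYN)."""
        self.state = "SYN_SENT"
        seg = Segment(self.name, peer, syn=True, ack=False, seq=self.snd_nxt, ack_num=0)
        self.snd_nxt += 1        # a SYN consumes one sequence number
        return seg

    def receive(self, seg: Segment) -> Optional[Segment]:
        if self.state == "LISTEN" and seg.syn and not seg.ack:
            # Conversation 2, B -> A: 'OK, when will you send?' (SYN+ACK)
            self.rcv_nxt = seg.seq + 1
            self.state = "SYN_RCVD"
            reply = Segment(self.name, seg.src, syn=True, ack=True,
                            seq=self.snd_nxt, ack_num=self.rcv_nxt)
            self.snd_nxt += 1
            return reply
        if self.state == "SYN_SENT" and seg.syn and seg.ack:
            # Conversation 3, A -> B: 'I'll send it now, go ahead!' (ACK)
            if seg.ack_num != self.snd_nxt:
                raise ValueError(f"{self.name}: SYN+ACK does not acknowledge our SYN")
            self.rcv_nxt = seg.seq + 1
            self.state = "ESTABLISHED"
            return Segment(self.name, seg.src, syn=False, ack=True,
                           seq=self.snd_nxt, ack_num=self.rcv_nxt)
        if self.state == "SYN_RCVD" and seg.ack and not seg.syn:
            if seg.ack_num != self.snd_nxt:
                raise ValueError(f"{self.name}: ACK does not acknowledge our SYN")
            self.state = "ESTABLISHED"
            return None
        raise ValueError(f"{self.name}: unexpected segment in state {self.state}")


def three_way_handshake(a_isn: int = 1000, b_isn: int = 5000) -> Tuple[TcpEndpoint, TcpEndpoint, List[Segment]]:
    """Run the three conversations between A and B; data may flow only afterwards."""
    a, b = TcpEndpoint("A", a_isn), TcpEndpoint("B", b_isn)
    b.listen()
    syn = a.connect("B")
    syn_ack = b.receive(syn)
    ack = a.receive(syn_ack)
    b.receive(ack)
    return a, b, [syn, syn_ack, ack]


def handshake_rejects_bad_ack() -> bool:
    """A SYN+ACK that acknowledges the wrong sequence number is not accepted,
    which is what stops a third party from completing A's connection blindly."""
    a = TcpEndpoint("A", 1000)
    a.connect("B")
    try:
        a.receive(Segment("B", "A", syn=True, ack=True, seq=5000, ack_num=4242))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    a, b, segments = three_way_handshake()
    for seg in segments:
        print(seg)
    print(a.state, b.state, "bad ACK rejected:", handshake_rejects_bad_ack())
```

Each side ends in ESTABLISHED with `rcv_nxt` equal to the peer's `snd_nxt`, which is the synchronization the text refers to; a packet analyser can check the same relationship on captured segments to tell a genuine handshake from stray SYN+ACKs.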
Both TCP and UDP provide port-based communication to applications, but they differ in nature. TCP supplements the network functions that IP does not provide, giving two programs an error-free, full-duplex communication channel. Any application that uses TCP as its transport layer protocol can use the network very conveniently: retransmission of data, error handling and control of packet arrival order are all handled inside TCP, so the application needs no related processing of its own. The price of these advanced, connection-oriented features is that TCP is heavy and slow for the computer system.
UDP is a connectionless protocol: it does not establish a connection with the other party but sends packets directly. UDP merely adds the port function, in a simple form, to the functions of IP, and so provides a transport layer service for applications that need processing speed. Under UDP, functions such as connections and sequence control of data are performed by the application. This property is called connectionless. UDP is therefore commonly used in local environments with few errors and in applications that demand speed. It suits applications that transmit only a small amount of data at a time and that need less reliability. For example, we often use the "ping" command to test whether TCP/IP communication between two hosts is working. The principle of "ping" is to send UDP packets to the other host, which then confirms receipt of the packets; if the packets are acknowledged promptly, the network is up. By default, one "ping" operation sends 4 packets: 4 packets are sent and 4 packets are received (because the host returns a confirmation packet after receiving each one). This fully illustrates that UDP is a connectionless protocol with no connection-establishment process. Because UDP is connectionless, its communication efficiency is high, but for the same reason it is less reliable than TCP. QQ uses UDP to send messages, which is why messages sometimes fail to arrive.
1.3.2 TCP/UDP Message structure
The TCP header begins with the port number of the sending side (source port) and the port number of the receiving side (destination port), followed by the sequence number. The sequence number records the place of the segment's data in the order in which data is sent: it is the offset fixed when communication begins, plus the number of bytes of data already sent.
The acknowledgment number is the sequence number the receiving end returns to the sender to report the state of the data it has received. The data offset is a 4-bit field holding the length of the header in 32-bit units: the bytes from the start of the segment up to data offset × 4 form the TCP header.

[Figure: Structure of the TCP header. Fields: Source Port, Destination Port, Sequence number, Acknowledgment number, Data offset, Reserved, Control bits, Window, Checksum, Urgent pointer, Options and padding.]
The data offset is followed by a 6-bit field reserved for future extension, and then by the control bits. The control bits are a set of six 1-bit flags that indicate the state of the TCP communication: bit 1 is URG, meaning the urgent pointer is valid; bit 2 is ACK, meaning the acknowledgment number is valid; bit 3 is PSH, requesting forced (push) delivery of the data; bit 4 is RST, requesting that the connection be reset; bit 5 is SYN, requesting synchronisation of sequence numbers; and bit 6 is FIN, indicating the end of sending.
The window field gives the size of the receiving side's buffer. Next come the checksum, used for error checking, and the urgent pointer, used for handling urgent data; finally come the options and padding.
The structure of a UDP datagram is comparatively simple. It contains only the port number fields, the datagram length, and a checksum for error checking, which are the minimum a transport layer protocol needs in order to deliver data to the receiving application. UDP can transfer information at high speed, but the work of controlling the sequence of datagrams is left to the application. UDP merely adds the concept of a port to the functions provided by IP; it is a simple transport layer protocol.
[Figure: Structure of the UDP datagram. Fields: Source Port, Destination Port, Length, Checksum.]
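As an added example (not code from the original article or from the Jpcap library), the following Python decodes the TCP and UDP headers described above and checks that three decoded segments form the three-step handshake from 1.3.1. The field layout follows the article; the segment builder, the 4-byte option padding and all sample values are assumptions made for this example.

```python
import struct

# Control bits in the article's order, high bit (URG) to low bit (FIN); the two
# ECN bits above URG are ignored.  Segments built below are constructed, not captured.
FLAG_NAMES = ("URG", "ACK", "PSH", "RST", "SYN", "FIN")
FLAG_BITS = {name: 1 << (5 - i) for i, name in enumerate(FLAG_NAMES)}

def build_tcp(src, dst, seq, ack, flags, window=65535, options=b"", payload=b""):
    """Assemble a TCP segment; checksum left 0, options already padded to 4 bytes."""
    if len(options) % 4:
        raise ValueError("options must be padded to a multiple of 4 bytes")
    offset_words = (20 + len(options)) // 4            # header length in 32-bit units
    flag_byte = sum(FLAG_BITS[f] for f in flags)
    header = struct.pack("!HHIIBBHHH", src, dst, seq, ack, offset_words << 4,
                         flag_byte, window, 0, 0)
    return header + options + payload

def parse_tcp(segment):
    """Decode the 20-byte fixed header and options; data offset x 4 is the header length."""
    if len(segment) < 20:
        raise ValueError("TCP header needs at least 20 bytes")
    (src, dst, seq, ack, off, flag_byte,
     window, csum, urg) = struct.unpack("!HHIIBBHHH", segment[:20])
    data_offset = (off >> 4) * 4
    if not 20 <= data_offset <= len(segment):
        raise ValueError("data offset points outside the segment")
    return {"src_port": src, "dst_port": dst, "seq": seq, "ack": ack,
            "data_offset": data_offset, "window": window, "checksum": csum,
            "urgent_pointer": urg,
            "flags": {n for n, b in FLAG_BITS.items() if flag_byte & b},
            "options": segment[20:data_offset], "payload": segment[data_offset:]}

def parse_udp(datagram):
    """Decode the 8-byte UDP header; its length field covers header plus data."""
    if len(datagram) < 8:
        raise ValueError("UDP header needs 8 bytes")
    src, dst, length, csum = struct.unpack("!HHHH", datagram[:8])
    if not 8 <= length <= len(datagram):
        raise ValueError("UDP length field disagrees with the buffer")
    return {"src_port": src, "dst_port": dst, "length": length,
            "checksum": csum, "payload": datagram[8:length]}

def verify_handshake(syn, synack, ack):
    """True when three parsed segments form the SYN, SYN+ACK, ACK exchange described above."""
    nxt = lambda s: (s["seq"] + 1) & 0xFFFFFFFF        # a SYN consumes one sequence number
    return (syn["flags"] == {"SYN"} and synack["flags"] == {"SYN", "ACK"}
            and ack["flags"] == {"ACK"} and synack["ack"] == nxt(syn)
            and ack["seq"] == nxt(syn) and ack["ack"] == nxt(synack))
```

A segment whose data offset points outside the buffer is rejected rather than parsed, which is the check a capture tool needs before trusting the options and payload slices.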
