Capture and analyze protocol packets using a network monitor (Iris)

Source: Internet
Author: User
Tags: default ftp port



Experiment Name: Understand the role of the subnet mask, the gateway, and ARP

I. Purpose and requirements of the experiment

(1) Become familiar with Iris.

(2) Verify the packet formats of various protocols.

(3) Learn to capture and analyze various packets.

II. Main instruments and equipment

Environment: Windows XP

Software: Iris Software

III. Experiment content and process

Host 1: 192.168.2.110 (listening host)

Host 2: 192.168.2.109 (listened-on host)

(1) Install the Iris software.


(2) Capture packets and verify the formats of the Ethernet frame, the IP datagram, and the TCP segment.

From the menu, add the IP addresses of Host 1 and Host 2 to the address book.


Set the filter.


Before capturing packets, clear the ARP cache with arp -d.


Click Start Capture to begin capturing packets.


Select Filter → Edit Filter, adjust the filter settings, and click OK when done.


Select Filter → ftp.flt.


Log on from Host 1 to the FTP server on Host 2 (Host 2 has an FTP server installed).


Stop the capture and save the results.


The above is the packet capture process. Next, verify the formats of the Ethernet frame, the IP datagram, and the TCP segment.

We select packet number 4 for verification and view its header information at the MAC layer, the IP layer, and the TCP layer.



Verify the Ethernet frame format

00 24 1D 09 28 6B is the MAC address of the listening host (Host 1).


00 24 1D AE 10 45 is the MAC address of the listened-on host (Host 2).


08 00 is the type field; it indicates that the upper layer is an IP datagram.


Verify the IP datagram format


From the two figures above we can see:

Version 4 indicates IPv4 (a 4-bit field).

The header length is 5; its unit is 32-bit words, so the IP header is 20 bytes.

The type of service field 00 occupies one byte (in the preceding byte, 45, the 4 is the version and the 5 is the header length).

The total length 00 43 occupies two bytes, and the identification 6c 49 occupies two bytes.

The flags and fragment offset 40 00 occupy two bytes.

Time to live: 128 hops.

The upper-layer protocol is TCP.

The header checksum is 840 (hex).

The source address is 192.168.2.109 and the destination address is 192.168.2.110.


Verify the TCP segment format


The source port 00 15 converts to decimal 21, the default FTP port.

The destination port 0e 93 occupies two bytes.

The sequence number 21 7b 54 6C occupies 4 bytes.

The acknowledgment number 5A 1D 33 21 occupies 4 bytes.

The header length is 5, and the flags byte is 18; within it, the ACK and PSH flags each occupy one bit.

The checksum is 7cc1, which occupies two bytes.


(3) Capture and analyze ARP packets.

Run arp -d on Host 1, set the filter to capture ARP (Filter → Edit Filter) and to capture the IP packets between host A and host B, then click Start/Stop Capture to begin capturing.


Run arp -d first, then ping 192.168.2.109.

ARP packets captured:


Analysis

First, running arp -d on Host 1 clears its ARP cache. When we then run ping 192.168.2.109, Host 1 and Host 2 are on the same network segment but Host 1 does not have the MAC address of Host 2, so it broadcasts an ARP request; the request carries the source IP address and the destination IP address. Host 2, on the same segment, receives the request and finds that the destination IP address is its own, so it sends an ARP reply back to Host 1 with its physical address encapsulated in the reply. Host 1 thereby obtains the MAC address of Host 2.
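The exchange described above, as an added example that is not part of the original report: it builds the broadcast ARP request and the unicast ARP reply from the MAC and IP addresses given in this experiment (the frame bytes are constructed, not the captured ones), decodes the fields the monitor displays, and models the ARP cache on Host 1 after arp -d. The cache only accepts a reply that answers a request it actually sent, which is the check a host needs so that an unsolicited reply cannot write an arbitrary mapping into its table.

```python
import struct

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = b"\xff" * 6
ZERO_MAC = b"\x00" * 6

# Addresses as given in this report; frames built from them are constructed here.
HOST1_MAC, HOST1_IP = bytes.fromhex("00241D09286B"), "192.168.2.110"
HOST2_MAC, HOST2_IP = bytes.fromhex("00241DAE1045"), "192.168.2.109"

def ip_to_bytes(ip):
    return bytes(int(octet) for octet in ip.split("."))

def build_arp(opcode, sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet frame carrying an ARP packet for Ethernet/IPv4 (RFC 826).
    A request goes to the broadcast MAC; a reply goes unicast to the requester."""
    eth_dst = BROADCAST if opcode == ARP_REQUEST else target_mac
    eth = eth_dst + sender_mac + struct.pack("!H", ETHERTYPE_ARP)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)
           + sender_mac + ip_to_bytes(sender_ip) + target_mac + ip_to_bytes(target_ip))
    return eth + arp

def parse_arp(frame):
    """Decode the fields the monitor displays; raise ValueError for anything else."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP hardware/protocol types")
    return {
        "eth_dst": frame[0:6].hex(":"),
        "broadcast": frame[0:6] == BROADCAST,
        "opcode": opcode,
        "sender_mac": frame[22:28].hex(":"),
        "sender_ip": ".".join(map(str, frame[28:32])),
        "target_mac": frame[32:38].hex(":"),
        "target_ip": ".".join(map(str, frame[38:42])),
    }

class ArpCache:
    """A host's ARP table that learns only from replies to its own requests."""
    def __init__(self, mac, ip):
        self.mac, self.ip, self.table, self.pending = mac, ip, {}, set()

    def resolve(self, ip):
        """Return the request frame to send, or None if the MAC is already cached."""
        if ip in self.table:
            return None
        self.pending.add(ip)
        return build_arp(ARP_REQUEST, self.mac, self.ip, ZERO_MAC, ip)

    def learn(self, frame):
        """Accept a reply only when it answers an outstanding request;
        unsolicited replies are ignored rather than written into the table."""
        info = parse_arp(frame)
        if info["opcode"] != ARP_REPLY or info["sender_ip"] not in self.pending:
            return False
        self.pending.discard(info["sender_ip"])
        self.table[info["sender_ip"]] = info["sender_mac"]
        return True

def answer_request(frame, my_mac, my_ip):
    """What Host 2 does: reply only if the request's target IP is its own address."""
    info = parse_arp(frame)
    if info["opcode"] != ARP_REQUEST or info["target_ip"] != my_ip:
        return None
    requester_mac = bytes.fromhex(info["sender_mac"].replace(":", ""))
    return build_arp(ARP_REPLY, my_mac, my_ip, requester_mac, info["sender_ip"])

def exchange():
    """Replay the capture: Host 1, right after arp -d, pings 192.168.2.109."""
    host1 = ArpCache(HOST1_MAC, HOST1_IP)   # empty table, as after arp -d
    request = host1.resolve(HOST2_IP)
    reply = answer_request(request, HOST2_MAC, HOST2_IP)
    learned = host1.learn(reply)
    return parse_arp(request), parse_arp(reply), learned, dict(host1.table)

if __name__ == "__main__":
    for item in exchange():
        print(item)
```

Running it prints the decoded request (broadcast destination, opcode 1, target MAC all zeros), the decoded reply (opcode 2, sent unicast to Host 1's MAC), and the single cache entry that results, which is what the capture shows after the ping.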



(4) Capture and analyze ICMP packets during ping.

Run arp -d on Host 2 to clear its ARP cache.

Click Start/Stop Capture to begin capturing packets.

Edit the filter as follows:


Ping the IP address of Host 2 from Host 1.


Stop the capture.


ICMP packets captured during the ping:


Analysis

From this we can see what happens when we run ping 192.168.2.109 and press Enter: the ping command sends an ICMP echo request to the destination, Host 2, and because Host 2 is working normally it answers with an ICMP echo reply (packets 1 and 2). Because Host 1 sends four echo requests in a row, and Host 2 is up and reachable, Host 2 also returns four corresponding echo replies, so the capture window shows eight ECHO packets in total. The datagram in the first line of the capture window (number 1) contains three parts: Ethernet, IP, and ICMP.




Ethernet header information. Its content is 00 24 1D AE 10 45 00 24 1D 09 28 6B 08 00.

The first 6 bytes, 00 24 1D AE 10 45, are the MAC address of the destination, Host 2.


The next 6 bytes, 00 24 1D 09 28 6B, are the MAC address of the source, Host 1.


The last two bytes, 08 00, indicate that the frame type is DOD IP (IPv4).


IP header information. Its content is:

45 00 00 3C 1D be 00 00 80 01 96 D7 C0 A8 02 6e C0 A8 02 6d

It indicates that the IP version is 4, the header length is 5, the total length is 60 bytes, and the identification is 7614.

The time to live is 128 hops, the upper-layer protocol is ICMP, and the header checksum is 9607 (the bytes above read 96 D7).

The source address is 192.168.2.110 and the destination address is 192.168.2.109.


ICMP header information

The leading 08 is the type, 00 is the code, 15 5C is the checksum, 34 00 is the sequence number, and the rest is data.
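To check the field-by-field readings in section (2) (packet 4 of the FTP session) and in this section (packet 1 of the ping) the same way the monitor does, here is an added example dissector, not code from the original report or from Iris. It decodes the Ethernet, IPv4, TCP, and ICMP headers with struct and recomputes the IPv4 header checksum (RFC 1071). The Ethernet and IP header bytes of both packets are exactly the ones listed in the report (which is why both checksums verify: 0x0840 for packet 4, 0x96D7 for the ping packet); the TCP window field, the 27-byte FTP banner, the ICMP identifier, and the 32-byte ping payload are not on the page and are constructed here to fill the stated total lengths (67 and 60 bytes). The ICMP checksum is therefore reported but not recomputed.

```python
import struct

def ip_checksum(header):
    """RFC 1071 Internet checksum over an IPv4 header.
    With the checksum field zeroed it returns the value to store; over a header
    that already carries a correct checksum it returns 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def parse_ethernet(frame):
    etype = struct.unpack("!H", frame[12:14])[0]
    return {"dst": frame[:6].hex(":"), "src": frame[6:12].hex(":"), "type": etype}, frame[14:]

def parse_ipv4(data):
    vihl, tos, total_len, ident, flags_frag, ttl, proto, csum = struct.unpack("!BBHHHBBH", data[:12])
    ihl = (vihl & 0x0F) * 4                  # header length is in 32-bit words
    hdr = {
        "version": vihl >> 4, "header_len": ihl, "tos": tos, "total_len": total_len,
        "id": ident, "df": bool(flags_frag & 0x4000), "mf": bool(flags_frag & 0x2000),
        "frag_offset": flags_frag & 0x1FFF, "ttl": ttl, "protocol": proto,
        "checksum": csum, "checksum_ok": ip_checksum(data[:ihl]) == 0,
        "length_ok": total_len <= len(data),  # padding may follow, truncation may not
        "src": ".".join(map(str, data[12:16])), "dst": ".".join(map(str, data[16:20])),
    }
    return hdr, data[ihl:]

def parse_tcp(data):
    sport, dport, seq, ack, off_flags, window, csum, urg = struct.unpack("!HHIIHHHH", data[:20])
    offset = (off_flags >> 12) * 4           # data offset, also in 32-bit words
    names = ["FIN", "SYN", "RST", "PSH", "ACK", "URG"]
    flags = [n for i, n in enumerate(names) if off_flags & (1 << i)]
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack, "header_len": offset,
            "flags": flags, "window": window, "checksum": csum, "urgent": urg}, data[offset:]

def parse_icmp(data):
    typ, code, csum, ident, seq = struct.unpack("!BBHHH", data[:8])
    return {"type": typ, "code": code, "checksum": csum, "id": ident, "seq": seq}, data[8:]

def dissect(frame):
    """Ethernet -> IPv4 -> TCP or ICMP, mirroring the three layers the monitor shows."""
    eth, rest = parse_ethernet(frame)
    if eth["type"] != 0x0800:
        return {"eth": eth}
    ip, rest = parse_ipv4(rest)
    out = {"eth": eth, "ip": ip}
    if ip["protocol"] == 6:
        out["tcp"], out["payload"] = parse_tcp(rest)
    elif ip["protocol"] == 1:
        out["icmp"], out["payload"] = parse_icmp(rest)
    return out

# Packet 4 of section (2): Ethernet/IP/TCP header bytes as given in the report;
# the window (FA F0) and the banner text are constructed to reach total length 0x43.
FTP_FRAME = bytes.fromhex(
    "00 24 1D 09 28 6B 00 24 1D AE 10 45 08 00 "
    "45 00 00 43 6C 49 40 00 80 06 08 40 C0 A8 02 6D C0 A8 02 6E "
    "00 15 0E 93 21 7B 54 6C 5A 1D 33 21 50 18 FA F0 7C C1 00 00"
) + b"220 FTP service is ready.\r\n"

# Packet 1 of section (4): Ethernet/IP bytes and ICMP type, code, checksum and sequence
# number as given; the identifier (02 00) and the payload are constructed.
PING_FRAME = bytes.fromhex(
    "00 24 1D AE 10 45 00 24 1D 09 28 6B 08 00 "
    "45 00 00 3C 1D BE 00 00 80 01 96 D7 C0 A8 02 6E C0 A8 02 6D "
    "08 00 15 5C 02 00 34 00"
) + b"abcdefghijklmnopqrstuvwabcdefghi"

def ttl_tamper_detected():
    """Changing one header byte (TTL 0x80 -> 0x40) must make the stored checksum fail."""
    tampered = PING_FRAME[:22] + b"\x40" + PING_FRAME[23:]
    return dissect(tampered)["ip"]["checksum_ok"] is False

if __name__ == "__main__":
    for name, frame in (("packet 4 (FTP)", FTP_FRAME), ("packet 1 (ping)", PING_FRAME)):
        print(name)
        for layer, fields in dissect(frame).items():
            print(" ", layer, fields if layer != "payload" else "%d bytes" % len(fields))
```

The output reproduces the readings above: for packet 4, source port 21, destination port 0x0E93 (3731), flags PSH and ACK from the byte 18, DF set from 40 00, TTL 128 and a valid checksum 0x0840; for the ping packet, identification 7614, protocol 1, checksum 0x96D7 valid, and ICMP type 8 code 0. The checksum_ok and length_ok fields are the two sanity checks worth keeping in any dissector you write for the WinPcap exercise in section (7): a header whose checksum fails was corrupted or altered in transit, and a total length larger than the bytes actually present means a truncated capture.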


(5) Capture and analyze ICMP packets during tracert.

Change the filter settings.

Start capturing packets. The following figure shows the captured results.


Analysis:

It can be seen that the tracert command relies on the ICMP protocol. After a datagram passes through a router, the router's IP address is added to the option field of the datagram; when the message arrives at the target host, a new ICMP datagram is generated that records the route just traversed and is returned to the source host, which thereby learns the route the datagram took. Because Host 1 and Host 2 are on the same network segment, no router is involved, so when we trace with tracert only the IP address of Host 2 is displayed.


(6) Capture and analyze the TCP three-way handshake that establishes a connection.

Test example: download a file from Host 2 to Host 1 through FTP.


Set the filter and select it.

Host 1 first runs arp -d, then click Start/Stop Capture.

Download any folder from the FTP server to Host 1.


Capture results:


Analysis

Packets 1, 2, and 3 are the three handshake messages exchanged when the connection is established.

First handshake
ACK 00 00 00 00
SEQ 4D 7E C1 A8

Second handshake
ACK 4D 7E C1 A9
SEQ F1 59 F5 88

Third handshake
ACK F1 59 F5 89
SEQ 4D 7E C1 A9


First, Host 1 sends a connection request to Host 2; it initializes its sequence number seq to 4D 7E C1 A8, with the acknowledgment number 0. When Host 2 receives the request and agrees to the connection, it sends a confirmation back to Host 1: it initializes its own sequence number seq to F1 59 F5 88, sets the ACK flag to 1, and sets the acknowledgment number to Host 1's seq + 1, that is 4D 7E C1 A9. When Host 1 receives Host 2's packet, it sends a confirmation to Host 2 once more; this time its seq is 4D 7E C1 A9 and its acknowledgment number is Host 2's seq + 1, that is F1 59 F5 89. The TCP connection is then established.
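The seq/ack rules just described, written as a check over three captured segments; this is an added example, not code from the original report. The three packets are the ones listed above (the SYN, SYN-ACK and ACK flags are assumed from the roles, since the report lists only sequence and acknowledgment numbers). The arithmetic is done modulo 2^32, which the hex values in the capture hide but which matters whenever an initial sequence number lies near 0xFFFFFFFF; the second function exercises that case.

```python
MOD = 1 << 32  # TCP sequence space

def validate_handshake(packets):
    """Check that three captured segments form a valid SYN, SYN-ACK, ACK exchange.

    Each packet is a dict with 'src', 'dst', 'flags' (set of flag names), 'seq', 'ack'.
    Returns (client ISN, server ISN) on success and raises ValueError naming the
    first rule that fails, which is how a monitor would flag a malformed handshake.
    """
    if len(packets) != 3:
        raise ValueError("a handshake is exactly three segments")
    syn, synack, ack = packets
    client, server = syn["src"], syn["dst"]
    if syn["flags"] != {"SYN"}:
        raise ValueError("first segment must carry SYN only")
    if (synack["src"], synack["dst"]) != (server, client) or synack["flags"] != {"SYN", "ACK"}:
        raise ValueError("second segment must be a SYN-ACK from the server to the client")
    if synack["ack"] != (syn["seq"] + 1) % MOD:
        raise ValueError("SYN-ACK must acknowledge the client's ISN + 1")
    if (ack["src"], ack["dst"]) != (client, server) or "ACK" not in ack["flags"] or "SYN" in ack["flags"]:
        raise ValueError("third segment must be an ACK from the client to the server")
    if ack["seq"] != (syn["seq"] + 1) % MOD:
        raise ValueError("final ACK must carry the client's ISN + 1 as its sequence number")
    if ack["ack"] != (synack["seq"] + 1) % MOD:
        raise ValueError("final ACK must acknowledge the server's ISN + 1")
    return syn["seq"], synack["seq"]

# The three segments from the capture above (Host 1 -> Host 2 opens the FTP control connection).
CAPTURED = [
    {"src": "192.168.2.110", "dst": "192.168.2.109", "flags": {"SYN"},
     "seq": 0x4D7EC1A8, "ack": 0x00000000},
    {"src": "192.168.2.109", "dst": "192.168.2.110", "flags": {"SYN", "ACK"},
     "seq": 0xF159F588, "ack": 0x4D7EC1A9},
    {"src": "192.168.2.110", "dst": "192.168.2.109", "flags": {"ACK"},
     "seq": 0x4D7EC1A9, "ack": 0xF159F589},
]

def wraparound_case():
    """Same rules with a client ISN of 0xFFFFFFFF: ISN + 1 wraps to 0 (constructed values)."""
    packets = [
        {"src": "a", "dst": "b", "flags": {"SYN"}, "seq": 0xFFFFFFFF, "ack": 0},
        {"src": "b", "dst": "a", "flags": {"SYN", "ACK"}, "seq": 1000, "ack": 0},
        {"src": "a", "dst": "b", "flags": {"ACK"}, "seq": 0, "ack": 1001},
    ]
    return validate_handshake(packets)

if __name__ == "__main__":
    isn_client, isn_server = validate_handshake(CAPTURED)
    print("client ISN %08X, server ISN %08X" % (isn_client, isn_server))
    print("wraparound case ISNs:", wraparound_case())
```

For the captured exchange the check passes and reports the two initial sequence numbers, 4D7EC1A8 and F159F588; feeding it the same three packets with the third acknowledgment number off by one raises the "must acknowledge the server's ISN + 1" error, which is the kind of mismatch worth looking for when a capture shows a connection that never reaches the data phase.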


(7) Optional

TCP uses a congestion control mechanism; in fact, TCP uses slow start when it begins sending data. Use the network monitor to observe TCP transmission and acknowledgments. What happens during slow start after each acknowledgment arrives? (Optional)
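What to expect from that observation, as an added example rather than part of the report: a small model of the congestion window following RFC 5681, where every acknowledgment during slow start adds one segment to cwnd (so cwnd doubles each round trip) and, once cwnd reaches ssthresh, congestion avoidance adds roughly one segment per round trip instead. The window sizes are in segments and the parameters are assumed values chosen for illustration; the function returns how many segments are sent in each round trip, which is the count you would read off the monitor.

```python
def simulate_rtts(rounds, ssthresh, rwnd, init_cwnd=1):
    """Segments sent per round trip with no loss, one ACK per segment.

    cwnd and ssthresh are in segments; rwnd is the receiver's advertised window,
    which caps what may be in flight regardless of cwnd.
    """
    cwnd = float(init_cwnd)
    sent = []
    for _ in range(rounds):
        n = int(min(cwnd, rwnd))          # segments the sender may put on the wire now
        sent.append(n)
        for _ in range(n):                # one acknowledgment comes back per segment
            if cwnd < ssthresh:
                cwnd += 1                 # slow start: +1 segment per ACK, doubling per RTT
            else:
                cwnd += 1.0 / cwnd        # congestion avoidance: about +1 segment per RTT
    return sent

def first_rtt_at_or_above(sent, threshold):
    """Index of the first round trip in which at least `threshold` segments were sent."""
    for i, n in enumerate(sent):
        if n >= threshold:
            return i
    return None

if __name__ == "__main__":
    trace = simulate_rtts(rounds=8, ssthresh=8, rwnd=64)
    print("segments per RTT:", trace)                 # 1, 2, 4, 8 then linear growth
    print("slow start ends at RTT", first_rtt_at_or_above(trace, 8))
    print("capped by a 4-segment receive window:", simulate_rtts(4, ssthresh=8, rwnd=4))
```

With ssthresh at 8 segments the trace reads 1, 2, 4, 8 for the first four round trips and then grows by at most one segment per round trip; with a receive window of only 4 segments the doubling stops at 4 even though cwnd keeps growing, which is the other reason a monitor may show a flat burst size in a capture.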


Before TCP knows the round-trip time, it must retransmit the segment used to open the connection. How long should TCP wait before resending this segment? How many times should TCP retransmit before declaring that it cannot open a connection? To find out, try to open a connection to a non-existent address and observe the TCP traffic with the network monitor. (Optional)


Try to use WinPcap to design and implement a simple packet monitoring and capture program that also analyzes the captured packets and displays the results on the screen. See the WinPcap documentation at http://winpcap.polito.it (optional homework).



(8) Attachment

http://down.51cto.com/data/991237
