Network protocol learning method, written by a senior

Source: Internet
Author: User
Tags: printable characters, rfc

Networking is something you learn by doing; it cannot be learned from books alone. At school I attended the Computer Network Architecture course taught by Professor Shi Meilin and Professor Zhang Gongzhong, used Tanenbaum's textbook and scored over 90 on the exam, yet I still could not explain clearly what the difference between TCP and UDP was: it was all rote learning. By graduation I had basically forgotten it, and after starting work it was like starting from scratch. When I went to work on Linux I had to learn Linux and networking from the ground up. For the programming side I mainly relied on Richard Stevens's books: APUE, UNP, TCP/IP Illustrated and so on. I also read a great many Linux books, all kinds of introductory Linux books on the market. I am used to reading in bookstores; I love reading but don't like buying books (sweat...). Then I went to various BBSs and forums, downloaded everything they had, read it and practised, and within about a month I was basically familiar with operating Linux.

When I started learning network protocols I also read books, but they left little impression; it was really hard to remember those things by rote. Then I found a good way: write a sniffer yourself, write a protocol analyzer yourself. First learn how to capture packets: read the tcpdump source, then read the libpcap source and find out what the NIC's promiscuous mode is. Soon you can capture packets from the NIC. The next step is to analyze the packets following TCP/IP Illustrated, from the Ethernet header, ARP/IP, ICMP/IGMP/TCP/UDP, HTTP/FTP/Telnet/SMTP and so on, bit by bit, one field at a time. Very soon I understood what this so-called TCP/IP was. In addition, to learn the TCP state transition table, I worked out the current state of both sides from the TCP flags of the captured packets.

At first the analysis could only start from the first party's SYN packet; later the TCP state of both sides could gradually be determined from the middle of a connection, for example from the handshake. Once the TCP state transitions were completely clear, it was easy to understand the stateful inspection principle of firewalls later on. To thoroughly grasp IP fragmentation during this analysis I also specifically pinged with large packets, captured them and reassembled them, and figured out how the fragment offset field of the IP header is used. After capturing packets I began to learn how to craft packets to "interfere" with "normal communication". I started by learning how to send a TCP RST packet to cut off a normal TCP connection. I learned how to calculate the IP header checksum and the TCP checksum, learned that the TCP checksum must also cover the IP pseudo-header, then how to calculate the sequence and acknowledgement numbers correctly, and from that that the SYN and FIN flags each count as one sequence number. The most important thing was to understand what network byte order and host byte order are; by now ntohs()/htons() handling has become an instinct when programming. After learning to cut TCP with RST, you can directly send a page telling the client that it accessed forbidden content; that is the source of the rejection page the client sees when URL filtering was implemented later. Later I learned to send ARP messages advertising MAC addresses at random, which is the origin of the ARP attack program I wrote before. The protocol analyzer I wrote gradually improved: whatever could be parsed was parsed, and whatever could not was printed as hexadecimal plus printable characters. I came to understand the text protocols HTTP, FTP, POP3 and SMTP almost completely.

Non-text protocols such as DNS were also parsed according to their specifications; in fact DNS parsing forced me to use the recursion I had never liked to program with. As network applications multiplied, I parsed each protocol before putting it to use. Besides the various TCP and UDP protocols, I added parsing for BPDU, PPPoE, OSPF, ESP, AH, IKE and so on; now my protocol analyzer can parse hundreds of protocols. Normally I only need to capture packets; tcpdump is basically no longer used, since after all my own output is clearer, and if a protocol cannot be parsed I just add it. When learning a new protocol we usually capture packets first to see the basic data format, then read the RFC for the details. In the beginning I read books; later, to go deeper or keep up with the latest developments, I had to read RFCs. After all, things on the network change too fast; books only get you started and may soon be out of date. By now I have read hundreds of RFCs. I learned protocols through programming and analysis; it took me a little more than a month to work through them slowly, but I feel I gained a lot. Although several years have passed, I can still say offhand which fields the IP header and TCP header contain, and that is a great help in understanding the principles of various network attacks and therefore in preventing them. I think this method was very effective for me. If anyone thinks there is a more effective way to learn, please share it.
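The field-by-field walk described above (Ethernet header, then IPv4, then TCP, with ntohs()/ntohl() converting each multi-byte field from network to host order), as an added example in C; it is not the author's analyzer. The frame is constructed for the example (the MAC addresses, IP addresses, ports and sequence number are made up), and the parser is deliberately strict: every header is bounds-checked before it is read, which is the check a sniffer fed arbitrary traffic needs, and a fragment is reported rather than parsed, because only a reassembled datagram is guaranteed to carry the TCP header.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>   /* ntohs()/ntohl(): network byte order to host byte order */

/* Constructed frame for this example: Ethernet (14) + IPv4 (20) + TCP SYN (20). */
static const uint8_t sample_frame[54] = {
    /* Ethernet: dst MAC, src MAC, EtherType 0x0800 (IPv4) */
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0x00,
    /* IPv4: ver/IHL, TOS, total length 40, id 0x1234, flags+offset 0x4000 (DF),
       TTL 64, protocol 6 (TCP), checksum (not verified here), 192.168.1.10 -> 10.0.0.5 */
    0x45,0x00, 0x00,0x28, 0x12,0x34, 0x40,0x00, 0x40,0x06, 0x00,0x00,
    0xc0,0xa8,0x01,0x0a, 0x0a,0x00,0x00,0x05,
    /* TCP: sport 49153, dport 80, seq 0x12345678, ack 0, data offset 5, flags SYN,
       window 65535, checksum (not verified here), urgent pointer 0 */
    0xc0,0x01, 0x00,0x50, 0x12,0x34,0x56,0x78, 0x00,0x00,0x00,0x00,
    0x50,0x02, 0xff,0xff, 0x00,0x00, 0x00,0x00,
};

struct parsed {
    uint16_t ethertype;
    uint8_t  ip_ihl, ip_ttl, ip_proto;   /* IHL in 32-bit words */
    uint16_t ip_total_len, ip_id;
    int      ip_df, ip_mf;               /* Don't Fragment / More Fragments */
    uint16_t ip_frag_offset;             /* in 8-byte units */
    uint32_t ip_src, ip_dst;             /* host byte order */
    uint16_t tcp_sport, tcp_dport, tcp_window;
    uint32_t tcp_seq, tcp_ack;
    uint8_t  tcp_data_offset, tcp_flags; /* data offset in 32-bit words */
};

/* Unaligned big-endian reads; memcpy avoids the alignment and aliasing traps of casting. */
static uint16_t get16(const uint8_t *p) { uint16_t v; memcpy(&v, p, 2); return ntohs(v); }
static uint32_t get32(const uint8_t *p) { uint32_t v; memcpy(&v, p, 4); return ntohl(v); }

/* Returns 0 on success; -1 truncated, -2 not IPv4, -3 bad IP header, -4 not TCP,
   -5 a fragment (reassemble before looking for the TCP header). */
int parse_frame(const uint8_t *f, size_t len, struct parsed *out)
{
    if (len < 14) return -1;
    out->ethertype = get16(f + 12);
    if (out->ethertype != 0x0800) return -2;
    const uint8_t *ip = f + 14;
    if (len < 14 + 20) return -1;
    out->ip_ihl = ip[0] & 0x0f;
    if ((ip[0] >> 4) != 4 || out->ip_ihl < 5) return -3;
    size_t ip_hlen = (size_t)out->ip_ihl * 4;
    if (len < 14 + ip_hlen) return -1;
    out->ip_total_len = get16(ip + 2);
    out->ip_id = get16(ip + 4);
    uint16_t ff = get16(ip + 6);             /* 3 flag bits + 13-bit fragment offset */
    out->ip_df = (ff >> 14) & 1;
    out->ip_mf = (ff >> 13) & 1;
    out->ip_frag_offset = ff & 0x1fff;
    out->ip_ttl = ip[8];
    out->ip_proto = ip[9];
    out->ip_src = get32(ip + 12);
    out->ip_dst = get32(ip + 16);
    if (out->ip_proto != 6) return -4;
    if (out->ip_mf || out->ip_frag_offset) return -5;
    const uint8_t *tcp = ip + ip_hlen;
    if (len < 14 + ip_hlen + 20) return -1;
    out->tcp_sport = get16(tcp);
    out->tcp_dport = get16(tcp + 2);
    out->tcp_seq = get32(tcp + 4);
    out->tcp_ack = get32(tcp + 8);
    out->tcp_data_offset = tcp[12] >> 4;
    out->tcp_flags = tcp[13];
    out->tcp_window = get16(tcp + 14);
    return 0;
}

/* Render the TCP flag byte as tcpdump-style letters into buf (at least 9 bytes). */
void tcp_flags_str(uint8_t flags, char *buf)
{
    static const char names[] = "FSRPAUEC";   /* bit 0 = FIN ... bit 6 = ECE, bit 7 = CWR */
    int n = 0;
    for (int i = 0; i < 8; i++)
        if (flags & (1u << i)) buf[n++] = names[i];
    buf[n] = '\0';
}

int main(void)
{
    struct parsed p;
    char fl[9];
    int rc = parse_frame(sample_frame, sizeof sample_frame, &p);
    if (rc != 0) { printf("not parsed (rc=%d)\n", rc); return 1; }
    tcp_flags_str(p.tcp_flags, fl);
    printf("%u.%u.%u.%u:%u > %u.%u.%u.%u:%u [%s] seq %u win %u ttl %u id 0x%04x\n",
           p.ip_src >> 24, (p.ip_src >> 16) & 255, (p.ip_src >> 8) & 255, p.ip_src & 255, p.tcp_sport,
           p.ip_dst >> 24, (p.ip_dst >> 16) & 255, (p.ip_dst >> 8) & 255, p.ip_dst & 255, p.tcp_dport,
           fl, p.tcp_seq, p.tcp_window, p.ip_ttl, p.ip_id);
    return 0;
}
```

In a real sniffer the same function is called from the libpcap callback with the captured length as `len`; the negative return codes are where an analyzer falls back to the hex dump instead of reading past the buffer.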
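The checksum and sequence-number arithmetic this paragraph describes, as an added example in C (not the author's code): the IPv4 header checksum, the TCP checksum that must also cover the 12-byte pseudo-header (source address, destination address, a zero byte, protocol 6, TCP length), and the rule that SYN and FIN each occupy one sequence number. Both headers are constructed for the example; the checksum values stored in them were worked out by hand with the same one's-complement algorithm. From the defender's side, verifying these is the first thing an analyzer or IDS does before trusting what a captured packet claims.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed IPv4 header (20 bytes, no options). Its checksum field holds 0xb861,
   the value the algorithm below yields for the other 18 bytes. */
static const uint8_t ip_hdr[20] = {
    0x45,0x00, 0x00,0x73, 0x00,0x00, 0x40,0x00, 0x40,0x11, 0xb8,0x61,
    0xc0,0xa8,0x00,0x01, 0xc0,0xa8,0x00,0xc7,
};

/* Constructed TCP SYN segment (20-byte header, no payload) carried from 192.168.1.10
   to 10.0.0.5; its checksum field holds 0xbb2d, computed over pseudo-header + segment. */
static const uint8_t tcp_src_ip[4] = {192,168,1,10};
static const uint8_t tcp_dst_ip[4] = {10,0,0,5};
static const uint8_t tcp_seg[20] = {
    0xc0,0x01, 0x00,0x50, 0x12,0x34,0x56,0x78, 0x00,0x00,0x00,0x00,
    0x50,0x02, 0xff,0xff, 0xbb,0x2d, 0x00,0x00,
};

static uint16_t get16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Accumulate 16-bit big-endian words byte-wise, so host endianness does not matter.
   Every region passed in must start at an even offset of the logical data stream. */
static uint32_t sum16(uint32_t acc, const uint8_t *p, size_t len)
{
    for (; len > 1; p += 2, len -= 2) acc += ((uint32_t)p[0] << 8) | p[1];
    if (len) acc += (uint32_t)p[0] << 8;       /* odd trailing byte is padded with a zero */
    return acc;
}

/* End-around carry, then one's complement: the Internet checksum of RFC 1071. */
static uint16_t fold(uint32_t acc)
{
    while (acc >> 16) acc = (acc & 0xffff) + (acc >> 16);
    return (uint16_t)~acc;
}

/* IPv4 header checksum: the header only, with the checksum field (bytes 10-11) taken as zero. */
uint16_t ipv4_checksum(const uint8_t *hdr, size_t hlen)
{
    uint32_t acc = sum16(0, hdr, 10);
    acc = sum16(acc, hdr + 12, hlen - 12);
    return fold(acc);
}

int ipv4_checksum_ok(const uint8_t *hdr, size_t hlen)
{
    return hlen >= 20 && ipv4_checksum(hdr, hlen) == get16(hdr + 10);
}

/* TCP checksum: the 12-byte pseudo-header (src, dst, zero, protocol 6, TCP length)
   followed by the whole segment with its checksum field (bytes 16-17) taken as zero. */
uint16_t tcp_checksum(const uint8_t src[4], const uint8_t dst[4], const uint8_t *tcp, size_t tcp_len)
{
    uint8_t pseudo[12];
    memcpy(pseudo, src, 4);
    memcpy(pseudo + 4, dst, 4);
    pseudo[8] = 0;
    pseudo[9] = 6;
    pseudo[10] = (uint8_t)(tcp_len >> 8);
    pseudo[11] = (uint8_t)tcp_len;
    uint32_t acc = sum16(0, pseudo, 12);
    acc = sum16(acc, tcp, 16);
    acc = sum16(acc, tcp + 18, tcp_len - 18);
    return fold(acc);
}

int tcp_checksum_ok(const uint8_t src[4], const uint8_t dst[4], const uint8_t *tcp, size_t tcp_len)
{
    return tcp_len >= 20 && tcp_checksum(src, dst, tcp, tcp_len) == get16(tcp + 16);
}

/* Sequence number the peer should acknowledge next: payload bytes plus one each for
   SYN and FIN, which occupy a sequence number although they carry no data. Wraps mod 2^32. */
uint32_t next_seq(uint32_t seq, size_t payload_len, uint8_t flags)
{
    return seq + (uint32_t)payload_len + ((flags & 0x02) ? 1 : 0) + ((flags & 0x01) ? 1 : 0);
}

int main(void)
{
    printf("IPv4 header checksum: 0x%04x (%s)\n", ipv4_checksum(ip_hdr, 20),
           ipv4_checksum_ok(ip_hdr, 20) ? "ok" : "BAD");
    printf("TCP checksum:         0x%04x (%s)\n", tcp_checksum(tcp_src_ip, tcp_dst_ip, tcp_seg, 20),
           tcp_checksum_ok(tcp_src_ip, tcp_dst_ip, tcp_seg, 20) ? "ok" : "BAD");
    printf("SYN at seq 0x%08x is acknowledged with 0x%08x\n", 0x12345678U, next_seq(0x12345678U, 0, 0x02));
    return 0;
}
```

A segment whose checksum does not verify should be dropped from state tracking rather than used to update the connection's state: the kernel on the receiving host will discard it too, so acting on it would put the analyzer's view out of step with the endpoints.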
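DNS name decoding with the recursion the paragraph mentions, plus the hex-and-printable fallback for anything the analyzer cannot parse, as an added example in C (not the author's analyzer). The message is constructed: one question and two A answers whose owner names use RFC 1035 compression pointers, with addresses from the 192.0.2.0/24 documentation range. The depth limit and the backwards-only pointer rule are what keep a recursive decoder from looping on a malformed message, and every length is checked against the message size before it is read.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed DNS response (not a real capture): id 0xabcd, standard response,
   one question (www.example.com A) and two A answers. Both answer names use
   compression: c0 0c points to offset 12 ("www.example.com"); "mail" + c0 10
   points to offset 16 ("example.com"). */
static const uint8_t dns_msg[] = {
    0xab,0xcd, 0x81,0x80, 0x00,0x01, 0x00,0x02, 0x00,0x00, 0x00,0x00,   /* header */
    3,'w','w','w', 7,'e','x','a','m','p','l','e', 3,'c','o','m', 0,      /* qname @12 */
    0x00,0x01, 0x00,0x01,                                                 /* A, IN */
    0xc0,0x0c, 0x00,0x01, 0x00,0x01, 0x00,0x00,0x0e,0x10, 0x00,0x04, 192,0,2,1,
    4,'m','a','i','l', 0xc0,0x10, 0x00,0x01, 0x00,0x01, 0x00,0x00,0x0e,0x10, 0x00,0x04, 192,0,2,2,
};

static uint16_t get16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t get32(const uint8_t *p) { return ((uint32_t)get16(p) << 16) | get16(p + 2); }

/* Decode the name at offset off into dotted form. Returns the number of bytes the
   name occupies at its original position (a pointer counts as 2), or -1 if malformed.
   Pointers are followed recursively; the depth limit and the rule that a pointer
   must point backwards stop pointer loops in hostile messages. */
int read_name(const uint8_t *msg, size_t len, size_t off, char *out, size_t outsz, int depth)
{
    size_t n = 0;
    int consumed = 0;
    if (depth > 8) return -1;
    for (;;) {
        if (off >= len) return -1;
        uint8_t l = msg[off];
        if ((l & 0xc0) == 0xc0) {                     /* 11xxxxxx: compression pointer */
            if (off + 1 >= len) return -1;
            size_t target = ((size_t)(l & 0x3f) << 8) | msg[off + 1];
            if (target >= off) return -1;             /* must refer to an earlier occurrence */
            if (n) { if (n + 1 >= outsz) return -1; out[n++] = '.'; }
            if (read_name(msg, len, target, out + n, outsz - n, depth + 1) < 0) return -1;
            return consumed + 2;
        }
        if (l & 0xc0) return -1;                      /* 01/10 label types: unsupported */
        off++;
        consumed += 1 + l;
        if (l == 0) { if (n >= outsz) return -1; out[n] = '\0'; return consumed; }
        if (off + l > len || n + l + 2 > outsz) return -1;
        if (n) out[n++] = '.';
        memcpy(out + n, msg + off, l);
        n += l;
        off += l;
    }
}

struct a_record { char name[256]; uint32_t ttl; uint8_t addr[4]; };

/* Walk the question and answer sections and collect A records.
   Returns the number collected, or -1 if any length check fails. */
int dns_collect_a(const uint8_t *msg, size_t len, struct a_record *out, int max)
{
    char name[256];
    int found = 0;
    if (len < 12) return -1;
    int qd = get16(msg + 4), an = get16(msg + 6);
    size_t off = 12;
    for (int i = 0; i < qd; i++) {                    /* question: name, qtype, qclass */
        int c = read_name(msg, len, off, name, sizeof name, 0);
        if (c < 0 || off + c + 4 > len) return -1;
        off += c + 4;
    }
    for (int i = 0; i < an; i++) {                    /* RR: name, type, class, ttl, rdlength, rdata */
        int c = read_name(msg, len, off, name, sizeof name, 0);
        if (c < 0 || off + c + 10 > len) return -1;
        off += c;
        uint16_t type = get16(msg + off), rdlen = get16(msg + off + 8);
        uint32_t ttl = get32(msg + off + 4);
        off += 10;
        if (off + rdlen > len) return -1;
        if (type == 1 && rdlen == 4 && found < max) {
            strcpy(out[found].name, name);
            out[found].ttl = ttl;
            memcpy(out[found].addr, msg + off, 4);
            found++;
        }
        off += rdlen;
    }
    return found;
}

/* Fallback for unparsed bytes: one row of up to 16 bytes as hex, then the printable
   ASCII view with '.' for the rest. out must hold at least 72 bytes. Returns chars written. */
int dump_row(const uint8_t *p, size_t n, char *out, size_t outsz)
{
    int w = 0;
    if (n > 16) n = 16;
    for (size_t i = 0; i < 16; i++)
        w += (i < n) ? snprintf(out + w, outsz - w, "%02x ", p[i]) : snprintf(out + w, outsz - w, "   ");
    w += snprintf(out + w, outsz - w, " |");
    for (size_t i = 0; i < n; i++)
        w += snprintf(out + w, outsz - w, "%c", (p[i] >= 0x20 && p[i] < 0x7f) ? p[i] : '.');
    w += snprintf(out + w, outsz - w, "|");
    return w;
}

int main(void)
{
    struct a_record rr[4];
    char row[96];
    int n = dns_collect_a(dns_msg, sizeof dns_msg, rr, 4);
    for (int i = 0; i < n; i++)
        printf("%s A %u.%u.%u.%u ttl %u\n", rr[i].name,
               rr[i].addr[0], rr[i].addr[1], rr[i].addr[2], rr[i].addr[3], rr[i].ttl);
    dump_row(dns_msg + 12, 16, row, sizeof row);
    puts(row);
    return 0;
}
```

The same `read_name` serves every record type whose RDATA contains names (CNAME, MX, NS, PTR), which is why the pointer checks sit in the name decoder rather than in the record walker.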
