Wireshark (II): Using Wireshark to observe basic network protocols

Source: Internet
Author: User

Source: EMC Chinese support forum

TCP:

TCP establishes a connection through a three-way handshake. The three packets exchanged in this process are SYN, SYN/ACK, and ACK.

The first step is to find the first SYN packet sent from the PC to the web server; it marks the start of the TCP three-way handshake.

If you cannot find the first SYN packet, select Edit -> Find Packet. Choose Display filter and type tcp.flags; a list of flag fields is shown for selection. Pick the appropriate one, tcp.flags.syn, and append == 1 so that the filter reads tcp.flags.syn == 1. Click Find, and the first SYN packet in the trace is highlighted.

Note: Find Packet can also search for hexadecimal byte sequences (for example, a malware signature) or for strings (for example, protocol commands) in a capture file.

A quick way to isolate one TCP stream is to right-click a packet in the Packet List panel and select Follow TCP Stream. This creates a display filter that shows only the packets of that TCP session.

A stream window opens. By default it shows the ASCII content of the TCP session, with client messages in red and server messages in blue.

This view is very helpful for reading protocol payloads such as HTTP, SMTP, and FTP.

Switch to Hex Dump mode to view the payload in hexadecimal, as shown in the figure:

Close the pop-up window; Wireshark now displays only the selected TCP stream, and the three-way handshake is easy to identify.

Note: Wireshark automatically creates a display filter for this TCP session. In this example: (ip.addr eq 192.168.1.2 and ip.addr eq 209.85.227.19) and (tcp.port eq 80 and tcp.port eq 52336)

SYN packet:

The figure shows that packet 5 is the SYN packet sent from the client to the server. It is used to synchronize with the server so that the data exchanged between client and server is delivered in order. The TCP header of the SYN packet carries a 32-bit sequence number. The packet details pane at the bottom shows useful fields such as the packet type and the sequence number.

SYN/ACK packets:

Packet 7 is the server's response. When the server receives the client's SYN, it reads the packet's sequence number, adds 1 to it, and uses the result as the acknowledgment number of its SYN/ACK. This tells the client that the server received the SYN, and the client now knows that the server can accept communication.

ACK packet:

Packet 8 is the acknowledgment sent from the client to the server, telling the server that the client has received the SYN/ACK; as in the previous step, the client adds 1 to the server's sequence number to form the acknowledgment number. Once this packet is sent, client and server enter the ESTABLISHED state and the three-way handshake is complete.

ARP & ICMP:

Start a Wireshark capture. Open a Windows command prompt and use the ping command to check connectivity to a neighbouring machine.

The resulting Wireshark capture is shown in the figure.

ARP and ICMP packets can be hard to pick out of a busy capture, so create a display filter that shows only ARP or ICMP packets (arp or icmp).

ARP packets:

Address Resolution Protocol (ARP) is the TCP/IP protocol that obtains a physical (MAC) address from an IP address. The host broadcasts an ARP request to all hosts on the network, receives the reply, learns the physical address of the target IP address, and saves the IP address and hardware address pair in its local ARP cache; the next request for that address is answered directly from the cache.

First, the PC sends an ARP request to determine the MAC address for IP address 192.168.1.1, and the neighbouring system returns an ARP reply. After the ARP exchange, the ICMP messages appear.

ICMP packets:

Internet Control Message Protocol (ICMP) is used to send control messages in TCP/IP networks. It provides feedback about problems that may occur in the communication environment, so that an administrator can diagnose them and take appropriate measures.

The PC sends an echo request and receives an echo reply, as shown in the figure. The ping packet is marked as type 8 (echo request) and the reply packet as type 0 (echo reply).
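To make the ARP/ICMP sequence concrete, the following script is an added example, not code from the original article. It dissects the four frames a single ping produces (ARP request, ARP reply, ICMP echo request, ICMP echo reply), verifies the ICMP checksum, and learns the ARP cache from the reply as the host does. The frames are constructed inline: the MAC addresses are made up, while 192.168.1.1 and 192.168.1.2 follow the article.

```python
"""Dissect the ARP request/reply and ICMP echo request/reply that one ping
produces, the sequence the article describes, and learn the ARP cache from
the reply as the host does. Added example, not from the original article:
the four frames are constructed (MAC addresses are made up; 192.168.1.1 and
192.168.1.2 follow the article), so the script runs offline.
"""
import struct

ETH_ARP, ETH_IPV4, IP_ICMP = 0x0806, 0x0800, 1
ICMP_ECHO_REPLY, ICMP_ECHO_REQUEST = 0, 8   # type 0 / type 8 from the article
ARP_REQUEST, ARP_REPLY = 1, 2

def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)

def ip_str(b):
    return ".".join(str(x) for x in b)

def inet_checksum(data):
    """RFC 1071 one's-complement checksum used by IPv4 and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def parse_arp(body):
    _htype, _ptype, _hlen, _plen, op = struct.unpack("!HHBBH", body[:8])
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", body[8:28])
    return {"proto": "ARP", "op": "request" if op == ARP_REQUEST else "reply",
            "sender_mac": mac_str(sha), "sender_ip": ip_str(spa),
            "target_mac": mac_str(tha), "target_ip": ip_str(tpa)}

def parse_icmp(body):
    icmp_type, _code, _csum, ident, seq = struct.unpack("!BBHHH", body[:8])
    names = {ICMP_ECHO_REQUEST: "echo request", ICMP_ECHO_REPLY: "echo reply"}
    # A valid ICMP message, checksum field included, sums to zero.
    return {"proto": "ICMP", "type": icmp_type, "name": names.get(icmp_type, "other"),
            "id": ident, "seq": seq, "checksum_ok": inet_checksum(body) == 0}

def dissect_frame(frame):
    """Ethernet II -> ARP, or Ethernet II -> IPv4 -> ICMP; other traffic is labelled only."""
    _dst, _src, eth_type = struct.unpack("!6s6sH", frame[:14])
    if eth_type == ETH_ARP:
        return parse_arp(frame[14:])
    if eth_type == ETH_IPV4:
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4                      # header length from IHL
        total_len = struct.unpack("!H", ip[2:4])[0]
        src, dst = ip_str(ip[12:16]), ip_str(ip[16:20])
        if ip[9] == IP_ICMP:                          # protocol field
            pkt = parse_icmp(ip[ihl:total_len])
            pkt.update(src=src, dst=dst)
            return pkt
        return {"proto": "IPv4", "src": src, "dst": dst}
    return {"proto": f"unknown 0x{eth_type:04x}"}

# Constructed addresses: the MACs are made up, the IPs follow the article.
PC_MAC, GW_MAC = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")
PC_IP, GW_IP = bytes([192, 168, 1, 2]), bytes([192, 168, 1, 1])

def build_arp(op, sha, spa, tha, tpa):
    eth_dst = b"\xff" * 6 if op == ARP_REQUEST else tha   # requests are broadcast
    eth = struct.pack("!6s6sH", eth_dst, sha, ETH_ARP)
    return eth + struct.pack("!HHBBH6s4s6s4s", 1, ETH_IPV4, 6, 4, op, sha, spa, tha, tpa)

def build_ping(icmp_type, src_mac, dst_mac, src_ip, dst_ip, ident=1, seq=1):
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq) + b"abcdefgh"
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, IP_ICMP, 0, src_ip, dst_ip)
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    return struct.pack("!6s6sH", dst_mac, src_mac, ETH_IPV4) + ip + icmp

PING_CAPTURE = [   # constructed frames in the order the article's capture shows them
    build_arp(ARP_REQUEST, PC_MAC, PC_IP, b"\x00" * 6, GW_IP),
    build_arp(ARP_REPLY, GW_MAC, GW_IP, PC_MAC, PC_IP),
    build_ping(ICMP_ECHO_REQUEST, PC_MAC, GW_MAC, PC_IP, GW_IP),
    build_ping(ICMP_ECHO_REPLY, GW_MAC, PC_MAC, GW_IP, PC_IP),
]

def summarize(frames):
    """Dissect every frame and learn the ARP cache from replies as the host would."""
    arp_cache, packets = {}, []
    for frame in frames:
        pkt = dissect_frame(frame)
        if pkt["proto"] == "ARP" and pkt["op"] == "reply":
            arp_cache[pkt["sender_ip"]] = pkt["sender_mac"]
        packets.append(pkt)
    return packets, arp_cache
```

Calling summarize(PING_CAPTURE) returns the four dissected packets in order and a one-entry ARP cache mapping 192.168.1.1 to the replying MAC; corrupting a byte of an ICMP frame makes checksum_ok False, which is the same check Wireshark performs when it flags a bad ICMP checksum.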

If you ping the same system again after deleting the ARP cache on the PC with the arp command shown below, a new ARP request is generated:

C:\> ping 192.168.1.1

... ping output ...

C:\> arp -d *

HTTP:

HTTP is currently the most widely used application protocol, because many applications are web-based: they are easy to implement and deploy, and need no additional client software beyond a browser. The HTTP exchange starts when the client asks the server to transfer a resource.

The visible packet contains a GET request. After HTTP sends the initial GET, TCP carries the rest of the data transfer: HTTP requests data from the server, and the server uses TCP to send it back to the client. Before sending the data, the server sends an HTTP 200 OK response to tell the client that the request was valid. If the client is not permitted to access the requested resource, the server returns 403 Forbidden; if the server cannot find the requested resource, it returns 404 Not Found.

When there is no more data, the connection is terminated with an exchange that mirrors the SYN and ACK packets of the three-way handshake, this time using FIN and ACK. When the server has finished transmitting, it sends a FIN/ACK to the client to signal that it is closing its side of the connection. The client replies with an ACK whose acknowledgment number is the sequence number of the FIN/ACK plus 1; this terminates the server-to-client direction. To close the connection fully, the client must initiate the same exchange toward the server: a FIN/ACK must be sent and acknowledged by both the client and the server.
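The handshake described in the TCP section and the FIN/ACK teardown described here share the same sequence-number arithmetic, so the following script is an added example covering both; it is not code from the original article. It parses raw TCP segments, follows one session the way Follow TCP Stream does (SYN, SYN/ACK acknowledging ISN + 1, ACK; then GET and the HTTP status line; then each FIN acknowledged with FIN sequence + 1), and rejects a SYN/ACK whose acknowledgment number is wrong. The segments are constructed inline: the initial sequence numbers and HTTP bytes are made up, while ports 80 and 52336 follow the article's display filter.

```python
"""Follow one TCP session as the article does: SYN / SYN-ACK / ACK handshake,
the HTTP request and status line, and the FIN/ACK teardown, with the
sequence and acknowledgment arithmetic checked at each step. Added example,
not code from the original article: the segments are constructed (ISNs and
HTTP bytes are made up; ports 80 and 52336 follow the article's filter).
"""
import struct

FIN, SYN, ACK = 0x01, 0x02, 0x10
MASK = 0xFFFFFFFF  # sequence numbers are 32-bit and wrap

def parse_tcp(segment):
    """Split a raw TCP segment into header fields and payload."""
    sport, dport, seq, ack, off_flags, _win = struct.unpack("!HHIIHH", segment[:16])
    data_off = (off_flags >> 12) * 4          # header length in bytes
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": off_flags & 0x1FF, "payload": segment[data_off:]}

def flag_name(flags):
    names = [n for n, bit in (("FIN", FIN), ("SYN", SYN), ("ACK", ACK)) if flags & bit]
    return "/".join(names) or "none"

def build_tcp(sport, dport, seq, ack, flags, payload=b""):
    """Constructed 20-byte TCP header (no options; checksum left at zero)."""
    hdr = struct.pack("!HHIIHHHH", sport, dport, seq & MASK, ack & MASK,
                      (5 << 12) | flags, 65535, 0, 0)
    return hdr + payload

class TcpStream:
    """Tracks one client/server conversation, like Wireshark's Follow TCP Stream."""

    def __init__(self, client_port):
        self.client_port, self.state = client_port, "CLOSED"
        self.isn, self.fin_seq = {}, {}            # ISN per side; seq of each side's FIN
        self.fin_acked, self.events = set(), []    # FINs acknowledged; (sender, flags, note)

    @staticmethod
    def _expect(got, want, what):
        if got != (want & MASK):
            raise ValueError(f"{what} acknowledges {got}, expected {want & MASK}")

    @staticmethod
    def _http(who, payload):
        """First line of the payload, as the stream window shows it."""
        parts = payload.split(b"\r\n", 1)[0].decode("ascii", "replace").split(" ")
        if who == "client" and parts[0] in ("GET", "HEAD", "POST"):
            return "request: " + " ".join(parts)
        if who == "server" and parts[0].startswith("HTTP/") and len(parts) >= 2:
            return "status: " + parts[1]           # 200, 403, 404, ...
        return ""

    def feed(self, segment):
        p = parse_tcp(segment)
        who = "client" if p["sport"] == self.client_port else "server"
        other = "server" if who == "client" else "client"
        f, note = p["flags"], ""
        # Handshake: SYN, then SYN/ACK acknowledging ISN + 1, then ACK doing the same.
        if f & SYN and not f & ACK and self.state == "CLOSED":
            self.isn[who] = p["seq"]
            self.state = "SYN_SENT"
        elif f & SYN and f & ACK and self.state == "SYN_SENT":
            self._expect(p["ack"], self.isn[other] + 1, "SYN/ACK")
            self.isn[who] = p["seq"]
            self.state = "SYN_RECEIVED"
        elif f & ACK and self.state == "SYN_RECEIVED":
            self._expect(p["ack"], self.isn[other] + 1, "handshake ACK")
            self.state = "ESTABLISHED"
        # Teardown: a FIN takes one sequence number, so its ACK carries FIN seq + 1.
        if f & FIN:
            self.fin_seq[who] = p["seq"] + len(p["payload"])
        if f & ACK and other in self.fin_seq and p["ack"] == (self.fin_seq[other] + 1) & MASK:
            self.fin_acked.add(other)
            if self.fin_acked == {"client", "server"}:   # both directions closed
                self.state = "CLOSED"
        if self.state == "ESTABLISHED" and p["payload"]:
            note = self._http(who, p["payload"])
        self.events.append((who, flag_name(f), note))
        return self.state

def build_session(client_port=52336, server_port=80, c_isn=1000, s_isn=5000):
    """Constructed nine-segment session: handshake, GET, 200 OK, teardown."""
    req = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"
    resp = b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"
    c, s, L, M = client_port, server_port, len(req), len(resp)
    return [
        build_tcp(c, s, c_isn, 0, SYN),                            # 1 client SYN
        build_tcp(s, c, s_isn, c_isn + 1, SYN | ACK),              # 2 server SYN/ACK
        build_tcp(c, s, c_isn + 1, s_isn + 1, ACK),                # 3 client ACK
        build_tcp(c, s, c_isn + 1, s_isn + 1, ACK, req),           # 4 HTTP GET
        build_tcp(s, c, s_isn + 1, c_isn + 1 + L, ACK, resp),      # 5 HTTP 200 OK
        build_tcp(s, c, s_isn + 1 + M, c_isn + 1 + L, FIN | ACK),  # 6 server FIN/ACK
        build_tcp(c, s, c_isn + 1 + L, s_isn + 2 + M, ACK),        # 7 client ACK (FIN seq + 1)
        build_tcp(c, s, c_isn + 1 + L, s_isn + 2 + M, FIN | ACK),  # 8 client FIN/ACK
        build_tcp(s, c, s_isn + 2 + M, c_isn + 2 + L, ACK),        # 9 server ACK (FIN seq + 1)
    ]

def follow_stream(segments, client_port=52336):
    """Return the state after each segment and the per-segment event list."""
    stream = TcpStream(client_port)
    states = [stream.feed(seg) for seg in segments]
    return states, stream.events
```

follow_stream(build_session()) yields the states SYN_SENT, SYN_RECEIVED, ESTABLISHED for packets 1 to 3, stays ESTABLISHED through the GET, the 200 OK and the server's FIN/ACK, and reaches CLOSED only after the ninth segment acknowledges the client's FIN, which is the two-sided teardown the text describes. The acknowledgment checks are deliberately strict: a SYN/ACK that does not carry the client ISN plus 1 raises ValueError instead of being accepted into the stream.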
