Reference: Http://ctf.idf.cn/index.php?g=&m=article&a=index&id=10, which lists a large number of related articles.
Each communicating endpoint in the network is identified by a socket triple (three-tuple). A triple is often called a half-association.
A triple consists of the protocol family (address family), the network address, and the transport-layer port (for IPv4). A connection between two communicating parties is identified by a network five-tuple, formed by combining the local triples of the two sides, which must belong to the same protocol family. The five-tuple is often called a full association. It consists of the protocol family (address family), the local network address, the local port, the remote network address, and the remote port. Sockets come in several types, most commonly SOCK_STREAM and SOCK_DGRAM. SOCK_STREAM is a connection-oriented socket that uses TCP: the two parties establish a virtual connection through the three-way handshake, and communication is reliable. SOCK_DGRAM is a connectionless socket that uses UDP: the two parties exchange datagrams, and reliable delivery is not guaranteed. This project uses the SOCK_STREAM type.
Five-tuple format (protocol, local IP, local port, remote IP, remote port) and how it is established
A server generally has two functions: listening and processing.
While listening, the protocol, local IP and local port (the listening port) are fixed. When a client's message arrives, the remote IP is the source IP address of the message and the remote port is its source port, so the five-tuple is determined.
The server then enters the processing phase and needs to open a new thread to interact with the client, which of course requires a new five-tuple: the protocol, local IP, remote IP and remote port are taken from the five-tuple determined in the listening stage, while the local port is randomly selected above 1024 (the listening port is not used for this, so it remains free to listen for requests from other clients).
The client does the opposite: it uses a random local port when sending the request, and when receiving the response it takes the server's source port as the remote port.
1. Create a socket: int socket(int family, int type, int protocol); The socket function establishes the protocol-family part of the triple.
2. Bind the socket: int bind(int sockfd, const struct sockaddr *saddr, socklen_t addrlen); The bind function establishes the local IP address and local port number parts of the triple.
3. Listen: int listen(int sockfd, int backlog);
4. Accept a connection: int accept(int sockfd, struct sockaddr *client_addr, socklen_t *addrlen);
5. Connect to the server: int connect(int sockfd, const struct sockaddr *serv_addr, socklen_t addrlen); After connect completes, the two triples of the communicating sides form the five-tuple and the connection is established.
pcap file format analysis
The pcap file format is a commonly used format for storing captured packets; mainstream capture software such as Wireshark and tcpdump supports it.
The specific format is:
pcap file header + {
    packet header +
    packet data }+ ...
II. File header structure: 24 bytes
struct pcap_file_header {
    DWORD magic;         // magic number, currently "D4 C3 B2 A1"
    WORD  version_major; // major version number
    WORD  version_minor; // minor version number
    DWORD thiszone;      // time zone offset
    DWORD sigfigs;       // timestamp accuracy
    DWORD snaplen;       // maximum packet length
    DWORD linktype;      // link-layer type, 1 for Ethernet
};
III. Packet header structure: 16 bytes
struct pcap_pkthdr {
    struct timeval ts; // timestamp
    DWORD caplen;      // captured packet length (bytes saved in the file)
    DWORD len;         // actual packet length on the wire
};
struct timeval {
    DWORD gmttime;   // seconds
    DWORD microtime; // microseconds
};
The packet data is the packet as transmitted on the network; its exact format depends on the network protocols used. For example, if a packet uses Ethernet at the link layer, IP at the network layer and TCP at the transport layer, its content must be parsed layer by layer. Parse the pcap file by comparing each layer against the corresponding protocol specification.
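To tie the pcap layout above to the five-tuple described earlier, here is an added example (not code from the original article) that walks the file header, packet header, Ethernet, IPv4 and TCP/UDP layers of a small in-memory pcap and extracts protocol, source IP, source port, destination IP and destination port. The struct and function names and the constructed sample capture are this example's own assumptions; every offset is bounds-checked before it is read so that a truncated or malformed file is rejected instead of over-read.

```c
#include <stddef.h>
#include <stdint.h>

/* Five-tuple pulled from one captured frame (struct name is this example's own). */
struct five_tuple { uint8_t proto; uint32_t src_ip, dst_ip; uint16_t src_port, dst_port; };

/* pcap headers use the writer's byte order; magic D4 C3 B2 A1 on disk means little-endian. */
static uint32_t le32(const uint8_t *p) { return p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24; }
/* Ethernet, IP and TCP/UDP fields are big-endian (network byte order). */
static uint16_t be16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }
static uint32_t be32(const uint8_t *p) { return (uint32_t)p[0] << 24 | p[1] << 16 | p[2] << 8 | p[3]; }

/* Parse the first packet of an in-memory pcap: 24-byte file header, 16-byte packet header,
 * then Ethernet (linktype 1) / IPv4 / TCP or UDP. Each read is checked against the buffer
 * size and against caplen first. Returns 1 and fills *out on success, 0 otherwise. */
int pcap_first_five_tuple(const uint8_t *buf, size_t n, struct five_tuple *out) {
    if (n < 40 || le32(buf) != 0xa1b2c3d4 || le32(buf + 20) != 1) return 0;
    uint32_t caplen = le32(buf + 32);          /* pcap_pkthdr.caplen: bytes actually saved */
    const uint8_t *pkt = buf + 40;
    if (caplen > n - 40 || caplen < 14 + 20) return 0;
    if (be16(pkt + 12) != 0x0800) return 0;     /* EtherType must be IPv4 */
    const uint8_t *ip = pkt + 14;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;    /* IP header length in bytes, from the IHL field */
    if ((ip[0] >> 4) != 4 || ihl < 20 || 14 + ihl + 4 > caplen) return 0;
    out->proto = ip[9];
    if (out->proto != 6 && out->proto != 17) return 0;   /* only TCP/UDP carry ports */
    out->src_ip = be32(ip + 12);  out->dst_ip = be32(ip + 16);
    out->src_port = be16(ip + ihl);  out->dst_port = be16(ip + ihl + 2);
    return 1;
}

/* Constructed sample: a pcap holding one 54-byte Ethernet/IPv4/TCP SYN, 10.0.0.1:54321 -> 10.0.0.2:80. */
const uint8_t SAMPLE_PCAP[] = {
    0xd4,0xc3,0xb2,0xa1, 0x02,0x00, 0x04,0x00, 0,0,0,0, 0,0,0,0, 0xff,0xff,0,0, 0x01,0,0,0, /* file header */
    0,0,0,0, 0,0,0,0, 0x36,0,0,0, 0x36,0,0,0,                                          /* pkthdr: caplen=len=54 */
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0x00,          /* Ethernet, type IPv4 */
    0x45,0x00,0x00,0x28, 0x00,0x01,0x00,0x00, 0x40,0x06,0x00,0x00, 10,0,0,1, 10,0,0,2, /* IPv4, proto 6 = TCP */
    0xd4,0x31, 0x00,0x50, 0,0,0,1, 0,0,0,0, 0x50,0x02, 0xff,0xff, 0,0, 0,0              /* TCP ports, SYN */
};
const size_t SAMPLE_PCAP_LEN = sizeof SAMPLE_PCAP;
```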
Packet capture analysis: extracting the five-tuple