how the ARP protocol works
The ARP protocol does the following: when a source host knows the destination host's IP address but not its MAC address, it uses ARP, a broadcast protocol, to obtain the other side's MAC address. The hardware address is needed because communication between hosts on the link is carried out using MAC addresses.
This is the ARP message format in Ethernet.
(1) Ethernet destination address: a six-byte hardware address. For example: 1f 3c D1 B6 7d.
(2) Ethernet source address: the hardware address of the host that sends the ARP packet; same format as the destination address.
(3) Ethernet frame type: indicates the upper-layer protocol; for ARP it is 0x0806.
These three parts form the Ethernet frame header at the data link layer. The end of the Ethernet frame also carries a field (not shown in the figure):
(4) Frame check sequence: used for error checking of the data in the frame.
In the ARP frame structure as shown in the figure:
Hardware type: for Ethernet this is 0x0001.
Protocol type: usually 0x0800, the type code for IP, since ARP resolves IP addresses.
Hardware address length: the length of a MAC address, 6 bytes.
Protocol address length: for IPv4 this value is 4 bytes.
OP is the operation code: 1 for a request packet, 2 for a reply packet.
In what follows the source host is A and the destination host is B. The layout is the same for the request and the reply; only the field values differ.
If it is a request package:
The destination MAC address in the Ethernet header is FF:FF:FF:FF:FF:FF, which marks the frame as a broadcast.
The destination (target) host MAC address field in the ARP payload is 00:00:00:00:00:00 (hexadecimal); it is only a placeholder, since the answer is not known yet.
OP operation field: 0001.
If it's a response package:
The destination MAC address in the Ethernet header is the MAC address of the source host A (the reply is unicast).
The sender MAC address field in the ARP payload is the MAC address of the destination host B, which is the answer A asked for.
OP operation field: 0002.
Reference: http://blog.sina.com.cn/s/blog_66a13c610100hqr6.html
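The request and reply described above, as an added example that is not part of the original page: a small Python builder and parser for the Ethernet + ARP frame layout (EtherType 0x0806, hardware type 1, protocol type 0x0800, 6/4 address lengths, OP 1 or 2). The host addresses used at the bottom are constructed sample values; `is_consistent` is a sanity check a defender would add, comparing the ARP sender MAC against the Ethernet source MAC.

```python
import struct

# Constants from the ARP/Ethernet frame layout described in the text.
ETHERTYPE_ARP = 0x0806
HTYPE_ETHERNET = 0x0001
PTYPE_IPV4 = 0x0800
ARP_REQUEST = 1
ARP_REPLY = 2
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
ZERO_MAC = "00:00:00:00:00:00"
FRAME_LEN = 14 + 28  # Ethernet header + ARP payload (the FCS is added by the NIC, not here)


def mac_to_bytes(mac):
    """'aa-bb-cc-dd-ee-ff' or 'aa:bb:cc:dd:ee:ff' -> 6 raw bytes."""
    return bytes.fromhex(mac.replace(":", "").replace("-", ""))


def bytes_to_mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def ip_to_bytes(ip):
    return bytes(int(octet) for octet in ip.split("."))


def bytes_to_ip(raw):
    return ".".join(str(b) for b in raw)


def build_arp_frame(op, sender_mac, sender_ip, target_mac, target_ip):
    """Build one Ethernet frame carrying an ARP request or reply.

    A request is broadcast and carries an all-zero target MAC (placeholder);
    a reply is unicast to the target MAC, i.e. the host that asked.
    """
    if op == ARP_REQUEST:
        eth_dst, target_mac = BROADCAST_MAC, ZERO_MAC
    elif op == ARP_REPLY:
        eth_dst = target_mac
    else:
        raise ValueError(f"unknown ARP op {op}")
    ethernet = mac_to_bytes(eth_dst) + mac_to_bytes(sender_mac) + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", HTYPE_ETHERNET, PTYPE_IPV4, 6, 4, op)
    arp += mac_to_bytes(sender_mac) + ip_to_bytes(sender_ip)
    arp += mac_to_bytes(target_mac) + ip_to_bytes(target_ip)
    return ethernet + arp


def parse_arp_frame(frame):
    """Decode a frame into its fields, rejecting anything that is not Ethernet/IPv4 ARP."""
    if len(frame) < FRAME_LEN:
        raise ValueError("frame too short for Ethernet + ARP")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_ARP:
        raise ValueError(f"not an ARP frame: ethertype 0x{ethertype:04x}")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (HTYPE_ETHERNET, PTYPE_IPV4, 6, 4):
        raise ValueError("unsupported hardware/protocol type or address lengths")
    if op not in (ARP_REQUEST, ARP_REPLY):
        raise ValueError(f"unknown ARP op {op}")
    return {
        "eth_dst": bytes_to_mac(frame[0:6]),
        "eth_src": bytes_to_mac(frame[6:12]),
        "op": op,
        "sender_mac": bytes_to_mac(frame[22:28]),
        "sender_ip": bytes_to_ip(frame[28:32]),
        "target_mac": bytes_to_mac(frame[32:38]),
        "target_ip": bytes_to_ip(frame[38:42]),
    }


def is_consistent(fields):
    """Defender's sanity check: the ARP sender MAC should match the Ethernet source MAC."""
    return fields["sender_mac"] == fields["eth_src"]


if __name__ == "__main__":
    # Constructed example: host A asks for C's MAC and C answers.
    request = build_arp_frame(ARP_REQUEST, "aa:aa:aa:aa:aa:aa", "192.168.10.1", ZERO_MAC, "192.168.10.3")
    reply = build_arp_frame(ARP_REPLY, "cc:cc:cc:cc:cc:cc", "192.168.10.3", "aa:aa:aa:aa:aa:aa", "192.168.10.1")
    print(parse_arp_frame(request))
    print(parse_arp_frame(reply), "consistent:", is_consistent(parse_arp_frame(reply)))
```

The parser deliberately refuses frames whose hardware/protocol type or address lengths differ from the Ethernet/IPv4 case described above, which is the only layout this code understands.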
A complete ARP spoofing
The address of A is: ip:192.168.10.1 MAC:AA-AA-AA-AA-AA-AA
The address of B is: ip:192.168.10.2 MAC:BB-BB-BB-BB-BB-BB
The address of C is: ip:192.168.10.3 MAC:CC-CC-CC-CC-CC-CC
A and C are communicating. B now sends A a forged ARP reply in which the sender IP address is 192.168.10.3 (C's IP) and the sender MAC address is BB-BB-BB-BB-BB-BB (C's real MAC is CC-CC-CC-CC-CC-CC; it has been forged here). When A receives the fake reply it updates its local ARP cache (A is spoofed), so B now passes as C. At the same time B sends an ARP reply to C in which the sender IP address is 192.168.10.1 (A's IP) and the sender MAC address is BB-BB-BB-BB-BB-BB (A's real MAC is AA-AA-AA-AA-AA-AA). When C receives this fake reply it also updates its ARP cache (C is spoofed too), so B now passes as A. Hosts A and C have both been spoofed by host B, and all traffic between A and C passes through B, which sees everything they exchange :). This is the typical ARP spoofing process.
Cutting off A's traffic to C, the principle: B sends A an ARP packet saying that C's address is 00:00:00:00:00:00 (a wrong address). A's packets for C are then sent to that bogus address and the communication is interrupted. Note that only the A-to-C direction is broken; C-to-A still works, so this is called one-way spoofing.
Cutting off C's traffic to A: the same principle as the first step, applied to C. A and C are then completely cut off from each other, i.e. A <--x--> C.
Sniffing the communication between A and C, the principle: B sends A an ARP packet saying that C's address is AA:BB:CC:DD:EE:FF (B's own address), i.e. B tells A "I am C". A's data for C is therefore delivered to B, which can do what it likes with it: drop it, which interrupts the communication, or forward it to C, which forms a loop with B sitting in the middle, monitoring the traffic between A and C. Local sniffing can then be done with Cain or any other capture tool.
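The defender's side of the scenario above, as an added example that is not part of the original page: a small arpwatch-style monitor in Python. It consumes a constructed list of observed ARP replies (the `SAMPLE_REPLIES` values mirror hosts A, B and C from the text, and the record format with `sender_ip`, `sender_mac` and `eth_src` is an assumption of this example) and raises an alert whenever an IP address suddenly maps to a different MAC, which is exactly the cache poisoning described above. It also reports any single MAC that has claimed several IP addresses, the signature of one host posing as both A and C.

```python
from collections import defaultdict

# Constructed sample of ARP replies seen on the wire. sender_* are the ARP payload
# fields, eth_src is the Ethernet source MAC. Genuine replies from C and A come
# first, then B claims both of their IPs, then C's real reply is seen again.
SAMPLE_REPLIES = [
    {"t": 0, "sender_ip": "192.168.10.3", "sender_mac": "CC-CC-CC-CC-CC-CC", "eth_src": "CC-CC-CC-CC-CC-CC"},
    {"t": 1, "sender_ip": "192.168.10.1", "sender_mac": "AA-AA-AA-AA-AA-AA", "eth_src": "AA-AA-AA-AA-AA-AA"},
    {"t": 5, "sender_ip": "192.168.10.3", "sender_mac": "BB-BB-BB-BB-BB-BB", "eth_src": "BB-BB-BB-BB-BB-BB"},
    {"t": 5, "sender_ip": "192.168.10.1", "sender_mac": "BB-BB-BB-BB-BB-BB", "eth_src": "BB-BB-BB-BB-BB-BB"},
    {"t": 9, "sender_ip": "192.168.10.3", "sender_mac": "CC-CC-CC-CC-CC-CC", "eth_src": "CC-CC-CC-CC-CC-CC"},
]


def norm(mac):
    """Normalise 'AA-BB-..' / 'aa:bb:..' spellings so comparisons are exact."""
    return mac.lower().replace("-", ":")


class ArpMonitor:
    """Tracks IP->MAC bindings seen in ARP replies and flags suspicious changes."""

    def __init__(self):
        self.binding = {}                  # ip -> MAC currently believed
        self.macs_for_ip = defaultdict(set)  # ip -> every MAC that ever claimed it
        self.flips = defaultdict(int)      # ip -> number of times the binding changed

    def observe(self, reply):
        alerts = []
        ip = reply["sender_ip"]
        mac, eth_src = norm(reply["sender_mac"]), norm(reply["eth_src"])
        if mac != eth_src:
            # ARP payload and Ethernet header disagree about who is speaking.
            alerts.append(("header_mismatch", ip, mac, eth_src))
        prev = self.binding.get(ip)
        if prev is not None and prev != mac:
            # The same IP is now being answered for by a different MAC.
            self.flips[ip] += 1
            alerts.append(("ip_mac_changed", ip, prev, mac))
        self.binding[ip] = mac
        self.macs_for_ip[ip].add(mac)
        return alerts

    def macs_claiming_several_ips(self):
        """One MAC answering for several IPs is the pattern of B posing as both A and C."""
        by_mac = defaultdict(set)
        for ip, macs in self.macs_for_ip.items():
            for mac in macs:
                by_mac[mac].add(ip)
        return {mac: ips for mac, ips in by_mac.items() if len(ips) > 1}


def analyse(replies):
    """Run the monitor over a reply list; returns (alerts, multi-IP MACs, flip counts per IP)."""
    mon = ArpMonitor()
    alerts = []
    for reply in replies:
        alerts.extend(mon.observe(reply))
    return alerts, mon.macs_claiming_several_ips(), dict(mon.flips)


if __name__ == "__main__":
    alerts, suspects, flips = analyse(SAMPLE_REPLIES)
    for alert in alerts:
        print("ALERT", alert)
    print("MACs claiming several IPs:", suspects)
    print("binding flips per IP:", flips)
```

Real deployments also keep a trusted static map for critical addresses (the gateway above all), so that a change away from the known-good MAC is treated as high severity rather than as an ordinary DHCP re-assignment; that map is outside what this example models.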
Reference: http://hi.baidu.com/fycouk/item/47dfb689a7d92c59850fabd7
How the DHCP protocol works
DHCP works differently depending on whether the client is joining the network for the first time. When joining for the first time:
1 Finding the Server
When a DHCP client joins the network for the first time, i.e. it finds that it has no IP configuration, it sends a DHCPDISCOVER packet to the network. Because the client does not yet know which network it belongs to, the packet's source address is 0.0.0.0 and its destination address is 255.255.255.255, so the DHCPDISCOVER is broadcast to the whole network.
In Windows the default wait for a DHCPDISCOVER response is 1 second: if no reply arrives within 1 second of the first DHCPDISCOVER, the client sends a second one. If there is still no response, the client sends a total of four DHCPDISCOVER broadcasts (including the first); apart from the first 1-second wait, the remaining three waits are 9, 13 and 16 seconds respectively. If no DHCP server answers, the client displays an error message announcing that DHCPDISCOVER failed. After that, depending on the user's choice, the system repeats the DHCPDISCOVER process after 5 minutes.
2 provide IP leased address
When a DHCP server receives the client's DHCPDISCOVER broadcast, it selects the first free IP address from its unleased address range, together with the other TCP/IP settings, and answers the client with a DHCPOFFER packet.
Because the client has no IP address yet, its DHCPDISCOVER packet carries its MAC address and an XID (transaction ID) that identifies the exchange; the server's DHCPOFFER uses these to reach the client that requested the lease. Depending on the server-side settings, the DHCPOFFER also contains the lease term.
3 Accept IP Leases
If the client receives offers from several DHCP servers on the network, it picks only one DHCPOFFER (usually the first to arrive) and broadcasts a DHCPREQUEST packet, telling all DHCP servers which server's IP address it accepts.
At the same time the client sends an ARP packet to check whether any other machine on the network is already using that IP address. If the address turns out to be in use, the client sends a DHCPDECLINE packet to the DHCP server, refusing its DHCPOFFER, and starts over with a new DHCPDISCOVER.
In fact, not all DHCP clients accept the server's offer unconditionally, especially hosts with other TCP/IP client software installed. The client can also use the DHCPREQUEST to state its choices to the server, by filling in different values in the DHCP option fields. In other words, the settings configured on the DHCP server are not necessarily all accepted by the client; the client can keep some of its own TCP/IP settings, and the initiative always stays with the client.
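The DISCOVER / OFFER / REQUEST / DECLINE exchange described in steps 1 to 3, as an added example that is not part of the original page: a Python builder and parser for the DHCP message (the 236-byte BOOTP header, the magic cookie and the options area), plus the client-side selection logic from step 3 that takes the first matching OFFER and answers with a REQUEST naming that server (option 54) and the offered address (option 50), or with a DECLINE when the address turns out to be in use. The transaction ID 0x3903F326, the MAC and the server addresses in the demo are constructed values.

```python
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
BOOTREQUEST, BOOTREPLY = 1, 2
DHCPDISCOVER, DHCPOFFER, DHCPREQUEST, DHCPDECLINE, DHCPACK = 1, 2, 3, 4, 5
OPT_REQUESTED_IP, OPT_LEASE_TIME, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 50, 51, 53, 54, 255
# op, htype, hlen, hops, xid, secs, flags, ciaddr, yiaddr, siaddr, giaddr, chaddr, sname, file
HEADER_FMT = "!BBBBIHH4s4s4s4s16s64s128s"
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 236 bytes


def ip_bytes(ip):
    return bytes(int(o) for o in ip.split("."))


def ip_str(raw):
    return ".".join(str(b) for b in raw)


def build_dhcp(msg_type, xid, chaddr, yiaddr="0.0.0.0", options=()):
    """Assemble a DHCP message. DISCOVER sets the broadcast flag: the client has no IP yet."""
    op = BOOTREPLY if msg_type in (DHCPOFFER, DHCPACK) else BOOTREQUEST
    flags = 0x8000 if msg_type == DHCPDISCOVER else 0
    zero = ip_bytes("0.0.0.0")
    header = struct.pack(HEADER_FMT, op, 1, 6, 0, xid, 0, flags,
                         zero, ip_bytes(yiaddr), zero, zero,
                         chaddr.ljust(16, b"\x00"), b"\x00" * 64, b"\x00" * 128)
    body = bytes([OPT_MSG_TYPE, 1, msg_type])
    for code, value in options:
        body += bytes([code, len(value)]) + value
    return header + MAGIC_COOKIE + body + bytes([OPT_END])


def parse_dhcp(pkt):
    """Decode header and options; raises on anything that is not a DHCP message."""
    f = struct.unpack(HEADER_FMT, pkt[:HEADER_LEN])
    if pkt[HEADER_LEN:HEADER_LEN + 4] != MAGIC_COOKIE:
        raise ValueError("missing DHCP magic cookie")
    opts, i = {}, HEADER_LEN + 4
    while i < len(pkt) and pkt[i] != OPT_END:
        if pkt[i] == 0:          # pad option has no length byte
            i += 1
            continue
        code, length = pkt[i], pkt[i + 1]
        opts[code] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    if OPT_MSG_TYPE not in opts:
        raise ValueError("no DHCP message type option")
    return {"op": f[0], "xid": f[4], "flags": f[6], "yiaddr": ip_str(f[8]),
            "chaddr": f[11][:f[2]], "msg_type": opts[OPT_MSG_TYPE][0], "options": opts}


def select_offer(xid, chaddr, offers):
    """Step 3: take the first OFFER for our xid/MAC and build the REQUEST naming that server."""
    for pkt in offers:
        o = parse_dhcp(pkt)
        if o["msg_type"] != DHCPOFFER or o["xid"] != xid or o["chaddr"] != chaddr:
            continue  # an offer for another client, or a stale transaction
        request = build_dhcp(DHCPREQUEST, xid, chaddr, options=[
            (OPT_REQUESTED_IP, ip_bytes(o["yiaddr"])),
            (OPT_SERVER_ID, o["options"][OPT_SERVER_ID]),
        ])
        return o, request
    return None, None


def decline(xid, chaddr, offer):
    """Step 3 failure path: the ARP probe found the offered IP in use, so refuse it."""
    return build_dhcp(DHCPDECLINE, xid, chaddr, options=[
        (OPT_REQUESTED_IP, ip_bytes(offer["yiaddr"])),
        (OPT_SERVER_ID, offer["options"][OPT_SERVER_ID]),
    ])


if __name__ == "__main__":
    # Constructed values: client MAC aa:aa:aa:aa:aa:aa, transaction id 0x3903F326.
    XID, CHADDR = 0x3903F326, bytes.fromhex("aaaaaaaaaaaa")
    discover = build_dhcp(DHCPDISCOVER, XID, CHADDR)
    print("DISCOVER:", parse_dhcp(discover))
    offers = [  # two servers answer; the first one wins
        build_dhcp(DHCPOFFER, XID, CHADDR, yiaddr="192.168.10.20",
                   options=[(OPT_SERVER_ID, ip_bytes("192.168.10.254")), (OPT_LEASE_TIME, struct.pack("!I", 86400))]),
        build_dhcp(DHCPOFFER, XID, CHADDR, yiaddr="192.168.10.21",
                   options=[(OPT_SERVER_ID, ip_bytes("192.168.10.253"))]),
    ]
    chosen, request = select_offer(XID, CHADDR, offers)
    print("chose", chosen["yiaddr"], "from", ip_str(chosen["options"][OPT_SERVER_ID]))
    print("REQUEST:", parse_dhcp(request))
```

Note that nothing in the message authenticates the server: any host that answers a DISCOVER fastest gets to hand out addresses, which is why switches offer DHCP snooping to restrict which ports may send OFFERs.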
Reference: http://blog.csdn.net/daviwin/article/details/3365161
How the switch works
A switch handles the frames on the network by their MAC addresses: it can distinguish the source MAC address and the destination MAC address in a frame, so it can set up a connection between any two ports. The switch knows nothing about IP addresses; it only knows MAC addresses.
Switches evolved from the bridge. To understand how a switch works, first understand two concepts:
1 Collision domains
A collision domain is the area that a transmitted frame necessarily reaches.
A hub is a non-intelligent signal repeater: whatever comes in on one port goes out on all the others, so an entire network built from hubs is one collision domain.
The network behind one switch port is its own collision domain, so a switch isolates collision domains.
2 Broadcast domains
A broadcast domain is the area reached by a broadcast frame.
Switches and hubs are transparent to broadcast frames, so a network made of switches and hubs is one broadcast domain.
The network behind one router interface is its own broadcast domain, so a router isolates broadcast domains.
3 Working principle
Address table
The port address table records which host MAC addresses are behind each port. It is built automatically after the switch powers up, kept in RAM, and maintained automatically.
The switch isolates collision domains by means of its port address table and its forwarding decision.
4 Forwarding Decisions
The switch's forwarding decision has three outcomes: discard, forward, and flood.
Discard (filter): the destination MAC is known and sits on the same port the frame came in on, so the frame is not forwarded.
Forward: the destination MAC is known and sits on a different port, so the frame is sent out of that port only.
Flood: the destination MAC is not in the address table, so the frame is sent out of every port except the one it arrived on.
In every case the switch records the source MAC address and its ingress port, so that later frames for that host can be forwarded directly.
Aging time
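The address table and forwarding decision described above, as an added example that is not part of the original page: a Python model of a learning switch that learns the source MAC on every frame, applies the discard / forward / flood decision, and ages out entries that have not been refreshed. The 300-second aging time and the port numbers and MAC addresses in the demo are assumptions of this example, not values from the page.

```python
BROADCAST = "ff:ff:ff:ff:ff:ff"


class LearningSwitch:
    """Port address table plus the three-way forwarding decision, with entry aging."""

    def __init__(self, ports, aging_time=300):
        self.ports = list(ports)
        self.aging_time = aging_time  # assumed: seconds an unrefreshed entry survives
        self.table = {}               # mac -> (port, last_seen)

    def _age_out(self, now):
        stale = [mac for mac, (_, seen) in self.table.items() if now - seen > self.aging_time]
        for mac in stale:
            del self.table[mac]

    def handle_frame(self, in_port, src_mac, dst_mac, now):
        """Return (decision, list of egress ports) for one frame arriving on in_port at time now."""
        self._age_out(now)
        self.table[src_mac] = (in_port, now)  # learn, or refresh, the sender's port
        if dst_mac == BROADCAST or dst_mac not in self.table:
            # Flood: unknown destination (or a broadcast) goes everywhere except the ingress port.
            return "flood", [p for p in self.ports if p != in_port]
        out_port, _ = self.table[dst_mac]
        if out_port == in_port:
            # Discard: sender and receiver share a port (e.g. behind the same hub), nothing to do.
            return "discard", []
        # Forward: known destination on another port, send only there.
        return "forward", [out_port]

    def lookup(self, mac):
        """Port a MAC is currently believed to be on, or None."""
        entry = self.table.get(mac)
        return entry[0] if entry else None


if __name__ == "__main__":
    # Constructed topology: A and D hang off port 1 (via a hub), C is on port 3, port 2 is idle.
    A, C, D = "aa:aa:aa:aa:aa:aa", "cc:cc:cc:cc:cc:cc", "dd:dd:dd:dd:dd:dd"
    sw = LearningSwitch(ports=[1, 2, 3])
    print(sw.handle_frame(1, A, C, now=0))    # C unknown -> flood to ports 2 and 3
    print(sw.handle_frame(3, C, A, now=1))    # A known on port 1 -> forward [1]
    print(sw.handle_frame(1, D, A, now=2))    # A and D both on port 1 -> discard
    print(sw.handle_frame(1, A, C, now=400))  # C's entry aged out -> flood again
```

The table is the part an attacker tries to pollute (by sending frames with many spoofed source MACs until it overflows and the switch floods everything), which is why port security limits how many MACs a port may learn; that limit is not modelled here.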
How routers work
Router: works at OSI layer 3 (the network layer), can connect different types of networks, and chooses the path along which data is sent.
Routers have three characteristics: they work at the network layer, they can connect different types of networks, and they select the path for data transmission. A router understands the IP addresses in the data: when it receives a packet it checks the destination IP address; if the destination is on the local network the packet is left alone (not routed), and if it belongs to another network the packet is forwarded towards that network.
What is the difference between a switch and a router?
(1) They work at different layers
The original switch works at the data link layer (layer 2) of the OSI/RM open architecture, whereas the router was designed to work at the network layer of the OSI model. Since the switch works at OSI layer 2 its job is relatively simple; the router works at OSI layer 3, where it can see more protocol information, so it can make more intelligent forwarding decisions.
(2) different objects on which data is forwarded
A switch uses the physical address, i.e. the MAC address, to decide where to forward data. A router uses the network identifier, i.e. the IP address, to decide where to forward. IP addresses are implemented in software and describe the network a device is on; these layer-3 addresses are sometimes called protocol addresses or network addresses. MAC addresses are usually supplied by the hardware: they are assigned by the network card manufacturer and burned into the card, and generally do not change. An IP address is usually assigned by the network administrator or automatically by the system.
(3) A traditional switch can only split collision domains, not broadcast domains, whereas a router can split broadcast domains. The segments connected by a switch still belong to the same broadcast domain, and broadcast packets propagate across all segments attached to the switch, which in some cases causes congestion and security weaknesses. Segments connected to a router are in different broadcast domains, and broadcast traffic does not pass through the router.
Although layer-3 switches have the VLAN function and can also divide broadcast domains, the resulting broadcast domains cannot talk to each other directly; communication between them still needs a router.
(4) A router provides a firewall-like service: it only forwards packets for specific addresses, and does not pass packets of unsupported routing protocols or packets for unknown destination networks, which prevents broadcast storms.
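The router behaviour described in this section (local delivery versus forwarding, broadcasts stopping at the router, unknown destination networks being dropped), as an added example that is not part of the original page: a Python model of the forwarding decision using the standard `ipaddress` module, with longest-prefix matching over a static routing table. The interface addresses and routes in the demo are constructed values.

```python
import ipaddress


class Router:
    """Layer-3 forwarding decision: local, directly connected, next-hop, or drop."""

    def __init__(self, interfaces, static_routes):
        # interfaces: {name: "addr/prefix"} directly connected networks
        # static_routes: [(prefix, next_hop, egress interface)]
        self.interfaces = {name: ipaddress.ip_interface(cidr) for name, cidr in interfaces.items()}
        self.routes = [(ipaddress.ip_network(p), nh, iface) for p, nh, iface in static_routes]

    def is_broadcast(self, dst):
        """Limited broadcast or the directed broadcast of a connected network."""
        if dst == ipaddress.ip_address("255.255.255.255"):
            return True
        return any(dst == itf.network.broadcast_address for itf in self.interfaces.values())

    def decide(self, dst_ip, in_iface):
        """Return (action, egress interface, next hop) for a packet to dst_ip arriving on in_iface."""
        dst = ipaddress.ip_address(dst_ip)
        if self.is_broadcast(dst):
            return ("drop", None, None)           # broadcasts do not cross the router
        if dst in self.interfaces[in_iface].network:
            return ("local", in_iface, None)      # same segment: not the router's job
        for name, itf in self.interfaces.items():
            if dst in itf.network:
                return ("direct", name, str(dst))  # another connected network: deliver directly
        best = None
        for net, next_hop, iface in self.routes:
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, next_hop, iface)     # longest prefix wins
        if best is None:
            return ("drop", None, None)           # unknown destination network
        return ("forward", best[2], best[1])


if __name__ == "__main__":
    # Constructed example: LAN on eth0, uplink on eth1, one specific route and a default route.
    r = Router({"eth0": "192.168.10.1/24", "eth1": "10.0.0.1/24"},
               [("172.16.0.0/16", "10.0.0.2", "eth1"), ("0.0.0.0/0", "10.0.0.254", "eth1")])
    for dst in ["192.168.10.3", "10.0.0.5", "172.16.5.5", "8.8.8.8", "192.168.10.255", "255.255.255.255"]:
        print(dst, "->", r.decide(dst, "eth0"))
```

Without the default route, the last lookup for 8.8.8.8 would return `drop`, which is the "unknown destination network" case the text mentions.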
IP broadcast (mass sending): when a hub receives data it repeats it to every port, regardless of where the data came from; the port whose host needs the data is in the receiving state, and the ports that do not need it are in the reject state.
For example, when client A sends a packet to client B on the network, the hub repeats A's data to every port; at that moment B is in the receiving state and the other ports are in the reject state. Likewise, when client A sends the domain name "www.163.com", it passes through the hub, DNS name resolution returns the IP address (202.108.36.172) back through the hub, and the hub sends it to all ports; the machine that needs the address (client A) is in the receiving state and the others are in the reject state.
This should be the simplest of these terms; it can also be understood as the operating frequency of the hub. Take a hub with an operating frequency of 33 MHz: what can the hub do in one unit of time? I gave an example above when explaining the shared medium, but one thing needs explaining: we sometimes see A sending data to B and C sending data to D "at the same time", which seems contradictory. Why does it look as if two transfers happen at once? In the first unit of time A sends data to B; because of broadcasting, B, C and D all receive it in that first unit of time, but from the second unit of time on C and D refuse A's data, since they have judged that it is not meant for them. In the second unit of time C sends its own broadcast; A, B and D all accept it, but only D actually takes the data. These operations take only 2 to 3 units of time, which is too short to notice, so it feels as though everything happens at once.
Reference: Http://blog.csdn.net/clubsondy/archive/2005/12/03/542615.aspx
SSL Protocol
(1) The security mechanisms implemented by the SSL protocol include:
- Confidentiality of data transmission: a symmetric-key algorithm encrypts the transmitted data.
- Authentication: based on certificates, the server and client are authenticated by digital signatures; client authentication is optional.
- Message integrity verification: a MAC algorithm is applied during message transfer to verify the integrity of each message.
Symmetric-key algorithms and MAC algorithms require both parties to hold the same key, otherwise decryption or MAC verification fails. So before an encrypted channel can be set up or message integrity verified, a consistent key must first be established on both sides of the communication.
(2) Handshake Protocol Process
1 Establish security capabilities
After this step both sides know:
(1) the SSL version
(2) the key exchange, message authentication and encryption algorithms
(3) the compression method
(4) two random numbers that go into key generation
2 server Authentication and key exchange
3 Client Authentication and key exchange
With RSA, the client generates a new random number as the premaster secret, encrypts it with the public key from the certificate (or with the temporary RSA key carried in the Server_key_exchange message) and sends it to the server. The client computes the master secret, which is used as the symmetric key, from three values: the premaster secret, ClientHello.random and ServerHello.random. Once the server has received and decrypted the premaster secret, it computes the master secret from the same three values.
With DH, the certificate already includes the two integers p and g that the DH algorithm needs; the client computes the premaster secret directly from the two exchanged DH values, and the server computes the same premaster secret on its side.
4 Finished
Based on the negotiated cipher suite, the master secret is not used directly for encryption; the key material is derived from it once more, so that both directions of the connection are protected.
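The key derivation described in steps 3 and 4, as an added example that is not part of the original page: Python code that carries a premaster secret obtained either the RSA way (the client alone generates it) or the DH way (both sides compute it) through the master-secret computation from the premaster secret, ClientHello.random and ServerHello.random, and then derives the key block from the master secret. The PRF used is the TLS 1.2 one from RFC 5246 (P_SHA256), an assumption of this example, since the page does not say which SSL/TLS version it has in mind and SSLv3 derives differently. The DH group is a toy 64-bit prime for illustration, not a real TLS group, and the RSA encryption of the premaster under the server's public key is left out: both sides simply hold the same value.

```python
import hashlib
import hmac
import secrets

# Toy DH parameters for illustration only (NOT a TLS group): p = 2**64 - 59 is prime, g = 2.
TOY_P = (1 << 64) - 59
TOY_G = 2
TLS12_VERSION = b"\x03\x03"


def p_hash_sha256(secret, seed, length):
    """P_SHA256 from RFC 5246 section 5: A(0) = seed, A(i) = HMAC(secret, A(i-1)),
    output = HMAC(secret, A(1) + seed) || HMAC(secret, A(2) + seed) || ..."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]


def tls12_prf(secret, label, seed, length):
    return p_hash_sha256(secret, label + seed, length)


def master_secret(premaster, client_random, server_random):
    """Step 3: master_secret = PRF(premaster, "master secret", ClientHello.random + ServerHello.random), 48 bytes."""
    return tls12_prf(premaster, b"master secret", client_random + server_random, 48)


def key_block(master, client_random, server_random, length):
    """Step 4: the key material (MAC keys, encryption keys, IVs for both directions) is
    derived again from the master secret; note the seed order is server_random + client_random."""
    return tls12_prf(master, b"key expansion", server_random + client_random, length)


def new_rsa_premaster():
    """RSA key exchange: the client alone picks the premaster (version bytes + 46 random bytes)."""
    return TLS12_VERSION + secrets.token_bytes(46)


def dh_premaster(p, g, client_priv, server_priv):
    """DH key exchange: each side publishes g^x mod p, and both compute g^(xy) mod p.
    Returns the client's and the server's view so the caller can check they agree."""
    client_pub = pow(g, client_priv, p)
    server_pub = pow(g, server_priv, p)
    size = (p.bit_length() + 7) // 8
    client_view = pow(server_pub, client_priv, p).to_bytes(size, "big")
    server_view = pow(client_pub, server_priv, p).to_bytes(size, "big")
    return client_view, server_view


def dh_handshake(client_random, server_random, client_priv, server_priv):
    """Both sides' master secrets after a DH exchange over the toy group."""
    c_pm, s_pm = dh_premaster(TOY_P, TOY_G, client_priv, server_priv)
    return master_secret(c_pm, client_random, server_random), master_secret(s_pm, client_random, server_random)


if __name__ == "__main__":
    client_random = secrets.token_bytes(32)   # ClientHello.random (constructed)
    server_random = secrets.token_bytes(32)   # ServerHello.random (constructed)
    premaster = new_rsa_premaster()           # RSA path: client generates, server decrypts the same value
    ms = master_secret(premaster, client_random, server_random)
    print("RSA path master secret:", ms.hex())
    c_ms, s_ms = dh_handshake(client_random, server_random,
                              secrets.randbelow(TOY_P - 2) + 1, secrets.randbelow(TOY_P - 2) + 1)
    print("DH path, both sides agree:", c_ms == s_ms)
    print("key block (first 16 bytes):", key_block(c_ms, client_random, server_random, 104)[:16].hex())
```

The point the derivation makes visible is that the two Hello randoms bind the keys to this handshake: the same premaster with a different ServerHello.random yields an unrelated master secret, so a recorded premaster cannot be replayed into a new session.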
(3) Application technology and theory
Diffie-Hellman: a way to establish a shared key securely across an insecure network; it is an integral part of Oakley.
Reference: http://blog.csdn.net/zhuyingqingfen/article/details/7610098
Reference: http://www.jb51.net/network/68136.html [explains the code generation well]
Reference: http://xeseo.blog.163.com/blog/static/5632431620132843532672/ [explains the logic well]
Reference: http://mqc173.blog.163.com/blog/static/3089909320079232195306/ (the clearest; sums up the first two)
SNMP protocol
Reference: http://www.doc88.com/p-695165344931.html
SSH protocol application payload: http://virtualadc.blog.51cto.com/3027116/648258
How the network stack works as a whole
Ethernet frame: You can see the Mac
Network layer: Can see IP
TCP: You can see the port
Reference: http://ieee802.blog.hexun.com/17537283_d.html
References: Three handshakes and four waves in the TCP Protocol (illustration)
Reference: http://blog.csdn.net/chelp/article/details/12969907