Introduction to Wireshark packet capture and the meaning of the TCP three-way handshake

Source: Internet
Author: User
Tags: ack, connection reset, stateful firewall

Wireshark is a very popular and powerful network packet analysis tool. It can capture all kinds of network packets and display their details. Anyone who uses Wireshark needs to understand the network protocols involved, otherwise the output cannot be interpreted. For security reasons, Wireshark can only view packets; it cannot modify packet contents or send packets.

Wireshark can capture HTTP, and it can also capture HTTPS, but it cannot decrypt HTTPS, so it cannot show the contents of HTTPS traffic. In short: if you need to work with HTTP or HTTPS, use Fiddler; for other protocols such as TCP and UDP, use Wireshark.

Wireshark captures the network packets passing through one NIC on the machine, so when the machine has several NICs you need to select which one to capture on.

Wireshark Window Introduction

The Wireshark window is mainly divided into these panes:

1. Display Filter: used for filtering the captured packets.

2. Packet List pane: displays the captured packets with their source address, destination address and port numbers. Different colours represent different protocols.

3. Packet Details pane: shows the fields in the selected packet.

4. Dissector pane: the raw packet bytes in hexadecimal.

5. Miscellaneous: the address bar and other odds and ends.

Filter information:

The packet list pane shows, for each packet, its number, timestamp, source address, destination address, protocol, length and a summary of the packet information. You can see that different protocols are displayed in different colours.

Packet Details:

This pane is the most important one for us, since it lets us inspect each field of every protocol layer.

Each line of the pane corresponds to one layer:

Frame: overview of the data frame at the physical layer

Ethernet II: data link layer, Ethernet frame header information

Internet Protocol Version 4: internet layer, IP packet header information

Transmission Control Protocol: transport layer, segment header information; here it is TCP

Hypertext Transfer Protocol: application layer information; here it is the HTTP protocol

The fields of a captured TCP segment as Wireshark shows them:

An example of a TCP three-way handshake:

You have probably seen the usual handshake diagram many times; this time we use Wireshark to analyse the three-way handshake in practice.

Open Wireshark, then open a browser and enter http://www.9upk.com

Enter the filter "http" in Wireshark, select the record GET /tankxiao HTTP/1.1, right-click it and choose "Follow TCP Stream".

The purpose of this is to isolate the packets associated with the browser opening the page, which gives the following:

In the figure you can see that Wireshark captured the three packets of the three-way handshake. The fourth packet is HTTP, which shows that HTTP really does run over a TCP connection.

Packet of the first handshake

The client sends a TCP segment with the SYN flag set and sequence number 0 (Wireshark displays relative sequence numbers, so the client's initial sequence number appears as 0). This represents the client's request to establish a connection, as follows:

Packet of the second handshake

The server sends back an acknowledgement segment with the SYN and ACK flags set, and sets the acknowledgement number to the client's ISN plus 1, that is 0+1=1, as follows:

Packet of the third handshake

The client sends another acknowledgement segment (ACK): the SYN flag is 0 and the ACK flag is 1. The client takes the server's sequence number, adds 1, and sends that value back to the server in the acknowledgement number field, and its own sequence number is likewise its ISN plus 1, as follows:
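To make the sequence and acknowledgement arithmetic above concrete, here is an added example (not code from the original article) that builds the three handshake segments as raw 20-byte TCP headers, parses them back the way a dissector does, and checks that each side's acknowledgement number is the peer's ISN plus 1. The ports and initial sequence numbers are constructed sample values, and the relative numbers it reports are the ones Wireshark shows when relative sequence numbers are enabled (seq=0 for the SYN, seq=0/ack=1 for the SYN/ACK, seq=1/ack=1 for the ACK).

```python
"""Added example: build, parse and validate a TCP three-way handshake.
All ports and ISNs below are constructed sample values."""
import struct

# TCP flag bit masks (low bits of the 16-bit data-offset/flags word)
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

TCP_HEADER_FMT = "!HHIIHHHH"  # src, dst, seq, ack, offset/flags, window, csum, urg


def build_tcp_header(src_port, dst_port, seq, ack, flags, window=65535):
    """Pack a minimal 20-byte TCP header (no options, checksum left as 0)."""
    data_offset_words = 5  # 20 bytes / 4
    offset_flags = (data_offset_words << 12) | flags
    return struct.pack(TCP_HEADER_FMT, src_port, dst_port, seq & 0xFFFFFFFF,
                       ack & 0xFFFFFFFF, offset_flags, window, 0, 0)


def parse_tcp_header(raw):
    """Unpack the fixed part of a TCP header into named fields."""
    src, dst, seq, ack, offset_flags, window, _csum, _urg = struct.unpack(
        TCP_HEADER_FMT, raw[:20])
    return {
        "src_port": src, "dst_port": dst, "seq": seq, "ack": ack,
        "data_offset": (offset_flags >> 12) * 4,  # header length in bytes
        "flags": offset_flags & 0x01FF,            # the 9 flag bits
        "window": window,
    }


def analyse_handshake(segments):
    """Validate a SYN, SYN/ACK, ACK exchange given three raw TCP headers.

    Returns [(name, relative_seq, relative_ack), ...] as Wireshark would
    display them, or raises ValueError if the exchange is not a handshake."""
    syn, synack, ack = (parse_tcp_header(s) for s in segments)
    client_isn, server_isn = syn["seq"], synack["seq"]

    if syn["flags"] & (SYN | ACK) != SYN:
        raise ValueError("first segment must carry SYN without ACK")
    if synack["flags"] & (SYN | ACK) != SYN | ACK:
        raise ValueError("second segment must carry SYN and ACK")
    if synack["ack"] != (client_isn + 1) & 0xFFFFFFFF:
        raise ValueError("SYN/ACK does not acknowledge client ISN + 1")
    if ack["flags"] & (SYN | ACK) != ACK:
        raise ValueError("third segment must carry ACK without SYN")
    if ack["seq"] != (client_isn + 1) & 0xFFFFFFFF:
        raise ValueError("final ACK does not use client ISN + 1 as sequence")
    if ack["ack"] != (server_isn + 1) & 0xFFFFFFFF:
        raise ValueError("final ACK does not acknowledge server ISN + 1")

    result = []
    for name, seg, from_client in (("SYN", syn, True),
                                   ("SYN/ACK", synack, False),
                                   ("ACK", ack, True)):
        own_isn, peer_isn = ((client_isn, server_isn) if from_client
                             else (server_isn, client_isn))
        rel_seq = (seg["seq"] - own_isn) & 0xFFFFFFFF
        # Wireshark shows ack=0 on a segment whose ACK flag is clear
        rel_ack = (seg["ack"] - peer_isn) & 0xFFFFFFFF if seg["flags"] & ACK else 0
        result.append((name, rel_seq, rel_ack))
    return result


# Constructed sample: client port 52000 talking to a web server on port 80
CLIENT_ISN, SERVER_ISN = 0x1A2B3C4D, 0x5E6F7081
SAMPLE_HANDSHAKE = [
    build_tcp_header(52000, 80, CLIENT_ISN, 0, SYN),
    build_tcp_header(80, 52000, SERVER_ISN, CLIENT_ISN + 1, SYN | ACK),
    build_tcp_header(52000, 80, CLIENT_ISN + 1, SERVER_ISN + 1, ACK),
]

if __name__ == "__main__":
    for name, rseq, rack in analyse_handshake(SAMPLE_HANDSHAKE):
        print(f"{name:<8} relative seq={rseq} relative ack={rack}")
```

The masking with `& 0xFFFFFFFF` matters on real captures: ISNs are random 32-bit values, so the "+1" and the relative subtraction can wrap around, which is exactly the case where reading raw numbers off the wire by eye goes wrong.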

Brief analysis of the TCP flags SYN, ACK, FIN, RST, PSH and URG

Three-way handshake. A virtual connection is established through a three-way handshake.

1. (B) --[SYN]--> (A) Suppose A is the server and B is the client. When B wants to communicate with A, B first sends a SYN (synchronize) packet to A, which tells A that B requests to establish a connection. Note: a SYN packet is a TCP packet with only the SYN flag set to 1 (see the TCP header resources). It is important to recognise that a connection can be established only if A receives a SYN packet from B; there is no other way to establish one. Therefore, if your firewall discards all SYN packets arriving on the external interface, no external host will be able to actively establish a connection.

2. (B) <--[SYN/ACK]-- (A) Next, B receives a SYN/ACK packet back from A, which acknowledges the first SYN packet and continues the handshake. Note: a SYN/ACK packet is a TCP packet with only the SYN and ACK flags set to 1.

3. (B) --[ACK]--> (A) After B receives the SYN/ACK packet, B sends an acknowledgement packet (ACK), notifying A that the connection has been established. At this point the three-way handshake is complete and a TCP connection has been established. Note: an ACK packet is a TCP packet with only the ACK flag set to 1. Note that once the three-way handshake is complete and the connection is established, the ACK bit is set on every packet of the TCP connection.


That is why connection tracking is important. Without connection tracking, a firewall cannot determine whether a received ACK packet belongs to an already established connection. Ordinary packet filtering (ipchains) simply lets an ACK packet through when it receives one (which is definitely not a good idea). When a stateful firewall receives such a packet, it first looks in its connection table to find which connection the packet belongs to, and discards the packet if it belongs to none.
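The difference between the two kinds of filter is easiest to see in code. The following is an added example (not part of the original article, and not the code of ipchains or any real firewall): a stateless "allow anything with ACK" rule beside a toy connection tracker that only admits packets matching an entry created by a complete SYN, SYN/ACK, ACK exchange. The packets are constructed tuples, the protected network prefix 10.0.0. is a hypothetical choice, and the server addresses are documentation ranges.

```python
"""Added example: stateless ACK-allow rule versus a toy stateful filter.
Packets are constructed tuples; no real traffic is involved."""
from collections import namedtuple

# flags is a short string using the usual letters: S=SYN, A=ACK, P=PSH, F=FIN, R=RST
Packet = namedtuple("Packet", "src sport dst dport flags")

INTERNAL_NET = "10.0.0."  # hypothetical protected network prefix


def is_outbound(pkt):
    return pkt.src.startswith(INTERNAL_NET)


def stateless_filter(pkt):
    """ipchains-style rule set: block inbound bare SYN, admit anything else.
    An ACK with no connection behind it passes straight through."""
    inbound = not is_outbound(pkt)
    if inbound and "S" in pkt.flags and "A" not in pkt.flags:
        return "DROP"
    return "ACCEPT"


class StatefulFilter:
    """Connection table keyed by (client, cport, server, sport).

    Entries are created only by an outbound SYN and advance through
    SYN_SENT -> SYN_RECV -> ESTABLISHED; packets that match no entry
    are dropped, whatever flags they carry."""

    def __init__(self):
        self.table = {}

    @staticmethod
    def _keys(pkt):
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return fwd, rev

    def filter(self, pkt):
        fwd, rev = self._keys(pkt)
        if pkt.flags == "S":                      # new connection attempt
            if not is_outbound(pkt):
                return "DROP"                     # unsolicited from outside
            self.table[fwd] = "SYN_SENT"
            return "ACCEPT"
        if pkt.flags == "SA":                     # reply to our SYN?
            if self.table.get(rev) == "SYN_SENT":
                self.table[rev] = "SYN_RECV"
                return "ACCEPT"
            return "DROP"
        if "A" in pkt.flags:                      # everything after the SYN/ACK
            key = fwd if fwd in self.table else rev if rev in self.table else None
            if key is not None and self.table[key] in ("SYN_RECV", "ESTABLISHED"):
                self.table[key] = "ESTABLISHED"
                if "F" in pkt.flags or "R" in pkt.flags:
                    del self.table[key]           # connection torn down
                return "ACCEPT"
        return "DROP"                             # ACK belonging to no connection


def compare(packets):
    """Run both filters over a trace; returns (stateless, stateful) verdicts."""
    stateful = StatefulFilter()
    return [(stateless_filter(p), stateful.filter(p)) for p in packets]


# Constructed trace: one legitimate outbound web connection, then a lone
# inbound ACK for which no handshake was ever seen.
SAMPLE_TRACE = [
    Packet("10.0.0.5", 40000, "203.0.113.10", 80, "S"),
    Packet("203.0.113.10", 80, "10.0.0.5", 40000, "SA"),
    Packet("10.0.0.5", 40000, "203.0.113.10", 80, "A"),
    Packet("10.0.0.5", 40000, "203.0.113.10", 80, "PA"),
    Packet("198.51.100.7", 1234, "10.0.0.9", 22, "A"),
]

if __name__ == "__main__":
    for pkt, (stateless, stateful) in zip(SAMPLE_TRACE, compare(SAMPLE_TRACE)):
        print(f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} [{pkt.flags}] "
              f"stateless={stateless} stateful={stateful}")
```

The last packet of the trace is the case the article is about: both filters agree on the genuine connection, but only the stateful one drops the inbound ACK, because nothing in its table says that connection exists.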


In the TCP header there is a flags field with the following bits: SYN, FIN, ACK, PSH, RST, URG.
The five that are useful in day-to-day analysis are the first five.

What they mean is:

URG: urgent pointer is valid (the value of the urgent pointer field is meaningful)

SYN: indicates connection establishment

FIN: indicates closing the connection

ACK: indicates an acknowledgement

PSH: indicates data transfer (push)

RST: indicates a connection reset.


ACK is often used together with SYN or FIN. For example, SYN and ACK may both be 1 at the same time, which represents the response during connection establishment, whereas a lone SYN represents just the request to establish a connection. Each step of the TCP handshake is acknowledged by such an ACK. SYN and FIN, however, are never both 1, because the former represents establishing a connection and the latter represents tearing it down. RST is typically 1 after a FIN, indicating a connection reset. In general, when a FIN or RST packet appears we consider the client to have disconnected from the server, and when the SYN and SYN+ACK packets appear we consider the client to have established a connection with the server. PSH is typically 1 only in packets whose data length is not 0; in other words, PSH = 1 means real TCP payload is being carried.
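The flag semantics in this section can be turned into a small classifier, which is handy when scanning a capture for segments that do not fit the normal pattern. The code below is an added example (not from the original article): it decodes the flags byte, labels each combination the way the text describes, flags the SYN+FIN combination the text says should never occur, and applies the article's rule of thumb (SYN then SYN/ACK means established, any FIN or RST means closed) to a constructed stream of (flags byte, payload length) pairs.

```python
"""Added example: decode TCP flag combinations and classify segments.
Sample segments are constructed (flags_byte, payload_len) pairs."""

FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04,
             "PSH": 0x08, "ACK": 0x10, "URG": 0x20}


def decode_flags(flags_byte):
    """Return the set of flag names whose bit is set."""
    return {name for name, bit in FLAG_BITS.items() if flags_byte & bit}


def classify(flags_byte, payload_len):
    """Map a flag combination (plus payload size) to its meaning."""
    f = decode_flags(flags_byte)
    if "SYN" in f and "FIN" in f:
        return "invalid: SYN and FIN set together"
    if not f:
        return "invalid: no flags set"
    if "RST" in f:
        return "connection reset"
    if f == {"SYN"}:
        return "connection request"
    if f == {"SYN", "ACK"}:
        return "connection request acknowledged"
    if "FIN" in f:
        return "close request"
    if "PSH" in f:
        return "data delivery (push)" if payload_len > 0 else "suspicious: PSH with no payload"
    if "ACK" in f:
        return "data" if payload_len > 0 else "acknowledgement only"
    return "other"


def summarize_stream(segments):
    """Apply the article's rule of thumb to a whole stream."""
    seen = [decode_flags(b) for b, _ in segments]
    established = (any(f == {"SYN"} for f in seen)
                   and any(f == {"SYN", "ACK"} for f in seen))
    closed = any("FIN" in f or "RST" in f for f in seen)
    anomalies = [classify(b, n) for b, n in segments
                 if classify(b, n).startswith(("invalid", "suspicious"))]
    return {"established": established, "closed": closed, "anomalies": anomalies}


# Constructed stream: handshake, one pushed request, its ack, then a normal
# FIN/ACK close from each side.
SAMPLE_STREAM = [
    (0x02, 0),    # SYN
    (0x12, 0),    # SYN|ACK
    (0x10, 0),    # ACK
    (0x18, 120),  # PSH|ACK with 120 bytes of payload
    (0x10, 0),    # ACK
    (0x11, 0),    # FIN|ACK
    (0x10, 0),    # ACK
    (0x11, 0),    # FIN|ACK
    (0x10, 0),    # ACK
]

if __name__ == "__main__":
    for flags_byte, payload_len in SAMPLE_STREAM:
        names = "|".join(sorted(decode_flags(flags_byte))) or "-"
        print(f"0x{flags_byte:02x} {names:<8} len={payload_len:<4} {classify(flags_byte, payload_len)}")
    print(summarize_stream(SAMPLE_STREAM))
```

A segment with SYN and FIN together, or with no flags at all, is never produced by a normal TCP stack, so seeing those labels in a capture is a reason to look more closely at whoever sent them.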
