New Tricks: Interpreting TCP/IP protocol by connecting to an instance

Source: Internet
Author: User
Tags: ftp connection, ftp site

Recently I have been keen on shoring up my foundations and reading about the TCP/IP protocol. However, the content in the book is too abstract and comes with no real data examples, so after reading for a long time I simply forget it. So I set up a sniffer and captured the actual packets. Going through the book's explanations against captured data, I understood it much faster. I will add some basic background along the way.

Let's get started with the IP protocol. 

IP (Internet Protocol) is the network layer protocol used on the Internet. TCP, UDP, ICMP, and IGMP data are all sent inside IP datagrams. IP provides an unreliable, connectionless service. An IP packet consists of a header and a body; the body is the transmitted data. We concentrate on the header, since that is where the IP protocol itself is visible.

IP packet header format (RFC 791): Example Internet Datagram Header (figure)

The figure above is the IP header format. Here is a rough introduction.

The IP header consists of a fixed 20-byte part and an optional part. It is transmitted from left to right in big-endian (network byte) order, most significant byte first.

TCP protocol

TCP (Transmission Control Protocol) is a transport layer protocol that provides services to the application layer. Unlike UDP, TCP provides a reliable, connection-oriented service. RFC 793 is the basic TCP specification, and it describes the TCP header format as follows:

TCP Header Format (RFC 793, figure)

Like the IP header, the basic length is also 20 bytes. A TCP segment is carried inside an IP packet.

All right, that is enough theory. Let's look at the packets I captured. This is an FTP connection to the default FTP site of CuteFTP, whose IP address is 216.3.226.21. Assume that my IP address is 192.168.1.1. The following data was transmitted during the TCP/IP connection. From it we can analyze the data format of the TCP/IP protocol and the three-way handshake of a TCP connection. The hexadecimal data below is only the IP and TCP header data, not the complete network communication.

First, I send a connection request to the FTP site (the optional portion of the TCP header has been removed from the dump):

192.168.1.1 -> 216.3.226.21

IP header: 45 00 00 30 52 52 40 00 80 06 2c 23 c0 a8 01 01 d8 03 e2 15

TCP Header: 0d 28 00 15 50 5f a9 06 00 00 00 00 70 02 40 00 c0 29 00 00

Let's see what the data in the IP header is.

The first byte, "45": the "4" is the Version of the IP protocol, and the "5" is the IHL (Internet Header Length), the length of the IP header in 4-byte units. It is a 4-bit field, so its maximum value is 1111 in binary (15), which means the maximum IP header length is 60 bytes. The value "5" means 20 bytes. This is the standard IP header length, with no optional data in the header.

The next byte "00" is the Type of Service (TOS). This 8-bit field is composed of a 3-bit precedence subfield (now ignored), a 4-bit TOS subfield, and 1 unused bit that is currently 0. The 4 TOS bits are: minimize delay, maximize throughput, maximize reliability, and minimize cost. At most one of the four bits may be set to 1; in this example all are 0, which indicates normal service.

The next two bytes "00 30" are the Total Length of the IP packet, including header and data: 48 bytes. These 48 bytes consist of the 20-byte IP header and a 28-byte TCP header (the TCP header as originally captured was 28 bytes, 8 of which are options that I have omitted). Since this is a 16-bit field, the maximum IP packet length is 65535 bytes.

Another two-byte field, the Identification: "52 52", which is 21074 in decimal. This allows the destination host to determine which datagram a newly arrived fragment belongs to.

The next byte "40" is "0100 0000" in binary. The first bit is reserved, currently unused, and must be 0. Then come two flags: DF (Don't Fragment) and MF (More Fragments). If DF is set to 1, the packet must not be fragmented; if MF is set to 1, more fragments follow (it is 0 in this example). The remaining "0 0000", together with the following byte "00", forms the 13-bit Fragment Offset, which says where this fragment belongs in the original datagram.

The byte "80" is the TTL (Time To Live), the lifetime of an IP packet. The TTL value can be seen in Ping output, and many articles describe using it to guess the type of the remote host. Each system has a default TTL, and the default varies between systems; Windows, for example, uses 128. However, the TTL seen in a Ping reply is generally not the default, because each time the IP packet passes through a router the TTL is decreased by one, and when it reaches 0 the packet is discarded. This is also the principle behind Tracert. In this example it is "80", which is 128 in decimal; I am using Windows 2000.

Next, "06" is the Protocol field, the type of the transport layer protocol. As defined in RFC 790, 6 means the transport layer protocol is TCP.

The 16-bit "2c 23" is the Header Checksum.

Next, "c0 a8 01 01" is the Source Address, that is, my IP address: converted to dotted decimal it is 192.168.1.1. Likewise, the 32 bits that follow, "d8 03 e2 15", are the Destination Address, 216.3.226.21.

Okay, that was tiring, but we have finished reading the basic 20-byte IP header. Let's continue with the TCP header, which is carried as the payload of the IP packet.

TCP Header: 0d 28 00 15 50 5f a9 06 00 00 00 00 70 02 40 00 c0 29 00 00

First come two bytes, "0d 28", the source (local) port number, which is 3368 in decimal. The next two bytes, "00 15", are the destination port. Because I am connecting to an FTP site this is 21, which in hexadecimal is of course "00 15".

The next four bytes "50 5f a9 06" are the Sequence Number, abbreviated SEQ; here SEQ = 1348446470. The four bytes after that, "00 00 00 00", are the Acknowledgment Number, abbreviated ACKNUM.

The next two bytes, "70 02", are "0111 0000 0000 0010" in binary. These 16 bits carry several things. The first 4 bits "0111" are the TCP header length (data offset) in 4-byte units, 7 in decimal, which gives the 28 bytes just mentioned (I omitted the 8 bytes of option data, so you only see 20 bytes). The next 6 bits are reserved, not used by TCP today, and are all 0. The last 6 bits "00 0010" are the six control flags. These flags are how the two computers signal the state of their exchange: the sender and receiver decide what kind of segment this is from them. Here is a short introduction to each:

URG (Urgent Pointer field significant): when set to 1, the Urgent Pointer field is valid; it is used to avoid interrupting the TCP data stream.

ACK (Acknowledgment field significant): when set to 1, the Acknowledgment Number is valid. When set to 0, the segment carries no acknowledgment and the Acknowledgment Number is ignored.

PSH (Push Function): when set to 1, the receiver should hand the segment's data to the application as soon as it arrives, instead of waiting until its buffer is full.

RST (Reset the connection): used to reset a connection that has gone wrong for some reason, and to reject illegal data and requests. Receiving an RST usually means some error has occurred.

SYN (Synchronize sequence numbers): used to establish a connection. In a connection request SYN = 1 and ACK = 0; in the connection response SYN = 1 and ACK = 1. That is, SYN and ACK together distinguish a Connection Request from a Connection Accepted.

FIN (No more data from sender): used to release the connection; it indicates that the sender has no more data to send.

Those are the six flags. In this example SYN = 1 and ACK = 0, which indicates a connection request. Note how they change in the two packets that follow.

I will not go into the remaining "40 00 c0 29 00 00" (the window size, the checksum, and the urgent pointer). Let's look at the data of the next two packets, the rest of the connection process, and the important changes in them.

Second, the FTP site returns its connection response:

216.3.226.21 -> 192.168.1.1

IP header: 45 00 00 2c c6 be 40 00 6a 06 cd ba d8 03 e2 15 c0 a8 01 01

TCP Header: 00 15 0d 28 4b 4f 45 c1 50 5f a9 07 60 12 20 58 64 07 00

Third, I confirm the connection, and the TCP connection is established:

192.168.1.1 -> 216.3.226.21

IP header: 45 00 00 28 52 53 40 00 80 06 2c 2a c0 a8 01 01 d8 03 e2 15

TCP Header: 0d 28 00 15 50 5f a9 07 4b 4f 45 c2 50 10 40 b0 5b 1c 00 00

Okay. Let's look at the whole three-way handshake process:

Step 1: I send a connection request. The TCP data is SEQ = 50 5f a9 06, ACKNUM = 00 00 00 00, SYN = 1, ACK = 0.

Step 2: the other side confirms that the connection can be established. The TCP data is SEQ = 4b 4f 45 c1, ACKNUM = 50 5f a9 07, SYN = 1, ACK = 1.

Step 3: I confirm the connection. SEQ = 50 5f a9 07, ACKNUM = 4b 4f 45 c2, SYN = 0, ACK = 1.

Can you see the changes, and the relationship between these values?

Next I receive the following packet from 216.3.226.21 -> 192.168.1.1: SEQ = 4b 4f 45 c2, ACKNUM = 50 5f a9 07, SYN = 0, ACK = 1.

These are the basics, and anyone who wants to write something like a sniffer must be very familiar with them. Here we have only explained a little about the TCP/IP protocol, mainly the header data format.
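As an added example (not part of the original article), the following Python decodes the three captured header dumps above exactly as the walkthrough does, field by field, and checks that the SEQ/ACKNUM values chain together as a valid three-way handshake. Two bytes are assumed where the dumps as printed are one byte short: the first IP header's Identification is written as 52 52 (the value the text gives), and the trailing urgent-pointer byte of the second TCP header is taken to be 00.

```python
import struct

# Hex dumps copied from the three captured packets above (IP header, TCP header).
# Assumed bytes: the first IP header's Identification is restored to 52 52 as the
# text states, and the second TCP header's last urgent-pointer byte is taken as 00.
CAPTURE = [
    ("45 00 00 30 52 52 40 00 80 06 2c 23 c0 a8 01 01 d8 03 e2 15",
     "0d 28 00 15 50 5f a9 06 00 00 00 00 70 02 40 00 c0 29 00 00"),
    ("45 00 00 2c c6 be 40 00 6a 06 cd ba d8 03 e2 15 c0 a8 01 01",
     "00 15 0d 28 4b 4f 45 c1 50 5f a9 07 60 12 20 58 64 07 00 00"),
    ("45 00 00 28 52 53 40 00 80 06 2c 2a c0 a8 01 01 d8 03 e2 15",
     "0d 28 00 15 50 5f a9 07 4b 4f 45 c2 50 10 40 b0 5b 1c 00 00"),
]
FLAG_NAMES = ("FIN", "SYN", "RST", "PSH", "ACK", "URG")  # lowest bit first

def parse_ip_header(hexdump):
    """Decode the fixed 20-byte IPv4 header (RFC 791); all fields are big-endian."""
    vi, tos, tlen, ident, frag, ttl, proto, csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", bytes.fromhex(hexdump)[:20])
    return {"version": vi >> 4, "ihl_bytes": (vi & 0xF) * 4, "tos": tos,
            "total_length": tlen, "identification": ident,
            "df": bool(frag & 0x4000), "mf": bool(frag & 0x2000),
            "fragment_offset": frag & 0x1FFF, "ttl": ttl, "protocol": proto,
            "checksum": csum, "src": ".".join(map(str, src)),
            "dst": ".".join(map(str, dst))}

def parse_tcp_header(hexdump):
    """Decode the fixed 20-byte TCP header (RFC 793); options, if present, are skipped."""
    sport, dport, seq, ack, off_flags, win, csum, urg = struct.unpack(
        "!HHIIHHHH", bytes.fromhex(hexdump)[:20])
    flags = {n for i, n in enumerate(FLAG_NAMES) if off_flags >> i & 1}
    return {"src_port": sport, "dst_port": dport, "seq": seq, "ack_num": ack,
            "header_bytes": (off_flags >> 12) * 4, "flags": flags,
            "window": win, "checksum": csum, "urgent_pointer": urg}

def check_handshake(packets):
    """True if three (ip, tcp) dumps form a SYN / SYN-ACK / ACK exchange whose
    sequence and acknowledgment numbers chain correctly (modulo 2**32)."""
    syn, synack, ack = (parse_tcp_header(t) for _, t in packets)
    nxt = lambda n: (n + 1) & 0xFFFFFFFF
    return (syn["flags"] == {"SYN"} and synack["flags"] == {"SYN", "ACK"}
            and ack["flags"] == {"ACK"} and synack["ack_num"] == nxt(syn["seq"])
            and ack["seq"] == nxt(syn["seq"]) and ack["ack_num"] == nxt(synack["seq"]))

if __name__ == "__main__":
    for ip, tcp in CAPTURE:
        h = parse_ip_header(ip)
        print(h["src"], "->", h["dst"], sorted(parse_tcp_header(tcp)["flags"]))
    print("three-way handshake valid:", check_handshake(CAPTURE))
```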
