I have been studying computer networking for a long time, but always confined to textbook knowledge, and I felt I was not getting to the heart of it. A senior student suggested that I capture some packets with Wireshark and analyze them.
I have never done packet-capture analysis on my own before, so this post may contain many errors. It is just my own record; passers-by should not treat it as a tutorial, lest it lead you astray...
TCP header format:
Set the display filter to: ip.dst == 22.214.171.124 or ip.src == 126.96.36.199 (Wireshark display filter field names are case-sensitive and lowercase; ip.addr == x matches either direction in a single clause).
I don't know what this address is; I just picked it because there was a lot of traffic exchanged with it.
Analyzing the first packet:
Source address: my own computer's IP, which I won't post.
Destination: 188.8.131.52, the destination address.
Protocol: TCP, indicating the TCP protocol.
Length: 66 indicates that the frame is 66 bytes long: 14 bytes of Ethernet header, 20 bytes of IP header and 32 bytes of TCP header (20 fixed bytes plus 12 bytes of options), with no payload. The Length column counts the whole frame, not just the TCP segment.
56739 -> 443: the segment is sent from port 56739 on the source to port 443 (HTTPS) on the destination.
[SYN] indicates a TCP synchronization request, the first step of the three-way handshake.
Seq=0: the sequence number in the TCP header, shown here as 0.
In TCP the initial sequence number in the first SYN is random, and the initial sequence number in the SYN+ACK is also random (randomizing them is what stops an off-path attacker from guessing the numbers and injecting or spoofing segments). Wireshark, for readability, shows relative values by default: it treats each side's initial value as 0, and every later Seq and Ack is an offset from that. The raw values can be shown by disabling "Relative sequence numbers" in the TCP protocol preferences.
Win=8192: the receive window advertised by the sender of this segment. A field in the TCP header.
Len=0: the length of the data part of this TCP segment.
MSS=1460: maximum segment size, the largest data field the sender is willing to receive in one TCP segment; it does not include the header length (1460 = the 1500-byte Ethernet MTU minus 20 bytes of IP header and 20 bytes of TCP header). This is a field in the TCP options.
WS=256: window scale factor. It can only be negotiated during connection establishment, and the new window value = the window value in the header multiplied by 2^s (the window scale), because the 16-bit window field is too small. It is a field in the TCP options. ?? The book says the window scale option occupies 3 bytes, one of which is the shift count s, with s at most 14, and that the new window is the 16-bit window in the TCP header extended to (16+s) bits. So how can WS be 256 here??
A: The 256 here means the window is scaled by a factor of 256, i.e. s=8 and 2^8 = 256, which satisfies s<=14. Wireshark's summary line shows the multiplier, while the TCP detail pane below shows the shift count itself. Note that the window field in the SYN itself is never scaled; the factor applies only to segments sent after the handshake, so this side's effective window will be 8192 × 256 = 2,097,152 bytes.
SACK_PERM=1: selective acknowledgment permitted. A field in the TCP options.
Well, at least this much I can say: this information is the content of the TCP protocol.
Next, the detailed content. Click the packet above and the details appear in the pane below, like this:
What does this division mean?
After thinking about it for a long while, I realized that the contents are displayed according to the layers of the network layering model.
Frame 551: corresponds to the packet's summary information, such as whether we have marked it and which coloring rule applies.
Ethernet II: corresponds to the network interface (link) layer, indicating that the Ethernet II frame format is used.
Internet Protocol Version 4: corresponds to the network layer, indicating IPv4.
Transmission Control Protocol: corresponds to the transport layer, indicating TCP.
Next, expand each one to see the details inside.
You can see the hardware (MAC) addresses of the source and destination.
Unicast means a unicast address.
?? What is that pile of dots ... ? And what are LG and IG?
A: The dots stand for bits that do not belong to the field being shown; only the bits that matter are displayed. IG and LG are the two lowest-order bits of the first byte of a MAC address: IG = 0 means an individual (unicast) address and 1 a group (multicast/broadcast) address; LG = 0 means a globally unique, factory-assigned address and 1 a locally administered one.
First, the IP header format, to help with the analysis:
It starts by stating that the protocol version is IPv4 and the header length is 20 bytes.
Differentiated Services field:
(DSCP 0x00: default; ECN: 0x00). DSCP is a priority level assigned by the upper-layer protocol; the default value 0 means best-effort delivery. The ECN field consists of the ECN-Capable Transport (ECT) bits and the Congestion Experienced (CE) bit. ECT = 0 means the transport protocol is not ECN-capable and ignores the CE bit; the CE bit is set by routers to signal congestion, and 0 means no congestion has been experienced.
The total length of the IP packet is 52 bytes, and the identification field is 1302.
The flags field is 0x02, meaning Don't Fragment is set (the packet must not be fragmented); the fragment offset is 0, the time to live is 128, and the upper-layer protocol is TCP.
The header checksum's Good and Bad below are both False. My understanding is that because this is the initial packet there is no validation problem. Wireshark shows both as False whenever it has not verified the checksum at all, which is the default ("Validate the IPv4 checksum if possible" is off in the IPv4 protocol preferences); with validation enabled, exactly one of Good or Bad becomes True.
Most of the rest is as shown above. Note the Window scale: 8 near the bottom, which corresponds to the explanation of the first red question mark above.
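As an added worked example (not part of the original post), the following Python script constructs a 66-byte Ethernet/IPv4/TCP SYN frame with the same values as the one analyzed above and dissects it the way the Wireshark detail pane does: the IG/LG bits of the MAC address, DSCP/ECN, the DF flag, TTL, the header checksum (what Good/Bad would report with validation on), and the TCP options (MSS, window scale, SACK permitted), including the 2^s multiplier that appears as WS=256. The MAC addresses, the source IP 192.168.1.10, the identification value 0x1302 and the initial sequence number are made up; only the values quoted in the post are taken from it.

```python
"""Build and dissect a Windows-style TCP SYN frame (constructed sample, not a real capture)."""
import struct


def ip_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words (IP header length is even)."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                                  # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_syn_frame(isn: int) -> bytes:
    """Ethernet II + IPv4 + TCP SYN, 14 + 20 + 32 = 66 bytes, matching the post's frame."""
    # TCP options in the order Wireshark shows for this SYN: MSS, NOP, WS, NOP, NOP, SACK_PERM
    options = (struct.pack("!BBH", 2, 4, 1460)          # kind 2: MSS = 1460
               + b"\x01"                                # kind 1: NOP padding
               + struct.pack("!BBB", 3, 3, 8)           # kind 3: window scale, shift count 8
               + b"\x01\x01"                            # NOP, NOP
               + struct.pack("!BB", 4, 2))              # kind 4: SACK permitted
    data_offset = (20 + len(options)) // 4              # header length in 32-bit words = 8
    tcp = struct.pack("!HHIIBBHHH", 56739, 443, isn, 0,
                      data_offset << 4, 0x02,           # flags byte: SYN only
                      8192, 0, 0) + options             # win=8192; TCP checksum left 0 here
    total_length = 20 + len(tcp)                        # 52, as in the post
    ip_no_csum = struct.pack("!BBHHHBBH4s4s",
                             0x45, 0x00,                # version 4, IHL 5 (20 bytes); DSCP 0, ECN 0
                             total_length, 0x1302,      # identification (made up, hex assumed)
                             0x4000,                    # flags = DF (0b010), fragment offset 0
                             128, 6, 0,                 # TTL 128, protocol 6 (TCP), checksum placeholder
                             bytes([192, 168, 1, 10]),  # source IP (made up)
                             bytes([188, 8, 131, 52]))  # destination IP from the post
    csum = ip_checksum(ip_no_csum)
    ip = ip_no_csum[:10] + struct.pack("!H", csum) + ip_no_csum[12:]
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"  # made-up MACs, IPv4
    return eth + ip + tcp


def dissect(frame: bytes) -> dict:
    """Decode the fields the Wireshark detail pane shows for this frame."""
    out = {"frame_len": len(frame)}
    dst_mac, ethertype = frame[:6], struct.unpack("!H", frame[12:14])[0]
    # IG/LG are the two low-order bits of the first MAC octet
    out["dst_ig_group"] = bool(dst_mac[0] & 0x01)       # 0 = individual (unicast)
    out["dst_lg_local"] = bool(dst_mac[0] & 0x02)       # 0 = globally unique (factory default)
    out["ethertype"] = ethertype                         # 0x0800 = IPv4
    ip = frame[14:]
    ver_ihl, tos, tot_len, ident, flags_frag, ttl, proto, _csum = struct.unpack("!BBHHHBBH", ip[:12])
    ihl = (ver_ihl & 0x0F) * 4
    out.update(version=ver_ihl >> 4, ihl=ihl, dscp=tos >> 2, ecn=tos & 0x03,
               total_length=tot_len, identification=ident,
               flags=flags_frag >> 13, dont_fragment=bool(flags_frag & 0x4000),
               fragment_offset=flags_frag & 0x1FFF, ttl=ttl, protocol=proto)
    # Verifying: the checksum over the header *including* its checksum field comes out as 0
    out["checksum_good"] = ip_checksum(ip[:ihl]) == 0
    tcp = ip[ihl:tot_len]
    sport, dport, seq, ack, off_flags, tflags, win = struct.unpack("!HHIIBBH", tcp[:16])
    doff = (off_flags >> 4) * 4
    out.update(sport=sport, dport=dport, seq_raw=seq, ack_raw=ack,
               syn=bool(tflags & 0x02), ack_flag=bool(tflags & 0x10),
               window=win, payload_len=len(tcp) - doff)
    # Walk the options as (kind, length, data); kind 1 is a one-byte NOP, kind 0 ends the list
    i, opts = 20, {}
    while i < doff:
        kind = tcp[i]
        if kind == 0:
            break
        if kind == 1:
            i += 1
            continue
        length = tcp[i + 1]
        data = tcp[i + 2:i + length]
        if kind == 2:
            opts["mss"] = struct.unpack("!H", data)[0]
        elif kind == 3:
            opts["ws_shift"] = data[0]
        elif kind == 4:
            opts["sack_perm"] = True
        i += length
    out["options"] = opts
    # Wireshark's "WS=256" is 2**shift; the scaled window applies only after the handshake
    out["ws_multiplier"] = 1 << opts.get("ws_shift", 0)
    out["effective_window"] = win << opts.get("ws_shift", 0)
    return out


def dissect_sample(isn: int = 0x3A2B1C0D) -> dict:
    """Build the sample SYN with a made-up ISN and dissect it."""
    return dissect(build_syn_frame(isn))


if __name__ == "__main__":
    for key, value in dissect_sample().items():
        print(f"{key}: {value}")
```

Running it prints the same values the post reads off Wireshark (frame 66 bytes, IP total length 52, DF set, TTL 128, Win 8192, MSS 1460, shift 8 giving the 256 multiplier, SACK permitted). Flipping any byte of the IP header makes `checksum_good` False, which is what Wireshark's Bad: True would show once checksum validation is switched on.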
"Computer network" Wireshark capture packet Analysis 1