Before going to college, I learned network protocols, but I was completely puzzled by the meaning of the header formats and just memorized them by rote to get through the exam.
Later, at work, under the guidance of senior colleagues, I began to study "TCP/IP Illustrated", but at that time I had no network programming experience and just filled in code by following examples, so although I read it through, it was almost the same as not having read it, because I could not understand it.
Now, reading it again, I find that I can basically understand most of it, and even the parts I do not understand become clear after a couple more readings. It is a good book that clears up the confusion about these protocols, and it is no wonder that many people recommended it to me before.
These notes are based on the book, combined with packet captures.
I cannot capture link-layer packets, so for now I only cover the basics and copy a few sentences:
"Maximum Transmission Unit MTU
Ethernet and 802.3 have a limit on the length of the data frame, with maximum values of 1500 and 1492 bytes, respectively. This feature of the link layer is called the MTU, the maximum transmission unit. Most of the different types of networks have an upper limit. If the IP layer has a datagram to transmit and the length of the data is larger than the MTU of the link layer, then the IP layer needs to perform fragmentation, dividing the datagram into several fragments so that each one is smaller than the MTU.
Path MTU
When two hosts on the same network communicate with each other, the MTU of the network is very important. However, if the communication between the two hosts passes through multiple networks, then the link layer of each network may have a different MTU. What matters is not the MTU of the networks on which the two hosts are located, but the minimum MTU on the path between the two communicating hosts. It is called the path MTU.
The path MTU between the two hosts is not necessarily a constant. It depends on the route that was selected at that time. Routing is not necessarily symmetric (the route from A to B may differ from the route from B to A), so the path MTU is not necessarily the same in the two directions.
”
Starting with Chapter 3, the IP protocol.
-------------------------------------------------------------------------------
IP packets are transmitted unordered; no ordering is guaranteed. Transmission is also unreliable: for example, when a router's buffers are full, it simply discards the IP packet and sends an ICMP error message.
The IP header's 4-bit header length field shares a single byte with the 4-bit version field.
The current version number is 4.
The 4-bit header length is not the header length in bytes but the number of 4-byte words. For example, if the IP header has no options, its value is 5, so the header length is 5 times 4, or 20 bytes.
Because the field has only 4 bits, its maximum value is 15, which limits the IP header to 60 bytes.
The IP TOS (type of service) field is ignored by most protocols. It is basically 00.
Packets get padded: for example, an ARP packet (length 42), whether sent to me by the router or by another PC, is automatically padded to 60, but one from my own local virtual machine is still 42; it is not clear why. The total length field is therefore needed to determine which bytes are valid.
The 16-bit identification: all processes on a single host share one queue for the IP packets they send, and the value is incremented by 1 for each IP packet sent. The identification values of the two communicating computers are independent. But judging from the packet capture, in the IP packets that QQ on the other side sent to me, this value was always 0.
If a UDP datagram carries more than 1472 bytes of content, it is fragmented: the IP packet is split, and the resulting packets have the same 16-bit identification. The 3-bit flags field distinguishes them: 0x02 for the first packet, 0x00 for the subsequent packet. It is followed by a 13-bit offset giving the position in the actual content at which the data carried by this IP packet begins. For example: the first packet, IP packet length (IP header 20 bytes), 3-bit flags 0x02, 13-bit offset 0, carrying 1480 bytes of data (8 bytes of UDP header, 1472 bytes of actual content); the second packet, IP packet length 48, 3-bit flags 0x00, 13-bit offset 1480, carrying 28 bytes of actual content and no UDP header.
If no fragmentation is required, the 3-bit flags field is 0x04.
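The header arithmetic above, as an added Python example (not part of the original notes): it packs and parses the headers for the 1472 + 28 byte case and uses the total length field to drop link-layer padding. The flags are read as the top 4 bits of the 16-bit flags/offset word, which gives the 0x02 and 0x04 values used in the notes; the raw 13-bit field stores the offset divided by 8. Addresses, identification values and the DF-on-unfragmented behaviour are assumptions of the example.

```python
import struct

MF, DF = 0x2000, 0x4000   # RFC 791 bits in the 16-bit flags/offset word

def build_header(total_len, ident, flags, offset_bytes):
    """Pack a 20-byte IPv4 header for UDP (no options; checksum left 0)."""
    assert offset_bytes % 8 == 0      # the 13-bit field counts 8-byte units
    return struct.pack("!BBHHHBBH4s4s", (4 << 4) | 5, 0, total_len, ident,
                       flags | (offset_bytes // 8), 64, 17, 0,
                       bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))  # constructed

def parse_header(raw):
    ver_ihl, _tos, total_len, ident, word = struct.unpack("!BBHHH", raw[:8])
    return {
        "version": ver_ihl >> 4,
        "header_len": (ver_ihl & 0x0F) * 4,    # field counts 4-byte words
        "total_len": total_len,
        "id": ident,
        "flags": (word >> 12) & 0xE,           # top-nibble view: 0x2 = MF, 0x4 = DF
        "offset_field": word & 0x1FFF,         # raw 13-bit value
        "offset_bytes": (word & 0x1FFF) * 8,   # what capture tools display
    }

def fragment(udp_payload_len, ident, mtu=1500):
    """Headers of the IP packets needed to carry one UDP datagram."""
    data_len = 8 + udp_payload_len             # UDP header + content
    if data_len <= mtu - 20:
        # Assumption: an unfragmented packet is sent with DF set.
        return [build_header(20 + data_len, ident, DF, 0)]
    per_frag = (mtu - 20) // 8 * 8             # every fragment but the last
    headers, off = [], 0
    while off < data_len:
        chunk = min(per_frag, data_len - off)
        flags = MF if off + chunk < data_len else 0
        headers.append(build_header(20 + chunk, ident, flags, off))
        off += chunk
    return headers

def strip_padding(ethernet_payload):
    """Drop link-layer padding using the IP total length field."""
    return ethernet_payload[:parse_header(ethernet_payload)["total_len"]]

# The case from the notes: 1472 + 28 = 1500 bytes of UDP content.
FRAGS = [parse_header(h) for h in fragment(1500, ident=0x1234)]
```

The second fragment parses to total length 48 with a raw offset field of 185, which is the 1480 shown in the capture.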
-------------------------------------------------------------------------------
Chapter 3: ARP
An ARP request packet must be sent to the broadcast address.
A PC periodically sends ARP requests for its own gateway address.
In the packet capture I found that my router pads the 42-byte ARP packet to 60 bytes, appending "0000 + 16 bytes of the request packet header". (The virtual machine on this machine does not pad; it is still 42 bytes. The other PC sends 60 bytes.)
With another router, I found that the returned ARP packet had 18 bytes of zeros appended; I guess this varies with the router's settings.
This is because an Ethernet data frame has a minimum length, and data sent over Ethernet is padded to this minimum length.
If the local machine sends ARP to its own local virtual machine, the packet only passes through the network card and not over the Ethernet, so it keeps its original length.
On ES5, after an ARP address is deleted, the entry still exists, marked incomplete; pinging a nonexistent IP address also produces an incomplete entry.
On XP, however, no such incomplete cache entry is recorded.
Gratuitous ARP is not a message a host uses to obtain its own IP address; it has 2 functions:
1. If a reply is received, there is an IP address conflict.
2. When a host changes its own IP address, it sends this message to notify other machines to replace their cache contents; this message receives no reply.
In an actual packet capture, if you change the IP address of the machine, you will certainly catch the gratuitous ARP message: the destination IP, source IP and source MAC are all the machine's own, and the destination MAC is empty.
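An added Python example (not part of the original notes) that splits a captured ARP frame into its 42 valid bytes and the trailing padding, reports whether the padding is all zeros, and flags gratuitous ARP by the sender IP equalling the target IP. The MAC address, IP addresses and padding bytes are constructed samples; the non-zero padding is only a stand-in for the "0000 + 16 bytes" pattern described above.

```python
import struct

ARP_FRAME_LEN = 14 + 28   # Ethernet header + IPv4-over-Ethernet ARP body = 42

def make_arp_request(mac, sender_ip, target_ip, pad=b""):
    """Build a broadcast ARP request; the target MAC is left empty (zeros)."""
    eth = struct.pack("!6s6sH", b"\xff" * 6, mac, 0x0806)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, 1,
                      mac, sender_ip, bytes(6), target_ip)
    return eth + arp + pad

def inspect_arp_frame(frame):
    """Return the ARP fields of interest plus a description of the padding."""
    if len(frame) < ARP_FRAME_LEN:
        raise ValueError("frame too short for ARP")
    dst, _src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0806:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, oper, _sha, spa, tha, tpa = struct.unpack(
        "!HHBBH6s4s6s4s", frame[14:ARP_FRAME_LEN])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not IPv4-over-Ethernet ARP")
    padding = frame[ARP_FRAME_LEN:]       # everything past byte 42
    return {
        "oper": {1: "request", 2: "reply"}.get(oper, oper),
        "broadcast": dst == b"\xff" * 6,
        "gratuitous": spa == tpa,         # sender IP equals target IP
        "target_mac_empty": tha == bytes(6),
        "frame_len": len(frame),
        "padding_len": len(padding),
        "padding_all_zero": not any(padding),
    }

# Constructed sample frames.
MAC = bytes.fromhex("020000000001")
HOST, GATEWAY = bytes([192, 0, 2, 10]), bytes([192, 0, 2, 1])
LOCAL = make_arp_request(MAC, HOST, GATEWAY)                   # unpadded
ZERO_PAD = make_arp_request(MAC, HOST, GATEWAY, pad=bytes(18))
ECHO_PAD = make_arp_request(MAC, HOST, GATEWAY,
                            pad=b"\x00\x00" + LOCAL[14:30])    # non-zero padding
GRATUITOUS = make_arp_request(MAC, HOST, HOST, pad=bytes(18))
```

Padding that is not all zeros is worth a second look in a capture, because those bytes are whatever the sending device happened to put there.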
-------------------------------------------------------------------------------
Chapter 4: RARP
Not every machine can answer a RARP request; a dedicated RARP server is needed to answer it. If there are multiple RARP servers, they are kept apart by configuring different response delays.
-------------------------------------------------------------------------------
Chapter 5: ICMP
Types 0 and 8 are the ping service.
The identifier and sequence number of the ICMP message are returned as-is in the reply, for matching.
One of the rules of UDP: on receiving a request for a port that does not match any port in use by a process, it returns an ICMP unreachable message. (Traceroute is implemented using this.)
In UDP port unreachable packets, the four bytes after the ICMP header are all 0; they carry a value only for type 3, code 4.
There is one place where the packet capture does not match the book. The ICMP unreachable message does not simply return the 8-byte UDP header but the whole UDP packet; for example, when using TFTP to access a nonexistent server, the contents of the TFTP message are returned as well. The server used was ES5.
Later I switched to the router and found that it returns only the 8-byte UDP header; I guess this is a setting on the router.
-------------------------------------------------------------------------------
Chapter 7: Ping
Ping is implemented using ICMP types 0 and 8.
The identifier is 04; the sequence number increases by 1 with each request and is not reset to zero: the next time you run ping, it keeps counting up.
Ping carries 32 characters of data: A-Z a-i
For the record route operation, which carries the IPs traversed along the way, the XP and ES5 commands are different and the information they carry is different.
XP: ping -r (1-9) host. The number of IPs to carry can be adjusted. XP does not fill in its own ingress IP when it receives the reply. In XP's request message, ptr is 4 and its own egress IP is not carried.
ES5: ping -R host. The number cannot be adjusted and is fixed at 9 IPs. It fills in its own ingress IP when sending the reply. In the request message, ptr is 8 and its own egress IP is carried.
Generally speaking, ping with R does not get through routers; it is basically blocked completely.
Although ping lets you set the packet size on both Windows and Linux (it must certainly be less than 65535), if the packet length is greater than the MTU, the ICMP packets actually sent are fragmented.
This article is from the "Flying Justice Blog" blog; to reproduce it, please contact the author!
"TCP/IP Illustrated" study notes, part one (1-7)