Linux networking: the OSI seven-layer model, the TCP/IP protocol stack, and the structure of each layer
Anyone learning Linux runs into the OSI model sooner or later. Never looked at it closely? This post walks through it layer by layer, then looks at what the headers of each layer actually contain.
I. The two protocol models
(1) The OSI reference model (seven layers), an international standard. PDU (protocol data unit): the unit of data exchanged between peer layers on two hosts.

Layer | PDU | Function | Examples
7 Application | Message (data) | Provides network services to application processes (mail, terminal emulation, file transfer); the user's access point to the network; user authentication | HTTP, Telnet
6 Presentation | Message | Makes sure the receiving system can read the data: formats and encodes it, encrypts and decrypts, compresses and decompresses; negotiates the transfer syntax used by the application layer | ASCII, EBCDIC, JPEG
5 Session | Message | Establishes, manages and terminates sessions between applications | Operating system and application access
4 Transport | Segment | End-to-end delivery; ensures reliable transmission: sets up, maintains and tears down a virtual circuit; error detection and recovery; flow control | TCP, UDP
3 Network | Packet | Logical addressing and path selection (routing) | IP
2 Data link | Frame | Uses MAC (physical) addresses to access the medium; error detection (and, on some links, correction) | 802.3/802.2, HDLC
1 Physical | Bit | Binary transmission; defines the electrical, mechanical, procedural and functional specifications for activating, maintaining and deactivating physical links | EIA/TIA-232, V.35
Operation Model:
(2) The TCP/IP protocol stack (four layers) is the protocol suite actually used on both LANs and the Internet.
On Linux, cat /etc/protocols lists the protocol numbers the system knows (the values that appear in the Protocol field of the IP header).
(3) Similarities
Both are built on the idea of a protocol stack.
The protocols within the stack are independent of one another.
Each lower layer provides a service to the layer above it, and each layer carries a field identifying which upper-layer protocol the payload belongs to (Ethernet Type, IP Protocol number, TCP/UDP port).
Differences
OSI defined the model first and protocols followed; TCP/IP had working protocols first and the model was described afterwards.
OSI is a general reference model that applies to any protocol stack; the TCP/IP model applies only to TCP/IP networks.
They divide the stack into a different number of layers (seven versus four).
(4) Each layer adds its own header. A simplified view of the encapsulation:

Layer | Header fields added | Unit
Data link (Ethernet) | destination MAC address, source MAC address | frame
Internet (IP) | source IP address, destination IP address | packet
Transport (TCP) | source port, destination port | segment
Application | application data | data
II. Data link layer: the Ethernet frame
(1) The Ethernet frame format is standardized by the IEEE.
(2) Ethernet frame formats: Ethernet II versus IEEE 802.3 (data link layer)
Frame length on the wire: 72 to 1526 bytes including the 8-byte preamble/SFD and the 4-byte FCS. In a packet capture you see 60 to 1514 bytes, because the NIC strips the leading 8 bytes and the trailing 4-byte FCS before handing the frame to the driver.

Ethernet II
Field | Preamble | Destination MAC address | Source MAC address | Type (upper-layer protocol) | Data (including upper-layer headers) | FCS (frame check sequence)
Bytes | 8 | 6 | 6 | 2 | 46-1500 | 4

IEEE 802.3
Field | Preamble | SFD (start of frame delimiter) | Destination MAC address | Source MAC address | Length | Data (including upper-layer headers) | FCS (frame check sequence)
Bytes | 7 | 1 | 6 | 6 | 2 | 46-1500 | 4

Ethernet II carries a Type field that names the upper-layer protocol (0x0800 IPv4, 0x0806 ARP); IEEE 802.3 carries a Length field instead and leaves protocol identification to the LLC header inside the data. A receiver tells them apart by value: 1500 (0x05DC) or less is a length, 1536 (0x0600) or more is a type. Nearly all IP traffic uses Ethernet II.
(3) Packet capture example
(4) The MAC (media access control) address is 48 bits, and the bits mean different things depending on position: the first 24 bits are the OUI (organizationally unique identifier) assigned to the vendor, the remaining 24 bits are assigned by the vendor, and the lowest bit of the first octet (the I/G bit) is set for group (multicast) addresses.
All 48 bits set to 1 (FF:FF:FF:FF:FF:FF, twelve hex F's) is the broadcast address.
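To show how the Type/Length distinction and the MAC address bits above are actually decoded, here is an added example written for this edit (not code from the original post). It parses a frame as the NIC delivers it to a capture tool (no preamble, no FCS), tells Ethernet II from 802.3 by the 0x0600 threshold, and classifies the destination MAC. The two sample frames and the small EtherType table are constructed for illustration, not real captures.

```python
import struct

# Small EtherType table, enough for the example (a real tool would carry the full IANA list).
ETHERTYPES = {0x0800: "IPv4", 0x0806: "ARP", 0x86DD: "IPv6"}
BROADCAST_MAC = b"\xff" * 6


def mac_to_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def classify_mac(raw: bytes) -> str:
    """Broadcast is all ones; the I/G bit (LSB of the first octet) marks a group address."""
    if raw == BROADCAST_MAC:
        return "broadcast"
    if raw[0] & 0x01:
        return "multicast"
    return "unicast"


def parse_ethernet(frame: bytes) -> dict:
    """Parse a captured frame (preamble/SFD and FCS already stripped by the NIC/driver)."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src, type_or_len = struct.unpack("!6s6sH", frame[:14])
    payload = frame[14:]
    if type_or_len >= 0x0600:
        # Ethernet II: the 2-byte field is an EtherType naming the upper-layer protocol.
        kind = "Ethernet II"
        upper = ETHERTYPES.get(type_or_len, f"0x{type_or_len:04x}")
        length = len(payload)
    elif type_or_len <= 0x05DC:
        # IEEE 802.3: the field is the payload length; anything after it is padding.
        kind = "IEEE 802.3"
        upper = "LLC"
        length = type_or_len
        if length > len(payload):
            raise ValueError("802.3 length field exceeds captured payload")
        payload = payload[:length]
    else:
        raise ValueError(f"reserved type/length value 0x{type_or_len:04x}")
    return {
        "kind": kind,
        "dst": mac_to_str(dst),
        "dst_class": classify_mac(dst),
        "src": mac_to_str(src),
        "src_oui": mac_to_str(src[:3]),   # vendor part of the source address
        "upper": upper,
        "payload_len": length,
        "payload": payload,
    }


def _pad(payload: bytes) -> bytes:
    # The minimum Ethernet payload is 46 bytes; shorter payloads are padded on the wire.
    return payload + b"\x00" * max(0, 46 - len(payload))


# Constructed sample frames (not real captures):
# 1) an Ethernet II ARP request to the broadcast address, payload padded to 46 bytes;
# 2) an 802.3 frame to a multicast address whose Length field says 3 bytes of data.
SAMPLE_ETHII_ARP = bytes.fromhex("ffffffffffff" "001122334455" "0806") + _pad(
    b"\x00\x01\x08\x00\x06\x04\x00\x01" + b"\x00" * 20)
SAMPLE_8023 = bytes.fromhex("01005e000001" "001122334455" "0003") + _pad(b"abc")
```

Feeding the 802.3 sample through the parser returns only the three real payload bytes, which is the point of the Length field: a parser that ignores it will happily treat the padding as data.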
III. Transport layer: TCP and UDP
(1) Differences: TCP is built for reliability, UDP for efficiency

Difference | TCP (reliability) | UDP (efficiency)
Connection type | connection-oriented | connectionless
Sequencing | yes | no
Typical uses | email, file sharing, downloads | voice streaming, video streaming
(2) TCP
1. Features
Connection-oriented protocol at the transport layer
Full duplex
Supports half-close (when tearing down, each direction is closed independently)
Error checking (checksum)
Splits data into segments, numbers and orders them
Acknowledgement mechanism
Data recovery and retransmission
Flow control via a sliding window
Congestion control: slow start and congestion avoidance algorithms
2. TCP header (20 bytes fixed, plus up to 40 bytes of options)
① Source port and destination port: processes communicate through ports, and a given port can normally be bound by only one listening process at a time, so the pair of source and destination ports identifies which two processes are talking. Each port is a 16-bit field, giving ports 0-65535 (2^16). The server port is fixed and well known; the client port is chosen dynamically. A port number only suggests a protocol: nothing stops a process from running a different service on it, so firewall rules keyed on port alone are not proof of what is being carried.
cat /etc/services lists the well-known assignments, for example:
http 80/tcp, https 443/tcp, ssh 22/tcp, ftp 21/tcp (file transfer), tftp 69/udp, smtp 25/tcp (mail)
pop3 110/tcp, dns 53/tcp and 53/udp, dhcp 67/udp and 68/udp (automatic IP assignment), telnet 23/tcp (remote login), mysql 3306/tcp (database)
oracle 1521/tcp, sql server 1433/tcp, smb 445/tcp and 139/tcp with netbios-ns 137/udp (Windows file sharing), snmp 161/udp (monitoring and management)
② Sequence number: the number of the first byte of data carried by this segment. Every byte of the byte stream in a TCP connection is numbered consecutively. The field is 32 bits, so the sequence number wraps around every 2^32 bytes and continues from 0. (The initial value of a connection is randomized by modern stacks, which is what makes blind spoofing of segments hard.)
③ Acknowledgement number: the sequence number of the next byte the receiver expects from the sender. It tells the sender "the next byte I want from you is number N", which implicitly acknowledges everything before N.
④ Data offset: a 4-bit field giving the length of the TCP header in units of 32-bit words (4 bytes). It is needed because the options make the header variable-length; it tells where the data starts relative to the start of the segment. Four bits hold at most 15, so the header is at most 15 × 4 = 60 bytes (20 fixed plus 40 of options).
⑤ Flag bits (these drive the three-way handshake and the four-way close)
URG: whether the segment carries urgent data. The urgent pointer is valid only when URG = 1.
ACK: whether the acknowledgement number field is valid (ACK = 1 means valid). TCP requires ACK = 1 on every segment after the connection is established. A segment with ACK set is called an acknowledgement segment.
PSH: asks the receiving end to pass the data to the application immediately rather than waiting for the receive buffer to fill. If PSH = 1 the receiver should hand the data up now instead of caching it; data the application does not read stays in the TCP receive buffer.
RST: a segment with RST = 1 signals a serious error on the connection (such as a host crash): the connection must be released and re-established. A host also answers with RST when it receives a segment for a connection it does not have, including a SYN to a closed port, which is exactly what a port scanner looks for. A segment with RST is called a reset segment.
SYN: used to synchronize sequence numbers when establishing a connection. SYN = 1, ACK = 0 is a connection request; SYN = 1, ACK = 1 is the other side agreeing to the connection. SYN is set only in the first two segments of the handshake. A segment with SYN is called a synchronization segment.
FIN: tells the other end that the local side has finished sending and wants to close its direction of the connection. FIN = 1 means "my data is all sent, you can release the connection". A segment with FIN is called a finish segment.
⑥ Window size: the number of bytes the sender of this segment is currently willing to receive, counted from the acknowledgement number. This is the receive window used for flow control.
⑦ Checksum: covers the TCP header, the data and a pseudo-header containing the IP addresses, giving additional protection against corruption (not against tampering: it is not a cryptographic check).
⑧ Urgent pointer: offset of the end of the urgent data within the data field; meaningful only when URG = 1.
⑨ Options: variable length. The data offset field is 4 bits, so the maximum option length is (2^4 - 1) × 4 - 20 = 40 bytes.
Common options:
Maximum segment size (MSS)
Window scaling
Timestamps
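An added example (written for this edit, not from the original post) that decodes the header fields described above: the data offset, the flag bits, the option list (MSS, window scale, SACK-permitted, timestamps) and the handshake role the flags imply. The SYN and RST+ACK segments are constructed samples with typical Linux values, and the function names are this example's own.

```python
import struct

# Bits of the 8-bit flags byte, high to low.
TCP_FLAGS = (("CWR", 0x80), ("ECE", 0x40), ("URG", 0x20), ("ACK", 0x10),
             ("PSH", 0x08), ("RST", 0x04), ("SYN", 0x02), ("FIN", 0x01))


def parse_tcp_options(raw: bytes) -> dict:
    """Decode the options area that follows the fixed 20-byte header."""
    opts = {}
    i = 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:            # EOL: end of option list
            break
        if kind == 1:            # NOP: single-byte padding
            i += 1
            continue
        if i + 1 >= len(raw):
            raise ValueError("option kind without length byte")
        length = raw[i + 1]
        if length < 2 or i + length > len(raw):
            raise ValueError(f"bad length {length} for option kind {kind}")
        body = raw[i + 2:i + length]
        if kind == 2 and len(body) == 2:
            opts["MSS"] = struct.unpack("!H", body)[0]
        elif kind == 3 and len(body) == 1:
            opts["WS"] = body[0]                      # window scale shift count
        elif kind == 4:
            opts["SACK_PERMITTED"] = True
        elif kind == 8 and len(body) == 8:
            opts["TS"] = struct.unpack("!II", body)   # (TSval, TSecr)
        else:
            opts.setdefault("unknown", []).append(kind)
        i += length
    return opts


def parse_tcp(segment: bytes) -> dict:
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    (sport, dport, seq, ack, off_rsvd, flag_byte,
     window, checksum, urg_ptr) = struct.unpack("!HHIIBBHHH", segment[:20])
    data_offset = (off_rsvd >> 4) * 4          # header length in bytes, 20..60
    if data_offset < 20 or data_offset > len(segment):
        raise ValueError(f"data offset {data_offset} out of range")
    flags = [name for name, bit in TCP_FLAGS if flag_byte & bit]
    return {
        "sport": sport, "dport": dport, "seq": seq,
        "ack": ack if "ACK" in flags else None,   # ack field only meaningful when ACK is set
        "data_offset": data_offset,
        "flags": flags,
        "window": window,                        # unscaled; scaling applies after the handshake
        "checksum": checksum,
        "urgent_pointer": urg_ptr if "URG" in flags else None,
        "options": parse_tcp_options(segment[20:data_offset]),
        "payload": segment[data_offset:],
    }


def handshake_role(flags) -> str:
    """Classify a segment by its flags, following the handshake description above."""
    s = set(flags)
    if "SYN" in s and "ACK" not in s:
        return "connection request (1st handshake)"
    if "SYN" in s and "ACK" in s:
        return "connection accepted (2nd handshake)"
    if "RST" in s:
        return "reset"          # also what a closed port answers to a SYN
    if "FIN" in s:
        return "close (FIN)"
    return "data or pure ACK"


# Constructed samples (not real captures): a client SYN to port 80 with the options a
# Linux client typically sends, and the RST+ACK a closed port would send back to it.
SAMPLE_SYN = bytes.fromhex(
    "a8ca" "0050" "12345678" "00000000" "a0" "02" "faf0" "0000" "0000"   # fixed header
    "020405b4" "0402" "080a0001e24000000000" "01" "030307")               # 20 bytes of options
SAMPLE_RST = bytes.fromhex("0050" "a8ca" "00000000" "12345679" "50" "14" "0000" "0000" "0000")
```

The data offset byte of the SYN is 0xA0: the high nibble is 10, so the header is 10 × 4 = 40 bytes and the option parser is given exactly the 20 bytes between the fixed header and the (empty) payload. Length checks on every option are what keep a malformed option list from reading past the buffer.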
3. TCP ports
The transport layer uses the port number to decide which application-layer protocol (process) receives the data.
IANA (Internet Assigned Numbers Authority) is responsible for assigning domain names, number resources and protocol parameters, including port numbers.
0-1023: system or privileged ports. Binding one on Linux requires root or the CAP_NET_BIND_SERVICE capability. They are permanently assigned to well-known services: 22/tcp (ssh), 80/tcp (http), 443/tcp (https).
1024-49151: user or registered ports. Applications register them with IANA, but the assignment is not enforced by anything: 1433/tcp (SQL Server), 1521/tcp (Oracle), 3306/tcp (MySQL), 11211/tcp and udp (memcached).
49152-65535: dynamic or private ports, used as the client's ephemeral source port.
cat /proc/sys/net/ipv4/ip_local_port_range shows the ephemeral port range Linux actually uses (the kernel default is 32768-60999, which overlaps the registered range).
4. TCP timeout and retransmission
Under abnormal network conditions (timeouts, packet loss), TCP retransmits unacknowledged data to deliver the reliability it promises.
Two kernel parameters govern retransmission:
/proc/sys/net/ipv4/tcp_retries1: how many times TCP retransmits before asking the network layer to re-check the route. Default 3.
/proc/sys/net/ipv4/tcp_retries2: the maximum number of retransmissions before TCP gives up and aborts the connection. Default 15, which with exponential backoff corresponds to roughly 13 to 30 minutes.
5. Fixed window versus sliding window: with a fixed window the sender knows the window size in advance, sends n segments and the receiver replies with ACK n + 1. With a sliding window the receiver advertises how much it can accept in every ACK. For example, the sender sends four segments; the receiver replies with ACK 3 (segments 1 and 2 arrived, 3 is expected next) and advertises a window of 2, so the sender resumes from segment 3 but sends only two at a time.
6. Congestion control: improves network utilization, reduces packet loss and keeps the network fair between flows.
Four algorithms: slow start, congestion avoidance, fast retransmit and fast recovery.
cat /proc/sys/net/ipv4/tcp_congestion_control shows the congestion control algorithm in use.
(3) UDP
1. Features
Works at the transport layer
Provides unreliable delivery
Connectionless
Limited error checking (a checksum that is optional over IPv4)
High transmission performance
No data recovery
2. Header: 8 bytes in all, four 16-bit fields: source port, destination port, length (header plus data) and checksum.
IV. Internet layer
Internet layer protocols: ICMP, ARP, RARP, IP and others.
(1) ICMP (Internet Control Message Protocol), carried inside IP at the internet layer
① Used to exchange control messages between IP hosts and routers; mostly used to check reachability and report errors.
② Classic command: ping.
③ ICMP's properties make it easy to abuse against routers and hosts. Sending a large, continuous stream of ICMP packets to a target for long enough can exhaust it: an "ICMP storm" makes the host spend CPU handling the packets until it is overwhelmed, for example when it is pinged from a large number of addresses at once (a flood).
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all makes the host ignore incoming echo requests (stop answering ping); the default is 0. This hides the host from ping but also breaks legitimate reachability checks, and it does not stop the packets from arriving and being processed by the kernel.
④ In a packet capture, ICMP type 8 is an echo request (sent) and type 0 is an echo reply (returned).
(2) ARP (Address Resolution Protocol)
① A host broadcasts a request carrying the target IP address to every host on the LAN, and the owner of that IP answers with its MAC address. In short: given an IP address, obtain the MAC address.
② Uses: gratuitous ARP sent when an interface comes up or the network service restarts, to detect and avoid IP address conflicts; looking up MAC addresses.
③ Viewing the ARP table: ip neigh or arp -n
④ arp commands:
arp -a shows IP-to-MAC mappings (Linux). Entries come in three kinds: dynamic, static and permanent.
arp -d IP deletes a mapping.
arp -s IP MAC adds a permanent (static) entry by hand.
arping -I ensX IP sends ARP requests for IP and shows the MAC that answers.
arp -a shows IP-to-MAC mappings (Windows).
⑤ Because hosts accept replies they never asked for, an attacker can send forged ARP replies to a host so that its traffic never reaches the intended host, or reaches the wrong one. This is ARP spoofing (ARP poisoning), and it is how an attacker on the same LAN becomes a man in the middle. Static entries (arp -s) for critical hosts such as the gateway, or dynamic ARP inspection on the switch, defend against it.
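An added example (written for this edit, not from the original post) showing the detection side of ARP spoofing: it parses raw 28-byte ARP packets and walks them in order, raising an alert whenever a reply claims an IP address with a MAC different from the one already learned, and refusing to overwrite entries the operator pinned (the equivalent of arp -s). The traffic, the MAC addresses and the helper names are constructed for illustration.

```python
import struct
import ipaddress

ARP_REQUEST, ARP_REPLY = 1, 2
ARP_FMT = "!HHBBH6s4s6s4s"   # htype, ptype, hlen, plen, op, sha, spa, tha, tpa


def _mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def _mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_arp(op: int, sha: str, spa: str, tha: str, tpa: str) -> bytes:
    """Build a 28-byte Ethernet/IPv4 ARP packet (used here only to construct samples)."""
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, op,
                       _mac_bytes(sha), ipaddress.IPv4Address(spa).packed,
                       _mac_bytes(tha), ipaddress.IPv4Address(tpa).packed)


def parse_arp(raw: bytes) -> dict:
    if len(raw) < 28:
        raise ValueError("truncated ARP packet")
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(ARP_FMT, raw[:28])
    if htype != 1 or ptype != 0x0800 or hlen != 6 or plen != 4:
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    return {"op": op,
            "sha": _mac_str(sha), "spa": str(ipaddress.IPv4Address(spa)),
            "tha": _mac_str(tha), "tpa": str(ipaddress.IPv4Address(tpa))}


def detect_arp_spoof(packets, static=None):
    """Walk ARP packets in order; flag replies that change a known IP -> MAC binding.

    `static` is an optional dict of IP -> MAC the operator pinned (like arp -s);
    a reply contradicting it is flagged and never allowed to overwrite the entry.
    """
    pinned = dict(static or {})
    table = dict(pinned)
    alerts = []
    for raw in packets:
        a = parse_arp(raw)
        if a["op"] != ARP_REPLY:
            continue
        known = table.get(a["spa"])
        if known is not None and known != a["sha"]:
            alerts.append(f"{a['spa']} claimed by {a['sha']} but previously {known}")
            if a["spa"] in pinned:
                continue
        table[a["spa"]] = a["sha"]   # an unprotected host would do the same
    return table, alerts


# Constructed sample traffic (not a real capture): the victim asks for the gateway's MAC,
# the gateway answers, then an attacker sends an unsolicited reply claiming the gateway's IP.
GATEWAY_MAC = "aa:bb:cc:00:00:01"
VICTIM_MAC = "aa:bb:cc:00:00:10"
ATTACKER_MAC = "de:ad:be:ef:00:01"
SAMPLE_ARP = [
    build_arp(ARP_REQUEST, VICTIM_MAC, "192.168.1.10", "00:00:00:00:00:00", "192.168.1.1"),
    build_arp(ARP_REPLY, GATEWAY_MAC, "192.168.1.1", VICTIM_MAC, "192.168.1.10"),
    build_arp(ARP_REPLY, ATTACKER_MAC, "192.168.1.1", VICTIM_MAC, "192.168.1.10"),
]
```

Without a pinned entry the cache ends up pointing the gateway IP at the attacker, which is the whole attack; with the gateway pinned the alert still fires but the binding survives. Tools such as arpwatch implement essentially this "binding changed" rule on live traffic.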
(3) RARP (Reverse ARP)
Given a MAC address, obtain the IP address.
Example: diskless workstations (used in banks, which keep data off the local machine).
(4) IP
1. Features
Runs at the OSI network layer
Connectionless
Each packet is handled independently
Hierarchical addressing
Best-effort delivery
No data recovery
2. Header
① Version: 4 bits. The current version is 4 (IPv4).
② Header length: 4 bits, in units of 4 bytes, so at most 15 × 4 = 60 bytes (the fixed header is 20 bytes).
③ Differentiated services: 8 bits. Originally called Type of Service and hardly ever used as such, then renamed Differentiated Services; today it holds a 6-bit DSCP value plus 2 ECN bits. It only has an effect where DiffServ is deployed, and is usually left at zero.
④ Total length: 16 bits, the length of header plus data in bytes, so a datagram is at most 65535 bytes. A datagram larger than the link's MTU must be fragmented.
⑤ Identification: 16 bits. A counter that is usually incremented per datagram sent; all fragments of the same datagram carry the same value so the receiver can reassemble them.
⑥ Flags: 3 bits. The highest bit is reserved and must be 0; only the lower two are meaningful.
DF (Don't Fragment): the middle bit. Fragmentation is allowed only when DF = 0.
MF (More Fragments): the lowest bit. MF = 1 means more fragments follow; MF = 0 marks the last fragment.
⑦ Fragment offset: 13 bits. The position of this fragment's data within the original datagram, in units of 8 bytes.
⑧ Time to live (TTL): 8 bits, set by the sender and decremented by every router on the path; when it reaches 0 the datagram is discarded, so it bounds the number of routers a datagram can traverse. The recommended initial value is published in the IANA assigned numbers RFC and is currently 64. Some implementations send ICMP replies with the maximum TTL of 255.
The default is 64 on Linux and 128 on Windows, which is why the TTL of a reply is a cheap OS fingerprint.
cat /proc/sys/net/ipv4/ip_default_ttl shows the local machine's default TTL.
echo 128 > /proc/sys/net/ipv4/ip_default_ttl changes it, for instance to 128 so the host looks like Windows to a TTL-based guess.
⑨ Protocol: which protocol the data carries, so the receiving IP layer knows which handler to pass the payload to: 1 is ICMP, 2 is IGMP, 6 is TCP, 17 is UDP (see /etc/protocols).
⑩ Header checksum: 16 bits. Covers only the header, not the data, and uses a simple one's-complement sum rather than a CRC. Routers recompute it at every hop because the TTL changes.
⑪ Source address and destination address: 4 bytes each.
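An added example (written for this edit, not from the original post) that decodes the header fields just listed and verifies the header checksum the way a receiver does: summing a valid header including its own checksum field gives zero. It also maps an observed TTL back to the likely initial value (64 or 128) as discussed under ⑧. The sample header is constructed by the block's own builder, and the function names are this example's own.

```python
import struct
import ipaddress

IP_PROTOCOLS = {1: "ICMP", 2: "IGMP", 6: "TCP", 17: "UDP"}   # numbers from /etc/protocols
IPV4_FMT = "!BBHHHBBH4s4s"   # ver/ihl, dscp/ecn, total, id, flags/offset, ttl, proto, csum, src, dst


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 header checksum: one's-complement sum of 16-bit words, then complemented."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, proto: int, payload_len: int,
                      ttl: int = 64, ident: int = 0x1234, df: bool = True) -> bytes:
    """Build a 20-byte header with a correct checksum (used here to construct samples)."""
    flags_off = 0x4000 if df else 0          # DF is bit 14; MF would be 0x2000
    hdr = struct.pack(IPV4_FMT, 0x45, 0, 20 + payload_len, ident, flags_off,
                      ttl, proto, 0, ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def parse_ipv4(pkt: bytes) -> dict:
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, dscp_ecn, total_len, ident, flags_off,
     ttl, proto, csum, src, dst) = struct.unpack(IPV4_FMT, pkt[:20])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4:
        raise ValueError(f"not IPv4 (version {version})")
    if ihl < 20 or ihl > len(pkt):
        raise ValueError(f"header length {ihl} out of range")
    return {
        "ihl": ihl,
        "dscp": dscp_ecn >> 2, "ecn": dscp_ecn & 0x03,
        "total_length": total_len,
        "id": ident,
        "reserved_flag": bool(flags_off & 0x8000),      # must be 0
        "df": bool(flags_off & 0x4000),
        "mf": bool(flags_off & 0x2000),
        "fragment_offset": (flags_off & 0x1FFF) * 8,    # 13-bit field in units of 8 bytes
        "ttl": ttl,
        "protocol": IP_PROTOCOLS.get(proto, str(proto)),
        "checksum": csum,
        "checksum_ok": ipv4_checksum(pkt[:ihl]) == 0,   # valid header sums to zero
        "src": str(ipaddress.IPv4Address(src)),
        "dst": str(ipaddress.IPv4Address(dst)),
        "options": pkt[20:ihl],
    }


def guess_initial_ttl(ttl: int) -> int:
    """Smallest common initial TTL (64 Linux, 128 Windows, 255 some network gear) at or above the observed value."""
    for start in (64, 128, 255):
        if ttl <= start:
            return start
    raise ValueError("TTL above 255")


# Constructed sample (not a real capture): a TCP datagram from a Linux host seven hops away.
SAMPLE_IPV4 = build_ipv4_header("192.168.1.10", "8.8.8.8", 6, 20, ttl=57)
```

Flipping the TTL byte of the sample (what every router does) makes the stored checksum wrong, which is why routers must recompute the field at each hop and why a capture taken with checksum offloading enabled often shows "incorrect" checksums on outgoing packets.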
3. Fields as displayed in a packet capture
That is quite a lot for one post; read it through at your own pace. If you have questions, leave a comment and we can discuss them. That is all for this article.