To analyze PVs PXE boot packets using Wireshark tracing

The Citrix Provisioning Service uses PXE technology to start a virtual machine for use by users.

First, the virtual machine must be set to start the network card by default, the NIC sends a find frame through the PXE bootrom on the net, the data frame contains its own MAC network card address, when the DHCP server receives the data frame, it returns the packet to the NIC, which includes the IP address assigned by DHCP to the NIC, Subnet mask, gateway, and other information, the network adapter receives the server's assigned parameters, the server initiates a connection request through TFTP in order to establish a connection with the server and start data communication.

After the client and the TFTP server establish communication, the boot image file is downloaded and started from the 67 option configured on the implementation DHCP server, and the virtual machine is actually turned on by connecting to the Citrixprovisioning service server through the boot image file.

650) this.width=650; "src=" Http://s1.51cto.com/wyfs02/M00/7B/64/wKiom1bM1tXxHIATAAAoMNZ2mXI089.png "title=" 001. PNG "alt=" Wkiom1bm1txxhiataaaomnz2mxi089.png "/>

The PXE boot process for PVS can be divided into 4 phases:

1. dhcp– downloading boot files via PXE boot

2. Log on to the PVS server

3. Streaming Pre-bnistack

4. Determining if Bnistack driveris up

The test environment is:

PVs Server: 10.1.1.1

Target device: 10.1.1.100

First stage: dhcp– boot file download via PXE booting

650) this.width=650; "src=" Http://s3.51cto.com/wyfs02/M01/7B/64/wKiom1bM1vWjsgoxAAAzRDXJEX8068.png "title=" 1.png " alt= "Wkiom1bm1vwjsgoxaaazrdxjex8068.png"/>

650) this.width=650; "src=" Http://s3.51cto.com/wyfs02/M02/7B/63/wKioL1bM12-TVB73AAKfYIzxVJg695.png "title=" 2.png " Width= "693" height= "border=" 0 "hspace=" 0 "vspace=" 0 "style=" width:693px;height:40px; "alt=" Wkiol1bm12-tvb73aakfyizxvjg695.png "/>

Description

1. 1.1 DHCP Discovery (DISCOVER)

The target device sends broadcasts on the physical subnet to look for available servers. A network administrator can configure a local route to forward DHCP packets to a DHCP server on another subnet. The target device implementation generates a UDP packet with a destination address of 255.255.255.255 or a subnet broadcast address.

1. 1.2 DHCP Delivery (offer)

When the DHCP server receives an IP lease request from the target device, it provides an IP lease. DHCP retains an IP address for the target device and then unicast a DHCPOFFER message to the target device over the network. The message contains the MAC address of the target device, the IP address provided by the server, the subnet mask, the lease, and the IP of the DHCP server that provides the IP.

The server checks the configuration based on the target device hardware address specified in the CHADDR field. The server here, 10.1.1.1, specifies the IP address in the Yiaddr field.

1. 1.3 DHCP requests (request)

When the target device PC receives an IP lease provided, it must tell all other DHCP servers that it has accepted a lease offer. Therefore, the target device sends a DHCPREQUEST message that contains the IP of the server that provided the lease. When other DHCP servers receive the message, they reclaim all leases that might have been made available to the target device. They then re-put the address that they once reserved for the target device back into the pool of available addresses, so that they can assign the address to other computers. Any number of DHCP servers can respond to the same IP lease request, but each target device adapter can only accept one lease.

1. 1.4 DHCP Acknowledgement (acknowledge,ack)

When the DHCP server receives a request message from the target device, it begins the final phase of the configuration process. This response phase includes sending a DHCPACK packet to the target device. This package contains all other configuration information that the lease period and the target device may request. At this point, the TCP/IP configuration process is complete.

650) this.width=650; "src=" Http://s5.51cto.com/wyfs02/M00/7B/63/wKioL1bM152TJDBFAANsGoESGbc441.png "title=" 2.png " Width= "695" height= "border=" 0 "hspace=" 0 "vspace=" 0 "style=" WIDTH:695PX;HEIGHT:57PX; "alt=" Wkiol1bm152tjdbfaansgoesgbc441.png "/>

Description

1. 1.1 Address Resolution (ARP)

When the target device obtains the IP address, the Address Resolution Protocol (Resolution Protocol) will be queried for the MAC address of the DHCP server to ensure smooth communication. This is because in the TCP/IP protocol, a device in a local area network must know each other's MAC address, otherwise it cannot communicate directly. Shows that the target device broadcasts a packet with the content of who is 10.1.1.1.

1. 1.2 Address Resolution (ARP)

After the DHCP server accepts the packet, it finds itself 10.1.1.1, and then fills its MAC address with the reply packet and sends it to the target device's MAC address. The content is 10.1.1.1 's MAC address is 32:af:85:d8:16:be.

1. 1.3 DHCP requests (request)

The target device initiates a DHCP request again, depending on the DHCP option we configure to find the IP address that we have filled out, the IP address of the PVS server.

1. 1.4 DHCP Acknowledgement (acknowledge,ack)

DHCP returns the reply packet.

1. 1.5 Address Resolution (ARP)

The target device initiates address resolution and resolves the TFTP server's MAC address. Here the DHCP and TFTP server is a server.

1. 1.6 Address Resolution (ARP)

The PVS server returns its own answer Mac packet. Here, the DHCP and PVS servers are a single server.

650) this.width=650; "src=" Http://s5.51cto.com/wyfs02/M01/7B/64/wKiom1bM11WyxsGqAAQbM-iQkTI360.png "title=" 2.png " Width= "694" height= "border=" 0 "hspace=" 0 "vspace=" 0 "style=" width:694px;height:74px; "alt=" Wkiom1bm11wyxsgqaaqbm-iqkti360.png "/>

Description

1. 1.1 tftp read request (TFTP)

The target device sends a read request (RRQ) packet to the TFTP server, which is on the same role server as the PVS server and contains the file name and transfer mode. , the packet content reads the data file that the boot file is ardbp32.bin on the TFTP server, followed by the transfer mode.

1. 1.2 tftp transfer (TFTP)

The TFTP server sends a numbered packet to the target device, which currently has a number of 1.

1. 1.3 ACK Response (TFTP)

The destination host answers all packets with a numbered ACK packet.

As the next packet we can see, the TFTP connection has been established and the TFTP transfer has started.

Second stage: Log in to the PVS server

650) this.width=650; "src=" Http://s5.51cto.com/wyfs02/M02/7B/64/wKiom1bM13yxu-EsAAA19Yn6KsI879.png "title=" 1.png " alt= "Wkiom1bm13yxu-esaaa19yn6ksi879.png"/>

650) this.width=650; "src=" Http://s5.51cto.com/wyfs02/M00/7B/63/wKioL1bM1_XAkqKsAAJOFRbJTDQ402.png "title=" 2.png " Width= "692" height= "border=" 0 "hspace=" 0 "vspace=" 0 "style=" WIDTH:692PX;HEIGHT:39PX; "alt=" wkiol1bm1_ Xakqksaajofrbjtdq402.png "/>

Description

1. 2.1 transfer End (TFTP)

Here you will see a sign of the end of the TFTP transfer, at the time of 142 packets, the TFTP packet is appended with last, indicating that this is the final TFTP packet of the transmission.

1. 2.2 Confirmation Complete (TFTP)

In the 143 packet here, the target device returns an ACK acknowledgement packet, and you will know that the transmission has passed validation and the server sends the last TFTP message to the correct verification completion. The entire TFTP transfer process is complete.

650) this.width=650; "src=" Http://s2.51cto.com/wyfs02/M00/7B/64/wKiom1bM16qgvv3WAAbedH2xIT4642.png "title=" 2.png " Width= "694" height= "104" border= "0" hspace= "0" vspace= "0" style= "width:694px;height:104px;" alt= " Wkiom1bm16qgvv3waabedh2xit4642.png "/>

Description

1. 2.1 login PVs (UDP)

Once the boot file has been downloaded, depending on the configuration information in the boot file, the target device will continuously send a series of packets to the PVS server trying to request the source data while attempting to log on to the server based on the configuration information.

650) this.width=650; "src=" Http://s5.51cto.com/wyfs02/M01/7B/63/wKioL1bM2DqREPn1AAU0S7Gi6rk558.png "title=" 2.png " Width= "694" height= "border=" 0 "hspace=" 0 "vspace=" 0 "style=" width:694px;height:83px; "alt=" Wkiol1bm2dqrepn1aau0s7gi6rk558.png "/>

Description

1. 2.1 Address Resolution (ARP)

When the logon process is complete, the target device sends the IP of the streaming server server to complete an ARP request. Find the MAC address information for the Streamingserver server. Here the Streamingserver server and the PVS server are on the same server role.

1. 2.2 Traffic Transfer (UDP)

, the traffic between the server and the target device continues to be transferred using the previous source and destination ports after the server is logged on.

Phase III: Streaming Pre-bnistack (pre-boot)

650) this.width=650; "src=" Http://s3.51cto.com/wyfs02/M01/7B/64/wKiom1bM1_TgfimtAAA0zNe_HHM511.png "title=" 1.png " alt= "Wkiom1bm1_tgfimtaaa0zne_hhm511.png"/>

650) this.width=650; "src=" Http://s2.51cto.com/wyfs02/M01/7B/63/wKioL1bM2GzQ0YALAAQiYomL9oI465.png "title=" 2.png " Width= "696" height= "148" border= "0" hspace= "0" vspace= "0" style= "width:696px;height:148px;" alt= " Wkiol1bm2gzq0yalaaqiyoml9oi465.png "/>

Description

1. 3.1 processing Traffic (UDP)

Continue to use the Undi driver to process traffic here. (Network Driver Interface), and a one-to-one package will be distributed.

The above is very unclear, I am not very clear, then according to my understanding to do the explanation. Perhaps we all know that when we install the operating system, in fact, according to the process is divided into two stages, one is the pre-installation phase, a formal installation phase.

Pre-installation phase, this phase actually does not start to install the operating system, we need to install the operating system of the environment to do some configuration, such as Select the language we need to install the operating system, input method, version and consent license, and other options configuration. So similarly, at this stage, PVS is not starting the operating system, but before preparing to start the operating system, some of the preparatory work, using the Undi driver, and the above analogy, the installation of the operating system in accordance with the installation phase appears to us to choose the input method, version and so on the interface is actually windows The interface of the PE is a miniature interface that Microsoft has prepared specifically for the domain installation phase, and the Undi drive is similar to Windows PE.

During this time, Undi mainly identifies the target device's display window and loads the appropriate underlying driver.

650) this.width=650; "src=" Http://s4.51cto.com/wyfs02/M02/7B/63/wKioL1bM2I3DBXIiAAB4QxzDWzc535.png "title=" 2.png " alt= "Wkiol1bm2i3dbxiiaab4qxzdwzc535.png"/>

In particular, this step, the problem is often related to our network card, we deploy the network card when the big packet offload shutdown, in order to avoid this step in the Undi driver and PVS server in the process of a large number of interactions caused by conflict.

Phase IV: Determining if Bnistack Driver is up (official start)

650) this.width=650; "src=" Http://s4.51cto.com/wyfs02/M02/7B/64/wKiom1bM2DvCRxdTAAAlHUDo2aU671.png "title=" 1.png " alt= "Wkiom1bm2dvcrxdtaaalhudo2au671.png"/>

650) this.width=650; "src=" Http://s1.51cto.com/wyfs02/M02/7B/63/wKioL1bM2LfgUwPVAAbTD8-Z9-M209.png "title=" 2.png " Width= "683" height= "241" border= "0" hspace= "0" vspace= "0" style= "width:683px;height:241px;" alt= " Wkiol1bm2lfguwpvaabtd8-z9-m209.png "/>

Description

1. 4.1 Official transfer operating system (UDP)

Once the drive from Undi to the Bnistack drive (the main driver for the PVS target device), the target device will begin to require more data. This transfer continues to the window of the login interface. As I described above to install the operating system similar to the official start of the operating system here.

650) this.width=650; "src=" Http://s5.51cto.com/wyfs02/M00/7B/64/wKiom1bM2G7R80gHAAQSESSXwGs152.png "title=" 2.png " Width= "658" height= "border=" 0 "hspace=" 0 "vspace=" 0 "style=" width:658px;height:61px; "alt=" Wkiom1bm2g7r80ghaaqsessxwgs152.png "/>

Note that the IP address of the target device that appears in the request packet where, which is the flag from the Undi driver to the Bnistack driver.

650) this.width=650; "src=" http://s4.51cto.com/wyfs02/M00/7B/63/wKioL1bM2PeDiAK7AAGBjhz6n_g402.jpg "title=" 4.jpg " Width= "424" height= "319" border= "0" hspace= "0" vspace= "0" style= "WIDTH:424PX;HEIGHT:319PX;" alt= " Wkiol1bm2pediak7aagbjhz6n_g402.jpg "/>

The problem during this time is usually either a related driver or a service that is caused by the underlying driver, such as Xentools and VMware tools or antivirus products, which can cause problems with bnistack conflicts.

The implementation of the Citrix Provisioning service requires a DHCP server to be configured, while the broadcast packets that originate at the time the virtual machine starts are affected by other endpoints. If the other PC in the production environment is accidentally set up as a network card, it will also enter the PVS environment. So Citrix PVs is implemented in an isolated environment.

Finally, the PVS-start flowchart on a network is attached:

650) this.width=650; "src=" Http://s1.51cto.com/wyfs02/M01/7B/64/wKiom1bM2K-R1FpPAAHEMNAwdCw491.png "title=" 1.png " alt= "Wkiom1bm2k-r1fppaahemnawdcw491.png"/>

This article is from "I take fleeting chaos" blog, please be sure to keep this source http://tasnrh.blog.51cto.com/4141731/1744495

Use Wireshark trace to analyze PVs PXE boot packets