Use protocol analysis tools to learn TCP/IP

Source: Internet
Author: User
Tags ftp client


I. Preface

Networks are developing very quickly, and more and more people are studying networking. Anyone with a little networking knowledge knows that TCP/IP is the foundation of the network and the language of the Internet; it is fair to say that without TCP/IP there would be no Internet today. Many people now work in networking, and a good number of them got their start with nothing more than a crimping tool and a cable tester. If you only want to use the network casually, knowing ping and a few other commands is enough, but if you want to go further in networking, whether on the "black" side or the "red" side, you must understand TCP/IP.

Many people who have studied TCP/IP feel that it is too abstract, with no concrete data to look at, so it is forgotten soon after reading. This article introduces an intuitive way to learn: using a protocol analysis tool to study TCP/IP, so that you can see the actual data transmission process as you learn.

To make it easier for beginners to understand, this article will build a simple network environment that does not contain subnets.

II. Test Environment

1. Network Environment

The network environment is shown in Figure 1.

Figure 1

For ease of expression, machine 208 is the computer with the address 192.168.113.208 and machine 1 is the computer with the address 192.168.113.1.

2. Operating System

Both machines run Windows 2000; machine 1 acts as the server and has the FTP service installed.

3. Protocol Analysis Tools

Common tools on Windows include Sniffer Pro, NetXRay, Iris, and the Network Monitor included in Windows 2000. This article uses Iris as the protocol analysis tool.

Install Iris software on the client machine 208.

III. Test Process

1. Test example: download a file from machine 1 to machine 208 through FTP.

2. Iris settings.

Iris listens to the whole network, so if there are other machines in the environment it will capture many unrelated packets, which makes learning harder. To see the transmission process of the example clearly, Iris is set to capture only packets between machine 208 and machine 1. The procedure is as follows:

1) Press Ctrl + B to open the address table and enter the machine IP addresses in the table. To keep the captured packets easier to read, do not fill in the host name (Name). Close the window when done.

Figure 2

2) Press Ctrl + E to open the filter settings. Select "IP address" in the left column and drag the addresses from the address book into the right column. Click OK when done; Iris will now capture only the packets between the two computers.

Figure 3

3. Packet capture

Click the start button in the Iris toolbar. Enter ftp://192.168.113.1 in the browser, find the file to be downloaded, right-click it, and select "Copy to Folder" in the pop-up menu to start the download, then click the stop button in the Iris toolbar to stop the capture. Figure 4 shows the entire FTP process. Next we will analyze this process in detail.

Figure 4

Note: To capture ARP packets, run arp -d in Windows 2000 to clear the ARP cache.

IV. Process Analysis

1. Basic principles of TCP/IP

Although this article focuses on analyzing TCP/IP through an example, it is still necessary to briefly describe the basic principles of TCP/IP.

A. The network is layered, and each layer is responsible for different communication functions.

TCP/IP is generally regarded as a four-layer protocol system, and the TCP/IP protocol family is made up of a group of different protocols. Although the family is usually called TCP/IP, TCP and IP are only two of its protocols, as shown in Table 1. Each layer is responsible for different functions:

Table 1

The concept of layering is very simple, but it is very important in practice. Understanding it well is a great help when configuring and troubleshooting networks. For example, setting a route is a matter for the network-layer IP protocol, finding a MAC address is done by the link-layer ARP, and the commonly used ping command is implemented by ICMP.

Figure 5 shows the relationship between protocols at different layers. Understanding the relationship between them is very important for the following protocol analysis.

Figure 5

B. Data is sent from the top down and encapsulated layer by layer. Data is received from the bottom up and decapsulated layer by layer.

When an application transmits data over TCP, the data is handed to the protocol stack and passes through each layer in turn until it is sent onto the network as a stream of bits. Each layer adds some header information (and sometimes trailer information) to the data it receives, as shown in Figure 6. The data unit that TCP passes to IP is called a TCP segment. The data unit that IP passes to the network interface layer is called an IP datagram. The bit stream transmitted over Ethernet is called a frame.

Figure 6 shows data being sent from the top down with one header added per layer; on reception the data moves from the bottom up and each layer removes its own header.

Figure 6
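The bottom-up decoding described above, as an added example that is not part of the original article: the script strips the Ethernet, IP and TCP headers in turn from a constructed frame sent by machine 208 to FTP port 21 on machine 1. The MAC addresses, client port, sequence numbers and the FTP command in the payload are made-up sample values, and checksums are left at zero.

```python
import socket
import struct

FLAG_NAMES = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"), (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG")]

def build_frame(flags, payload=b""):
    """Constructed sample: machine 208 -> port 21 on machine 1 (made-up MACs, checksums 0)."""
    tcp = struct.pack("!HHIIBBHHH", 1135, 21, 1000, 2000, 5 << 4, flags, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 128, 6, 0,
                     socket.inet_aton("192.168.113.208"), socket.inet_aton("192.168.113.1"))
    eth = bytes.fromhex("020000000001") + bytes.fromhex("0200000000d0") + struct.pack("!H", 0x0800)
    return eth + ip + tcp

def decode(frame):
    """Strip one header per layer, bottom up; stop at the first layer that is
    truncated or not IPv4/TCP and return whatever was decoded so far."""
    out = {}
    if len(frame) < 14:
        return out
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    out["link"] = {"src": src.hex(":"), "dst": dst.hex(":"), "ethertype": ethertype}
    ip = frame[14:]
    if ethertype != 0x0800 or len(ip) < 20 or ip[0] >> 4 != 4:
        return out
    ihl = (ip[0] & 0x0F) * 4                  # IP header length in bytes
    total = struct.unpack("!H", ip[2:4])[0]   # datagram length; excludes Ethernet padding
    if ihl < 20 or total < ihl or total > len(ip):
        return out
    out["network"] = {"src": socket.inet_ntoa(ip[12:16]), "dst": socket.inet_ntoa(ip[16:20]),
                      "ttl": ip[8], "protocol": ip[9]}
    seg = ip[ihl:total]
    if ip[9] != 6 or len(seg) < 20:           # protocol 6 = TCP
        return out
    sport, dport, seq, ack, off, flags = struct.unpack("!HHIIBB", seg[:14])
    hdr = (off >> 4) * 4                      # TCP header length in bytes
    if hdr < 20 or hdr > len(seg):
        return out
    out["transport"] = {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
                        "flags": [name for bit, name in FLAG_NAMES if flags & bit]}
    out["application"] = seg[hdr:]            # what is left is the FTP data
    return out

if __name__ == "__main__":
    for name, layer in decode(build_frame(0x18, b"USER anonymous\r\n")).items():
        print(name, layer)
```
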

C. Logically, communication is completed at the same level.

The vertical layering is the path that data actually takes when it is processed. Each layer has interfaces to its adjacent layers. To communicate, the two systems must pass data, commands, addresses, and other information between the layers. The logical flow of communication differs from the actual flow of data: although the data passes vertically through every layer, each layer can logically communicate directly with the corresponding layer on the remote system.

As shown in Figure 7, communication is actually carried out in the vertical direction, but logically it takes place between peers at the same layer.

Figure 7

2. Process description

To analyze the protocols better, we first describe the data transmission steps in the above example, as shown in Figure 8:

1) The FTP client asks TCP to establish a connection with the server's IP address.

2) TCP sends a connection request segment to the remote host, that is, it sends an IP datagram to the above IP address.

3) If the target host is on the local network, the IP datagram can be sent to it directly. If the target host is on a remote network, the IP routing function determines the address of the next-hop router on the local network, which forwards the IP datagram. In both cases, the IP datagram is sent to a host or router located on the local network.

4) In this example, the sending host must translate the 32-bit IP address into a 48-bit Ethernet address, also known as the MAC address, a globally unique hardware address written to the NIC at the factory. ARP performs this translation from IP address to MAC address.

5) As shown by the dotted line, ARP sends an Ethernet frame called an ARP request to every host on the Ethernet. This process is called a broadcast. The ARP request frame contains the IP address of the target host and means "if you are the owner of this IP address, please reply with your hardware address."

6) After receiving the broadcast, the ARP layer of the target host recognizes that the sender is asking for its IP address and sends an ARP response. This ARP response contains the IP address and the corresponding hardware address.

7) Once the ARP response has been received, the IP datagram that triggered the ARP request-response exchange can be transmitted.

8) The IP datagram is sent to the target host.

Figure 8
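Steps 3 to 7 above as code, in an added example that is not part of the original article: it makes the local-or-remote decision, builds the broadcast ARP request from machine 208, and lets only the owner of the requested address answer. The MAC addresses, the /24 network and the gateway 192.168.113.254 are assumptions chosen for illustration.

```python
import ipaddress
import socket
import struct

BROADCAST = bytes.fromhex("ffffffffffff")
ARP_FMT = "!HHBBH6s4s6s4s"   # hw type, proto type, hw len, proto len, op, then 4 addresses

def next_hop(dst_ip, local_net, gateway):
    """Step 3: deliver directly if the target is on the local network, else via the router."""
    on_link = ipaddress.ip_address(dst_ip) in ipaddress.ip_network(local_net)
    return dst_ip if on_link else gateway

def arp_frame(op, src_mac, src_ip, dst_ip, dst_mac=None):
    """Ethernet frame (type 0x0806) carrying a 28-byte ARP packet; op 1 = request, 2 = reply."""
    target_hw = bytes(6) if op == 1 else dst_mac      # unknown (all zero) in a request
    arp = struct.pack(ARP_FMT, 1, 0x0800, 6, 4, op, src_mac, socket.inet_aton(src_ip),
                      target_hw, socket.inet_aton(dst_ip))
    eth_dst = BROADCAST if op == 1 else dst_mac       # step 5: requests go to every host
    return eth_dst + src_mac + struct.pack("!H", 0x0806) + arp

def parse_arp(frame):
    """Return the ARP fields, or None if this is not a well-formed IPv4-over-Ethernet ARP frame."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return None
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(ARP_FMT, frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4) or op not in (1, 2):
        return None
    return {"op": op, "broadcast": frame[:6] == BROADCAST,
            "sender_mac": sha.hex(":"), "sender_ip": socket.inet_ntoa(spa),
            "target_mac": tha.hex(":"), "target_ip": socket.inet_ntoa(tpa)}

def answer(request_frame, my_mac, my_ip):
    """Step 6: only the host that owns the requested IP address sends an ARP response."""
    req = parse_arp(request_frame)
    if req is None or req["op"] != 1 or req["target_ip"] != my_ip:
        return None
    asker_mac = bytes.fromhex(req["sender_mac"].replace(":", ""))
    return arp_frame(2, my_mac, my_ip, req["sender_ip"], asker_mac)

if __name__ == "__main__":
    mac208, mac1 = bytes.fromhex("0200000000d0"), bytes.fromhex("020000000001")  # made up
    hop = next_hop("192.168.113.1", "192.168.113.0/24", "192.168.113.254")
    request = arp_frame(1, mac208, "192.168.113.208", hop)
    print(parse_arp(request))
    print(parse_arp(answer(request, mac1, "192.168.113.1")))
```
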

3. Instance analysis

Next, we analyze how TCP/IP works using the packets captured by Iris. To explain the data transmission process better, we captured four groups of data at different stages of the transfer: finding the server, establishing the connection, transferring data, and terminating the connection. For each group of data, we follow the three steps below.

1) Show the data packet

2) Interpret the packet

3) Analyze the packet header information layer by layer
