常见协议解码详解.docx

1、常见协议解码详解常见协议解码详解数据包封包分层数据包解码说明数据链路层 Data Link Layer如：设备驱动网络层 Network Layer如：IP，ICMP，IGMP等传输层 Transport Layer如：TCP，UDP应用层 Application Layer如：FTP，HTTP，Email等下图是对数据包的解码图，其中对数据包中的每一层协议分别进行了解码分析：这里面，我们可以看到协议由外向内封装，分别是：1.数据链路层对应“Ethernet II”协议；2.网络层对应“IP”协议；3.传输层对应“UDP”协议；4.应用层对应“DNS”协议。下面我们就分别对这四层协议做详细解释

2、。以太网数据包结构协议结构为： 7166246-1500bytes4PreSFDDASALength TypeData unit + padFCS下图是Ethernet II协议解码后的内容，利用此实例进行说明： 目标MAC地址 0位开始/6 bytes长 源MAC地址 6位开始/6 bytes长 上层协议 12位开始/2 bytes长字段说明Destination addressDA，目标MAC地址6 字节Source addressesSA，源MAC地址6 字节ProtocolLength Type，承载的上层协议类型Data unit + pad，数据字段（46-1500bytes）FC

3、S检验（4bytes）MAC地址：MAC地址为16进制编码，在解码中可以将前3 bytes代表厂商的字段翻译出来，方便定位问题，如网络上有两台设备IP地址冲突，可以通过厂商信息方便的将故障设备找到，如00e04C为TP-LINK，000AKB为迅捷，00A0C9为Intel等等，上层协议：Ethernet II 承载的上层协议主要包括0x800为IP协议和0x806为ARP协议。IP协议结构IP头的结构如下：48161932bitsVerIHLType of serviceTotal lengthIdentificationFlagsFragment offsetTime to livePro

4、tocolHeader checksumSource addressDestination addressOption + PaddingData下图是IP层解码后的内容，利用此实例进行说明：下面是IP协议解码的对应字段解释：字段说明Version: 4版本号为4，即IPv4协议，Header Length: 5头部长度20字节，5 bitsType of service: 000 0000服务提供类型，显示参数摘要。 Precedence优先路由信息 Delay迟延 Throughput吞吐量 Reliability可靠性Total Length: 131总长131（单位字节，最长为6553

5、5字节）Identification: 10403标识Fragmentation Flags: 000. .标志 Reserved:保留 Fragment:片断 More Fragment:最后片断Fragment Offset: 0偏移量Time to Live:TTL, 科来网络分析系统5.0将丢弃TTL=0的数据包Protocol: 17是哪种协议，1ICMP，6 TCP， 17 UDP，89 OSPFCheck Sum: 0xCE73对IP协议头的校验合，0xCE73 为正确Source IP: 192.168.1.1源IP地址Destination IP: 192.168.1.2目标

6、IP地址ARP协议结构以下是ARP协议结构：81632 bits Hardware Type Protocol Type Hardware address lengthProtocol address lengthOpcodeSender Hardware Address Sender Protocol Address Target Hardware Address Target Protocol Address 下图是对ARP协议进行解码视图：我们对上图中的ARP字段进行详细说明：字段说明Hardware Type:1（硬件类型) 占16 bits，用来定义运行ARP的网络类型，每一个局域网

7、基于其类型被指定一个整数，例如，以太网是类型1，ARP可以使用在任何网络上。Protocol Type: 0x0800（协议类型）占16 bits，用来定义协议的类型。如：0x0800代表IP协议，ARP可用于任何高层协议。Hardware Length: 6（硬件长度）占8 bits，用来定义物理地址和长度。以太网值为6。Protocol Length: 4（协议长度）占8 bits，用来定义物理地址和长度。IPv4值为4。Type: 1（操作类型）占16 bits，用来定义操作类型，请求为1，回答为2。Source Physics:00:A0:C9:BB:21:2A 源MAC地址Sourc

8、e IP: Source Ip 192.168.1.3源IP地址Destination Physics: 00:00:00:00:00:00 目标MAC地址，对于ARP请求数据包，此值全为0，因为请求主机并不知道目标主机的MAC地址Destination IP:192.168.1.1目标IP地址TCP协议结构以下是TCP协议的结构：16 32 bits Source port Destination port Sequence number Acknowledgement number Offset Reserved UAPRSFWindow Checksum Urgent pointer O

9、ption + Padding Data 下图是对TCP协议进行解码视图：我们对上图中的TCP字段进行详细说明：字段说明Source Port: 80源端口，HTTP为80端口Destination Port: 3406目标端口Sequence Number: 416175999032 bits. The sequence number of the first data octet in this segment (except when SYN is present). If SYN is present, the sequence number is the initial sequen

10、ce number (ISN) and the first data octet is ISN+1.Ack Number: 032 bits. If the ACK control bit is set, this field contains the value of the next sequence number which the sender of the segment is expecting to receive. Once a connection is established, this value is always sent.Data Offset: 80Header

11、Length: 804 bits. The number of 32-bit words in the TCP header. This indicates where the data begins. The length of the TCP header is always a multiple of 32 bits.Reserved: 06 bits. Reserved for future use. Must be cleared to zero. Urgent pointer:Urgent pointer field significant. Acknowledgment numb

12、erAcknowledgment field significant. Push Function:Push function. Reset the connection:Reset the connection. Synchronize sequence:Synchronize sequence numbers. End of data: No more data from sender.Window16 bits. It specifies the size of the senders receive window, that is, the buffer space available

13、 in octets for incoming data.Check Sum:16 bits. The checksum field is the 16 bit ones complement of the ones complement sum of all 16-bit words in the header and text. If a segment contains an odd number of header and text octets to be checksummed, the last octet is padded on the right with zeros to

14、 form a 16-bit word for checksum purposes. The pad is not transmitted as part of the segment. While computing the checksum, the checksum field itself is replaced with zeros.Urgent Pointer16 bits. This field communicates the current value of the urgent pointer as a positive offset from the sequence number in this segment. The urgent pointer points to the sequence number of the octet following the urgent data. This field can only be interpreted in segments for which the URG control bit has been set.DNS 协议结构以下是DNS协议的结构：1617212223242526