Contents

  • Capture procedure
  • Ethernet frame (also known as MAC frame) header analysis
  • IP packet header analysis

Capture procedure

Wireshark is used to capture the packets. The two most common commands, curl and ping, generate the traffic while the capture is running.

  # access my own homepage
  curl https://zengzhiqin.kuaizhan.com
  # check my own website's address (ping takes a host name, not a URL)
  ping zengzhiqin.kuaizhan.com

Wireshark is then filtered on the IP address that the ping command resolved, which leaves the packets produced by the two commands above: TCP (HTTPS runs over TCP) and ICMP (ping uses ICMP), as shown in the following figure:

Capture analysis

Ethernet frame (also known as MAC frame) header analysis

A MAC frame consists of: a 6-byte source MAC address, a 6-byte destination MAC address, a 2-byte type field, a 4-byte frame check sequence (FCS), and a data field of 46 to 1500 bytes.

A MAC frame must be between 64 and 1518 bytes long; frames that are too long or too short are invalid.

When an IP packet arrives at the MAC layer, the layer adds the 6-byte "source MAC address" and the 6-byte "destination MAC address", and uses 2 bytes to indicate the type of the IP datagram being carried (currently IPv4 or IPv6). The 4-byte "FCS frame check sequence" is used to check whether the frame is valid. The remaining 46 to 1500 bytes are the IP datagram itself.

The MAC frame content of the captured packet is shown below; a ping Reply packet was selected for analysis:

(figure: Ethernet frame header of the ping reply packet)

A small supplement: the frame check sequence (FCS) lets the network adapter or interface that receives the frame determine whether an error occurred in transit.

The check works as follows. The sending network card runs a polynomial calculation, called a cyclic redundancy check (CRC), over the frame and writes the result into the FCS field. The receiver performs the same CRC calculation on the frame it receives. If the computed result matches the received FCS field, the frame has no error; if not, the receiver concludes that a frame error must have occurred and drops the frame.
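To make the frame layout and the FCS check concrete, here is an added Python example (not code from the original post) that builds a frame from constructed MAC addresses and a constructed payload, appends a CRC-32 FCS, and then validates it the way a receiving NIC does. It uses the on-wire field order (destination MAC first, then source MAC, then EtherType) and zlib's CRC-32, which has the same polynomial and parameters as the 802.3 FCS, with the FCS transmitted least-significant byte first.

```python
import struct
import zlib

ETHERTYPE_NAMES = {0x0800: "IPv4", 0x86DD: "IPv6", 0x0806: "ARP"}

def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)

def build_frame(dst, src, ethertype, payload):
    """Build an Ethernet frame in on-wire order: dst(6) src(6) type(2) data(46..1500) FCS(4)."""
    if len(payload) > 1500:
        raise ValueError("payload exceeds the 1500-byte maximum")
    payload = payload.ljust(46, b"\x00")            # pad short payloads up to the 46-byte minimum
    body = dst + src + struct.pack("!H", ethertype) + payload
    fcs = zlib.crc32(body) & 0xFFFFFFFF              # same CRC-32 parameters as the 802.3 FCS
    return body + struct.pack("<I", fcs)             # FCS goes on the wire least-significant byte first

def parse_frame(frame):
    """Validate length and FCS like a receiving NIC, then split out the header fields."""
    if not 64 <= len(frame) <= 1518:
        raise ValueError(f"invalid frame length {len(frame)}: must be 64..1518 bytes")
    body, received_fcs = frame[:-4], struct.unpack("<I", frame[-4:])[0]
    if (zlib.crc32(body) & 0xFFFFFFFF) != received_fcs:
        raise ValueError("FCS mismatch: frame would be dropped")
    ethertype = struct.unpack("!H", body[12:14])[0]
    return {
        "dst": mac_str(body[0:6]),
        "src": mac_str(body[6:12]),
        "type": ETHERTYPE_NAMES.get(ethertype, hex(ethertype)),
        "data": body[14:],
    }

def frame_accepted(frame):
    """True if the NIC would hand the frame up, False if it would silently drop it."""
    try:
        parse_frame(frame)
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    # Constructed sample: an IPv4 frame from 66:77:... to 00:11:...; the payload is a stand-in.
    frame = build_frame(bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb"),
                        0x0800, b"constructed ping reply payload")
    print(len(frame), parse_frame(frame))
    damaged = bytearray(frame)
    damaged[20] ^= 0x01                              # flip one bit in the data
    print("accepted after bit flip:", frame_accepted(bytes(damaged)))
```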

IP packet header analysis

The captured header maps onto the IP header layout as follows (each row is 32 bits wide; 8 bits = 1 byte):

(figure: IP packet header layout against the captured packet)

The fields are read as follows:

  • Version: the IP version, IPv4 or IPv6.
  • Header length: tells the receiver how long the header is, because the header has a variable-length part.
  • Type of service: some packets on the network are in a hurry and some are not. When you chat with someone on WeChat, the packet is in a hurry; if you are sending an email, you can click send and let it stroll over slowly. It is like queueing at a train station: military families first, disabled people first, "let Comrade Lenin go first".
  • Total length: header plus data length. The maximum total length is 2^16 - 1, namely 65535 bytes. (Do not forget the 1500-byte maximum data size at the data link layer mentioned above: excluding the 20-byte IP header, the IP data that the data link layer can accept is 1480 bytes. Because the two sizes differ, if a packet is larger than 1480 bytes the network layer must fragment it before handing it to the data link layer for transmission.)
  • Identifier: lets the receiver reassemble the fragments into a complete packet according to their identification number.
    (figure: fragmentation and the Identification field)
  • Flags: a 3-bit field. When a computer receives a packet, how does it know whether this is a complete packet or just a fragment? The flags field says "look at me".

In the screenshot, the Reserved bit is reserved. If Don't fragment is 1, the packet is a complete packet, not a fragment. More fragments = 0 indicates that this is the last fragment; 1 indicates that more fragments follow.

The home page fetched by curl is small, no larger than 1500 bytes, so no fragmentation is needed. If I were downloading something very large, fragmentation would be needed.

  • Fragment offset: identifies where the first byte of this fragment sits within the whole packet. The fragment offset of the captured packet is 0 because it is not fragmented.
    (figure: the Fragment offset field)
  • TTL: for Linux the default TTL of a packet is 64, for Windows 128, and for Unix 255. Each time the packet passes through a router, the TTL is decremented by 1. When the TTL is exhausted the packet is discarded, which prevents a packet caught in a routing loop from circulating forever.
  • Protocol: identifies who handles the packet. If the packet is TCP or UDP, it is handled by the transport layer; if it is ICMP, IGMP or OSPF, it is handled by the network layer. Here it is TCP, protocol number 6.
    (figure: the Protocol field)
  • Header checksum
    (figure: the checksum verification process)
  • Source address and destination address: self-explanatory.
  • Options and padding: IPv6 removed this optional part, because its variable length has to be handled, which increases processing time. It exists to extend IP packet functionality but is rarely used in practice.
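Here is an added Python example (not part of the original article) that builds a 20-byte IPv4 header with a correct header checksum, decodes every field listed above, verifies the checksum the way a receiver does (a header that fails the check is treated as corrupted), and works out how a payload larger than 1480 bytes would be split into fragments. The addresses and identification value are constructed.

```python
import ipaddress
import struct

PROTO_NAMES = {1: "ICMP", 2: "IGMP", 6: "TCP", 17: "UDP", 89: "OSPF"}

def header_checksum(header):
    """RFC 791 checksum: one's-complement sum of the header's 16-bit words, complemented."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:                        # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_ipv4_header(src, dst, total_length, ident, df, mf, frag_offset, ttl, proto):
    """Build a 20-byte IPv4 header (no options) with a correct checksum."""
    flags_frag = (df << 14) | (mf << 13) | ((frag_offset // 8) & 0x1FFF)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_length, ident, flags_frag,
                      ttl, proto, 0, ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", header_checksum(hdr)) + hdr[12:]

def parse_ipv4_header(data):
    """Decode the fields the article walks through; checksum_ok is the receiver's check."""
    (ver_ihl, tos, total_len, ident, flags_frag, ttl, proto,
     _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", data[:20])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4 or ihl < 20 or len(data) < ihl:
        raise ValueError("not a valid IPv4 header")
    return {
        "version": version, "header_len": ihl, "tos": tos,
        "total_length": total_len, "id": ident,
        "df": bool(flags_frag & 0x4000), "mf": bool(flags_frag & 0x2000),
        "frag_offset": (flags_frag & 0x1FFF) * 8,     # stored in 8-byte units
        "ttl": ttl, "protocol": PROTO_NAMES.get(proto, str(proto)),
        "checksum_ok": header_checksum(data[:ihl]) == 0,  # sum incl. checksum folds to 0
        "src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
    }

def plan_fragments(payload_len, mtu=1500, ihl=20):
    """Split an IP payload as the article describes: 1480 data bytes per fragment at MTU 1500."""
    per_frag = (mtu - ihl) // 8 * 8                # every fragment but the last is a multiple of 8
    frags, off = [], 0
    while off < payload_len:
        n = min(per_frag, payload_len - off)
        frags.append({"offset": off, "len": n, "mf": off + n < payload_len})
        off += n
    return frags
```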

Packets are flowing through the network all the time, and the designers, in the spirit of never wasting a bit, laid out every field carefully, so the packet header is as streamlined as it can be. In the next article, a companion piece, I will write up the packet capture analysis of the transport layer: TCP's three-way handshake ("holding hands three times") and four-way teardown ("breaking up four times"). Thank you for reading.