My colleagues in the company were analyzing a problem of slow web page loading and suddenly pulled out Wireshark. I felt as curious as if I had discovered a new land, so I hurried to take a look and reviewed the relevant protocols. What I learned at school I had almost forgotten; how embarrassing!

Overall packet encapsulation structure

MAC frame header definition
```c
typedef struct _MAC_FRAME_HEADER {
    char  m_cDstMacAddress[6];  // Destination MAC address
    char  m_cSrcMacAddress[6];  // Source MAC address
    short m_cType;              // Upper-layer protocol type: 0x0800 is IP, 0x0806 is ARP
} __attribute__((packed)) MAC_FRAME_HEADER, *PMAC_FRAME_HEADER;
```
IP header definition

```c
typedef struct _IP_HEADER {
    char         m_cVersionAndHeaderLen;  // Version (first 4 bits) and header length (last 4 bits)
    char         m_cTypeOfService;        // Type of service, 8 bits
    short        m_sTotalLenOfPacket;     // Total packet length
    short        m_sPacketID;             // Packet identifier
    short        m_sSliceinfo;            // Flags and fragment offset, used for fragmentation
    char         m_cTTL;                  // Time to live
    char         m_cTypeOfProtocol;       // Upper-layer protocol type
    short        m_sCheckSum;             // Header checksum
    unsigned int m_uiSourIp;              // Source IP
    unsigned int m_uiDestIp;              // Destination IP
} __attribute__((packed)) IP_HEADER, *PIP_HEADER;
```
  • Version field: 4 bits. Indicates the version of the IP protocol in use. The current version is IPv4, i.e. 0100.

  • Internet Header Length (IHL) field: 4 bits. Gives the length of the header in 32-bit words, options included. For a normal IP datagram without any options the value is 5, i.e. 160 bits = 20 bytes. The largest header this field can express is 60 bytes.

  • Type of Service (TOS) field: 8 bits. The first three bits form the Precedence sub-field (which is ignored). The eighth bit is unused. Bits 4 through 7 stand for delay, throughput, reliability and cost respectively; a bit set to 1 requests minimum delay, maximum throughput, maximum reliability or minimum cost. At most one of the four bits may be set; they may all be 0, which requests ordinary service. The field declares how the datagram should be handled as it travels through the network. For example, TELNET may request minimum delay, FTP (data) maximum throughput, SNMP maximum reliability, and the Network News Transfer Protocol (NNTP) minimum cost; ICMP has no special requirement (all 4 bits are 0). In practice most hosts ignore this field, but some dynamic routing protocols, such as Open Shortest Path First (OSPF) and Intermediate System to Intermediate System (IS-IS), can make routing decisions based on its value.

  • Total length field: 16 bits. Specifies the length of the entire datagram in bytes, so a datagram can be at most 65535 bytes.

  • Identification field: 16 bits. Uniquely identifies each datagram sent by the host. Its value is normally incremented by 1 for each packet sent.

  • Flags field: 3 bits. Indicates whether the datagram may be fragmented.

  • Fragment offset field: 13 bits. If a datagram is fragmented, this field gives the offset of the fragment from the beginning of the original datagram.

  • TTL (Time to Live) field: 8 bits. Sets the maximum number of routers a datagram can pass through. It is set by the source host, usually to 32, 64, 128 or similar; each router decrements it by 1, and the datagram is discarded when it reaches 0.

  • Protocol field: 8 bits. Indicates the upper-layer protocol encapsulated in the IP packet, such as ICMP (1), IGMP (2), TCP (6) or UDP (17).

  • Header checksum field: 16 bits. A checksum computed over the IP header only: the header is summed as 16-bit words in one's-complement arithmetic and the one's complement of the sum is stored. (Unlike ICMP, IGMP, TCP and UDP, IP does not checksum the data after the header.)

  • Source IP address and destination IP address: 32 bits each. They give the IP address of the source host sending the packet and of the destination host receiving it.

  • Options field: a multiple of 32 bits. Used for optional items such as record route and timestamps. These options are rarely used, and not all hosts and routers support them. The length of the options field must be an integer multiple of 32 bits; if it falls short, it is padded with 0 bits.

TCP header definition

```c
typedef struct _TCP_HEADER {
    short        m_sSourPort;          // Source port, 16 bits
    short        m_sDestPort;          // Destination port, 16 bits
    unsigned int m_uiSequNum;          // Sequence number, 32 bits
    unsigned int m_uiAcknowledgeNum;   // Acknowledgement number, 32 bits
    short        m_sHeaderLenAndFlag;  // First 4 bits: TCP header length; middle 6: reserved; last 6 bits: flags
    short        m_sWindowSize;        // Window size, 16 bits
    short        m_sCheckSum;          // Checksum, 16 bits
    short        m_surgentPointer;     // Urgent pointer, 16 bits
} __attribute__((packed)) TCP_HEADER, *PTCP_HEADER;

/* A TCP option is defined as kind (8 bits) + length (8 bits) + content (if any):
   kind 1: no operation (NOP), a single byte with no length or content
   kind 2: maximum segment size (MSS), length 4 (1 + 1 + 2 bytes of content)
   kind 3: window scale, length 3, content is the 1-byte shift count
   kind 4: SACK permitted, length 2, no content
   kind 8: timestamp, length 10, content is 8 bytes of timestamps */
```
  • Source and destination port numbers: 16 bits each. TCP uses ports to identify the application processes at the source and destination. A port number can be any value from 0 to 65535. When a client makes a request, the operating system dynamically assigns a port number to the client application; on the server side, each service listens on a “well-known port”.

  • Sequence number field: 32 bits. Identifies a position in the byte stream sent from the TCP source to the TCP destination; it is the sequence number of the first data byte in the segment.

  • Acknowledgement number field: 32 bits. Valid only when the ACK flag is 1. It holds the sequence number of the next byte of data the destination expects to receive from the source.

  • Header length field: 4 bits. Gives the header length in 32-bit words. A TCP header without any options is 20 bytes; the header can be at most 60 bytes.

  • Flags field (U, A, P, R, S, F): 6 bits. The meaning of each bit is as follows:
    • URG: the urgent pointer is valid.
    • ACK: the acknowledgement number is valid.
    • PSH: the receiver should deliver this segment to the application layer as soon as possible.
    • RST: resets the connection.
    • SYN: initiates a connection.
    • FIN: releases a connection.

  • Window size field: 16 bits. Used for flow control; the value, in bytes, is the number of bytes the host is prepared to receive at one time.

  • TCP checksum field: 16 bits. Computed over the whole TCP segment, that is the TCP header plus the TCP data, and verified by the receiver.

  • Urgent pointer field: 16 bits. An offset that is added to the sequence number to give the sequence number of the last byte of urgent data.

  • Options field: a multiple of 32 bits. May carry options such as the window scale factor and timestamps.
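
To make the three header layouts above concrete, here is an added example (my own code, not from the original post or any library it mentions) that walks a constructed Ethernet → IP → TCP SYN frame with 12 bytes of TCP options (66 bytes in total), checks every length field against the bytes actually present before trusting it, and computes the IP header checksum exactly as described in the IP header section. The frame bytes, addresses, window and the names frame_summary, parse_frame and ip_header_checksum are all my own constructed values.

```c
#include <stdint.h>
#include <stddef.h>
/* Constructed 66-byte SYN frame: 14-byte Ethernet + 20-byte IP + 32-byte TCP header (20 bytes plus
 * 12 bytes of options), the sizes the text quotes. Addresses, ports, window and MSS are sample values. */
static const uint8_t FRAME[66] = {
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0x00, /* Ethernet, type 0x0800 = IPv4 */
    0x45,0x00,0x00,0x34, 0x1c,0x46,0x40,0x00, 0x40,0x06,0x00,0x00,           /* IP: IHL 5, len 52, DF, TTL 64, proto 6, csum 0 */
    0xac,0x10,0x0a,0x63, 0xac,0x10,0x0a,0x0c,                                /* 172.16.10.99 -> 172.16.10.12 */
    0xf8,0xd7,0x20,0x57, 0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,           /* TCP: 63703 -> 8279, Seq 0, Ack 0 */
    0x80,0x02,0xfa,0xf0, 0x00,0x00,0x00,0x00,                                /* data offset 8 (32 bytes), SYN, window 64240 */
    0x02,0x04,0x05,0xb4, 0x01, 0x03,0x03,0x06, 0x01,0x01,0x04,0x02           /* options: MSS 1460, NOP, WS 6, NOP, NOP, SACK permitted */
};
/* Header fields are in network byte order (big-endian), so assemble them byte by byte instead of casting. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) { return ((uint32_t)rd16(p) << 16) | rd16(p + 2); }
/* RFC 1071 one's-complement sum over the IP header (IHL * 4 bytes). With the checksum field zeroed
 * it returns the value to store; over a header whose checksum is correct it returns 0. */
uint16_t ip_header_checksum(const uint8_t *ip) {
    uint32_t sum = 0; size_t len = (size_t)(ip[0] & 0x0f) * 4;
    for (size_t i = 0; i + 1 < len; i += 2) sum += rd16(ip + i);
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);   /* end-around carry */
    return (uint16_t)~sum;
}
struct frame_summary { uint16_t ether_type, ip_total_len, src_port, dst_port, mss;
                       uint8_t ip_hdr_len, proto, tcp_hdr_len, flags; uint32_t seq; };
/* Walks Ethernet -> IP -> TCP. Returns 0 on success, 1 if the IP payload is not TCP, and -1 when a
 * length field disagrees with the bytes actually present (the check a capture parser must make first). */
int parse_frame(const uint8_t *f, size_t n, struct frame_summary *s) {
    if (n < 14 + 20) return -1;
    s->ether_type = rd16(f + 12); const uint8_t *ip = f + 14;
    s->ip_hdr_len = (uint8_t)((ip[0] & 0x0f) * 4); s->ip_total_len = rd16(ip + 2); s->proto = ip[9];
    if (s->ether_type != 0x0800 || (ip[0] >> 4) != 4 || s->ip_hdr_len < 20) return -1;
    if (14 + (size_t)s->ip_total_len > n) return -1;        /* datagram longer than what was captured */
    if (s->proto != 6) return 1; if (s->ip_total_len < s->ip_hdr_len + 20) return -1;
    const uint8_t *tcp = ip + s->ip_hdr_len;
    s->tcp_hdr_len = (uint8_t)((tcp[12] >> 4) * 4);         /* data offset, in 32-bit words like IHL */
    if (s->tcp_hdr_len < 20 || s->ip_hdr_len + s->tcp_hdr_len > s->ip_total_len) return -1;
    s->src_port = rd16(tcp); s->dst_port = rd16(tcp + 2); s->seq = rd32(tcp + 4);
    s->flags = tcp[13] & 0x3f; s->mss = 0;                  /* low 6 bits: URG ACK PSH RST SYN FIN */
    for (size_t i = 20; i < s->tcp_hdr_len; ) {              /* options: kind [, length, content] */
        uint8_t kind = tcp[i];
        if (kind == 0) break;                                /* end of option list */
        if (kind == 1) { i++; continue; }                    /* NOP has no length byte */
        if (i + 1 >= s->tcp_hdr_len || tcp[i + 1] < 2 || i + tcp[i + 1] > s->tcp_hdr_len) return -1;
        if (kind == 2 && tcp[i + 1] == 4) s->mss = rd16(tcp + i + 2);
        i += tcp[i + 1];
    }
    return 0;
}
```

Passing a shorter `n` than the IP total length makes parse_frame reject the frame, which is how a parser avoids reading past the end of a truncated capture.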
UDP header definition

```c
typedef struct _UDP_HEADER {
    unsigned short m_usSourPort;   // Source port, 16 bits
    unsigned short m_usDestPort;   // Destination port, 16 bits
    unsigned short m_usLength;     // Packet length, 16 bits
    unsigned short m_usCheckSum;   // Checksum, 16 bits
} __attribute__((packed)) UDP_HEADER, *PUDP_HEADER;
```
Transmission Control Protocol (TCP)

Wikipedia already explains this well and I cannot write it better, so I just post the link here: zh.wikipedia.org/wiki/%E4%BC…

The main point is to learn how it works; that makes the operation process below much easier to understand.

Background before using Wireshark: MTU and MSS

The format of an Ethernet frame as Wireshark shows it is as follows:

Frame = Ethernet Header + IP Header + TCP Header + TCP Segment Data

  • Ethernet Header = 14 bytes = Dst Physical Address (6 bytes) + Src Physical Address (6 bytes) + Type (2 bytes).
  • IP Header = 20 bytes (without the options field). At the IP layer the data unit is called a datagram, and a piece of one a fragment.
  • TCP Header = 20 bytes (without the options field). At the TCP layer the data is a stream and the unit is a segment (in UDP, a message).
  • Everything after these 54 bytes is the TCP data portion, that is, the user data of the application layer.

The Maximum Transmission Unit (MTU) of the IP datagram below the Ethernet header is 1500 bytes on most LANs that use Ethernet.

The maximum amount of data a TCP segment can carry is the Maximum Segment Size (MSS). To achieve the best transmission efficiency, both sides negotiate the MSS when the TCP connection is established, and the smaller of the two values offered becomes the MSS of the connection. The MSS is usually derived from the MTU: MSS = MTU - sizeof(IP Header) - sizeof(TCP Header) = 1500 - 20 - 20 = 1460.

In this way the data is segmented by the local TCP layer and handed to the local IP layer, which does not need to fragment it. IP fragmentation can still happen at the next-hop router, however, because the MTU of the router's interface may be smaller than the IP datagram it has to forward.

At this point, one of two things happens on the router:

(1) If the sender has allowed the IP packet to be fragmented (May Fragment, DF=0), the router fragments the packet and forwards the fragments.

(2) If the packet must not be fragmented (DF=1), the router discards it and sends an ICMP fragmentation error message back to the sender.

Wireshark in practice

A screenshot of a simple request example is shown below:

  • The columns from left to right are No. (frame number), Time, Source (source address), Destination (destination address), Protocol, Length (packet size) and Info (details).

  • The Info column of TCP requests and replies includes: port information (such as 63703 -> 8279, meaning src.port -> dst.port), flags (such as SYN, ACK), Seq, Ack (note that this Ack is the acknowledgement number field of the TCP header), Len (length of the upper-layer data), MSS (MSS length) and WS (window size field).

  • In practice the header is 66 bytes, because 12 bytes of TCP options are added. The actual MSS is 1460.

  • Selecting a frame shows its detailed information in the pane below, as in the figure below:

    Frame (the whole frame), Ethernet II (Ethernet header), Internet Protocol Version (IP header) and Transmission Control Protocol (TCP header) are listed, and the detailed information of each field is shown, consistent with the protocol definitions above.

Analyzing how TCP works from the capture

  1. Three-way handshake: TCP establishes a connection with a three-way handshake, as shown in the figure. First 63703->8279 sends SYN, Seq=0; then 8279->63703 sends SYN&&ACK, Seq=0, Ack=1; finally 63703->8279 sends ACK, Seq=1, Ack=1. This completes the three-way handshake. Comparing this with the description on Wikipedia shows that the capture matches it exactly (note that Wireshark displays relative sequence numbers, so the random initial sequence numbers appear as 0):

    1. The client performs an active open by sending a SYN to the server as the first step of the three-way handshake. The client sets the sequence number of this connection to a random number A. In the capture: first 63703->8279 sends SYN, Seq=0 (A=0).
    2. The server replies to a valid SYN with a SYN/ACK. The acknowledgement number is A+1, and the SYN/ACK segment itself carries its own random sequence number B. In the capture: then 8279->63703 sends SYN&&ACK, Seq=0, Ack=1 (B=0).
    3. Finally the client sends an ACK. When the server receives this ACK, the three-way handshake is complete and the connection enters the established state. The sequence number is set to A+1 and the acknowledgement number to B+1. In the capture: finally 63703->8279 sends ACK, Seq=1, Ack=1. This completes the three-way handshake.

  2. Data transfer: frames 69 and 70 are one HTTP request split into two TCP segments because it is too long for a single segment. Frames 75 and 76 are the ACKs for these two segments, telling the sender that each has been received. Frame 81 carries the business response to the request, and 82 is the ACK for 81 (69: Seq=1, Ack=1, Len=1448; 70: Seq=1449, Ack=1, Len=112; 81: Seq=1, Ack=1561, Len=123). From these values we see that Seq grows by the Len of the data already sent, e.g. Seq70 = Seq69 + Len69, and that the Ack for a piece of data is likewise determined by the Seq and Len of the data being acknowledged: since 75 acknowledges 69, Ack75 = Seq69 + Len69. This rule matches the protocol specification; see the data transfer example on Wikipedia for details. There are also examples of selective acknowledgement, which are not shown here.

  3. Selective acknowledgement: the receiver of TCP data sends an acknowledgement after receiving a certain amount of contiguous byte stream, which ensures reliability.
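
The Seq/Ack rules observed in item 2 can be turned into a small consistency check over a capture. The following is an added example (my own code, not from the post or from Wireshark) that feeds the handshake and frames 69, 70, 75, 76, 81 and 82 with the values quoted above through a tracker that expects each side's next Seq to be the previous Seq + Len (with SYN and FIN consuming one sequence number each) and each Ack to lie between what that side last acknowledged and what the peer has sent. It generalizes the rule to report gaps and acknowledgements of unseen data, the situations Wireshark labels "Previous segment not captured" and "ACKed unseen segment". The names tcp_track_segment, replay_without and SAMPLE are my own.

```c
#include <stdint.h>
#include <stdbool.h>
enum { CLIENT = 0, SERVER = 1 };
enum { SEQ_GAP = 1, ACK_UNSENT = 2, ACK_BACKWARD = 4, DUP_ACK = 8 };
/* One segment as Wireshark lists it: relative Seq/Ack (the handshake starts at 0), payload Len, flags. */
struct seg { int dir; uint32_t seq, ack, len; bool syn, fin, ack_flag; };
struct tcp_track {
    uint32_t next_seq[2];  /* next sequence number each side should send; the peer's Ack should reach it */
    uint32_t last_ack[2];  /* highest acknowledgement number each side has sent so far */
};
/* Applies the rules observed above (next Seq = Seq + Len, Ack = Seq + Len of the data being
 * acknowledged), with SYN and FIN each consuming one sequence number. Returns 0 when the segment
 * fits the stream, otherwise a mask of anomalies; differences are taken modulo 2^32 so wrap-around works. */
int tcp_track_segment(struct tcp_track *t, const struct seg *s) {
    int peer = 1 - s->dir, rc = 0;
    if (s->seq != t->next_seq[s->dir]) rc |= SEQ_GAP;       /* loss, reordering or retransmission */
    if (s->ack_flag) {
        if ((int32_t)(s->ack - t->next_seq[peer]) > 0) rc |= ACK_UNSENT;   /* acks bytes never seen */
        if ((int32_t)(s->ack - t->last_ack[s->dir]) < 0) rc |= ACK_BACKWARD;
        if (s->ack == t->last_ack[s->dir] && s->len == 0 && !s->syn && !s->fin) rc |= DUP_ACK;
        t->last_ack[s->dir] = s->ack;
    }
    t->next_seq[s->dir] = s->seq + s->len + (s->syn ? 1 : 0) + (s->fin ? 1 : 0);
    return rc;
}
/* Replays a capture, optionally leaving out segment `skip` (-1 keeps all), and ORs every anomaly seen. */
int replay_without(const struct seg *segs, int n, int skip) {
    struct tcp_track t = {{0, 0}, {0, 0}};
    int rc = 0;
    for (int i = 0; i < n; i++)
        if (i != skip) rc |= tcp_track_segment(&t, &segs[i]);
    return rc;
}
/* The handshake and frames 69, 70, 75, 76, 81, 82 with the Seq/Ack/Len values quoted in the text. */
const struct seg SAMPLE[] = {
    {CLIENT, 0, 0, 0, true, false, false},       /* SYN */
    {SERVER, 0, 1, 0, true, false, true},        /* SYN, ACK */
    {CLIENT, 1, 1, 0, false, false, true},       /* ACK */
    {CLIENT, 1, 1, 1448, false, false, true},    /* 69 */
    {CLIENT, 1449, 1, 112, false, false, true},  /* 70: Seq = Seq69 + Len69 */
    {SERVER, 1, 1449, 0, false, false, true},    /* 75: Ack = Seq69 + Len69 */
    {SERVER, 1, 1561, 0, false, false, true},    /* 76: Ack = Seq70 + Len70 */
    {SERVER, 1, 1561, 123, false, false, true},  /* 81 */
    {CLIENT, 1561, 124, 0, false, false, true},  /* 82: Ack = Seq81 + Len81 */
};
const int SAMPLE_N = sizeof SAMPLE / sizeof SAMPLE[0];
```

Replaying the full sample reports nothing; dropping frame 70 makes 76 and 81 acknowledge data the tracker never saw and 82 start at an unexpected Seq, while dropping frame 69 shows up only as a gap before 70.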

Wireshark (formerly known as Ethereal) is a network packet analyzer. The job of a packet analyzer is to capture network packets and display their contents in as much detail as possible. Wireshark uses the WinPcap interface to exchange packets with the network adapter. It is free software and really very easy to use.

References:

1. Transmission Control Protocol, Wikipedia, zh.wikipedia.org/wiki/%E4%BC…
2. TCP traffic flow analysis, CSDN blog, blog.csdn.net/phunxm/arti…
3. IP, TCP and UDP header explanation and definition, CSDN blog, blog.csdn.net/mrwangwang/…