Part 1: TCP/IP Packet Basics
When doing full-traffic network security assessments we need to analyse the protocols of the key services; this series covers the basics of analysing those key protocols, with worked examples.
(mind map: https://naotu.baidu.com/file/d3021fd8d87cc164eb2427acb7b10f53?token=c5d4f483c9781dfe password: J8wp)
A network packet is built from an Ethernet header, an IP header, a TCP/UDP header and the application-layer data.
1. Ethernet header
Contains the source MAC address and the destination MAC address.
The Type field identifies the encapsulated protocol: IPv4, ARP or IPv6.
2. IPv4/IPv6 header
Contains the source IP address and the destination IP address.
The Protocol field identifies the transport or tunnelled protocol: TCP, UDP, ICMP, IGMP, IGRP, GRE, ESP or AH.
3. TCP/UDP/ICMP
(1) TCP header
Contains the source port, destination port, sequence number (SEQ), acknowledgement number (ACK) and
Flags (FIN: finish, end the session; SYN: synchronize, request to start a session; RST: reset, abort the connection; PUSH: push, deliver the data immediately; ACK: acknowledgement; URG: urgent; ECE: explicit congestion notification echo; CWR: congestion window reduced).
The example below shows the TCP three-way handshake at connection setup:
python print_pcap.py --pcapfile=data/pcap_pub/wireshark/mysql_complete.pcap
(source code: https://github.com/tanjiti/packet_analysis)
[TCP] [1216309825.14 2008-07-17 15:50:25] 192.168.0.254:56162(00:00:00:00:00:00) ----->192.168.0.254:3306(00:00:00:00:00:00) SEQ=3436755789 ACK=0 FLAGS=['SYN'] WIN=32792 DATA= ttl=64 DATA_BINARY= LEN=0
[TCP] [1216309825.14 2008-07-17 15:50:25] 192.168.0.254:3306(00:00:00:00:00:00) ----->192.168.0.254:56162(00:00:00:00:00:00) SEQ=3442775511 ACK=3436755790 FLAGS=['ACK', 'SYN'] WIN=32768 DATA= ttl=64 DATA_BINARY= LEN=0
[TCP] [1216309825.14 2008-07-17 15:50:25] 192.168.0.254:56162(00:00:00:00:00:00) ----->192.168.0.254:3306(00:00:00:00:00:00) SEQ=3436755790 ACK=3442775512 FLAGS=['ACK'] WIN=513 DATA= ttl=64 DATA_BINARY= LEN=0
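As an added example (not code from the original post or from the packet_analysis project), the following Python decodes the Ethernet, IPv4 and TCP headers described above from raw bytes and checks that three packets form a consistent SYN, SYN/ACK, ACK handshake, using the SEQ/ACK/WIN values from the mysql_complete.pcap output. The frame builder, the dictionary field names and the zeroed MACs and checksums are assumptions made so the sample is self-contained.

```python
import struct

# TCP flag bits, lowest bit first, named as the page lists them (PUSH abbreviated PSH).
TCP_FLAGS = ["FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECE", "CWR"]

def build_frame(src_ip, sport, dst_ip, dport, seq, ack, flags, win=32792, ttl=64):
    """Constructed sample input: minimal Ethernet/IPv4/TCP frame, no payload, zero MACs/checksums."""
    bits = sum(1 << TCP_FLAGS.index(f) for f in flags)
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | bits, win, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, ttl, 6, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    return bytes(12) + b"\x08\x00" + ip + tcp          # dst MAC, src MAC, EtherType 0x0800 (IPv4)

def parse_frame(frame):
    """Decode Ethernet -> IPv4 -> TCP headers into the fields the print_pcap output above shows."""
    _dst_mac, _src_mac, eth_type = struct.unpack("!6s6sH", frame[:14])
    if eth_type != 0x0800:
        raise ValueError("only IPv4 is handled in this example")
    ip = frame[14:]
    ver_ihl, _, total_len, _, _, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4                           # IP header length, options included
    if proto != 6:
        raise ValueError("only TCP is handled in this example")
    tcp = ip[ihl:total_len]
    sport, dport, seq, ack, off_flags, win = struct.unpack("!HHIIHH", tcp[:16])
    data_off = (off_flags >> 12) * 4                     # TCP header length, options included
    return {"src": "%s:%d" % (".".join(map(str, src)), sport),
            "dst": "%s:%d" % (".".join(map(str, dst)), dport),
            "seq": seq, "ack": ack, "win": win, "ttl": ttl, "payload": tcp[data_off:],
            "flags": sorted(n for i, n in enumerate(TCP_FLAGS) if off_flags & (1 << i))}

def is_handshake(pkts):
    """True if three parsed packets are SYN, SYN/ACK, ACK with matching endpoints and SEQ/ACK."""
    if len(pkts) != 3:
        return False
    a, b, c = pkts
    def nxt(n): return (n + 1) & 0xFFFFFFFF              # sequence numbers wrap at 2^32
    return (a["flags"] == ["SYN"] and b["flags"] == ["ACK", "SYN"] and c["flags"] == ["ACK"]
            and (b["src"], b["dst"]) == (a["dst"], a["src"]) and (c["src"], c["dst"]) == (a["src"], a["dst"])
            and b["ack"] == nxt(a["seq"]) and c["seq"] == b["ack"] and c["ack"] == nxt(b["seq"]))

# The three handshake packets from the mysql_complete.pcap output above, re-encoded as raw frames.
HANDSHAKE = [
    build_frame("192.168.0.254", 56162, "192.168.0.254", 3306, 3436755789, 0, ["SYN"], win=32792),
    build_frame("192.168.0.254", 3306, "192.168.0.254", 56162, 3442775511, 3436755790, ["ACK", "SYN"], win=32768),
    build_frame("192.168.0.254", 56162, "192.168.0.254", 3306, 3436755790, 3442775512, ["ACK"], win=513),
]
```

Parsing HANDSHAKE with parse_frame and passing the result to is_handshake returns True; changing any ACK number by one, or reordering the packets, makes it return False.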
(2) UDP header
Contains the source port and the destination port.
[UDP] [1500285744.54 2017-07-17 10:02:24] xxx.xxx.xxx.xxxx:63816(98:01:a7:9e:dd:c1) ----->xxx.xxx.xxx:500(58:f3:9c:51:83:c7) ttl=53 DATA_BINARY=00 11 22 33 44 55 66 77 00 00 00 00 00 00 00 00 01 10 02 00 00 00 00 00 00 00 00 c0 00 00 00 a4 00 00 00 01 00 00 00 01 00 00 00 98 01 01 00 04 03 00 00 24 01 01 00 00 80 01 00 05 80 02 00 02 80 03 00 01 80 04 00 02 80 0b 00 01 00 0c 00 04 00 00 00 01 03 00 00 24 02 01 00 00 80 01 00 05 80 02 00 01 80 03 00 01 80 04 00 02 80 0b 00 01 00 0c 00 04 00 00 00 01 03 00 00 24 03 01 00 00 80 01 00 01 80 02 00 02 80 03 00 01 80 04 00 02 80 0b 00 01 00 0c 00 04 00 00 00 01 00 00 00 24 04 01 00 00 80 01 00 01 80 02 00 01 80 03 00 01 80 04 00 02 80 0b 00 01 00 0c 00 04 00 00 00 01 LEN=192
(3) ICMP header
Contains the ICMP Type and the Code values defined for each Type.
[ICMP_Unreach] [1500285744.7 2017-07-17 10:02:24] xxx.xxx.xxx.xxx:500(98:01:a7:9e:dd:c1) ----->xxx.xxx.xxx.xxx:63816(58:f3:9c:51:83:c7) 3:3[host:port unreachable] ttl=43 DATA_BINARY= LEN=0
4. Application-layer data
Source: 碳基体