Common Protocol Decoding Explained

Packet encapsulation layers

Here we can see that the protocols are encapsulated from the outside in:

1. The data link layer corresponds to the "Ethernet II" protocol;
2. The network layer corresponds to the "IP" protocol;
3. The transport layer corresponds to the "UDP" protocol;
4. The application layer corresponds to the "DNS" protocol.

Each of these four protocol layers is explained in detail below.

Packet decoding overview

The figure below is the decode view of the packet, in which each protocol layer of the packet is decoded and analyzed separately:

[Figure: packet decode view]

Ethernet packet structure

The protocol structure is as follows (sizes in bytes):

- Pre: 7
- SFD: 1
- DA: 6
- SA: 6
- Length Type: 2
- Data unit + pad: 46-1500
- FCS: 4

The figure below shows the decoded Ethernet II content, which is used as the example here:

[Figure: Ethernet II decode view, with these annotations]

- Destination MAC address: starts at position 0, 6 bytes long
- Source MAC address: starts at position 6, 6 bytes long
- Protocol: 0x0800 (IP protocol), the upper-layer protocol: starts at position 12, 2 bytes long

Field descriptions:

- Destination address: DA, the destination MAC address, 6 bytes
- Source addresses: SA, the source MAC address, 6 bytes
- Protocol: Length Type, the type of the upper-layer protocol carried
- Data unit + pad: the data field (46-1500 bytes)
- FCS: check (4 bytes)

MAC address: MAC addresses are encoded in hexadecimal. During decoding, the first 3 bytes, which identify the vendor, can be translated into a vendor name, which makes problems easier to locate. For example, if two devices on the network have an IP address conflict, the vendor information makes it easy to find the faulty device: 00e04C is TP-LINK, 000AEB is FAST (迅捷), 00A0C9 is Intel, and so on.

Upper-layer protocol: the upper-layer protocols carried by Ethernet II are mainly 0x800 for the IP protocol and 0x806 for the ARP protocol.

IP protocol structure

The structure of the IP header is as follows (bit positions 4, 8, 16, 19, 32):

- Ver | IHL | Type of service | Total length
- Identification | Flags | Fragment offset
- Time to live | Protocol | Header checksum
- Source address
- Destination address
- Option + Padding
- Data

The figure below shows the decoded IP layer, which is used as the example here:

[Figure: IP decode view]

The fields of the IP decode are explained below:

- Version: 4. The version number is 4, that is, the IPv4 protocol.
- Header Length: 5. The header length is 20 bytes, 5 bits.
- Type of service: 000 0000. The type of service provided; shows a summary of the parameters.
  - Precedence: routing priority information
  - Delay: delay
  - Throughput: throughput
  - Reliability: reliability
- Total Length: 131. The total length is 131 (in bytes; the maximum is 65535 bytes).
- Identification: 10403. Identification.
- Fragmentation Flags: 000. Flags.
  - Reserved: reserved
  - Fragment: fragment
  - More Fragment: last fragment
- Fragment Offset: 0. Offset.
- Time to Live: TTL. Colasoft (科来) Network Analysis System 5.0 discards packets with TTL=0.
- Protocol: 17. Which protocol is carried: 1 - ICMP, 6 - TCP, 17 - UDP, 89 - OSPF.
- Check Sum: 0xCE73. The checksum of the IP header; 0xCE73 is correct.
- Source IP: the source IP address.
- Destination IP: the destination IP address.

[Figure: ARP decode view]

The ARP fields in the figure above are explained in detail below:

- Hardware Type: 1 (hardware type). 16 bits. Defines the type of network on which ARP is running. Each LAN is assigned an integer based on its type; for example, Ethernet is type 1. ARP can be used on any network.
- Protocol Type: 0x0800 (protocol type). 16 bits. Defines the type of protocol. For example, 0x0800 stands for the IP protocol. ARP can be used with any higher-layer protocol.
- Hardware Length: 6 (hardware length). 8 bits. Defines the length of the physical address. The value for Ethernet is 6.
- Protocol Length: 4 (protocol length). 8 bits. Defines the address length. The value for IPv4 is 4.
- Type: 1 (operation type). 16 bits. Defines the operation type: 1 for a request, 2 for a reply.
- Source Physics: 00:A0:C9:BB:21:2A. The source MAC address.
- Source IP: the source IP address.
- Destination Physics: 00:00:00:00:00:00. The destination MAC address. In an ARP request packet this value is all zeros, because the requesting host does not know the MAC address of the target host.
- Destination IP: the destination IP address.

TCP protocol structure

The structure of the TCP protocol is as follows (bit positions 16, 32):

- Source port | Destination port
- Sequence number
- Acknowledgement number
- Offset | Reserved | U A P R S F | Window
- Checksum | Urgent pointer
- Option + Padding
- Data

The figure below is the decode view of the TCP protocol:

[Figure: TCP decode view]

The TCP fields in the figure above are explained in detail below:

- Source Port: 80. The source port; HTTP uses port 80.
- Destination Port: 3406. The destination port.
- Sequence Number: 4161759990. 32 bits. The sequence number of the first data octet in this segment (except when SYN is present). If SYN is present, the sequence number is the initial sequence number (ISN) and the first data octet is ISN+1.
- Ack Number: 0. 32 bits. If the ACK control bit is set, this field contains the value of the next sequence number which the sender of the segment is expecting to receive. Once a connection is established, this value is always sent.
- Data Offset: 80, Header Length: 80. 4 bits. The number of 32-bit words in the TCP header. This indicates where the data begins. The length of the TCP header is always a multiple of 32 bits.
- Reserved: 0. 6 bits. Reserved for future use. Must be cleared to zero.
- Urgent pointer: Urgent pointer field significant.
- Acknowledgment number: Acknowledgment field significant.
- Push Function: Push function.
- Reset the connection: Reset the connection.
- Synchronize sequence: Synchronize sequence numbers.
- End of data: No more data from sender.
- Window: 16 bits. It specifies the size of the sender's receive window, that is, the buffer space available in octets for incoming data.
- Check Sum: 16 bits. The checksum field is the 16-bit one's complement of the one's complement sum of all 16-bit words in the header and text. If a segment contains an odd number of header and text octets to be checksummed, the last octet is padded on the right with zeros to form a 16-bit word for checksum purposes. The pad is not transmitted as part of the segment. While computing the checksum, the checksum field itself is replaced with zeros.
- Urgent Pointer: 16 bits. This field communicates the current value of the urgent pointer as a positive offset from the sequence number in this segment. The urgent pointer points to the sequence number of the octet following the urgent data. This field can only be interpreted in segments for which the URG control bit has been set.

DNS protocol structure

The structure of the DNS protocol is as follows (bit positions 16, 17, 21, 22, 23, 24, 25, 26, 27, 28, 32):

- Identification | QR | Opcode | AA | TC | RD | RA | Z | AD | CD | Rcode
- Question count | Answer count
- Authority count | Additional count

The figure below is the decode view of the DNS protocol:

[Figure: DNS decode view]

The DNS fields in the figure above are explained in detail below:

- Identification: 43. Identification, 16 bits.
- Flags:
  - Query/Response: 1. Defines whether the message is a Query or a Response. 0 is Query, 1 is Response.
  - Operator Code: 0. 4 bits. The codes are:
    - 0 QUERY, Standard query.
    - 1 IQUERY, Inverse query.
    - 2 STATUS, Server status request.
    - 3 Reserved.
    - 4 Notify.
    - 5 Update.
    - 6-15 Reserved.
  - Authoritative Answer: 0. 1-bit field. When set to 1, identifies the response as one made by an authoritative name server.
    - 0 Not authoritative.
    - 1 Is authoritative.
  - Truncation: 0. 1-bit field. When set to 1, indicates the message has been truncated.
    - 0 Not truncated.
    - 1 Message truncated.
  - Recursion Desired: 1. 1-bit field. May be set in a query and is copied into the response. If set, the name server is directed to pursue the query recursively. Recursive query support is optional.
    - 0 Recursion not desired.
    - 1 Recursion desired.
  - Approve Recursion: 1. 1-bit field. Indicates if recursive query support is available in the name server.
    - 0 Recursive query support not available.
    - 1 Recursive query support available.
  - Reserved: 0. 1-bit field. Indicates in a response that all data included in the answer and authority sections of the response have been authenticated by the server according to the policies of that server. It should be set only if all data in the response has been cryptographically verified or otherwise meets the server's local security policy.
  - Respond code: 0.
    - 0 No error. The request completed successfully.
    - 1 Format error. The name server was unable to interpret the query.
    - 2 Server failure.
    - 3 Name Error.
    - 4 Not Implemented.
    - 5 Refused.
    - 6 YXDomain. Name Exists when it should not.
    - 7 YXRRSet. RR Set Exists when it should not.
    - 8 NXRRSet. RR Set that should exist does not.
    - 9 NotAuth. Server Not Authoritative for zone.
    - 10 NotZone. Name not contained in zone.
    - 11-15 Reserved.
    - 16 BADVERS. Bad OPT Version. BADSIG.
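The layered decode this page walks through (Ethernet II, then IP, UDP and the DNS header), as an added Python example that is not part of the original document. The frame is constructed for illustration (the MAC addresses, the 192.0.2.x addresses and port 1025 are assumptions), and every header length is checked before the next layer is read, so a truncated or inconsistent packet is rejected rather than mis-decoded.

```python
import struct

ETHERTYPES = {0x0800: "IP", 0x0806: "ARP"}             # values listed on the page
IP_PROTOS = {1: "ICMP", 6: "TCP", 17: "UDP", 89: "OSPF"}

def decode_frame(frame: bytes) -> dict:
    """Decode Ethernet II -> IPv4 -> UDP -> DNS header, validating lengths first."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    out = {"dst_mac": frame[0:6].hex(":"), "src_mac": frame[6:12].hex(":")}
    etype = struct.unpack("!H", frame[12:14])[0]       # position 12, 2 bytes
    out["ethertype"] = ETHERTYPES.get(etype, hex(etype))
    ip = frame[14:]
    if etype != 0x0800:
        return out                                     # only IP is decoded further
    if len(ip) < 20:
        raise ValueError("truncated IP header")
    ver_ihl, _tos, total, _ident, frag, ttl, proto = struct.unpack("!BBHHHBB", ip[:10])
    ihl = (ver_ihl & 0x0F) * 4                         # IHL counts 32-bit words
    if ver_ihl >> 4 != 4 or not 20 <= ihl <= total <= len(ip):
        raise ValueError("inconsistent IP version or lengths")
    out.update(ip_header_len=ihl, total_len=total, ttl=ttl,
               more_fragments=bool(frag & 0x2000), frag_offset=(frag & 0x1FFF) * 8,
               ip_proto=IP_PROTOS.get(proto, str(proto)))
    if proto != 17:
        return out
    udp = ip[ihl:total]                                # Total Length excludes Ethernet padding
    if len(udp) < 8:
        raise ValueError("truncated UDP header")
    sport, dport, ulen = struct.unpack("!HHH", udp[:6])
    out.update(src_port=sport, dst_port=dport, udp_len=ulen)
    if 53 not in (sport, dport) or not 20 <= ulen <= len(udp):
        return out                                     # not DNS, or no full DNS header
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", udp[8:20])
    out["dns"] = {"id": ident, "qr": flags >> 15, "opcode": (flags >> 11) & 0xF,
                  "aa": (flags >> 10) & 1, "tc": (flags >> 9) & 1,
                  "rd": (flags >> 8) & 1, "ra": (flags >> 7) & 1,
                  "rcode": flags & 0xF, "counts": (qd, an, ns, ar)}
    return out

def sample_frame() -> bytes:
    """Constructed DNS query (not from the page): 192.0.2.1:1025 -> 192.0.2.53:53."""
    dns = struct.pack("!6H", 43, 0x0100, 1, 0, 0, 0) + b"\x07example\x03com\x00\x00\x01\x00\x01"
    udp = struct.pack("!HHHH", 1025, 53, 8 + len(dns), 0) + dns
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 10403, 0, 64, 17,
                     0, bytes([192, 0, 2, 1]), bytes([192, 0, 2, 53]))  # checksum left unset
    return bytes.fromhex("020000000002020000000001") + b"\x08\x00" + ip + udp
```

`decode_frame(sample_frame())` returns one dictionary with the fields of all four layers; the IP header checksum is not verified in this block.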
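An added example (not from the original document) of the Check Sum computation described in the TCP field list, together with decoding the Offset and U A P R S F bits. It assumes IPv4 and, per RFC 793, includes the 12-byte pseudo-header (source address, destination address, zero, protocol 6, TCP length) in the sum, which the field description above does not mention; the sample segment and its addresses are constructed.

```python
import struct

def inet_checksum(data: bytes) -> int:
    """16-bit one's complement of the one's complement sum of all 16-bit words."""
    if len(data) % 2:
        data += b"\x00"            # odd length: pad on the right; the pad is never sent
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:             # fold carries back in (end-around carry)
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def tcp_checksum(src_ip: bytes, dst_ip: bytes, segment: bytes) -> int:
    """Recompute the checksum with the checksum field (bytes 16-17) replaced by zeros."""
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, 6, len(segment))
    return inet_checksum(pseudo + segment[:16] + b"\x00\x00" + segment[18:])

def tcp_checksum_ok(src_ip: bytes, dst_ip: bytes, segment: bytes) -> bool:
    """True when the stored checksum matches the recomputed one."""
    if len(segment) < 20:          # shorter than the minimum TCP header
        return False
    stored = struct.unpack("!H", segment[16:18])[0]
    return stored == tcp_checksum(src_ip, dst_ip, segment)

def tcp_flags(segment: bytes) -> dict:
    """Split bytes 12-13 into the data offset (in bytes) and the six control bits."""
    word = struct.unpack("!H", segment[12:14])[0]
    names = ("FIN", "SYN", "RST", "PSH", "ACK", "URG")   # bit 0 .. bit 5
    flags = {name: bool(word >> bit & 1) for bit, name in enumerate(names)}
    return {"header_len": (word >> 12) * 4, **flags}

def sample_segment():
    """Constructed segment: port 80 -> 3406, PSH+ACK, 3 data bytes (odd length)."""
    src, dst = bytes([192, 0, 2, 80]), bytes([192, 0, 2, 1])
    seg = struct.pack("!HHIIHHHH", 80, 3406, 4161759990, 1000,
                      (5 << 12) | 0x18, 8192, 0, 0) + b"abc"
    return src, dst, seg[:16] + struct.pack("!H", tcp_checksum(src, dst, seg)) + seg[18:]
```

The same `inet_checksum` function validates an IP header: summed over the whole header with its checksum field in place, it returns 0.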