
How to parse wireshark grab package

2025-01-19 Update From: SLTechnology News&Howtos, Network Security

Shulou(Shulou.com)05/31 Report--

In this issue, the editor shows how to analyze a Wireshark packet capture. The article is rich in content and explains the subject from a professional point of view; I hope you get something out of it.

About Wireshark packet captures.

Three-way handshake

172.18.254.177 is the client; 111.13.2.158 is the server.

1. Active open. The client sends SYN to negotiate the window size and the TCP MSS: seq=0, len=0, MSS=1460, win=65535.

Client is syn_sent

The server is syn_recv.

2. The server receives the SYN and replies with SYN+ACK: seq=0, ack=1 (0+1), advertising its own maximum window win=14480 and MSS=1460.

Client is established

The server is syn_recv.

3. The client receives the SYN+ACK and replies with ACK: seq=1, ack=1 (0+1). The three-way handshake is now complete.

Client is established

The server is established.

Four-way close

1. The side that closes actively (here the server, as the states below show) sends FIN with seq=328.

Server status is fin_wait1

Client status is closed_wait

2. The client sends an acknowledgement: ack=329 (328+1).

Server status is fin_wait2

3. The client sends its own FIN with seq=133.

Client status is last_ack

Server status is time_wait

4. The server sends an acknowledgement: ack=134 (133+1).

Client status closed

Server status closed
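To make the state changes above mechanical, here is a small state tracker added for this article (it is not code from the original post). It replays the handshake and four-way close as constructed packet summaries that use the article's addresses and seq/ack values, reports each side's state after every packet in the same terms the article uses, and checks the rule that an ACK answering a SYN or FIN must equal that seq + 1. The frame numbers, the flag sets and the ack values carried on the FIN packets are assumptions.

```python
# Added example: replay a TCP handshake and four-way close and report
# client/server state after each packet. Addresses and seq/ack values are
# the article's; frame numbers and the acks on the FIN packets are assumed.

CLIENT, SERVER = "172.18.254.177", "111.13.2.158"   # from the article


def _expect_ack(p, pending, peer, problems, what):
    """A SYN or FIN occupies one sequence number, so the ACK answering it
    must be exactly that seq + 1 (the article's ack=1=0+1, ack=329=328+1)."""
    want = pending.pop(peer, None)
    if want is not None and p["ack"] != want + 1:
        problems.append(f"frame {p['frame']}: {what} ack {p['ack']} != {want + 1}")


def track_states(packets):
    """Return (history, problems): history is (client_state, server_state)
    after each packet; problems lists ack-arithmetic violations."""
    state = {CLIENT: "CLOSED", SERVER: "LISTEN"}
    pending = {}              # side -> seq of its not-yet-acknowledged SYN or FIN
    history, problems = [], []
    for p in packets:
        src, dst, f = p["src"], p["dst"], p["flags"]
        if "SYN" in f and "ACK" not in f:            # handshake 1: active open
            state[src], state[dst] = "SYN_SENT", "SYN_RECV"
            pending[src] = p["seq"]
        elif "SYN" in f:                             # handshake 2: SYN+ACK
            _expect_ack(p, pending, dst, problems, "SYN")
            state[dst] = "ESTABLISHED"
            pending[src] = p["seq"]
        elif "FIN" in f:                             # close 1 and close 3
            if state[src] == "ESTABLISHED":
                state[src], state[dst] = "FIN_WAIT1", "CLOSE_WAIT"
            elif state[src] == "CLOSE_WAIT":
                state[src], state[dst] = "LAST_ACK", "TIME_WAIT"
            pending[src] = p["seq"]
        else:                                        # pure ACK (handshake 3, close 2 and 4)
            _expect_ack(p, pending, dst, problems, "SYN/FIN")
            after = {"SYN_RECV": "ESTABLISHED", "FIN_WAIT1": "FIN_WAIT2", "LAST_ACK": "CLOSED"}
            if state[dst] in after:
                state[dst] = after[state[dst]]
                if state[dst] == "CLOSED":
                    # the article marks both sides closed here; a real stack keeps
                    # the active closer in TIME_WAIT for 2*MSL before closing
                    state[src] = "CLOSED"
        history.append((state[CLIENT], state[SERVER]))
    return history, problems


# Constructed packet summaries following the article's numbers.
HANDSHAKE_AND_CLOSE = [
    {"frame": 1, "src": CLIENT, "dst": SERVER, "flags": {"SYN"}, "seq": 0, "ack": 0},
    {"frame": 2, "src": SERVER, "dst": CLIENT, "flags": {"SYN", "ACK"}, "seq": 0, "ack": 1},
    {"frame": 3, "src": CLIENT, "dst": SERVER, "flags": {"ACK"}, "seq": 1, "ack": 1},
    {"frame": 4, "src": SERVER, "dst": CLIENT, "flags": {"FIN", "ACK"}, "seq": 328, "ack": 133},
    {"frame": 5, "src": CLIENT, "dst": SERVER, "flags": {"ACK"}, "seq": 133, "ack": 329},
    {"frame": 6, "src": CLIENT, "dst": SERVER, "flags": {"FIN", "ACK"}, "seq": 133, "ack": 329},
    {"frame": 7, "src": SERVER, "dst": CLIENT, "flags": {"ACK"}, "seq": 329, "ack": 134},
]

if __name__ == "__main__":
    hist, probs = track_states(HANDSHAKE_AND_CLOSE)
    for p, (c, s) in zip(HANDSHAKE_AND_CLOSE, hist):
        print(f"frame {p['frame']}: client={c} server={s}")
    print("problems:", probs or "none")
```

Running it prints the same sequence of states the article lists. Feeding it a SYN+ACK whose ack is not seq+1 produces a problem line instead of silently moving on, which is the check you want when a capture looks wrong.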

For any packet, the ack it triggers = its seq + its segment len, i.e. the seq of the next packet the receiver expects.

Figure 1, Figure 2, Figure 3: packet-list screenshots (not reproduced here)

In figure 1, packet 359 has seq=1441 and segment len=1440, so the next return packet should carry ack=1441+1440=2881; figure 2 confirms that its ack is indeed 2881.

In figure 2, packet 360 has seq=349 and segment len=0, so the next return packet should carry ack=349+0=349; figure 3 confirms that its ack is 349.

The ack=349 of packet 359 (figure 1), together with the seq=349 ack=2881 of packet 350 (figure 2), lets us infer the seq=2881 of packet 361.

A full session is the communication between one pair of ports on one pair of IP addresses under the same transport protocol. If the IP address or the port changes, it is a different session, and the seq and ack numbers of different sessions are independent of each other.

TCP segment of a reassembled PDU (part of TCP packet reassembly)

The segmented packets carry the same ACK number.

When the data to be sent is larger than the TCP MSS, it is split into multiple packets for transmission.

In a LAN the TCP MSS is 1460 bytes: the 1500-byte MTU minus 20 (IP header) minus 20 (TCP header).

Server = 124.192.132.36, client = 192.168.10.111

In packets 378, 381, 384 and 387 the seq stays at 349 while the ack keeps increasing. This shows that the client has been receiving data from the server and acknowledging it.

In packets 376, 377 and 379 the ack stays at 349 while the seq keeps increasing. This shows that the server has been sending packets to the client one after another without replying to anything; it is waiting for the client's acknowledgement.

From this we can see that the client does not have to reply to every packet from the server; it can receive several packets and acknowledge them together.

TCP window update (TCP window update)

TCP zero window

TCP window full

This is a state in TCP communication. It can arise for many reasons, but in the end it comes down to the sender transmitting data faster than the receiver reads it. The receiver has to free part of its buffer to hold the data already sent, and then send a window update to the sender telling it how fast it may send, so that transmission and reception return to normal.

Either the TCP window becomes zero or it gets close to zero, which warns the sender that there is no more room to accept data. The file transfer stops until an update says the buffer has been emptied.

TCP window full: a window warning sent by the server to the client.

TCP zero window: a window warning sent by the client to the server.

TCP keep-alive: keeps the session alive; usually sent by the server.

The following is an analysis of the packets shown in the figure above.

Client: 192.168.10.111, server: 42.250.12.36

The server sends TCP window full to the client, indicating that the client can accept no more new data.

The client sends TCP zero window to the server, indicating that it has no window left to receive new data.

The server sends a keep-alive to the client and keeps the session open until the client again has enough window to receive data.

The client sends TCP zero window to the server again, reminding the server that there is still not enough window to receive new data.

The client sends TCP window update to the server, indicating that its buffer has been emptied and reminding the server that it now has a window of 17280.

Since the client's receive buffer has been emptied, the server continues sending data.
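The exchange above can be reproduced with a small flow-control analyser, added here as an example that is not from the original article. It tracks, for each sender, how many bytes are in flight against the window its peer last advertised, and emits the same labels Wireshark shows: window full when the in-flight bytes fill the peer's window, zero window when a packet advertises win=0, window update when a pure ACK repeats the previous ack with a larger window, and keep-alive when an empty segment replays the byte just before the sender's next seq. The addresses and the client's 17280 window are from the article; the frame numbers, sequence numbers, the server's 14480 window and segment sizes are constructed, and window scaling is ignored.

```python
# Added example: Wireshark-style window analysis over constructed packet
# summaries. Addresses and the client's win=17280 come from the article;
# everything else is assumed. Window scaling is not modelled.

C, S = "192.168.10.111", "42.250.12.36"   # client / server from the article


def pkt(frame, src, dst, seq, ack, win, length=0):
    """Constructed packet summary (seq/ack relative, win in bytes)."""
    return {"frame": frame, "src": src, "dst": dst, "seq": seq,
            "ack": ack, "win": win, "len": length}


def window_analysis(packets):
    """Return {frame: [labels]} with zero window / window full /
    window update / keep-alive, following the rules in the lead-in."""
    next_seq = {}   # sender -> next seq it will use
    acked = {}      # sender -> highest ack its peer has sent it
    rwnd = {}       # sender -> window its peer last advertised to it
    last_ack = {}   # sender -> (ack, win) of its last pure ACK
    labels = {}
    for p in packets:
        src, dst, found = p["src"], p["dst"], []
        end = p["seq"] + p["len"]
        # keep-alive: empty (or 1-byte) segment replaying the byte before next_seq
        if p["len"] <= 1 and src in next_seq and p["seq"] == next_seq[src] - 1:
            found.append("keep-alive")
        else:
            next_seq[src] = max(next_seq.get(src, 0), end)
        acked[dst] = max(acked.get(dst, 0), p["ack"])
        prev = last_ack.get(src)
        if p["win"] == 0:
            found.append("zero window")
        elif p["len"] == 0 and prev and prev[0] == p["ack"] and p["win"] > prev[1]:
            found.append("window update")      # same ack, but room has opened up
        if p["len"] == 0:
            last_ack[src] = (p["ack"], p["win"])
        rwnd[dst] = p["win"]                   # what the peer may now send us
        # window full: bytes in flight from src now fill the window dst gave it
        if p["len"] > 0 and src in rwnd and src in acked:
            if next_seq[src] - acked[src] >= rwnd[src]:
                found.append("window full")
        labels[p["frame"]] = found
    return labels


# Constructed capture following the article's narrative.
CAPTURE = [
    pkt(1, C, S, 1, 1, 17280),            # client advertises 17280 bytes of window
    pkt(2, S, C, 1, 1, 14480, 8640),      # server sends data
    pkt(3, S, C, 8641, 1, 14480, 8640),   # ... and fills the client's window
    pkt(4, C, S, 1, 17281, 0),            # client: zero window
    pkt(5, S, C, 17280, 1, 14480),        # server keep-alive while it waits
    pkt(6, C, S, 1, 17281, 0),            # client: zero window again
    pkt(7, C, S, 1, 17281, 17280),        # client: window update, buffer emptied
    pkt(8, S, C, 17281, 1, 14480, 1440),  # server resumes sending
]

if __name__ == "__main__":
    for frame, found in window_analysis(CAPTURE).items():
        print(frame, ", ".join(found) or "-")
```

Frames 3 through 7 come out as window full, zero window, keep-alive, zero window and window update, matching the order of events described in the article; frame 8 carries no label because the in-flight data is well inside the reopened window.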

TCP Dup ACK (duplicate ACK)

Indicates that a data segment has been lost: 574 is the frame where the loss is detected, and #1 numbers the duplicate (the first repeat of that ACK).

In general, a rise in network delay slows the connection down, and that is one of the main causes of repeated ACKs: either the server or the client responds slowly or does not respond at all.

TCP out-of-order

The received packets are out of order, which may be caused by network congestion or by load sharing across routes, so that a later packet arrives first.

TCP Retransmission

Packet 170 is a retransmission of packet 167, so the seq and ack are identical: seq=2070, ack=6264.

TCP previous segment not captured (the preceding segment was not received)

This means that the packets are out of order and a packet that should have arrived earlier has to be retransmitted before it is received. Packet 1932 has ack=83066, i.e. it asks the server to send the packet with seq=83066 next, but the packet sent in 1933 has seq=85946. Once the server receives the client's ack=85946 it can tell that the earlier packet was not received, and the packet requested by 1932 is retransmitted in 1934.

The above is the editor's walkthrough of how to analyze a Wireshark packet capture. If you have similar doubts, you can refer to the analysis above to understand them. If you want to know more, you are welcome to follow the industry information channel.
