2025-01-19 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
1. Packet details
The Packet Details panel is mainly used to analyze the details of a packet, as follows.
Frames: physical layer, link layer
Packets: network layer
Segments: transport layer, application layer
1) Frame
Overview of the physical-layer data frame
2) Ethernet II
Ethernet frame header information at the data link layer
3) Internet Protocol Version 4
IP packet header information at the Internet layer
IP header:
4) Transmission Control Protocol
Segment header information at the transport layer; here the protocol is TCP
TCP header:
5) Hypertext Transfer Protocol
Application-layer information; here the protocol is HTTP
2. Coloring rules
Wireshark has a set of coloring rules by default. Expand the Frame section of a packet in the Packet Details panel to view the coloring rules.
Open the coloring rules window from View | Coloring Rules; there you can create, delete, select and remove rules yourself.
3. Wireshark hints
1) Packet size limited during capture
This means the marked packet was not captured in full. It is generally caused by the way the capture was taken: some operating systems capture only the first 96 bytes of each frame by default.
Packet 4 is 171 bytes long, but only 96 bytes were captured.
2) TCP Previous segment not captured
If Wireshark finds that the Seq of a later packet is greater than the previous packet's Seq+Len, it knows that a segment is missing in between.
If the missing segment cannot be found anywhere in the capture (that is, reordering is ruled out), this hint is shown.
Packet 6 has Seq=1449, which is greater than the Seq+Len=1+1=1 of packet 5, indicating that a 1448-byte segment was not captured, namely "Seq=1,Len=1448".
3) TCP ACKed unseen segment
When Wireshark finds that a segment being ACKed was never captured, it shows this hint.
Packet 32 has Seq+Len=6889+1448=8337, so the next packet should have Seq=8337.
What we see instead is Seq=11233 in packet 35, which means the data from 8337 to 11232 was not captured.
4) TCP Out-of-Order
When Wireshark finds that the Seq number of a later packet is less than the Seq+Len of the previous packet, it considers the packet out of order and shows this hint.
The Seq of packet 3362 is less than the Seq of packet 3360, so it is out of order.
5) TCP Dup ACK
When reordering or packet loss occurs, the receiver gets some packets with a larger Seq number than expected. Each time it receives one of these packets, it ACKs the expected Seq value once, to alert the sender.
Packet 7 expects the next Seq=30763, but packet 8 has Seq=32223, indicating that the Seq=30763 packet is missing, so packet 9 sends Ack=30763, which means "I want Seq=30763".
Packets 10, 12 and 14 all have a Seq greater than 30763, so each one received is answered with one more Ack.
6) TCP Fast Retransmission
When the sender receives 3 or more [TCP Dup ACK], it realizes that the previously sent packet may be lost, so it quickly retransmits it.
7) TCP Retransmission
If a packet really is lost and no subsequent packet triggers [Dup Ack] at the receiver, there will be no fast retransmission.
In this case, the sender has to wait for the timeout before retransmitting.
After packet 1053 was sent, the corresponding Ack never arrived, so it could only be retransmitted more than 100 ms later.
8) TCP ZeroWindow
The "win" of a packet is the size of the receive window; when Wireshark finds "win=0" in a packet, it shows this hint.
9) TCP Window Full
This hint indicates that the sender of the packet has exhausted the receive window advertised by the other side.
It is issued when Wireshark calculates that the sender (the host called "Middle East" in this example) has 65535 bytes that have not yet been acknowledged.
[TCP Window Full] indicates that the sender of the packet cannot send any more data for the time being.
[TCP ZeroWindow] indicates that the sender of the packet cannot receive any more data for the time being.
10) TCP segment of a reassembled PDU
Wireshark can virtually reassemble the TCP segments that belong to the same application-layer PDU.
When the TCP layer receives a large message from the upper layer, it splits it into segments and sends them out. When a host responds to a query or command with more data than the maximum MSS of TCP allows, it transmits the data as multiple packets (note: these packets are not fragmented).
11) Time-to-live exceeded (Fragment reassembly time exceeded)
Indicates that the sender of the packet previously received some fragments but, for some reason, was unable to reassemble them.
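The sequence-number rules behind hints 2) to 6) can be applied by hand to any capture. The following is an added example, not Wireshark's own code and not from the original article: a single-pass checker that labels packets using only Seq, Len and Ack. It assumes relative sequence numbers without wraparound and ignores timing, SACK and window size; `Pkt`, `analyze` and `SAMPLE` are hypothetical names, and the sample capture is constructed.

```python
from collections import namedtuple

# One captured TCP packet: frame number, sender ("A" or "B"), relative Seq, payload Len, Ack.
Pkt = namedtuple("Pkt", "no src seq length ack")

def analyze(packets):
    """Return {frame number: [hints]} for one connection, using the rules in the text."""
    next_seq = {}   # per sender: highest Seq+Len captured so far
    dup = {}        # per sender: (last pure-ACK value, how many times it was repeated)
    hints = {}
    for p in packets:
        peer = "B" if p.src == "A" else "A"
        found = []
        peer_seen = next_seq.get(peer)
        if peer_seen is not None and p.ack > peer_seen:
            found.append("ACKed unseen segment")      # ACK covers bytes never captured
        if p.length == 0:                              # pure ACK
            last, count = dup.get(p.src, (None, 0))
            count = count + 1 if p.ack == last else 0
            dup[p.src] = (p.ack, count)
            if count and peer_seen is not None and peer_seen > p.ack:
                found.append(f"Dup ACK #{count}")     # still asking for the same Seq
        else:
            expected = next_seq.get(p.src)
            if expected is not None and p.seq > expected:
                found.append("Previous segment not captured")
            elif expected is not None and p.seq < expected:
                asked, repeats = dup.get(peer, (None, 0))
                fast = asked == p.seq and repeats >= 3
                found.append("Fast Retransmission" if fast else "Out-of-Order")
        next_seq[p.src] = max(next_seq.get(p.src, 0), p.seq + p.length)
        if found:
            hints[p.no] = found
    return hints

# Constructed capture (not the article's trace): A sends data, B acknowledges it.
SAMPLE = [
    Pkt(1, "A", 29303, 1460, 1), Pkt(2, "B", 1, 0, 30763),
    Pkt(3, "A", 32223, 1460, 1), Pkt(4, "B", 1, 0, 30763),   # Seq=30763 went missing
    Pkt(5, "A", 33683, 1460, 1), Pkt(6, "B", 1, 0, 30763),
    Pkt(7, "A", 35143, 1460, 1), Pkt(8, "B", 1, 0, 30763),
    Pkt(9, "A", 30763, 1460, 1), Pkt(10, "B", 1, 0, 36603),  # resent after 3 Dup ACKs
    Pkt(11, "A", 38063, 1460, 1), Pkt(12, "A", 36603, 1460, 1),  # gap, then late arrival
    Pkt(13, "B", 1, 0, 42443),                               # ACK beyond captured data
]

if __name__ == "__main__":
    for no, found in analyze(SAMPLE).items():
        print(no, ", ".join(found))
```

Because the checker works in a single pass, a reordered segment produces two labels: the packet that exposes the gap is marked first, and the late arrival is marked Out-of-Order afterwards.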