tcp报文完整解析记录

2023-11-22 17:59:46

tcp报文手工解析

在linux (ip 192.168.1.155)执行nc -l 7001，监听7001端口，同时执行tcpdump -nnvvXS -i ens33 port 7001 (ens33是网卡 7001是监听端口)进行抓包，本地pc(ip 192.168.1.100)启动sokit工具，连接服务端7001端口，在客户端sokit进行数据发送

服务端抓包结果如下

查看7001端口状态，pc上从源端口1615端口发送到服务端7001端口

下面手工解析tcp数据

root@ZYJ:~# tcpdump -nnvvXS -i ens33 port 7001
tcpdump: listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
13:05:46.068475 IP (tos 0x0, ttl 128, id 3534, offset 0, flags [DF], proto TCP (6), length 72)
    192.168.1.100.1615 > 192.168.1.155.7001: Flags [P.], cksum 0x4376 (correct), seq 1117716375:1117716395, ack 4110941674, win 4117, options [nop,nop,TS val 2479861258 ecr 890617083], length 20
	0x0000:  4500 0048 0dce 4000 8006 6892 c0a8 0164  E..H..@...h....d
	0x0010:  c0a8 019b 064f 1b59 429e ff97 f507 fdea  .....O.YB.......
	0x0020:  8018 1015 4376 0000 0101 080a 93cf ae0a  ....Cv..........
	0x0030:  3515 bcfb 3132 3334 3536 3738 3930 3132  5...123456789012
	0x0040:  3334 3536 3738 3930                      34567890
13:05:46.068516 IP (tos 0x0, ttl 64, id 6476, offset 0, flags [DF], proto TCP (6), length 52)
    192.168.1.155.7001 > 192.168.1.100.1615: Flags [.], cksum 0x2837 (correct), seq 4110941674, ack 1117716395, win 227, options [nop,nop,TS val 890633086 ecr 2479861258], length 0
	0x0000:  4500 0034 194c 4000 4006 9d28 c0a8 019b  E..4.L@.@..(....
	0x0010:  c0a8 0164 1b59 064f f507 fdea 429e ffab  ...d.Y.O....B...
	0x0020:  8010 00e3 2837 0000 0101 080a 3515 fb7e  ....(7......5..~
	0x0030:  93cf ae0a                                ....

手工解析第一条抓包数据如下：

------------------------------
ip协议头
4500 => 说明是ipv4报文，ip头占20字节
4500 0048 0dce 4000 8006 6892 c0a8 0164 c0a8 019b => [说明是整个ip头，占用20字节]
0048 => 72 [ip+tcp报文总长度，那么tcp长度是52字节]
0dce 4000 => 标识16bit+标志3bit+段位移13bit 
8006 6892 => TTL 8bit + 协议8bit + 校验和16bit [这里标识是tcp协议] [1标识ICMP、2标识IGMP、6标识TCP、17标识UDP、89标识OSPF]
c0a8 0164 => 192.168.1.100 [源ip]
c0a8 019b => 192.168.1.155 [目的ip]
-------------tcp--------------
064f => 1615 [源端口16bit]
1b59 => 7001 [目的端口16bit]
429e ff97 => 1117716375 [序号32bit]
f507 fdea => 4110941674 [确认号32bit]
8018 => 1000000000011000 = [数据偏移4bit+保留6bit+URG+ACK+PSH+RST+SYN+FIN]
1015 => 4117 [窗口16bit]
4376 => 17270 [校验和 16bit]
0000 => 0 [紧急指针 16bit]
0101 080a 93cf ae0a 3515 bcfb => [类型1字节+长度1字节+内容(长度-2), 0101-说明类型是1，长度是1，因此无内容。 080a-标识08是类型长度是10，内容长度就是10-2=8，因此内容数据93cf ae0a 3515 bcfb符合长度8]
3132 3334 3536 3738 3930 3132 3334 3536 3738 3930 => [tcp数据12345678901234567890]
-------------------------------

发送一条数据抓包两条，其中第二条是ack，无实际数据，只有tcp头。

完整的ip/tcp报文格式如下图

由此结构图看出，tcp的数据部分并没有定义长度，

下面在tcp建立连接、发送数据、断开连接的完整抓包

tcp连接
root@ZYJ:~# tcpdump -nnvvXS -i ens33 port 7001
tcpdump: listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
19:50:34.617569 IP (tos 0x0, ttl 128, id 4923, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.1.100.7687 > 192.168.1.155.7001: Flags [S], cksum 0xf57b (correct), seq 807569599, win 64240, options [mss 1460,nop,wscale 8,sackOK,TS val 2504149950 ecr 0], length 0
	0x0000:  4500 003c 133b 4000 8006 6331 c0a8 0164  E..<.;@...c1...d
	0x0010:  c0a8 019b 1e07 1b59 3022 88bf 0000 0000  .......Y0"......
	0x0020:  a002 faf0 f57b 0000 0204 05b4 0103 0308  .....{..........
	0x0030:  0402 080a 9542 4bbe 0000 0000            .....BK.....
19:50:34.617679 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.1.155.7001 > 192.168.1.100.7687: Flags [S.], cksum 0x5ab1 (correct), seq 2813895832, ack 807569600, win 28960, options [mss 1460,sackOK,TS val 896705223 ecr 2504149950,nop,wscale 7], length 0
	0x0000:  4500 003c 0000 4000 4006 b66c c0a8 019b  E..<..@.@..l....
	0x0010:  c0a8 0164 1b59 1e07 a7b8 a498 3022 88c0  ...d.Y......0"..
	0x0020:  a012 7120 5ab1 0000 0204 05b4 0402 080a  ..q.Z...........
	0x0030:  3572 a2c7 9542 4bbe 0103 0307            5r...BK.....
19:50:34.617894 IP (tos 0x0, ttl 128, id 4924, offset 0, flags [DF], proto TCP (6), length 52)
    192.168.1.100.7687 > 192.168.1.155.7001: Flags [.], cksum 0xf89a (correct), seq 807569600, ack 2813895833, win 514, options [nop,nop,TS val 2504149951 ecr 896705223], length 0
	0x0000:  4500 0034 133c 4000 8006 6338 c0a8 0164  E..4.<@...c8...d
	0x0010:  c0a8 019b 1e07 1b59 3022 88c0 a7b8 a499  .......Y0"......
	0x0020:  8010 0202 f89a 0000 0101 080a 9542 4bbf  .............BK.
	0x0030:  3572 a2c7                                5r..

tcp发送
19:51:08.751297 IP (tos 0x0, ttl 128, id 4936, offset 0, flags [DF], proto TCP (6), length 72)
    192.168.1.100.7687 > 192.168.1.155.7001: Flags [P.], cksum 0x5f1b (correct), seq 807569600:807569620, ack 2813895833, win 514, options [nop,nop,TS val 2504184088 ecr 896705223], length 20
	0x0000:  4500 0048 1348 4000 8006 6318 c0a8 0164  E..H.H@...c....d
	0x0010:  c0a8 019b 1e07 1b59 3022 88c0 a7b8 a499  .......Y0"......
	0x0020:  8018 0202 5f1b 0000 0101 080a 9542 d118  ...._........B..
	0x0030:  3572 a2c7 3132 3334 3536 3738 3930 3132  5r..123456789012
	0x0040:  3334 3536 3738 3930                      34567890
19:51:08.751354 IP (tos 0x0, ttl 64, id 1630, offset 0, flags [DF], proto TCP (6), length 52)
    192.168.1.155.7001 > 192.168.1.100.7687: Flags [.], cksum 0x52f6 (correct), seq 2813895833, ack 807569620, win 227, options [nop,nop,TS val 896713757 ecr 2504184088], length 0
	0x0000:  4500 0034 065e 4000 4006 b016 c0a8 019b  E..4.^@.@.......
	0x0010:  c0a8 0164 1b59 1e07 a7b8 a499 3022 88d4  ...d.Y......0"..
	0x0020:  8010 00e3 52f6 0000 0101 080a 3572 c41d  ....R.......5r..
	0x0030:  9542 d118                                .B..

tcp端开 客户端主动断开
19:51:36.481089 IP (tos 0x0, ttl 128, id 4950, offset 0, flags [DF], proto TCP (6), length 52)
    192.168.1.100.7687 > 192.168.1.155.7001: Flags [F.], cksum 0xe58a (correct), seq 807569620, ack 2813895833, win 514, options [nop,nop,TS val 2504211811 ecr 896713757], length 0
	0x0000:  4500 0034 1356 4000 8006 631e c0a8 0164  E..4.V@...c....d
	0x0010:  c0a8 019b 1e07 1b59 3022 88d4 a7b8 a499  .......Y0"......
	0x0020:  8011 0202 e58a 0000 0101 080a 9543 3d63  .............C=c
	0x0030:  3572 c41d                                5r..
19:51:36.481255 IP (tos 0x0, ttl 64, id 1631, offset 0, flags [DF], proto TCP (6), length 52)
    192.168.1.155.7001 > 192.168.1.100.7687: Flags [F.], cksum 0xcb94 (correct), seq 2813895833, ack 807569621, win 227, options [nop,nop,TS val 896720689 ecr 2504211811], length 0
	0x0000:  4500 0034 065f 4000 4006 b015 c0a8 019b  E..4._@.@.......
	0x0010:  c0a8 0164 1b59 1e07 a7b8 a499 3022 88d5  ...d.Y......0"..
	0x0020:  8011 00e3 cb94 0000 0101 080a 3572 df31  ............5r.1
	0x0030:  9543 3d63                                .C=c
19:51:36.481558 IP (tos 0x0, ttl 128, id 4951, offset 0, flags [DF], proto TCP (6), length 52)
    192.168.1.100.7687 > 192.168.1.155.7001: Flags [.], cksum 0xbc62 (correct), seq 807569621, ack 2813895834, win 4117, options [nop,nop,TS val 2504211811 ecr 896720689], length 0
	0x0000:  4500 0034 1357 4000 8006 631d c0a8 0164  E..4.W@...c....d
	0x0010:  c0a8 019b 1e07 1b59 3022 88d5 a7b8 a49a  .......Y0"......
	0x0020:  8010 1015 bc62 0000 0101 080a 9543 3d63  .....b.......C=c
	0x0030:  3572 df31                                5r.1

码农公寓

相关文章