Manual parsing of a TCP packet
On Linux (IP 192.168.1.155), run nc -l 7001 to listen on port 7001, and at the same time run tcpdump -nnvvXS -i ens33 port 7001
(ens33 is the NIC, 7001 the listening port) to capture traffic. On the local PC (IP 192.168.1.100), start the sokit tool, connect to port 7001 on the server, and send data from the sokit client.
The capture on the server looks like this.
Checking the state of port 7001: on the PC, the data is sent from source port 1615 to server port 7001.
Below, the TCP data is parsed by hand.
root@ZYJ:~# tcpdump -nnvvXS -i ens33 port 7001
tcpdump: listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
13:05:46.068475 IP (tos 0x0, ttl 128, id 3534, offset 0, flags [DF], proto TCP (6), length 72)
192.168.1.100.1615 > 192.168.1.155.7001: Flags [P.], cksum 0x4376 (correct), seq 1117716375:1117716395, ack 4110941674, win 4117, options [nop,nop,TS val 2479861258 ecr 890617083], length 20
0x0000: 4500 0048 0dce 4000 8006 6892 c0a8 0164 E..H..@...h....d
0x0010: c0a8 019b 064f 1b59 429e ff97 f507 fdea .....O.YB.......
0x0020: 8018 1015 4376 0000 0101 080a 93cf ae0a ....Cv..........
0x0030: 3515 bcfb 3132 3334 3536 3738 3930 3132 5...123456789012
0x0040: 3334 3536 3738 3930 34567890
13:05:46.068516 IP (tos 0x0, ttl 64, id 6476, offset 0, flags [DF], proto TCP (6), length 52)
192.168.1.155.7001 > 192.168.1.100.1615: Flags [.], cksum 0x2837 (correct), seq 4110941674, ack 1117716395, win 227, options [nop,nop,TS val 890633086 ecr 2479861258], length 0
0x0000: 4500 0034 194c 4000 4006 9d28 c0a8 019b E..4.L@.@..(....
0x0010: c0a8 0164 1b59 064f f507 fdea 429e ffab ...d.Y.O....B...
0x0020: 8010 00e3 2837 0000 0101 080a 3515 fb7e ....(7......5..~
0x0030: 93cf ae0a ....
Manual parse of the first captured packet:
------------------------------
IP header
4500 => version 4 (IPv4); header length 5 words = 20 bytes
4500 0048 0dce 4000 8006 6892 c0a8 0164 c0a8 019b => [the complete IP header, 20 bytes]
0048 => 72 [total length of IP header + TCP segment, so the TCP segment is 72 - 20 = 52 bytes]
0dce 4000 => identification 16 bits + flags 3 bits + fragment offset 13 bits
8006 6892 => TTL 8 bits + protocol 8 bits + header checksum 16 bits [protocol 06 here means TCP] [1 = ICMP, 2 = IGMP, 6 = TCP, 17 = UDP, 89 = OSPF]
c0a8 0164 => 192.168.1.100 [source IP]
c0a8 019b => 192.168.1.155 [destination IP]
-------------TCP--------------
064f => 1615 [source port, 16 bits]
1b59 => 7001 [destination port, 16 bits]
429e ff97 => 1117716375 [sequence number, 32 bits]
f507 fdea => 4110941674 [acknowledgment number, 32 bits]
8018 => 1000 0000 0001 1000 = [data offset 4 bits + reserved 6 bits + URG + ACK + PSH + RST + SYN + FIN]; data offset 8 means 8 x 4 = 32 bytes of TCP header (20 fixed + 12 of options), and only ACK and PSH are set, matching Flags [P.] in the summary line
1015 => 4117 [window, 16 bits]
4376 => 17270 [checksum, 16 bits]
0000 => 0 [urgent pointer, 16 bits]
0101 080a 93cf ae0a 3515 bcfb => [each option is kind 1 byte + length 1 byte + content (length - 2). 0101: two options of kind 1 (NOP), each a single byte, so no content (tcpdump shows them as nop,nop). 080a: kind 08 (timestamps), length 10, so the content is 10 - 2 = 8 bytes, and the data 93cf ae0a 3515 bcfb matches that length (TS val 0x93cfae0a = 2479861258, ecr 0x3515bcfb = 890617083, as in the summary line)]
3132 3334 3536 3738 3930 3132 3334 3536 3738 3930 => [TCP data: 12345678901234567890]
-------------------------------
Sending one message produces two captured packets; the second is an ACK that carries no data, only a TCP header.
The complete IP/TCP packet format is shown in the figure below.
From this structure diagram it can be seen that the TCP data portion has no length field defined for it,
Below is the complete capture of a TCP connection being established, data being sent, and the connection being closed.
TCP connection establishment
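To mechanise the walk-through above, here is an added Python example (not code from the original post) that decodes the same first packet from its hex bytes, walks the TCP option list, and verifies both the IP header checksum and the TCP checksum over its pseudo-header. The packet bytes are re-typed from the dump above; all function and field names are the example's own.

```python
import struct

# First captured segment on this page (PSH/ACK carrying "12345678901234567890"), re-typed
# from the tcpdump -X hex dump above so the script runs offline (constructed test input).
PKT = bytes.fromhex(
    "4500 0048 0dce 4000 8006 6892 c0a8 0164 c0a8 019b"  # IPv4 header, 20 bytes
    "064f 1b59 429e ff97 f507 fdea 8018 1015 4376 0000"  # TCP header, 20 bytes
    "0101 080a 93cf ae0a 3515 bcfb"                      # options: NOP, NOP, timestamps
    "3132 3334 3536 3738 3930 3132 3334 3536 3738 3930"  # 20-byte payload
)
FLAGS = ((0x20, "URG"), (0x10, "ACK"), (0x08, "PSH"), (0x04, "RST"), (0x02, "SYN"), (0x01, "FIN"))
def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; a buffer whose checksum field is valid sums to 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF
def parse_tcp_options(raw: bytes) -> list:
    """Walk the kind/length/value list; EOL (0) and NOP (1) are single bytes with no length."""
    opts, i = [], 0
    while i < len(raw) and raw[i] != 0:
        kind = raw[i]
        if kind == 1:
            opts.append(("nop",)); i += 1; continue
        length = raw[i + 1] if i + 1 < len(raw) else 0
        if length < 2 or i + length > len(raw):  # the length byte comes off the wire: check it
            raise ValueError("malformed TCP option kind %d at offset %d" % (kind, i))
        body = raw[i + 2:i + length]
        opts.append(("ts",) + struct.unpack("!II", body) if kind == 8 and len(body) == 8 else (kind, body))  # kind 8 = TS val, TS ecr
        i += length
    return opts
def parse_packet(pkt: bytes) -> dict:
    """Decode IPv4 + TCP as the manual walk-through above does, verifying both checksums."""
    ver_ihl, _, total_len, _, _, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or proto != 6 or ihl < 20 or total_len > len(pkt) or total_len - ihl < 20:
        raise ValueError("not a complete IPv4/TCP packet")
    seg = pkt[ihl:total_len]
    sport, dport, seq, ack, off_flags, win, _, urg = struct.unpack("!HHIIHHHH", seg[:20])
    doff = (off_flags >> 12) * 4  # header length also comes off the wire: bounds-check it
    if not 20 <= doff <= len(seg):
        raise ValueError("bad TCP data offset %d" % doff)
    pseudo = struct.pack("!4s4sBBH", src, dst, 0, proto, len(seg))  # TCP checksum pseudo-header
    return {"src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)), "ttl": ttl, "sport": sport,
            "dport": dport, "seq": seq, "ack": ack, "win": win, "urg": urg, "payload": seg[doff:],
            "flags": [name for bit, name in FLAGS if off_flags & bit], "options": parse_tcp_options(seg[20:doff]),
            "ip_csum_ok": inet_checksum(pkt[:ihl]) == 0, "tcp_csum_ok": inet_checksum(pseudo + seg) == 0}
```

The two bounds checks are the part worth keeping: the data offset and option length bytes are whatever the sender put on the wire, and a dissector that trusts them is the classic source of packet-parser crashes.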
root@ZYJ:~# tcpdump -nnvvXS -i ens33 port 7001
tcpdump: listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
19:50:34.617569 IP (tos 0x0, ttl 128, id 4923, offset 0, flags [DF], proto TCP (6), length 60)
192.168.1.100.7687 > 192.168.1.155.7001: Flags [S], cksum 0xf57b (correct), seq 807569599, win 64240, options [mss 1460,nop,wscale 8,sackOK,TS val 2504149950 ecr 0], length 0
0x0000: 4500 003c 133b 4000 8006 6331 c0a8 0164 E..<.;@...c1...d
0x0010: c0a8 019b 1e07 1b59 3022 88bf 0000 0000 .......Y0"......
0x0020: a002 faf0 f57b 0000 0204 05b4 0103 0308 .....{..........
0x0030: 0402 080a 9542 4bbe 0000 0000 .....BK.....
19:50:34.617679 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)
192.168.1.155.7001 > 192.168.1.100.7687: Flags [S.], cksum 0x5ab1 (correct), seq 2813895832, ack 807569600, win 28960, options [mss 1460,sackOK,TS val 896705223 ecr 2504149950,nop,wscale 7], length 0
0x0000: 4500 003c 0000 4000 4006 b66c c0a8 019b E..<..@.@..l....
0x0010: c0a8 0164 1b59 1e07 a7b8 a498 3022 88c0 ...d.Y......0"..
0x0020: a012 7120 5ab1 0000 0204 05b4 0402 080a ..q.Z...........
0x0030: 3572 a2c7 9542 4bbe 0103 0307 5r...BK.....
19:50:34.617894 IP (tos 0x0, ttl 128, id 4924, offset 0, flags [DF], proto TCP (6), length 52)
192.168.1.100.7687 > 192.168.1.155.7001: Flags [.], cksum 0xf89a (correct), seq 807569600, ack 2813895833, win 514, options [nop,nop,TS val 2504149951 ecr 896705223], length 0
0x0000: 4500 0034 133c 4000 8006 6338 c0a8 0164 E..4.<@...c8...d
0x0010: c0a8 019b 1e07 1b59 3022 88c0 a7b8 a499 .......Y0"......
0x0020: 8010 0202 f89a 0000 0101 080a 9542 4bbf .............BK.
0x0030: 3572 a2c7 5r..
TCP data send
19:51:08.751297 IP (tos 0x0, ttl 128, id 4936, offset 0, flags [DF], proto TCP (6), length 72)
192.168.1.100.7687 > 192.168.1.155.7001: Flags [P.], cksum 0x5f1b (correct), seq 807569600:807569620, ack 2813895833, win 514, options [nop,nop,TS val 2504184088 ecr 896705223], length 20
0x0000: 4500 0048 1348 4000 8006 6318 c0a8 0164 E..H.H@...c....d
0x0010: c0a8 019b 1e07 1b59 3022 88c0 a7b8 a499 .......Y0"......
0x0020: 8018 0202 5f1b 0000 0101 080a 9542 d118 ...._........B..
0x0030: 3572 a2c7 3132 3334 3536 3738 3930 3132 5r..123456789012
0x0040: 3334 3536 3738 3930 34567890
19:51:08.751354 IP (tos 0x0, ttl 64, id 1630, offset 0, flags [DF], proto TCP (6), length 52)
192.168.1.155.7001 > 192.168.1.100.7687: Flags [.], cksum 0x52f6 (correct), seq 2813895833, ack 807569620, win 227, options [nop,nop,TS val 896713757 ecr 2504184088], length 0
0x0000: 4500 0034 065e 4000 4006 b016 c0a8 019b E..4.^@.@.......
0x0010: c0a8 0164 1b59 1e07 a7b8 a499 3022 88d4 ...d.Y......0"..
0x0020: 8010 00e3 52f6 0000 0101 080a 3572 c41d ....R.......5r..
0x0030: 9542 d118 .B..
TCP teardown (the client closes first)
19:51:36.481089 IP (tos 0x0, ttl 128, id 4950, offset 0, flags [DF], proto TCP (6), length 52)
192.168.1.100.7687 > 192.168.1.155.7001: Flags [F.], cksum 0xe58a (correct), seq 807569620, ack 2813895833, win 514, options [nop,nop,TS val 2504211811 ecr 896713757], length 0
0x0000: 4500 0034 1356 4000 8006 631e c0a8 0164 E..4.V@...c....d
0x0010: c0a8 019b 1e07 1b59 3022 88d4 a7b8 a499 .......Y0"......
0x0020: 8011 0202 e58a 0000 0101 080a 9543 3d63 .............C=c
0x0030: 3572 c41d 5r..
19:51:36.481255 IP (tos 0x0, ttl 64, id 1631, offset 0, flags [DF], proto TCP (6), length 52)
192.168.1.155.7001 > 192.168.1.100.7687: Flags [F.], cksum 0xcb94 (correct), seq 2813895833, ack 807569621, win 227, options [nop,nop,TS val 896720689 ecr 2504211811], length 0
0x0000: 4500 0034 065f 4000 4006 b015 c0a8 019b E..4._@.@.......
0x0010: c0a8 0164 1b59 1e07 a7b8 a499 3022 88d5 ...d.Y......0"..
0x0020: 8011 00e3 cb94 0000 0101 080a 3572 df31 ............5r.1
0x0030: 9543 3d63 .C=c
19:51:36.481558 IP (tos 0x0, ttl 128, id 4951, offset 0, flags [DF], proto TCP (6), length 52)
192.168.1.100.7687 > 192.168.1.155.7001: Flags [.], cksum 0xbc62 (correct), seq 807569621, ack 2813895834, win 4117, options [nop,nop,TS val 2504211811 ecr 896720689], length 0
0x0000: 4500 0034 1357 4000 8006 631d c0a8 0164 E..4.W@...c....d
0x0010: c0a8 019b 1e07 1b59 3022 88d5 a7b8 a49a .......Y0"......
0x0020: 8010 1015 bc62 0000 0101 080a 9543 3d63 .....b.......C=c
0x0030: 3572 df31 5r.1