Part 1: Fundamentals
A protocol stack is a logical grouping of protocols that work together.
Many protocols commonly address the following issues:
- connection initiation
- negotiation of connection characteristics
- data formatting
- error detection and correction
- connection termination
Application layer: provides a means for users to actually access network resources.
Transport layer: through flow control, segmentation/desegmentation, and error control, the transport layer makes sure data gets from point to point error-free. Because ensuring reliable data transportation can be extremely cumbersome, the OSI model devotes an entire layer to it. (This describes TCP; UDP is also a transport-layer protocol and provides none of these guarantees.)
Network layer: routing data between physical networks (routing and forwarding).
Data link layer: transporting data across a physical network.
Physical layer: AD/DA, i.e. converting bits to and from signals on the medium.
The term packet refers to a complete protocol data unit that includes header and footer information from all layers of the OSI model.
Keep in mind that not every packet on a network is generated from an application layer protocol.
Hub: a hub is no more than a repeating device that operates on the physical layer of the OSI model. It takes packets sent from one port and transmits (repeats) them to every other port on the device.
(Half duplex, lots of useless traffic on every port, physical layer.)
Switch: like a hub, a switch is designed to repeat packets. However, unlike a hub, rather than broadcasting data to every port, a switch sends data to only the computer for which the data is intended.
(Full duplex; a frame is forwarded only to the port associated with its destination MAC address, which is why the switch is a data link layer device. Broadcast frames, and frames whose destination MAC the switch has not yet learned, are still flooded to every port.)
Router: routers operate at layer 3 of the OSI model, where they are responsible for forwarding packets between two or more networks. Routers commonly use layer 3 addresses (such as IP addresses) to uniquely identify devices on a network.
Broadcast: a broadcast packet is one that is sent to all ports on a network segment, regardless of whether that port is on a hub or a switch. Not all broadcast traffic is created equal, however. There are layer 2 and layer 3 forms of broadcast traffic. For instance, on layer 2, the MAC address FF:FF:FF:FF:FF:FF is the reserved broadcast address, and any traffic sent to this address is broadcast to the entire network segment. Layer 3 also has a specific broadcast address: the highest possible IP address in an IP network range is reserved for use as the broadcast address.
The extent to which broadcast packets travel is called the broadcast domain.
(ARP discovery is exactly such a data link layer broadcast: it asks which MAC address belongs to a given IP address.)
Multicast: the primary method of implementing multicast is via an addressing scheme that joins the packet recipients to a multicast group, which is how IP multicast works. This addressing scheme ensures that the packets are not transmitted to computers to which they are not destined. In fact, IP devotes an entire range of addresses to multicast. If you see an IP address in the 224.0.0.0 to 239.255.255.255 range, it is most likely multicast traffic.
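As an added example (not from the book or these notes), the following Python applies the broadcast and multicast rules above to destination addresses the way a capture-filtering script would: the all-ones MAC and the I/G bit for layer 2, the highest address of the local subnet (plus 255.255.255.255) for layer 3, and the 224.0.0.0/4 range for IP multicast. It goes one step beyond the notes by also deriving the Ethernet group address that an IPv4 multicast group is delivered to (01:00:5e followed by the low 23 bits of the group address), which is how a multicast datagram ends up with a layer 2 multicast MAC. The subnet 192.168.1.0/24 and all sample addresses are constructed.

```python
import ipaddress

# The reserved layer 2 broadcast address from the notes above.
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
LIMITED_BROADCAST = ipaddress.IPv4Address("255.255.255.255")


def classify_mac(mac: str) -> str:
    """Classify an Ethernet destination MAC as broadcast, multicast or unicast.

    The I/G bit (least significant bit of the first octet) marks every group
    address; the all-ones address is the broadcast address.
    """
    octets = [int(part, 16) for part in mac.split(":")]
    if len(octets) != 6 or any(not 0 <= o <= 0xFF for o in octets):
        raise ValueError(f"malformed MAC address: {mac!r}")
    if all(o == 0xFF for o in octets):
        return "broadcast"
    if octets[0] & 0x01:
        return "multicast"
    return "unicast"


def classify_ipv4(dst: str, local_net: str) -> str:
    """Classify an IPv4 destination relative to the sniffer's own subnet.

    local_net is the capture point's network in CIDR form (an interface address
    such as 192.168.1.5/24 is accepted too); the highest address of that network
    is the directed broadcast address for the segment.
    """
    addr = ipaddress.IPv4Address(dst)
    net = ipaddress.IPv4Network(local_net, strict=False)
    if addr == LIMITED_BROADCAST:
        return "limited-broadcast"
    if addr.is_multicast:  # 224.0.0.0/4, i.e. 224.0.0.0 to 239.255.255.255
        return "multicast"
    # /31 and /32 networks have no broadcast address, so do not report one for them.
    if net.prefixlen < 31 and addr == net.broadcast_address:
        return "directed-broadcast"
    return "unicast"


def multicast_mac_for(group: str) -> str:
    """Ethernet MAC an IPv4 multicast group is delivered to: 01:00:5e plus the low 23 bits."""
    addr = ipaddress.IPv4Address(group)
    if not addr.is_multicast:
        raise ValueError(f"{group} is not an IPv4 multicast address")
    low23 = int(addr) & 0x7FFFFF
    return "01:00:5e:%02x:%02x:%02x" % (low23 >> 16, (low23 >> 8) & 0xFF, low23 & 0xFF)


def classify_frame(dst_mac: str, dst_ip: str, local_net: str) -> str:
    """Combine both layers and flag IP multicast that is not carried in the matching group MAC."""
    l2, l3 = classify_mac(dst_mac), classify_ipv4(dst_ip, local_net)
    if l3 == "multicast" and dst_mac.lower() != multicast_mac_for(dst_ip):
        return f"{l2}/{l3} (layer 2 address does not match the multicast group)"
    return f"{l2}/{l3}"


if __name__ == "__main__":
    # Constructed sample destinations as seen from a sniffer on 192.168.1.0/24.
    for mac, ip in [("ff:ff:ff:ff:ff:ff", "192.168.1.255"),
                    ("01:00:5e:7f:ff:fa", "239.255.255.250"),
                    ("00:11:22:33:44:55", "192.168.1.20")]:
        print(mac, ip, "->", classify_frame(mac, ip, "192.168.1.0/24"))
```

The layer 3 check needs the sniffer's own subnet because the directed broadcast address is only "the highest address" relative to a particular network range; the same 192.168.1.255 is an ordinary host address inside a /16.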
A key decision for effective packet analysis is where to position a packet sniffer to appropriately capture the data.
Part 2: Sniffer placement (the process of placing a sniffer on the network is called "tapping into the wire", named after the third method below)
Most operating systems (including Windows) will not let you use a network interface card in promiscuous mode unless you have elevated user privileges.
Sniffing on a hub network is the simplest case, but hubs have largely fallen out of use.
On a switched network, when you connect a sniffer to a port on a switch, you can see only broadcast traffic and the traffic transmitted and received by your own machine.
There are four primary ways to capture traffic from a target device on a switched network: port mirroring, hubbing out, using a tap, and ARP cache poisoning.
- port mirroring
You must have access to the command-line or web-management interface of the switch on which the target computer is located. To enable port mirroring, you issue a command that forces the switch to copy all traffic on one port to another port. For instance, to capture the traffic from a device on port 3 of a switch, you could simply plug your analyzer into port 4 and mirror port 3 to port 4, allowing you to see all traffic transmitted and received by your target device. (Note that a full-duplex port carries traffic in both directions, so mirroring a busy port onto a single destination port of the same speed can exceed that port's capacity and drop frames.)
- hubbing out
- tap
A non-aggregated tap has four ports; the two directions of traffic are captured by two separate network cards.
- ARP cache poisoning
This is simply ARP spoofing. As in the figure, ARP spoofing can be used for sniffing; it can also be turned into a DoS attack by dropping all or most of the packets. Cain & Abel can be used for ARP spoofing.
If the target's traffic volume is too large for the sniffer, asymmetric routing can be used: poison only one direction, so that only one direction of the target's traffic flows through the sniffer. When the route from A to B differs from the route from B to A, this is called asymmetric routing.
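The ARP request described earlier (a layer 2 broadcast asking which MAC holds a given IP) and the poisoned reply used for sniffing can be shown as actual bytes. The Python below is an added example, not code from the book or from Cain & Abel: it builds and parses Ethernet/ARP frames with struct, assembles a constructed capture (victim 192.168.1.10, gateway 192.168.1.1 and an attacker MAC cc:cc:cc:cc:cc:99, all made up) in which the attacker poisons only the victim's cache, and runs a simple detector that flags any ARP reply rebinding an IP to a different MAC. Nothing is sent on the wire, so it runs without privileges.

```python
import struct
from typing import Dict, List, NamedTuple, Optional

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
ZERO_MAC = "00:00:00:00:00:00"


def mac_bytes(mac: str) -> bytes:
    return bytes(int(p, 16) for p in mac.split(":"))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def ip_bytes(ip: str) -> bytes:
    return bytes(int(p) for p in ip.split("."))


def ip_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


class Arp(NamedTuple):
    dst_mac: str      # Ethernet destination
    src_mac: str      # Ethernet source
    oper: int         # 1 = request, 2 = reply
    sender_mac: str   # ARP sender hardware address
    sender_ip: str    # ARP sender protocol address
    target_mac: str   # ARP target hardware address
    target_ip: str    # ARP target protocol address


def build_arp(pkt: Arp) -> bytes:
    """Serialize an Ethernet II frame carrying an IPv4-over-Ethernet ARP message (42 bytes)."""
    eth = struct.pack("!6s6sH", mac_bytes(pkt.dst_mac), mac_bytes(pkt.src_mac), ETHERTYPE_ARP)
    # htype=1 (Ethernet), ptype=0x0800 (IPv4), hlen=6, plen=4, then oper and the four addresses.
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, pkt.oper,
                      mac_bytes(pkt.sender_mac), ip_bytes(pkt.sender_ip),
                      mac_bytes(pkt.target_mac), ip_bytes(pkt.target_ip))
    return eth + arp


def parse_arp(frame: bytes) -> Optional[Arp]:
    """Parse a frame; return None unless it is a well-formed IPv4 ARP message."""
    if len(frame) < 42:
        return None
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack("!HHBBH6s4s6s4s", frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return Arp(mac_str(dst), mac_str(src), oper, mac_str(sha), ip_str(spa), mac_str(tha), ip_str(tpa))


def arp_request(src_mac: str, src_ip: str, target_ip: str) -> bytes:
    """'Who has target_ip? Tell src_ip': broadcast at layer 2 because the target MAC is unknown."""
    return build_arp(Arp(BROADCAST_MAC, src_mac, ARP_REQUEST, src_mac, src_ip, ZERO_MAC, target_ip))


def arp_reply(src_mac: str, src_ip: str, dst_mac: str, dst_ip: str) -> bytes:
    """'src_ip is at src_mac', unicast to the asker. A poisoner sends this unsolicited with its own MAC."""
    return build_arp(Arp(dst_mac, src_mac, ARP_REPLY, src_mac, src_ip, dst_mac, dst_ip))


def detect_poisoning(frames: List[bytes]) -> List[str]:
    """Flag ARP replies that rebind an IP already seen to a different MAC (arpwatch-style)."""
    bindings: Dict[str, str] = {}
    alerts: List[str] = []
    for frame in frames:
        arp = parse_arp(frame)
        if arp is None or arp.oper != ARP_REPLY:
            continue
        known = bindings.setdefault(arp.sender_ip, arp.sender_mac)  # first binding seen wins
        if known != arp.sender_mac:
            alerts.append(f"{arp.sender_ip} changed from {known} to {arp.sender_mac}")
    return alerts


def sample_capture() -> List[bytes]:
    """Constructed scenario (not a real capture): victim resolves the gateway, then is poisoned."""
    victim_mac, victim_ip = "aa:aa:aa:aa:aa:10", "192.168.1.10"
    gateway_mac, gateway_ip = "aa:aa:aa:aa:aa:01", "192.168.1.1"
    attacker_mac = "cc:cc:cc:cc:cc:99"
    return [
        arp_request(victim_mac, victim_ip, gateway_ip),              # legitimate broadcast query
        arp_reply(gateway_mac, gateway_ip, victim_mac, victim_ip),   # legitimate answer
        arp_reply(attacker_mac, gateway_ip, victim_mac, victim_ip),  # spoofed: gateway IP -> attacker MAC
    ]


if __name__ == "__main__":
    for alert in detect_poisoning(sample_capture()):
        print("ALERT:", alert)
```

Because only the victim's cache is poisoned in the sample, only the victim-to-gateway direction would traverse the attacker's host, which is the asymmetric routing trick mentioned above; poisoning the gateway as well sends both directions through the sniffer. The detector keeps the first binding it saw, so every further spoofed reply for the same IP raises another alert; a spoof carried in an ARP request (gratuitous ARP) is not checked here.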
(Stopped at p. 52; continue next time.)