3.2.2 UDP User Datagram Protocol
3.2.2.1 UDP characteristics
Works at the transport layer
Provides unreliable network access
Connectionless protocol
Limited error checking
High transmission performance
No data recovery feature
For more UDP-related kernel parameters, see man 7 udp
3.2.2.2 UDP header
3.3 Internet layer
3.3.1 Internet Control Message Protocol
Example: using the ICMP protocol to determine network status
[root@rocky8 ~]# ping 223.5.5.5
PING 223.5.5.5 (223.5.5.5) 56(84) bytes of data.
64 bytes from 223.5.5.5: icmp_seq=1 ttl=128 time=38.9 ms
64 bytes from 223.5.5.5: icmp_seq=2 ttl=128 time=24.1 ms
64 bytes from 223.5.5.5: icmp_seq=3 ttl=128 time=24.4 ms
64 bytes from 223.5.5.5: icmp_seq=4 ttl=128 time=22.1 ms
^C
--- 223.5.5.5 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3005ms
rtt min/avg/max/mdev = 22.138/27.384/38.910/6.711 ms
[root@rocky8 ~]# ping 172.31.0.7
PING 172.31.0.7 (172.31.0.7) 56(84) bytes of data.
64 bytes from 172.31.0.7: icmp_seq=1 ttl=64 time=0.365 ms
64 bytes from 172.31.0.7: icmp_seq=2 ttl=64 time=0.407 ms
64 bytes from 172.31.0.7: icmp_seq=3 ttl=64 time=0.492 ms
64 bytes from 172.31.0.7: icmp_seq=4 ttl=64 time=0.390 ms
^C
--- 172.31.0.7 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3108ms
rtt min/avg/max/mdev = 0.365/0.413/0.492/0.051 ms
[root@rocky8 ~]# ping 180.76.76.76
PING 180.76.76.76 (180.76.76.76) 56(84) bytes of data.
64 bytes from 180.76.76.76: icmp_seq=1 ttl=128 time=33.2 ms
64 bytes from 180.76.76.76: icmp_seq=2 ttl=128 time=33.9 ms
64 bytes from 180.76.76.76: icmp_seq=3 ttl=128 time=34.10 ms
64 bytes from 180.76.76.76: icmp_seq=4 ttl=128 time=36.5 ms
^C
--- 180.76.76.76 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3006ms
rtt min/avg/max/mdev = 33.222/34.660/36.522/1.259 ms
[root@rocky8 ~]# ping 114.114.114.114
PING 114.114.114.114 (114.114.114.114) 56(84) bytes of data.
64 bytes from 114.114.114.114: icmp_seq=1 ttl=128 time=32.4 ms
64 bytes from 114.114.114.114: icmp_seq=2 ttl=128 time=32.7 ms
64 bytes from 114.114.114.114: icmp_seq=3 ttl=128 time=30.6 ms
64 bytes from 114.114.114.114: icmp_seq=4 ttl=128 time=32.3 ms
^C
--- 114.114.114.114 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3008ms
rtt min/avg/max/mdev = 30.643/32.005/32.708/0.830 ms
[root@rocky8 ~]# ping 119.29.29.29
PING 119.29.29.29 (119.29.29.29) 56(84) bytes of data.
64 bytes from 119.29.29.29: icmp_seq=1 ttl=128 time=28.2 ms
64 bytes from 119.29.29.29: icmp_seq=2 ttl=128 time=31.1 ms
64 bytes from 119.29.29.29: icmp_seq=3 ttl=128 time=31.6 ms
64 bytes from 119.29.29.29: icmp_seq=4 ttl=128 time=28.7 ms
^C
--- 119.29.29.29 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3004ms
rtt min/avg/max/mdev = 28.176/29.885/31.571/1.474 ms
C:\Users\raymond>ping 180.76.76.76
正在 Ping 180.76.76.76 具有 32 字节的数据:
来自 180.76.76.76 的回复: 字节=32 时间=27ms TTL=51 # TTL=51 means 64-51=13: the packet crossed 13 routers, and each router decrements the TTL by one
来自 180.76.76.76 的回复: 字节=32 时间=27ms TTL=51
来自 180.76.76.76 的回复: 字节=32 时间=26ms TTL=51
来自 180.76.76.76 的回复: 字节=32 时间=27ms TTL=51
180.76.76.76 的 Ping 统计信息:
数据包: 已发送 = 4,已接收 = 4,丢失 = 0 (0% 丢失),
往返行程的估计时间(以毫秒为单位):
最短 = 26ms,最长 = 27ms,平均 = 26ms
[root@rocky8 ~]# iptables -A INPUT -s 172.31.0.7 -j REJECT
[root@rocky8 ~]# iptables -vnL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 REJECT all -- * * 172.31.0.7 0.0.0.0/0 reject-with icmp-port-unreachable
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
[root@centos7 ~]# ping 172.31.1.8
PING 172.31.1.8 (172.31.1.8) 56(84) bytes of data.
From 172.31.1.8 icmp_seq=1 Destination Port Unreachable
From 172.31.1.8 icmp_seq=2 Destination Port Unreachable
From 172.31.1.8 icmp_seq=3 Destination Port Unreachable
From 172.31.1.8 icmp_seq=4 Destination Port Unreachable
^C
--- 172.31.1.8 ping statistics ---
4 packets transmitted, 0 received, +4 errors, 100% packet loss, time 3000ms
[root@rocky8 ~]# iptables -F
[root@rocky8 ~]# ping www.raymond01.org
ping: www.raymond01.org: Name or service not known
[root@rocky8 ~]# ping -s 65508 172.31.1.8
Error: packet size 65508 is too large. Maximum is 65507
[root@rocky8 ~]# ping -f -s 65507 172.31.0.7
PING 172.31.0.7 (172.31.0.7) 65507(65535) bytes of data.
.^C
--- 172.31.0.7 ping statistics ---
4382 packets transmitted, 4381 received, 0.0228206% packet loss, time 20105ms
rtt min/avg/max/mdev = 0.928/4.400/6.028/0.562 ms, ipg/ewma 4.589/3.998 ms
What does PING do?
The main purpose of PING is to test whether a connection can be established between two hosts; if PING fails, no connection can be established.
It simply sends several ICMP echo request messages to the destination host
- If there is no response, a connection cannot be established
- If there is a response, the round-trip time and packet loss rate can be estimated from the timing of the echo replies returned by the destination host and the number of successful responses
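As an added example (not part of the course notes), the following Python computes the figures ping prints in its summary from the echo-reply lines, and turns the TTL of a reply into the router-count estimate used above (64 - 51 = 13). The sample reply lines are constructed to match the 172.31.0.7 run shown earlier; the table of initial TTL values is a heuristic assumption, since a NAT device or proxy that rewrites packets makes the estimate meaningless.

```python
import re
from statistics import mean

# Constructed sample input: the reply lines a Linux ping prints for a host on
# the same subnet (the values match the 172.31.0.7 run shown above).
SAMPLE_REPLIES = """\
64 bytes from 172.31.0.7: icmp_seq=1 ttl=64 time=0.365 ms
64 bytes from 172.31.0.7: icmp_seq=2 ttl=64 time=0.407 ms
64 bytes from 172.31.0.7: icmp_seq=3 ttl=64 time=0.492 ms
64 bytes from 172.31.0.7: icmp_seq=4 ttl=64 time=0.390 ms
"""

REPLY_RE = re.compile(
    r"(?P<bytes>\d+) bytes from (?P<host>[\w.:-]+): icmp_seq=(?P<seq>\d+) "
    r"ttl=(?P<ttl>\d+) time=(?P<time>[\d.]+) ms"
)

# Initial TTL values commonly used by operating systems (64: Linux and macOS,
# 128: Windows, 255: many network devices). Choosing the smallest of these that
# is not below the observed TTL is a heuristic assumption, not a guarantee.
COMMON_INITIAL_TTLS = (64, 128, 255)


def estimate_hops(ttl):
    """Estimate how many routers an echo reply crossed from its TTL."""
    for initial in COMMON_INITIAL_TTLS:
        if ttl <= initial:
            return initial - ttl
    raise ValueError(f"TTL {ttl} exceeds the IPv4 maximum of 255")


def parse_replies(text):
    """Return one dict per 'N bytes from ...' line; other lines are ignored."""
    replies = []
    for line in text.splitlines():
        m = REPLY_RE.search(line)
        if m:
            replies.append({"host": m["host"], "seq": int(m["seq"]),
                            "ttl": int(m["ttl"]), "rtt_ms": float(m["time"])})
    return replies


def summarize(text, transmitted):
    """Compute the figures ping prints in its summary: loss, rtt min/avg/max.

    transmitted is the number of echo requests sent (ping prints it at the end);
    the requests that never got a reply are the loss.
    """
    replies = parse_replies(text)
    received = len(replies)
    rtts = [r["rtt_ms"] for r in replies]
    return {
        "transmitted": transmitted,
        "received": received,
        "loss_pct": 100.0 * (transmitted - received) / transmitted,
        "rtt_min": min(rtts) if rtts else None,
        "rtt_avg": mean(rtts) if rtts else None,
        "rtt_max": max(rtts) if rtts else None,
        # hop estimate from the last reply's TTL (all replies normally agree)
        "hops": estimate_hops(replies[-1]["ttl"]) if replies else None,
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_REPLIES, transmitted=4))
    print(estimate_hops(51))  # the Windows run above: 64 - 51 = 13 routers
```

A reply TTL of 64 from a host on the same subnet yields 0 hops, which is why the LAN pings above show ttl=64 while the Internet addresses show lower or rewritten values.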
3.3.2 Address Resolution Protocol
3.3.2.1 ARP
ARP (Address Resolution Protocol) is specified in RFC 826, published by the Internet Engineering Task Force (IETF) in November 1982; it is a TCP/IP protocol that obtains a physical address from an IP address.
When a host sends information, it broadcasts an ARP request containing the destination IP address to all hosts on the local network and receives the returned message to determine the destination's physical address; after receiving the reply it stores the IP address and physical address in its local ARP cache and keeps them for a certain time, so that the next request queries the ARP cache directly to save resources. The Address Resolution Protocol is built on mutual trust between the hosts in the network: a host on the LAN can send an ARP reply on its own, and the other hosts, on receiving the reply, record it in their local ARP cache without checking whether the message is genuine.
Same-subnet ARP
Cross-subnet ARP
Example: ARP table
[root@rocky8 ~]# ip neigh
172.31.0.2 dev eth0 lladdr 00:50:56:ea:ab:89 STALE
172.31.0.7 dev eth0 lladdr 00:0c:29:50:0f:03 STALE
172.31.7.254 dev eth0 lladdr 00:50:56:f4:6a:1b STALE
172.31.0.1 dev eth0 lladdr 00:50:56:c0:00:08 DELAY
[root@rocky8 ~]# arp -n
Address HWtype HWaddress Flags Mask Iface
172.31.0.2 ether 00:50:56:ea:ab:89 C eth0
172.31.0.7 ether 00:0c:29:50:0f:03 C eth0
172.31.7.254 ether 00:50:56:f4:6a:1b C eth0
172.31.0.1 ether 00:50:56:c0:00:08 C eth0
Example:
[root@centos7 ~]# yum install -y tcpdump
[root@centos7 ~]# tcpdump -i eth0 arp -nn
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
[root@rocky8 ~]# ping 172.31.0.6
PING 172.31.0.6 (172.31.0.6) 56(84) bytes of data.
64 bytes from 172.31.0.6: icmp_seq=1 ttl=64 time=0.382 ms
64 bytes from 172.31.0.6: icmp_seq=2 ttl=64 time=0.464 ms
64 bytes from 172.31.0.6: icmp_seq=3 ttl=64 time=0.290 ms
64 bytes from 172.31.0.6: icmp_seq=4 ttl=64 time=0.375 ms
[root@centos7 ~]# tcpdump -i eth0 arp -nn
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
14:57:47.117529 ARP, Request who-has 172.31.0.6 tell 172.31.1.8, length 46
14:57:47.117628 ARP, Reply 172.31.0.6 is-at 00:0c:29:8e:46:7a, length 46
[root@rocky8 ~]# arp -n
Address HWtype HWaddress Flags Mask Iface
172.31.0.6 ether 00:0c:29:8e:46:7a C eth0
172.31.0.2 ether 00:50:56:ea:ab:89 C eth0
172.31.0.7 ether 00:0c:29:50:0f:03 C eth0
172.31.7.254 ether 00:50:56:f4:6a:1b C eth0
172.31.0.1 ether 00:50:56:c0:00:08 C eth0
Example: static ARP binding can prevent ARP spoofing
[root@rocky8 ~]# arp -s 172.31.0.6 00:0c:29:8e:46:7a
[root@rocky8 ~]# arp -n
Address HWtype HWaddress Flags Mask Iface
172.31.0.6 ether 00:0c:29:8e:46:7a CM eth0
172.31.0.2 ether 00:50:56:ea:ab:89 C eth0
172.31.0.7 ether 00:0c:29:50:0f:03 C eth0
172.31.7.254 ether 00:50:56:f4:6a:1b C eth0
172.31.0.1 ether 00:50:56:c0:00:08 C eth0
Example:
[root@rocky8 ~]# arp -d 172.31.0.6
[root@rocky8 ~]# arp -n
Address HWtype HWaddress Flags Mask Iface
172.31.0.2 ether 00:50:56:ea:ab:89 C eth0
172.31.0.7 ether 00:0c:29:50:0f:03 C eth0
172.31.7.254 ether 00:50:56:f4:6a:1b C eth0
172.31.0.1 ether 00:50:56:c0:00:08 C eth0
Example: ARP spoofing on a Kali system to hijack Internet traffic
# enable IP forwarding
[root@kali ~]# echo 1 > /proc/sys/net/ipv4/ip_forward
# install the package
[root@kali ~]# apt-get install dsniff
# spoof the target host: this machine poses as the gateway
[root@kali ~]# arpspoof -i eth0 -t <target host IP> <gateway IP>
# spoof the gateway: this machine poses as the target host
[root@kali ~]# arpspoof -i eth0 -t <gateway IP> <target host IP>
3.3.2.2 Gratuitous ARP
Gratuitous ARP is also called free ARP or unsolicited ARP. Gratuitous ARP differs from an ordinary ARP request in that it does not expect to obtain the MAC address for an IP; instead, when a host starts up it sends a gratuitous ARP request, that is, it requests the MAC address of its own IP address.
Gratuitous ARP serves two purposes:
- Checking for IP conflicts: a host can use it to determine whether another host has been configured with the same IP address
- Replacing a physical NIC: if the host sending the ARP has changed its physical address (e.g. the NIC was replaced), this method notifies the other hosts on the network to update their ARP caches promptly
Example: capturing the ARP messages during a CentOS 8 reboot
Example: capturing the ARP messages during a CentOS 6 reboot
Example:
[root@centos7 ~]# tcpdump -i eth0 arp -nn
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
15:05:45.952866 ARP, Request who-has 172.31.1.8 tell 172.31.0.6, length 46
15:05:45.952970 ARP, Reply 172.31.1.8 is-at 00:0c:29:f9:6a:d1, length 46
# gratuitous ARP
3.3.3 Reverse Address Resolution Protocol
RARP translates a MAC address into an IP address
3.3.4 Internet Protocol
3.3.4.1 Internet Protocol characteristics
- Runs at the OSI network layer
- Connectionless protocol
- Handles each packet independently
- Hierarchical addressing
- Best-effort delivery
- No data recovery feature
3.3.4.2 IP PDU header
IP PDU header format
- Version: 4 bits, the version of the IP protocol; the current IP protocol version number is 4
- Header length: 4 bits; the largest value it can express is 15 units, and one unit is 4 bytes, so the maximum IP header length is 60 bytes
- Differentiated services: 8 bits, used to obtain better service. In the old standard it was called Type of Service but was never actually used; it was later renamed Differentiated Services. The field only takes effect when differentiated services (DiffServ) are used; normally it is not used
- Total length: 16 bits, the length of header plus data in bytes, so the maximum datagram length is 65535 bytes. The total length must not exceed the maximum transmission unit, MTU
- Identification: 16 bits; it is a counter that is normally incremented by 1 for each datagram sent. It is also used for fragmentation: all fragments of the same datagram carry the same value
- Flags: 3 bits; currently only the last two bits have meaning
DF: Don't Fragment, the middle bit; fragmentation is allowed only when DF=0
MF: More Fragments, the last bit; MF=1 means more fragments follow, MF=0 means this is the last fragment
IP PDU header
- Fragment offset: 13 bits, the relative position of this fragment within the original datagram after a longer datagram has been fragmented. The fragment offset is expressed in units of 8 bytes
- Time to live: 8 bits, written TTL (Time To Live), the maximum number of routers a datagram may pass through in the network. The TTL field is an 8-bit field initially set by the sender. The recommended initial value is specified in the Assigned Numbers RFC and is currently 64. When sending an ICMP echo reply the TTL is often set to the maximum value, 255
- Protocol: 8 bits, indicates which protocol the data carried by this datagram uses, so that the IP layer of the destination host knows which process to hand the data portion to: 1 is ICMP, 2 is IGMP, 6 is TCP, 17 is UDP
- Header checksum: 16 bits, checks only the datagram header, not the data. It does not use a CRC but a simple computation
- Source and destination addresses: 4 bytes each, recording the source address and destination address respectively
Example:
[root@rocky8 ~]# cat /proc/sys/net/ipv4/ip_default_ttl
64
[root@rocky8 ~]# echo "ibase=2;10101100000111110000000100001000" |bc
2887713032
[root@rocky8 ~]# ping 2887713032
PING 2887713032 (172.31.1.8) 56(84) bytes of data.
64 bytes from 172.31.1.8: icmp_seq=1 ttl=64 time=0.041 ms
64 bytes from 172.31.1.8: icmp_seq=2 ttl=64 time=0.037 ms
64 bytes from 172.31.1.8: icmp_seq=3 ttl=64 time=0.056 ms
^C
--- 2887713032 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2025ms
rtt min/avg/max/mdev = 0.037/0.044/0.056/0.011 ms
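As an added example (not from the course notes), the following Python builds and decodes the 20-byte IPv4 header described above, field by field, and verifies the header checksum the way a receiver does: the ones' complement sum of the whole header, checksum field included, must come out to zero. It also converts a dotted-quad address to the 32-bit integer that ping accepted in the bc example above. The packet is constructed for the example (an 84-byte echo request, 20 bytes of header plus 64 bytes of ICMP, as ping sends by default).

```python
import struct
from ipaddress import IPv4Address

PROTOCOL_NAMES = {1: "ICMP", 2: "IGMP", 6: "TCP", 17: "UDP"}


def ones_complement_sum(data):
    """RFC 1071 Internet checksum: sum 16-bit words, fold carries, invert."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def dotted_to_int(addr):
    """Dotted-quad string to the 32-bit integer ping also accepts (bc example above)."""
    return int(IPv4Address(addr))


def build_ipv4_header(src, dst, payload_len, ttl=64, proto=1, ident=0x1234,
                      df=True, mf=False, frag_offset=0):
    """Build a 20-byte header without options and fill in a valid checksum."""
    ihl = 5                                   # 5 units of 4 bytes = 20 bytes
    ver_ihl = (4 << 4) | ihl
    total_len = ihl * 4 + payload_len
    flags = (int(df) << 1) | int(mf)          # bit 1 = DF, bit 0 = MF
    flags_frag = (flags << 13) | (frag_offset // 8)   # offset in 8-byte units
    header = struct.pack("!BBHHHBBH4s4s", ver_ihl, 0, total_len, ident, flags_frag,
                         ttl, proto, 0, IPv4Address(src).packed, IPv4Address(dst).packed)
    csum = ones_complement_sum(header)        # computed with the field zeroed
    return header[:10] + struct.pack("!H", csum) + header[12:]


def header_checksum_ok(raw):
    """True when the header verifies: summing it with its checksum yields zero."""
    ihl = raw[0] & 0x0F
    return ones_complement_sum(raw[:ihl * 4]) == 0


def parse_ipv4_header(raw):
    """Decode the fields described above from the start of an IPv4 packet."""
    if len(raw) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, dscp_ecn, total_len, ident, flags_frag,
     ttl, proto, csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    version, ihl = ver_ihl >> 4, ver_ihl & 0x0F
    if version != 4:
        raise ValueError(f"not IPv4 (version {version})")
    header_len = ihl * 4                      # IHL is in 4-byte units, max 60 bytes
    if header_len < 20 or len(raw) < header_len:
        raise ValueError(f"bad IHL {ihl}")
    if not header_checksum_ok(raw):
        raise ValueError("header checksum mismatch")
    flags = flags_frag >> 13
    return {
        "version": version,
        "header_len": header_len,
        "dscp": dscp_ecn >> 2,
        "total_len": total_len,
        "id": ident,
        "df": bool(flags & 0b010),
        "mf": bool(flags & 0b001),
        "frag_offset": (flags_frag & 0x1FFF) * 8,   # back to bytes
        "ttl": ttl,
        "protocol": PROTOCOL_NAMES.get(proto, proto),
        "checksum": csum,
        "src": str(IPv4Address(src)),
        "dst": str(IPv4Address(dst)),
    }


if __name__ == "__main__":
    # Constructed packet: header of the 84-byte echo request ping sends by
    # default, addressed to the host from the example above.
    hdr = build_ipv4_header("172.31.0.7", "172.31.1.8", payload_len=64)
    print(parse_ipv4_header(hdr))
    print(dotted_to_int("172.31.1.8"))
```

Because the checksum covers only the header, changing the TTL by one makes verification fail while appending or corrupting payload bytes does not; that is the "checks only the header, not the data" point from the field list, and it is why routers must recompute the checksum each time they decrement the TTL.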
Example:
[root@centos7 ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:0c:29:50:0f:03 brd ff:ff:ff:ff:ff:ff
inet 172.31.0.7/21 brd 172.31.7.255 scope global noprefixroute eth0
valid_lft forever preferred_lft forever
inet6 fe80::20c:29ff:fe50:f03/64 scope link
valid_lft forever preferred_lft forever
[root@centos7 ~]# ip a a 172.31.0.6/21 dev eth0 label eth0:1
[root@centos7 ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:0c:29:50:0f:03 brd ff:ff:ff:ff:ff:ff
inet 172.31.0.7/21 brd 172.31.7.255 scope global noprefixroute eth0
valid_lft forever preferred_lft forever
inet 172.31.0.6/21 scope global secondary eth0:1
valid_lft forever preferred_lft forever
inet6 fe80::20c:29ff:fe50:f03/64 scope link
valid_lft forever preferred_lft forever
[root@rocky8 ~]# arp -n
Address HWtype HWaddress Flags Mask Iface
172.31.0.6 ether 00:0c:29:8e:46:7a C eth0
172.31.0.2 ether 00:50:56:ea:ab:89 C eth0
172.31.0.7 ether 00:0c:29:50:0f:03 C eth0
172.31.7.254 ether 00:50:56:f4:6a:1b C eth0
172.31.0.1 ether 00:50:56:c0:00:08 C eth0
# find the hosts with the conflicting IP
root@ubuntu1804:~# arping 172.31.0.6
ARPING 172.31.0.6
60 bytes from 00:0c:29:50:0f:03 (172.31.0.6): index=0 time=202.791 usec
60 bytes from 00:0c:29:8e:46:7a (172.31.0.6): index=1 time=347.122 usec
60 bytes from 00:0c:29:50:0f:03 (172.31.0.6): index=2 time=181.210 usec
60 bytes from 00:0c:29:8e:46:7a (172.31.0.6): index=3 time=459.633 usec
60 bytes from 00:0c:29:50:0f:03 (172.31.0.6): index=4 time=295.335 usec
60 bytes from 00:0c:29:8e:46:7a (172.31.0.6): index=5 time=632.849 usec
60 bytes from 00:0c:29:8e:46:7a (172.31.0.6): index=6 time=160.417 usec
60 bytes from 00:0c:29:50:0f:03 (172.31.0.6): index=7 time=326.288 usec
60 bytes from 00:0c:29:8e:46:7a (172.31.0.6): index=8 time=480.989 usec
60 bytes from 00:0c:29:50:0f:03 (172.31.0.6): index=9 time=868.357 usec
^C
--- 172.31.0.6 statistics ---
5 packets transmitted, 10 packets received, 0% unanswered (5 extra)
rtt min/avg/max/std-dev = 0.160/0.395/0.868/0.211 ms
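The arping output above shows the symptom a defender wants to catch automatically: one IP answered by two different MAC addresses. As an added example (not from the course notes), the following Python audits ARP traffic in the `tcpdump -nn` line format shown earlier and reports three things: IPs answered by more than one MAC (an IP conflict or spoofing), replies that contradict a static binding of the kind pinned with `arp -s` above, and replies that no `who-has` asked for (gratuitous ARP, legitimate at boot but also the way a cache gets poisoned). The capture lines and the static binding table are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample in the format of `tcpdump -i eth0 arp -nn` shown above.
# The last line is a reply for 172.31.0.6 from a second MAC address, the
# situation the arping output above reveals (two hosts answering for one IP).
SAMPLE_ARP_LINES = """\
14:57:47.117529 ARP, Request who-has 172.31.0.6 tell 172.31.1.8, length 46
14:57:47.117628 ARP, Reply 172.31.0.6 is-at 00:0c:29:8e:46:7a, length 46
14:57:49.201001 ARP, Request who-has 172.31.0.1 tell 172.31.1.8, length 46
14:57:49.201130 ARP, Reply 172.31.0.1 is-at 00:50:56:c0:00:08, length 46
14:58:03.555555 ARP, Reply 172.31.0.6 is-at 00:0c:29:50:0f:03, length 46
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"
REQUEST_RE = re.compile(rf"ARP, Request who-has (?P<ip>{IPV4}) tell ")
REPLY_RE = re.compile(rf"ARP, Reply (?P<ip>{IPV4}) is-at (?P<mac>{MAC})", re.IGNORECASE)

# Bindings this host trusts, e.g. the ones pinned with `arp -s` above
# (constructed for the example).
STATIC_BINDINGS = {"172.31.0.1": "00:50:56:c0:00:08"}


def audit_arp(text, static=STATIC_BINDINGS):
    """Scan ARP traffic for replies a defender should look at.

    Returns a dict with:
      conflicts    - IPs answered by more than one MAC (IP conflict or spoofing)
      violations   - replies that contradict a static binding
      unsolicited  - replies not preceded by a matching who-has (gratuitous ARP)
    """
    macs_for_ip = defaultdict(set)
    pending = set()           # IPs asked for and not yet answered
    violations, unsolicited = [], []
    for line in text.splitlines():
        req = REQUEST_RE.search(line)
        if req:
            pending.add(req["ip"])
            continue
        rep = REPLY_RE.search(line)
        if not rep:
            continue
        ip, mac = rep["ip"], rep["mac"].lower()
        macs_for_ip[ip].add(mac)
        if ip in pending:
            pending.discard(ip)
        else:
            unsolicited.append((ip, mac))
        if ip in static and static[ip].lower() != mac:
            violations.append((ip, mac))
    conflicts = {ip: sorted(m) for ip, m in macs_for_ip.items() if len(m) > 1}
    return {"conflicts": conflicts, "violations": violations,
            "unsolicited": unsolicited}


if __name__ == "__main__":
    for key, value in audit_arp(SAMPLE_ARP_LINES).items():
        print(key, value)
```

Run against a live capture (`tcpdump -i eth0 arp -nn -l | python3 audit.py` with a small read loop added) the same logic gives a continuous check on the entries that `arp -s` is meant to protect; a single unsolicited reply is normal right after a host boots, but a stream of them for the gateway address is not.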
Protocol field
3.4 The complete process of host-to-host packet delivery
Example:
1 22/tcp
1 Check whether the destination address is in the same subnet (and then)
2 ARP to obtain the MAC
3 Three-way handshake
4 Data communication
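The first two steps hinge on one decision: whether the destination is on the local subnet, which decides whose MAC the sender must resolve with ARP (the destination's, or the gateway's). As an added example (not from the course notes), the following Python makes that decision with the standard `ipaddress` module, using the 172.31.0.7/21 interface and 172.31.7.254 gateway from the `ip a` and `arp -n` output above; the hosts and ports are taken from the page, and the gateway check is an added sanity test.

```python
from ipaddress import ip_address, ip_interface


def next_hop(local_cidr, gateway, destination):
    """Return the IP whose MAC this host must resolve with ARP to reach destination.

    local_cidr is this host's address with prefix as `ip a` prints it (e.g.
    "172.31.0.7/21"); gateway is the default gateway, which must lie on that
    subnet or the host could never ARP for it.
    """
    iface = ip_interface(local_cidr)
    gw = ip_address(gateway)
    if gw not in iface.network:
        raise ValueError(f"gateway {gw} is not on {iface.network}")
    dst = ip_address(destination)
    if dst == iface.ip:
        return None                 # ourselves: delivered locally, no ARP at all
    if dst in iface.network:
        return str(dst)             # same subnet: ARP for the destination itself
    return str(gw)                  # other subnet: ARP for the gateway


def delivery_plan(local_cidr, gateway, destination, port=22):
    """The four steps listed above with the ARP target filled in."""
    hop = next_hop(local_cidr, gateway, destination)
    if hop is None:
        return [f"1 {destination} is this host; loopback delivery"]
    where = "same subnet" if hop == str(ip_address(destination)) else "reached via gateway"
    return [
        f"1 {destination}: {where}",
        f"2 ARP for the MAC of {hop}",
        f"3 TCP three-way handshake to {destination}:{port}",
        "4 data communication",
    ]


if __name__ == "__main__":
    for step in delivery_plan("172.31.0.7/21", "172.31.7.254", "172.31.1.8"):
        print(step)
    for step in delivery_plan("172.31.0.7/21", "172.31.7.254", "223.5.5.5"):
        print(step)
```

This is also why the ARP table earlier only ever contains addresses inside 172.31.0.0/21: a packet for 223.5.5.5 never triggers an ARP request for 223.5.5.5, only for the gateway.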