TCP协议抓包分析 – wireshark
TCP- (Transmission Control Protocol,传输控制协议)是一种面向连接的、可靠的、基于IP的传输层协议。它的主要目的就是为数据提供可靠的端到端的传输服务。参考RFC793
TCP是面向连接的通信协议,在通信过程中,通过三次握手建立连接,通信结束之后还需要断开连接。如果要发送的数据包没有被送到目的地还会进行数据包的重传。
相比于UDP TCP提供可靠的网络传输服务,可以提高网络的安全性,因为使用TCP进行数据传输时,每个数据包都要进行确认。若果有一个数据包丢失就收不到确认包,发送方就知道应该重发这个数据包,这样就保证了数据的安全性。
以下是三次握手的建立过程
- 第一次握手建立时,客户端向服务器发送
SYN报文(Seq=x,SYN=1),并进入SYN_SEND状态,等待服务器确认。 - 第二次握手,分两部分来完成,即
SYN+ACK(请求和确认)报文
- 服务器收到客户端的请求,向客户端确认信息(
Ack=x+1) - 服务器再向客户端发送一个
SYN包(Seq=y)建立连接的请求,此时服务器进入SYN_RECV状态
- 第三次握手客户端收到服务器的回复(
SYN+ACK),此时,客户端也要向服务器发送确认包(ACK),此包发送完毕客户端和服务器进入ESTABLISHED状态,完成三次握手。
以下是TCP四次挥手的计算过程
TCP重置
在理想的情况中,每一个连接都会以TCP四次断开来正常的结束会话,但是在现实中,连接经常会突然断掉。例如,这可能由于一个潜在的攻击者正在进行断开扫描,或者仅仅是主机配置错误,在这种其概况下就需要使用设置了RST标志的TCP数据包,RST标志用来指出连接异常终止或拒绝连接请求的包。
TCP各个协议之间的关系
TCP首部
- Source Port`: 用来传输数据包的端口 🦌
-
Destination Port: 接收数据的端口 -
Sequence Number: 该数字表示一个TCP片段,这个部分用来表示数据部分没有丢失 -
Acknowledgment Number: 该数字是通信中希望从对方中得到的下一个数据包的序号 -
Data offset: 数据偏移 -
Reserved: 保留 - 标记
-
Window: 窗口大小 -
checksum: 校验和 -
Urgent Pointer: 紧急指针 -
Options: 选项
标记
URG:紧急标志,此标志表示TCP包的紧急指针域有效,用来保证TCP连接不被中断,并催促中间设备要尽快处理这些数据
ACK:确认标志,分别为1或者0,为1的时候代表应答优先,反之为0
PSH:该标志是PUSH操作,代表着数据到达接收端以后,立即传送给应用程序,而不是在缓冲区中排队
RST:该标志表示连接复位请求,用来复位那些产生的错误连接,也用来拒绝错误和非法的数据包
SYN:表示同步序号,SYN标志位和ACK标志位搭配使用,当连接请求的时候,SYN=1,ACK=0;当连接响应的时候SYN=1,ACK=1。标志的数据经常用来进行端口扫描,扫描者发送一个只有SYN的数据包,如果对方主机回应一个数据包,则说明该主机的对应端口是存在监听的。
FIN:说明数据结束了,也就是双方数据传输完成,断开连接的意思。该标记也可以用于进行端口扫描,当发送一个带有FIN标记的数据包的时候,如果对方相应一个RST说明这台计算机对应的端口是不存在的,但是对应的计算机是存在的,若是对方没有反馈任何数据包,就表明这台被扫描的计算机是存在这个端口
三次握手报文
TCP第一次握手
Transmission Control Protocol, Src Port: 42942, Dst Port: 80, Seq: 0, Len: 0
Source Port: 42942
Destination Port: 80
[Stream index: 42]
[TCP Segment Len: 0]
Sequence number: 0 (relative sequence number)
Sequence number (raw): 2725618253
[Next sequence number: 1 (relative sequence number)]
Acknowledgment number: 0
Acknowledgment number (raw): 0
1010 .... = Header Length: 40 bytes (10)
Flags: 0x002 (SYN) # 这里表明是SYN
000. .... .... = Reserved: Not set
...0 .... .... = Nonce: Not set
.... 0... .... = Congestion Window Reduced (CWR): Not set
.... .0.. .... = ECN-Echo: Not set
.... ..0. .... = Urgent: Not set
.... ...0 .... = Acknowledgment: Not set
.... .... 0... = Push: Not set
.... .... .0.. = Reset: Not set
.... .... ..1. = Syn: Set
[Expert Info (Chat/Sequence): Connection establish request (SYN): server port 80]
[Connection establish request (SYN): server port 80]
[Severity level: Chat]
[Group: Sequence]
.... .... ...0 = Fin: Not set
[TCP Flags: ··········S·]
Window size value: 64240
[Calculated window size: 64240]
Checksum: 0x488e [unverified]
[Checksum Status: Unverified]
Urgent pointer: 0
Options: (20 bytes), Maximum segment size, SACK permitted, Timestamps, No-Operation (NOP), Window scale
TCP Option - Maximum segment size: 1460 bytes
Kind: Maximum Segment Size (2)
Length: 4
MSS Value: 1460
TCP Option - SACK permitted
Kind: SACK Permitted (4)
Length: 2
TCP Option - Timestamps: TSval 2292026825, TSecr 0
Kind: Time Stamp Option (8)
Length: 10
Timestamp value: 2292026825
Timestamp echo reply: 0
TCP Option - No-Operation (NOP)
Kind: No-Operation (1)
TCP Option - Window scale: 7 (multiply by 128)
Kind: Window Scale (3)
Length: 3
Shift count: 7
[Multiplier: 128]
[Timestamps]
[Time since first frame in this TCP stream: 0.000000000 seconds]
[Time since previous frame in this TCP stream: 0.000000000 seconds]TCP第二次握手
Transmission Control Protocol, Src Port: 80, Dst Port: 42942, Seq: 0, Ack: 1, Len: 0
Source Port: 80
Destination Port: 42942
[Stream index: 42]
[TCP Segment Len: 0]
Sequence number: 0 (relative sequence number)
Sequence number (raw): 3580910260
[Next sequence number: 1 (relative sequence number)]
Acknowledgment number: 1 (relative ack number)
Acknowledgment number (raw): 2725618254
1010 .... = Header Length: 40 bytes (10)
Flags: 0x012 (SYN, ACK) # 表明是第二次进行握手
000. .... .... = Reserved: Not set
...0 .... .... = Nonce: Not set
.... 0... .... = Congestion Window Reduced (CWR): Not set
.... .0.. .... = ECN-Echo: Not set
.... ..0. .... = Urgent: Not set
.... ...1 .... = Acknowledgment: Set
.... .... 0... = Push: Not set
.... .... .0.. = Reset: Not set
.... .... ..1. = Syn: Set
[Expert Info (Chat/Sequence): Connection establish acknowledge (SYN+ACK): server port 80]
[Connection establish acknowledge (SYN+ACK): server port 80]
[Severity level: Chat]
[Group: Sequence]
.... .... ...0 = Fin: Not set
[TCP Flags: ·······A··S·]
Window size value: 28960
[Calculated window size: 28960]
Checksum: 0x9240 [unverified]
[Checksum Status: Unverified]
Urgent pointer: 0
Options: (20 bytes), Maximum segment size, SACK permitted, Timestamps, No-Operation (NOP), Window scale
TCP Option - Maximum segment size: 1412 bytes
Kind: Maximum Segment Size (2)
Length: 4
MSS Value: 1412
TCP Option - SACK permitted
Kind: SACK Permitted (4)
Length: 2
TCP Option - Timestamps: TSval 3883000206, TSecr 2292026825
Kind: Time Stamp Option (8)
Length: 10
Timestamp value: 3883000206
Timestamp echo reply: 2292026825
TCP Option - No-Operation (NOP)
Kind: No-Operation (1)
TCP Option - Window scale: 7 (multiply by 128)
Kind: Window Scale (3)
Length: 3
Shift count: 7
[Multiplier: 128]
[SEQ/ACK analysis]
[This is an ACK to the segment in frame: 1701]
[The RTT to ACK the segment was: 0.036923396 seconds]
[iRTT: 0.036936408 seconds]
[Timestamps]
[Time since first frame in this TCP stream: 0.036923396 seconds]
[Time since previous frame in this TCP stream: 0.036923396 seconds]TCP第三次握手信息
Transmission Control Protocol, Src Port: 42942, Dst Port: 80, Seq: 1, Ack: 1, Len: 0
Source Port: 42942
Destination Port: 80
[Stream index: 42]
[TCP Segment Len: 0]
Sequence number: 1 (relative sequence number)
Sequence number (raw): 2725618254
[Next sequence number: 1 (relative sequence number)]
Acknowledgment number: 1 (relative ack number)
Acknowledgment number (raw): 3580910261
1000 .... = Header Length: 32 bytes (8)
Flags: 0x010 (ACK) # 确认包
000. .... .... = Reserved: Not set
...0 .... .... = Nonce: Not set
.... 0... .... = Congestion Window Reduced (CWR): Not set
.... .0.. .... = ECN-Echo: Not set
.... ..0. .... = Urgent: Not set
.... ...1 .... = Acknowledgment: Set
.... .... 0... = Push: Not set
.... .... .0.. = Reset: Not set
.... .... ..0. = Syn: Not set
.... .... ...0 = Fin: Not set
[TCP Flags: ·······A····]
Window size value: 502
[Calculated window size: 64256]
[Window size scaling factor: 128]
Checksum: 0x4886 [unverified]
[Checksum Status: Unverified]
Urgent pointer: 0
Options: (12 bytes), No-Operation (NOP), No-Operation (NOP), Timestamps
TCP Option - No-Operation (NOP)
Kind: No-Operation (1)
TCP Option - No-Operation (NOP)
Kind: No-Operation (1)
TCP Option - Timestamps: TSval 2292026862, TSecr 3883000206
Kind: Time Stamp Option (8)
Length: 10
Timestamp value: 2292026862
Timestamp echo reply: 3883000206
[SEQ/ACK analysis]
[This is an ACK to the segment in frame: 1713]
[The RTT to ACK the segment was: 0.000013012 seconds]
[iRTT: 0.036936408 seconds]
[Timestamps]
[Time since first frame in this TCP stream: 0.036936408 seconds]
[Time since previous frame in this TCP stream: 0.000013012 seconds]四次挥手报文
TCP第一次挥手
Transmission Control Protocol, Src Port: 80, Dst Port: 42942, Seq: 96357, Ack: 431, Len: 0
Source Port: 80
Destination Port: 42942
[Stream index: 42]
[TCP Segment Len: 0]
Sequence number: 96357 (relative sequence number)
Sequence number (raw): 3581006617
[Next sequence number: 96358 (relative sequence number)]
Acknowledgment number: 431 (relative ack number)
Acknowledgment number (raw): 2725618684
1000 .... = Header Length: 32 bytes (8)
Flags: 0x011 (FIN, ACK)
000. .... .... = Reserved: Not set
...0 .... .... = Nonce: Not set
.... 0... .... = Congestion Window Reduced (CWR): Not set
.... .0.. .... = ECN-Echo: Not set
.... ..0. .... = Urgent: Not set
.... ...1 .... = Acknowledgment: Set
.... .... 0... = Push: Not set
.... .... .0.. = Reset: Not set
.... .... ..0. = Syn: Not set
.... .... ...1 = Fin: Set # 设置了FIN 位
[Expert Info (Chat/Sequence): Connection finish (FIN)]
[Connection finish (FIN)]
[Severity level: Chat]
[Group: Sequence]
[TCP Flags: ·······A···F]
Window size value: 235
[Calculated window size: 30080]
[Window size scaling factor: 128]
Checksum: 0xa05d [unverified]
[Checksum Status: Unverified]
Urgent pointer: 0
Options: (12 bytes), No-Operation (NOP), No-Operation (NOP), Timestamps
TCP Option - No-Operation (NOP)
Kind: No-Operation (1)
TCP Option - No-Operation (NOP)
Kind: No-Operation (1)
TCP Option - Timestamps: TSval 3883005416, TSecr 2292027407
Kind: Time Stamp Option (8)
Length: 10
Timestamp value: 3883005416
Timestamp echo reply: 2292027407
[Timestamps]
[Time since first frame in this TCP stream: 5.246526261 seconds]
[Time since previous frame in this TCP stream: 4.663717779 seconds]第二次挥手
Transmission Control Protocol, Src Port: 42942, Dst Port: 80, Seq: 431, Ack: 96358, Len: 0
Source Port: 42942
Destination Port: 80
[Stream index: 42]
[TCP Segment Len: 0]
Sequence number: 431 (relative sequence number)
Sequence number (raw): 2725618684
[Next sequence number: 431 (relative sequence number)]
Acknowledgment number: 96358 (relative ack number)
Acknowledgment number (raw): 3581006618
1000 .... = Header Length: 32 bytes (8)
Flags: 0x010 (ACK)
000. .... .... = Reserved: Not set
...0 .... .... = Nonce: Not set
.... 0... .... = Congestion Window Reduced (CWR): Not set
.... .0.. .... = ECN-Echo: Not set
.... ..0. .... = Urgent: Not set
.... ...1 .... = Acknowledgment: Set
.... .... 0... = Push: Not set
.... .... .0.. = Reset: Not set
.... .... ..0. = Syn: Not set
.... .... ...0 = Fin: Not set
[TCP Flags: ·······A····]
Window size value: 1341
[Calculated window size: 171648]
[Window size scaling factor: 128]
Checksum: 0x4886 [unverified]
[Checksum Status: Unverified]
Urgent pointer: 0
Options: (12 bytes), No-Operation (NOP), No-Operation (NOP), Timestamps
TCP Option - No-Operation (NOP)
Kind: No-Operation (1)
TCP Option - No-Operation (NOP)
Kind: No-Operation (1)
TCP Option - Timestamps: TSval 2292032113, TSecr 3883005416
Kind: Time Stamp Option (8)
Length: 10
Timestamp value: 2292032113
Timestamp echo reply: 3883005416
[SEQ/ACK analysis]
[This is an ACK to the segment in frame: 1886]
[The RTT to ACK the segment was: 0.041837077 seconds]
[iRTT: 0.036936408 seconds]
[Timestamps]
[Time since first frame in this TCP stream: 5.288363338 seconds]
[Time since previous frame in this TCP stream: 0.041837077 seconds]第三次挥手
Transmission Control Protocol, Src Port: 42942, Dst Port: 80, Seq: 431, Ack: 96358, Len: 0
Source Port: 42942
Destination Port: 80
[Stream index: 42]
[TCP Segment Len: 0]
Sequence number: 431 (relative sequence number)
Sequence number (raw): 2725618684
[Next sequence number: 432 (relative sequence number)]
Acknowledgment number: 96358 (relative ack number)
Acknowledgment number (raw): 3581006618
1000 .... = Header Length: 32 bytes (8)
Flags: 0x011 (FIN, ACK)
000. .... .... = Reserved: Not set
...0 .... .... = Nonce: Not set
.... 0... .... = Congestion Window Reduced (CWR): Not set
.... .0.. .... = ECN-Echo: Not set
.... ..0. .... = Urgent: Not set
.... ...1 .... = Acknowledgment: Set
.... .... 0... = Push: Not set
.... .... .0.. = Reset: Not set
.... .... ..0. = Syn: Not set
.... .... ...1 = Fin: Set
[Expert Info (Chat/Sequence): Connection finish (FIN)]
[Connection finish (FIN)]
[Severity level: Chat]
[Group: Sequence]
[TCP Flags: ·······A···F]
Window size value: 1341
[Calculated window size: 171648]
[Window size scaling factor: 128]
Checksum: 0x4886 [unverified]
[Checksum Status: Unverified]
Urgent pointer: 0
Options: (12 bytes), No-Operation (NOP), No-Operation (NOP), Timestamps
TCP Option - No-Operation (NOP)
Kind: No-Operation (1)
TCP Option - No-Operation (NOP)
Kind: No-Operation (1)
TCP Option - Timestamps: TSval 2292032716, TSecr 3883005416
Kind: Time Stamp Option (8)
Length: 10
Timestamp value: 2292032716
Timestamp echo reply: 3883005416
[Timestamps]
[Time since first frame in this TCP stream: 5.891095824 seconds]
[Time since previous frame in this TCP stream: 0.602732486 seconds]第四次挥手
Transmission Control Protocol, Src Port: 80, Dst Port: 42942, Seq: 96358, Ack: 432, Len: 0
Source Port: 80
Destination Port: 42942
[Stream index: 42]
[TCP Segment Len: 0]
Sequence number: 96358 (relative sequence number)
Sequence number (raw): 3581006618
[Next sequence number: 96358 (relative sequence number)]
Acknowledgment number: 432 (relative ack number)
Acknowledgment number (raw): 2725618685
1000 .... = Header Length: 32 bytes (8)
Flags: 0x010 (ACK)
000. .... .... = Reserved: Not set
...0 .... .... = Nonce: Not set
.... 0... .... = Congestion Window Reduced (CWR): Not set
.... .0.. .... = ECN-Echo: Not set
.... ..0. .... = Urgent: Not set
.... ...1 .... = Acknowledgment: Set
.... .... 0... = Push: Not set
.... .... .0.. = Reset: Not set
.... .... ..0. = Syn: Not set
.... .... ...0 = Fin: Not set
[TCP Flags: ·······A····]
Window size value: 235
[Calculated window size: 30080]
[Window size scaling factor: 128]
Checksum: 0x88f5 [unverified]
[Checksum Status: Unverified]
Urgent pointer: 0
Options: (12 bytes), No-Operation (NOP), No-Operation (NOP), Timestamps
TCP Option - No-Operation (NOP)
Kind: No-Operation (1)
TCP Option - No-Operation (NOP)
Kind: No-Operation (1)
TCP Option - Timestamps: TSval 3883006098, TSecr 2292032716
Kind: Time Stamp Option (8)
Length: 10
Timestamp value: 3883006098
Timestamp echo reply: 2292032716
[SEQ/ACK analysis]
[This is an ACK to the segment in frame: 1894]
[The RTT to ACK the segment was: 0.037212056 seconds]
[iRTT: 0.036936408 seconds]
[Timestamps]
[Time since first frame in this TCP stream: 5.928307880 seconds]
[Time since previous frame in this TCP stream: 0.037212056 seconds]TCP reset包
Transmission Control Protocol, Src Port: 58842, Dst Port: 443, Seq: 1, Ack: 33, Len: 0
Source Port: 58842
Destination Port: 443
[Stream index: 0]
[TCP Segment Len: 0]
Sequence number: 1 (relative sequence number)
Sequence number (raw): 2675798108
[Next sequence number: 1 (relative sequence number)]
Acknowledgment number: 33 (relative ack number)
Acknowledgment number (raw): 4035810720
0101 .... = Header Length: 20 bytes (5)
Flags: 0x014 (RST, ACK)
000. .... .... = Reserved: Not set
...0 .... .... = Nonce: Not set
.... 0... .... = Congestion Window Reduced (CWR): Not set
.... .0.. .... = ECN-Echo: Not set
.... ..0. .... = Urgent: Not set
.... ...1 .... = Acknowledgment: Set
.... .... 0... = Push: Not set
.... .... .1.. = Reset: Set # 设置reset标记
[Expert Info (Warning/Sequence): Connection reset (RST)]
[Connection reset (RST)]
[Severity level: Warning]
[Group: Sequence]
.... .... ..0. = Syn: Not set
.... .... ...0 = Fin: Not set
[TCP Flags: ·······A·R··]
Window size value: 501
[Calculated window size: 501]
[Window size scaling factor: -1 (unknown)]
Checksum: 0x7114 [unverified]
[Checksum Status: Unverified]
Urgent pointer: 0
[Timestamps]
[Time since first frame in this TCP stream: 3.678235464 seconds]
[Time since previous frame in this TCP stream: 3.678165023 seconds]TCP连接状态机
本文章为转载内容,我们尊重原作者对文章享有的著作权。如有内容错误或侵权问题,欢迎原作者联系我们进行内容更正或删除文章。
