TCP protocol packet capture analysis -- Wireshark

    Tech  2022-07-15


    TCP (Transmission Control Protocol) is a connection-oriented, reliable, IP-based transport-layer protocol. Its main purpose is to provide a reliable end-to-end transport service for data. See RFC 793.

    TCP is a connection-oriented communication protocol: a connection is established with a three-way handshake before communication, and it must be torn down again when communication ends. If a packet that was sent never reaches its destination, that packet is retransmitted.

    Compared with UDP, TCP provides a reliable transport service, which makes network transmission safer: every packet sent over TCP has to be acknowledged. If a packet is lost, no acknowledgment for it arrives, so the sender knows it must resend that packet; this is what guarantees that the data arrives intact.

    The three-way handshake is established as follows.

    First handshake: the client sends a SYN segment (Seq=x, SYN=1) to the server, enters the SYN_SENT state and waits for the server to confirm.

    Second handshake: this does two things in a single SYN+ACK (request plus acknowledgment) segment. The server receives the client's request and acknowledges it (Ack=x+1), and at the same time sends the client its own SYN (Seq=y) as a request to establish the connection. The server now enters the SYN_RECV state.

    Third handshake: the client receives the server's reply (SYN+ACK) and in turn sends the server an acknowledgment (ACK). Once this segment has been sent, both client and server enter the ESTABLISHED state and the three-way handshake is complete.

    The TCP four-way teardown proceeds as follows.

    TCP reset

    Ideally, every connection ends its session normally with the TCP four-way teardown, but in practice connections are often cut off abruptly. This may be because a would-be attacker is running a scan that breaks connections, or simply because a host is misconfigured. In such cases a TCP segment with the RST flag set is used: the RST flag marks a segment that signals an abnormal termination of the connection or a refusal of a connection request.

    Relationship between the TCP-related protocols

    TCP header

    Source Port: the port the data is sent from
    Destination Port: the port that receives the data
    Sequence Number: identifies this TCP segment; it is used to confirm that no part of the data has been lost
    Acknowledgment Number: the sequence number of the next segment the sender expects to receive from the peer
    Data Offset: data offset (header length)
    Reserved: reserved bits
    Window: window size
    Checksum: checksum
    Urgent Pointer: urgent pointer
    Options: options

    Flags

    URG: urgent flag. Indicates that the urgent pointer field of the segment is valid; it is used to keep the TCP connection from being interrupted and urges intermediate devices to process this data as quickly as possible.

    ACK: acknowledgment flag, either 1 or 0. When it is 1 the segment is an acknowledgment (the reply takes priority); otherwise it is 0.

    PSH: the PUSH flag. It means that as soon as the data reaches the receiver it is handed to the application immediately instead of being queued in a buffer.

    RST: connection reset request. It is used to reset connections that have gone wrong, and also to reject erroneous or illegal segments.

    SYN: synchronize sequence numbers. The SYN flag is used together with the ACK flag: in a connection request SYN=1, ACK=0; in the connection response SYN=1, ACK=1. Segments with this flag are frequently used for port scanning: the scanner sends a packet with only SYN set, and if the target host replies with a packet, the corresponding port on that host is listening.

    FIN: marks the end of the data, i.e. both sides have finished transmitting and the connection is to be closed. This flag can also be used for port scanning: when a packet carrying FIN is sent, a RST in reply means that port does not exist (is closed) on a host that does exist, while no reply at all indicates that the scanned host does have that port.
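    The header fields and flags described above can be decoded mechanically from the raw bytes. The following is an added example in Python (not code from the original post): it re-creates the client SYN from the first handshake dump further down this page (same ports, raw sequence number, window and options; the checksum is copied from the dump rather than recomputed, and the bytes are constructed here), parses the fixed 20-byte header and the options area, and shows how the negotiated window scale turns the third handshake segment's window field of 502 into the 64256 bytes Wireshark calculates. The function names are this example's own.

```python
import struct

# Flag bits in the low 9 bits of the 16-bit "data offset / reserved / flags" word,
# listed in the order Wireshark prints them in its flags subtree.
FLAG_BITS = (
    ("NS", 0x100), ("CWR", 0x080), ("ECE", 0x040), ("URG", 0x020),
    ("ACK", 0x010), ("PSH", 0x008), ("RST", 0x004), ("SYN", 0x002), ("FIN", 0x001),
)


def flag_names(flag_word):
    """Names of the flags set in a value such as Wireshark's 'Flags: 0x012'."""
    return [name for name, bit in FLAG_BITS if flag_word & bit]


def parse_options(raw):
    """Walk the variable-length options area (kind/length/value, except kinds 0 and 1)."""
    opts = {}
    i = 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:                        # End of option list
            break
        if kind == 1:                        # NOP padding, one byte, no length
            i += 1
            continue
        if i + 1 >= len(raw):
            raise ValueError("option kind %d has no length byte" % kind)
        length = raw[i + 1]
        if length < 2 or i + length > len(raw):
            raise ValueError("option kind %d has bad length %d" % (kind, length))
        body = raw[i + 2:i + length]
        if kind == 2 and len(body) == 2:     # Maximum Segment Size
            opts["mss"] = struct.unpack("!H", body)[0]
        elif kind == 3 and len(body) == 1:   # Window Scale (shift count)
            opts["window_scale"] = body[0]
        elif kind == 4:                      # SACK Permitted
            opts["sack_permitted"] = True
        elif kind == 8 and len(body) == 8:   # Timestamps: TSval, TSecr
            opts["tsval"], opts["tsecr"] = struct.unpack("!II", body)
        else:
            opts.setdefault("unknown", []).append(kind)
        i += length
    return opts


def parse_tcp_header(segment):
    """Decode the fixed 20-byte TCP header plus options from raw segment bytes (no IP header)."""
    if len(segment) < 20:
        raise ValueError("segment shorter than the 20-byte minimum header")
    (src, dst, seq, ack, off_flags,
     window, checksum, urgent) = struct.unpack("!HHIIHHHH", segment[:20])
    header_len = (off_flags >> 12) * 4       # data offset is counted in 32-bit words
    if header_len < 20 or header_len > len(segment):
        raise ValueError("data offset %d is inconsistent with segment size" % header_len)
    return {
        "src_port": src, "dst_port": dst, "seq": seq, "ack": ack,
        "header_len": header_len,
        "flags": flag_names(off_flags & 0x1FF),
        "window": window, "checksum": checksum, "urgent_pointer": urgent,
        "options": parse_options(segment[20:header_len]),
        "payload_len": len(segment) - header_len,
    }


def effective_window(window_field, shift_count, is_syn):
    """Window scaling is negotiated in the SYNs but applied only afterwards:
    a SYN's own window field is taken literally, later segments are shifted."""
    return window_field if is_syn else window_field << shift_count


def build_syn_segment():
    """Constructed bytes re-creating the client SYN from the first handshake dump on this page
    (ports, raw seq, window and options as captured; checksum copied, not recomputed)."""
    options = (
        bytes([2, 4]) + struct.pack("!H", 1460)               # MSS 1460
        + bytes([4, 2])                                       # SACK permitted
        + bytes([8, 10]) + struct.pack("!II", 2292026825, 0)  # TSval, TSecr
        + bytes([1])                                          # NOP
        + bytes([3, 3, 7])                                    # Window scale 7 (x128)
    )
    header_words = (20 + len(options)) // 4                   # 10 -> "1010 ...." in Wireshark
    off_flags = (header_words << 12) | 0x002                  # SYN only
    fixed = struct.pack("!HHIIHHHH", 42942, 80, 2725618253, 0, off_flags, 64240, 0x488E, 0)
    return fixed + options


if __name__ == "__main__":
    print(parse_tcp_header(build_syn_segment()))
    # Third handshake segment: window field 502 with shift 7 -> 64256, as Wireshark shows.
    print(effective_window(502, 7, is_syn=False))
```

    The parser refuses segments whose data offset points past the end of the bytes it was given and options whose length byte overruns the options area; both are the checks a dissector needs before trusting header values from the wire.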


    Three-way handshake segments

    TCP first handshake

    Transmission Control Protocol, Src Port: 42942, Dst Port: 80, Seq: 0, Len: 0
        Source Port: 42942
        Destination Port: 80
        [Stream index: 42]
        [TCP Segment Len: 0]
        Sequence number: 0    (relative sequence number)
        Sequence number (raw): 2725618253
        [Next sequence number: 1    (relative sequence number)]
        Acknowledgment number: 0
        Acknowledgment number (raw): 0
        1010 .... = Header Length: 40 bytes (10)
        Flags: 0x002 (SYN)    # this shows it is a SYN
            000. .... .... = Reserved: Not set
            ...0 .... .... = Nonce: Not set
            .... 0... .... = Congestion Window Reduced (CWR): Not set
            .... .0.. .... = ECN-Echo: Not set
            .... ..0. .... = Urgent: Not set
            .... ...0 .... = Acknowledgment: Not set
            .... .... 0... = Push: Not set
            .... .... .0.. = Reset: Not set
            .... .... ..1. = Syn: Set
                [Expert Info (Chat/Sequence): Connection establish request (SYN): server port 80]
                    [Connection establish request (SYN): server port 80]
                    [Severity level: Chat]
                    [Group: Sequence]
            .... .... ...0 = Fin: Not set
            [TCP Flags: ··········S·]
        Window size value: 64240
        [Calculated window size: 64240]
        Checksum: 0x488e [unverified]
        [Checksum Status: Unverified]
        Urgent pointer: 0
        Options: (20 bytes), Maximum segment size, SACK permitted, Timestamps, No-Operation (NOP), Window scale
            TCP Option - Maximum segment size: 1460 bytes
                Kind: Maximum Segment Size (2)
                Length: 4
                MSS Value: 1460
            TCP Option - SACK permitted
                Kind: SACK Permitted (4)
                Length: 2
            TCP Option - Timestamps: TSval 2292026825, TSecr 0
                Kind: Time Stamp Option (8)
                Length: 10
                Timestamp value: 2292026825
                Timestamp echo reply: 0
            TCP Option - No-Operation (NOP)
                Kind: No-Operation (1)
            TCP Option - Window scale: 7 (multiply by 128)
                Kind: Window Scale (3)
                Length: 3
                Shift count: 7
                [Multiplier: 128]
        [Timestamps]
            [Time since first frame in this TCP stream: 0.000000000 seconds]
            [Time since previous frame in this TCP stream: 0.000000000 seconds]

    TCP second handshake

    Transmission Control Protocol, Src Port: 80, Dst Port: 42942, Seq: 0, Ack: 1, Len: 0
        Source Port: 80
        Destination Port: 42942
        [Stream index: 42]
        [TCP Segment Len: 0]
        Sequence number: 0    (relative sequence number)
        Sequence number (raw): 3580910260
        [Next sequence number: 1    (relative sequence number)]
        Acknowledgment number: 1    (relative ack number)
        Acknowledgment number (raw): 2725618254
        1010 .... = Header Length: 40 bytes (10)
        Flags: 0x012 (SYN, ACK)    # this shows it is the second handshake
            000. .... .... = Reserved: Not set
            ...0 .... .... = Nonce: Not set
            .... 0... .... = Congestion Window Reduced (CWR): Not set
            .... .0.. .... = ECN-Echo: Not set
            .... ..0. .... = Urgent: Not set
            .... ...1 .... = Acknowledgment: Set
            .... .... 0... = Push: Not set
            .... .... .0.. = Reset: Not set
            .... .... ..1. = Syn: Set
                [Expert Info (Chat/Sequence): Connection establish acknowledge (SYN+ACK): server port 80]
                    [Connection establish acknowledge (SYN+ACK): server port 80]
                    [Severity level: Chat]
                    [Group: Sequence]
            .... .... ...0 = Fin: Not set
            [TCP Flags: ·······A··S·]
        Window size value: 28960
        [Calculated window size: 28960]
        Checksum: 0x9240 [unverified]
        [Checksum Status: Unverified]
        Urgent pointer: 0
        Options: (20 bytes), Maximum segment size, SACK permitted, Timestamps, No-Operation (NOP), Window scale
            TCP Option - Maximum segment size: 1412 bytes
                Kind: Maximum Segment Size (2)
                Length: 4
                MSS Value: 1412
            TCP Option - SACK permitted
                Kind: SACK Permitted (4)
                Length: 2
            TCP Option - Timestamps: TSval 3883000206, TSecr 2292026825
                Kind: Time Stamp Option (8)
                Length: 10
                Timestamp value: 3883000206
                Timestamp echo reply: 2292026825
            TCP Option - No-Operation (NOP)
                Kind: No-Operation (1)
            TCP Option - Window scale: 7 (multiply by 128)
                Kind: Window Scale (3)
                Length: 3
                Shift count: 7
                [Multiplier: 128]
        [SEQ/ACK analysis]
            [This is an ACK to the segment in frame: 1701]
            [The RTT to ACK the segment was: 0.036923396 seconds]
            [iRTT: 0.036936408 seconds]
        [Timestamps]
            [Time since first frame in this TCP stream: 0.036923396 seconds]
            [Time since previous frame in this TCP stream: 0.036923396 seconds]

    TCP third handshake

    Transmission Control Protocol, Src Port: 42942, Dst Port: 80, Seq: 1, Ack: 1, Len: 0
        Source Port: 42942
        Destination Port: 80
        [Stream index: 42]
        [TCP Segment Len: 0]
        Sequence number: 1    (relative sequence number)
        Sequence number (raw): 2725618254
        [Next sequence number: 1    (relative sequence number)]
        Acknowledgment number: 1    (relative ack number)
        Acknowledgment number (raw): 3580910261
        1000 .... = Header Length: 32 bytes (8)
        Flags: 0x010 (ACK)    # acknowledgment segment
            000. .... .... = Reserved: Not set
            ...0 .... .... = Nonce: Not set
            .... 0... .... = Congestion Window Reduced (CWR): Not set
            .... .0.. .... = ECN-Echo: Not set
            .... ..0. .... = Urgent: Not set
            .... ...1 .... = Acknowledgment: Set
            .... .... 0... = Push: Not set
            .... .... .0.. = Reset: Not set
            .... .... ..0. = Syn: Not set
            .... .... ...0 = Fin: Not set
            [TCP Flags: ·······A····]
        Window size value: 502
        [Calculated window size: 64256]
        [Window size scaling factor: 128]
        Checksum: 0x4886 [unverified]
        [Checksum Status: Unverified]
        Urgent pointer: 0
        Options: (12 bytes), No-Operation (NOP), No-Operation (NOP), Timestamps
            TCP Option - No-Operation (NOP)
                Kind: No-Operation (1)
            TCP Option - No-Operation (NOP)
                Kind: No-Operation (1)
            TCP Option - Timestamps: TSval 2292026862, TSecr 3883000206
                Kind: Time Stamp Option (8)
                Length: 10
                Timestamp value: 2292026862
                Timestamp echo reply: 3883000206
        [SEQ/ACK analysis]
            [This is an ACK to the segment in frame: 1713]
            [The RTT to ACK the segment was: 0.000013012 seconds]
            [iRTT: 0.036936408 seconds]
        [Timestamps]
            [Time since first frame in this TCP stream: 0.036936408 seconds]
            [Time since previous frame in this TCP stream: 0.000013012 seconds]

    Four-way teardown segments

    TCP first teardown segment

    Transmission Control Protocol, Src Port: 80, Dst Port: 42942, Seq: 96357, Ack: 431, Len: 0
        Source Port: 80
        Destination Port: 42942
        [Stream index: 42]
        [TCP Segment Len: 0]
        Sequence number: 96357    (relative sequence number)
        Sequence number (raw): 3581006617
        [Next sequence number: 96358    (relative sequence number)]
        Acknowledgment number: 431    (relative ack number)
        Acknowledgment number (raw): 2725618684
        1000 .... = Header Length: 32 bytes (8)
        Flags: 0x011 (FIN, ACK)
            000. .... .... = Reserved: Not set
            ...0 .... .... = Nonce: Not set
            .... 0... .... = Congestion Window Reduced (CWR): Not set
            .... .0.. .... = ECN-Echo: Not set
            .... ..0. .... = Urgent: Not set
            .... ...1 .... = Acknowledgment: Set
            .... .... 0... = Push: Not set
            .... .... .0.. = Reset: Not set
            .... .... ..0. = Syn: Not set
            .... .... ...1 = Fin: Set    # FIN bit set
                [Expert Info (Chat/Sequence): Connection finish (FIN)]
                    [Connection finish (FIN)]
                    [Severity level: Chat]
                    [Group: Sequence]
            [TCP Flags: ·······A···F]
        Window size value: 235
        [Calculated window size: 30080]
        [Window size scaling factor: 128]
        Checksum: 0xa05d [unverified]
        [Checksum Status: Unverified]
        Urgent pointer: 0
        Options: (12 bytes), No-Operation (NOP), No-Operation (NOP), Timestamps
            TCP Option - No-Operation (NOP)
                Kind: No-Operation (1)
            TCP Option - No-Operation (NOP)
                Kind: No-Operation (1)
            TCP Option - Timestamps: TSval 3883005416, TSecr 2292027407
                Kind: Time Stamp Option (8)
                Length: 10
                Timestamp value: 3883005416
                Timestamp echo reply: 2292027407
        [Timestamps]
            [Time since first frame in this TCP stream: 5.246526261 seconds]
            [Time since previous frame in this TCP stream: 4.663717779 seconds]

    Second teardown segment

    Transmission Control Protocol, Src Port: 42942, Dst Port: 80, Seq: 431, Ack: 96358, Len: 0
        Source Port: 42942
        Destination Port: 80
        [Stream index: 42]
        [TCP Segment Len: 0]
        Sequence number: 431    (relative sequence number)
        Sequence number (raw): 2725618684
        [Next sequence number: 431    (relative sequence number)]
        Acknowledgment number: 96358    (relative ack number)
        Acknowledgment number (raw): 3581006618
        1000 .... = Header Length: 32 bytes (8)
        Flags: 0x010 (ACK)
            000. .... .... = Reserved: Not set
            ...0 .... .... = Nonce: Not set
            .... 0... .... = Congestion Window Reduced (CWR): Not set
            .... .0.. .... = ECN-Echo: Not set
            .... ..0. .... = Urgent: Not set
            .... ...1 .... = Acknowledgment: Set
            .... .... 0... = Push: Not set
            .... .... .0.. = Reset: Not set
            .... .... ..0. = Syn: Not set
            .... .... ...0 = Fin: Not set
            [TCP Flags: ·······A····]
        Window size value: 1341
        [Calculated window size: 171648]
        [Window size scaling factor: 128]
        Checksum: 0x4886 [unverified]
        [Checksum Status: Unverified]
        Urgent pointer: 0
        Options: (12 bytes), No-Operation (NOP), No-Operation (NOP), Timestamps
            TCP Option - No-Operation (NOP)
                Kind: No-Operation (1)
            TCP Option - No-Operation (NOP)
                Kind: No-Operation (1)
            TCP Option - Timestamps: TSval 2292032113, TSecr 3883005416
                Kind: Time Stamp Option (8)
                Length: 10
                Timestamp value: 2292032113
                Timestamp echo reply: 3883005416
        [SEQ/ACK analysis]
            [This is an ACK to the segment in frame: 1886]
            [The RTT to ACK the segment was: 0.041837077 seconds]
            [iRTT: 0.036936408 seconds]
        [Timestamps]
            [Time since first frame in this TCP stream: 5.288363338 seconds]
            [Time since previous frame in this TCP stream: 0.041837077 seconds]

    Third teardown segment

    Transmission Control Protocol, Src Port: 42942, Dst Port: 80, Seq: 431, Ack: 96358, Len: 0
        Source Port: 42942
        Destination Port: 80
        [Stream index: 42]
        [TCP Segment Len: 0]
        Sequence number: 431    (relative sequence number)
        Sequence number (raw): 2725618684
        [Next sequence number: 432    (relative sequence number)]
        Acknowledgment number: 96358    (relative ack number)
        Acknowledgment number (raw): 3581006618
        1000 .... = Header Length: 32 bytes (8)
        Flags: 0x011 (FIN, ACK)
            000. .... .... = Reserved: Not set
            ...0 .... .... = Nonce: Not set
            .... 0... .... = Congestion Window Reduced (CWR): Not set
            .... .0.. .... = ECN-Echo: Not set
            .... ..0. .... = Urgent: Not set
            .... ...1 .... = Acknowledgment: Set
            .... .... 0... = Push: Not set
            .... .... .0.. = Reset: Not set
            .... .... ..0. = Syn: Not set
            .... .... ...1 = Fin: Set
                [Expert Info (Chat/Sequence): Connection finish (FIN)]
                    [Connection finish (FIN)]
                    [Severity level: Chat]
                    [Group: Sequence]
            [TCP Flags: ·······A···F]
        Window size value: 1341
        [Calculated window size: 171648]
        [Window size scaling factor: 128]
        Checksum: 0x4886 [unverified]
        [Checksum Status: Unverified]
        Urgent pointer: 0
        Options: (12 bytes), No-Operation (NOP), No-Operation (NOP), Timestamps
            TCP Option - No-Operation (NOP)
                Kind: No-Operation (1)
            TCP Option - No-Operation (NOP)
                Kind: No-Operation (1)
            TCP Option - Timestamps: TSval 2292032716, TSecr 3883005416
                Kind: Time Stamp Option (8)
                Length: 10
                Timestamp value: 2292032716
                Timestamp echo reply: 3883005416
        [Timestamps]
            [Time since first frame in this TCP stream: 5.891095824 seconds]
            [Time since previous frame in this TCP stream: 0.602732486 seconds]

    Fourth teardown segment

    Transmission Control Protocol, Src Port: 80, Dst Port: 42942, Seq: 96358, Ack: 432, Len: 0
        Source Port: 80
        Destination Port: 42942
        [Stream index: 42]
        [TCP Segment Len: 0]
        Sequence number: 96358    (relative sequence number)
        Sequence number (raw): 3581006618
        [Next sequence number: 96358    (relative sequence number)]
        Acknowledgment number: 432    (relative ack number)
        Acknowledgment number (raw): 2725618685
        1000 .... = Header Length: 32 bytes (8)
        Flags: 0x010 (ACK)
            000. .... .... = Reserved: Not set
            ...0 .... .... = Nonce: Not set
            .... 0... .... = Congestion Window Reduced (CWR): Not set
            .... .0.. .... = ECN-Echo: Not set
            .... ..0. .... = Urgent: Not set
            .... ...1 .... = Acknowledgment: Set
            .... .... 0... = Push: Not set
            .... .... .0.. = Reset: Not set
            .... .... ..0. = Syn: Not set
            .... .... ...0 = Fin: Not set
            [TCP Flags: ·······A····]
        Window size value: 235
        [Calculated window size: 30080]
        [Window size scaling factor: 128]
        Checksum: 0x88f5 [unverified]
        [Checksum Status: Unverified]
        Urgent pointer: 0
        Options: (12 bytes), No-Operation (NOP), No-Operation (NOP), Timestamps
            TCP Option - No-Operation (NOP)
                Kind: No-Operation (1)
            TCP Option - No-Operation (NOP)
                Kind: No-Operation (1)
            TCP Option - Timestamps: TSval 3883006098, TSecr 2292032716
                Kind: Time Stamp Option (8)
                Length: 10
                Timestamp value: 3883006098
                Timestamp echo reply: 2292032716
        [SEQ/ACK analysis]
            [This is an ACK to the segment in frame: 1894]
            [The RTT to ACK the segment was: 0.037212056 seconds]
            [iRTT: 0.036936408 seconds]
        [Timestamps]
            [Time since first frame in this TCP stream: 5.928307880 seconds]
            [Time since previous frame in this TCP stream: 0.037212056 seconds]

    TCP reset segment

    Transmission Control Protocol, Src Port: 58842, Dst Port: 443, Seq: 1, Ack: 33, Len: 0
        Source Port: 58842
        Destination Port: 443
        [Stream index: 0]
        [TCP Segment Len: 0]
        Sequence number: 1    (relative sequence number)
        Sequence number (raw): 2675798108
        [Next sequence number: 1    (relative sequence number)]
        Acknowledgment number: 33    (relative ack number)
        Acknowledgment number (raw): 4035810720
        0101 .... = Header Length: 20 bytes (5)
        Flags: 0x014 (RST, ACK)
            000. .... .... = Reserved: Not set
            ...0 .... .... = Nonce: Not set
            .... 0... .... = Congestion Window Reduced (CWR): Not set
            .... .0.. .... = ECN-Echo: Not set
            .... ..0. .... = Urgent: Not set
            .... ...1 .... = Acknowledgment: Set
            .... .... 0... = Push: Not set
            .... .... .1.. = Reset: Set    # reset flag set
                [Expert Info (Warning/Sequence): Connection reset (RST)]
                    [Connection reset (RST)]
                    [Severity level: Warning]
                    [Group: Sequence]
            .... .... ..0. = Syn: Not set
            .... .... ...0 = Fin: Not set
            [TCP Flags: ·······A·R··]
        Window size value: 501
        [Calculated window size: 501]
        [Window size scaling factor: -1 (unknown)]
        Checksum: 0x7114 [unverified]
        [Checksum Status: Unverified]
        Urgent pointer: 0
        [Timestamps]
            [Time since first frame in this TCP stream: 3.678235464 seconds]
            [Time since previous frame in this TCP stream: 3.678165023 seconds]

    TCP connection state machine
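    The state machine this heading refers to can be exercised against the segments captured above: the three-way handshake, the four-way teardown and the reset described earlier on the page. The following is an added example in Python, not code from the original post. The states and transitions are the standard RFC 793 ones for an active opener (client) and a passive opener (server); the Segment class, the tracker and the function names are this example's own. The tracker is fed the relative sequence and acknowledgment numbers and flags of the seven dumps above (stream 42), checks that every SYN and FIN is acknowledged at exactly seq+1, treats a RST as an abort of the connection, and reports a handshake that was started but never completed, which is what a SYN scan leaves behind. Note that in this capture it is the server side (port 80) that sends the first FIN, so the server is the endpoint that ends in TIME_WAIT. The handshake that preceded the RST segment is not on the page, so the three segments before it are constructed with made-up numbers.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    """One TCP segment reduced to what the state machine needs.
    seq and ack are Wireshark-style relative numbers; length is payload bytes."""
    src: int
    dst: int
    flags: frozenset
    seq: int
    ack: int
    length: int = 0


# (state of an endpoint, whether it sent or received the segment, segment kind) -> next state.
# RFC 793 transitions for a client (starts CLOSED) and a server (starts LISTEN); pure ACKs and
# data segments that match no entry leave the state unchanged.
TRANSITIONS = {
    ("CLOSED", "send", "SYN"): "SYN_SENT",
    ("LISTEN", "recv", "SYN"): "SYN_RECEIVED",
    ("SYN_SENT", "recv", "SYN+ACK"): "ESTABLISHED",
    ("SYN_RECEIVED", "recv", "ACK"): "ESTABLISHED",
    ("ESTABLISHED", "send", "FIN"): "FIN_WAIT_1",
    ("ESTABLISHED", "recv", "FIN"): "CLOSE_WAIT",
    ("FIN_WAIT_1", "recv", "ACK"): "FIN_WAIT_2",
    ("FIN_WAIT_2", "recv", "FIN"): "TIME_WAIT",
    ("CLOSE_WAIT", "send", "FIN"): "LAST_ACK",
    ("LAST_ACK", "recv", "ACK"): "CLOSED",
}


def classify(flags):
    """Reduce a flag set to the single kind that drives the state machine."""
    if "SYN" in flags and "ACK" in flags:
        return "SYN+ACK"
    for name in ("SYN", "FIN", "ACK"):
        if name in flags:
            return name
    return "DATA"


class ConnectionTracker:
    def __init__(self, client_port, server_port):
        self.state = {client_port: "CLOSED", server_port: "LISTEN"}
        self.expected_ack = {}   # port -> ack number its outstanding SYN/FIN must receive
        self.anomalies = []

    def feed(self, seg):
        kind = classify(seg.flags)
        if "RST" in seg.flags:
            # A reset aborts the connection from whatever state both sides were in.
            self.anomalies.append(
                "RST from port %d while %s/%s" % (seg.src, self.state[seg.src], self.state[seg.dst]))
            self.state[seg.src] = self.state[seg.dst] = "CLOSED"
            return
        if "ACK" in seg.flags and seg.dst in self.expected_ack:
            want = self.expected_ack.pop(seg.dst)
            if seg.ack != want:
                self.anomalies.append("port %d acked %d, expected %d" % (seg.src, seg.ack, want))
        moved = False
        for port, role in ((seg.src, "send"), (seg.dst, "recv")):
            nxt = TRANSITIONS.get((self.state[port], role, kind))
            if nxt is not None:
                self.state[port] = nxt
                moved = True
        if kind in ("SYN", "SYN+ACK", "FIN"):
            if not moved:
                self.anomalies.append("unexpected %s from port %d" % (kind, seg.src))
            # SYN and FIN each consume one sequence number, so the peer must ack seq+len+1.
            self.expected_ack[seg.src] = seg.seq + seg.length + 1

    def half_open(self):
        """True while a handshake was begun but never completed (what a SYN scan leaves)."""
        return any(s in ("SYN_SENT", "SYN_RECEIVED") for s in self.state.values())


def flagset(*names):
    return frozenset(names)


# Relative seq/ack numbers and flags taken from the seven dumps above (stream 42).
CAPTURED_STREAM_42 = [
    Segment(42942, 80, flagset("SYN"), 0, 0),
    Segment(80, 42942, flagset("SYN", "ACK"), 0, 1),
    Segment(42942, 80, flagset("ACK"), 1, 1),
    # data exchange in between is not shown on the page
    Segment(80, 42942, flagset("FIN", "ACK"), 96357, 431),
    Segment(42942, 80, flagset("ACK"), 431, 96358),
    Segment(42942, 80, flagset("FIN", "ACK"), 431, 96358),
    Segment(80, 42942, flagset("ACK"), 96358, 432),
]

# Constructed handshake (made-up numbers) followed by the RST segment from the page (stream 0).
CONSTRUCTED_RESET_STREAM = [
    Segment(58842, 443, flagset("SYN"), 0, 0),
    Segment(443, 58842, flagset("SYN", "ACK"), 0, 1),
    Segment(58842, 443, flagset("ACK"), 1, 1),
    Segment(58842, 443, flagset("RST", "ACK"), 1, 33),
]


def run(segments, client_port, server_port):
    tracker = ConnectionTracker(client_port, server_port)
    for seg in segments:
        tracker.feed(seg)
    return tracker


if __name__ == "__main__":
    for name, segs, c, s in (("stream 42", CAPTURED_STREAM_42, 42942, 80),
                             ("reset stream", CONSTRUCTED_RESET_STREAM, 58842, 443)):
        t = run(segs, c, s)
        print(name, t.state, t.anomalies, "half-open" if t.half_open() else "closed cleanly")
```

    Run as a script it prints the final state of both endpoints for each stream; a monitoring tool built on the same idea would key trackers by the full 4-tuple and alert on connections that linger half-open or that end in a RST rather than a FIN exchange.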
