root@ip-10-0-20-60:~# tcpdump -nnvvXSs 0 host 10.0.30.21
12:32:38.887309 IP (tos 0x0, ttl 64, id 4945, offset 0, flags [DF], proto TCP (6), length 60)
    10.0.30.21.55390 > 10.0.20.60.80: Flags [S], cksum 0x0dff (correct), seq 711110784, win 26883, options [mss 8961,sackOK,TS val 368813009 ecr 0,nop,wscale 9], length 0
    0x0000:  4500 003c 1351 4000 4006 e11a 0a00 1e15  E..<.Q@.@.......
    0x0010:  0a00 143c d85e 0050 2a62 b080 0000 0000  ...<.^.P*b......
    0x0020:  a002 6903 0dff 0000 0204 2301 0402 080a  ..i.......#.....
    0x0030:  15fb a3d1 0000 0000 0103 0309            ............
Let's start with the structure of the output. In the tcpdump text output I have used colours to mark the basic parts: the green part is the IP header and the purple part is the TCP header. Each colour covers two blocks: the first block is the information as analysed by tcpdump, the second block is the raw hex data. The two are essentially the same thing; one is easier for us to read, while the other lets us look directly at the header contents and do our own analysis. In most cases the information analysed by tcpdump is enough.
IP header
IP (tos 0x0, ttl 64, id 4945, offset 0, flags [DF], proto TCP (6), length 60)
● 12:32:38.887309 - the datagram's timestamp
● IP - these are all IP (protocol) related settings
● tos 0x0 - type of service field
● ttl 64 - time to live field
The maximum number of hops the packet may take to reach its destination, i.e. through how many routers it may pass; this keeps packets from travelling the network forever. After 64 hops the packet will 'die' (be dropped).
● id 4945 - identification field
Mostly used for identifying the parts of a fragmented datagram; incremented by one with every packet sent
● offset 0 - 13-bit fragmentation offset field
The fragment offset, used with fragmented packets
● flags [DF] - flags field
Any IP flags set; [DF] for Don’t Fragment and [MR] for More Fragments
● proto TCP (6) - upper layer protocol and its number
● length 60 - the entire IP packet length, including headers and data
TCP Header
10.0.30.21.55390 > 10.0.20.60.80: Flags [S], cksum 0x0dff (correct), seq 711110784, win 26883, options [mss 8961,sackOK,TS val 368813009 ecr 0,nop,wscale 9], length 0
● 10.0.30.21.55390 - the source IP address and port
● 10.0.20.60.80 - the destination IP address and port
● Flags [S] - any TCP flags; a period '.' indicates an ACK
● cksum 0x0dff (correct) - the packet’s TCP checksum value
● seq 711110784 - sequence number field
● win 26883 - receive window field
This field is used for flow control to indicate the number of bytes that the receiver is willing to accept.
● options [mss 8961,sackOK,TS val 368813009 ecr 0,nop,wscale 9] - variable-length option field
It is used when a sender and receiver negotiate the maximum segment size (MSS) or a window scaling factor for use in high-speed networks. In most cases we don't need to focus on this field.
● length 0 - the length of TCP data
Not including the TCP header, only the TCP data. In this case the packet is a SYN packet and it doesn't carry any data.
Length Problem
When I first started analysing packets, I often could not match the results of tcpdump's analysis against the actual hex data. The biggest problem was the calculation of the lengths, which often differed from what I expected. In the IP analysis line, length 60 means the total length of this packet is 60 bytes, and counting the hex data it really is 60 bytes. But how do you actually compute this value from the header information? It is quite interesting.
The IP header length is recorded in the second hex digit of the IP header; from the hex data it is 5 (the first red-marked position), meaning 5 units of 32 bits, i.e. 5 * 4 bytes (32 bits) = 20 bytes. If the IP header does not use the options field (which is most cases), the IP header length is normally 20 bytes.
The TCP packet is encapsulated in the data portion of the IP datagram, so the first 20 bytes of the hex data are the IP header and the following 40 bytes are all the TCP packet.
The TCP header length is recorded in the 13th byte of the TCP header; from the hex data it is a (the second red-marked position), meaning 10 units of 32 bits, i.e. 10 * 4 bytes (32 bits) = 40 bytes. We normally think of a TCP header without an options field as a fixed 20 bytes, so in this example 40 bytes - 20 bytes = 20 bytes: the options field actually takes up 20 bytes as well.
Because this example is a SYN packet, there is no data portion in the TCP packet, so the length is 0. Checking against the hex data confirms this reasoning.
Identifying the type of packet
Different types of packets have different types of flags. Without going too deep into what types of packets exist within TCP, you can use the below as a cheat sheet for identifying packet types.
- [S] - SYN (Start Connection)
- [.] - ACK
- [P] - PSH (Push Data)
- [F] - FIN (Finish Connection)
- [R] - RST (Reset Connection)
Depending on the version and output of tcpdump you may also see flags such as [S.]; this is used to indicate a SYN-ACK packet.
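As an added example (not code from the original post), the following Python rebuilds the raw bytes from the hex dump at the top of the page and recomputes the lengths from the Length Problem section and the flag string from the cheat sheet above; the SYN_DUMP constant is copied from that capture, and the field names in the returned dict are my own.

```python
import struct

# Constructed input: the 60-byte SYN datagram from the tcpdump -X output above,
# copied as hex words only (the ASCII column dropped).
SYN_DUMP = """
0x0000: 4500 003c 1351 4000 4006 e11a 0a00 1e15
0x0010: 0a00 143c d85e 0050 2a62 b080 0000 0000
0x0020: a002 6903 0dff 0000 0204 2301 0402 080a
0x0030: 15fb a3d1 0000 0000 0103 0309
"""

# tcpdump's flag letters, in the order tcpdump prints them (ACK shows as '.').
TCP_FLAG_BITS = [(0x01, "F"), (0x02, "S"), (0x04, "R"), (0x08, "P"),
                 (0x10, "."), (0x20, "U"), (0x40, "E"), (0x80, "W")]

def hexdump_to_bytes(dump: str) -> bytes:
    """Rebuild raw bytes from 'offset: xxxx xxxx ...' lines."""
    chunks = []
    for line in dump.strip().splitlines():
        _offset, _, words = line.partition(":")
        chunks.append(bytes.fromhex(words.replace(" ", "")))
    return b"".join(chunks)

def tcp_flags_str(flags: int) -> str:
    return "".join(ch for bit, ch in TCP_FLAG_BITS if flags & bit)

def dissect(pkt: bytes) -> dict:
    """Recompute the lengths tcpdump reports from the header nibbles."""
    if pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 datagram")
    ihl = (pkt[0] & 0x0F) * 4            # low nibble of byte 0, in 32-bit words
    total_len = struct.unpack("!H", pkt[2:4])[0]
    if pkt[9] != 6:
        raise ValueError("not a TCP segment")
    tcp = pkt[ihl:total_len]             # everything after the IP header
    data_off = (tcp[12] >> 4) * 4        # high nibble of TCP byte 12, in words
    return {
        "ip_header_len": ihl,
        "total_len": total_len,
        "src_port": struct.unpack("!H", tcp[0:2])[0],
        "dst_port": struct.unpack("!H", tcp[2:4])[0],
        "seq": struct.unpack("!I", tcp[4:8])[0],
        "win": struct.unpack("!H", tcp[14:16])[0],
        "flags": tcp_flags_str(tcp[13]),
        "tcp_header_len": data_off,
        "tcp_options_len": data_off - 20,
        "payload_len": total_len - ihl - data_off,
    }
```

Running `dissect(hexdump_to_bytes(SYN_DUMP))` reproduces the values tcpdump printed: 20-byte IP header, 40-byte TCP header (20 of them options), payload length 0 and flags "S".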
Format
Below are the common packet formats for quick reference; for detailed field descriptions please refer to the dedicated pages.
IP datagram format
TCP packet format