Tool: wireshark
Display filter vs capture filter
As the names suggest, a display filter filters what is shown after the capture, while a capture filter filters during the capture itself. The two use different syntaxes and have different consequences: a capture filter is a BPF expression (e.g. "tcp port 443") applied by the capture engine, so packets it excludes are never written to the capture file and cannot be recovered later; a display filter uses Wireshark's own field syntax (e.g. "tcp.port == 443") and only hides packets that are still in the file.
Understanding tcp stream
A stream is identified by the pair IP_1:Port_1 - IP_2:Port_2 (the 4-tuple), regardless of which side sent a given packet. DNS, UDP and other protocols get a similar identifier: Wireshark assigns UDP conversations their own index (udp.stream).
The key point is that from the handshake, through keep-alives, to FIN, the tcp stream index of one connection does not change. For example, the three-way handshake below (and the four-way close of the same connection) all have stream index 10; filtering with tcp.stream eq 10 shows the whole connection, which is the same as right-clicking a packet and choosing Follow > TCP Stream. One caveat: if the same 4-tuple is later reused by a new connection, Wireshark flags the new SYN with [TCP Port numbers reused] and starts a new stream index there, so one 4-tuple is not always one stream.
Setting absolute sequence numbers
Wireshark shows relative sequence numbers by default (0 for the SYN, 1 for the first data byte); the capture below was taken with that preference off (Edit > Preferences > Protocols > TCP > Relative sequence numbers), so the real 32-bit values appear. TCP is a byte stream and every byte has a number. The sequence number in a segment is the number of the first byte of that segment's data. The field is 32 bits, so numbering wraps modulo 2^32 rather than stopping at 2^32 bytes; a connection can carry far more than that, which is why stacks compare sequence numbers with wrap-aware arithmetic and, on fast links, rely on the timestamp option (PAWS, RFC 7323) to tell an old wrapped segment from a new one. Each direction of the connection has its own independent sequence space starting from a random initial sequence number (ISN), so in a capture the two sides' numbers are unrelated to each other. For a segment carrying data, the next sequence number is seq + Len; Wireshark shows it as [Next sequence number], and tcpdump prints the range as seq:next seq. SYN and FIN each consume one sequence number even though Len is 0, which is why a SYN at 79994848 is acknowledged with 79994849. Note that the Wireshark version used here shows [Next sequence number: 79994848] for the SYN, i.e. it only adds Len, while the peer's acknowledgment number does count the SYN.
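The sequence-space arithmetic described above, as an added example (not code from the original notes): wrap-aware comparison of 32-bit sequence numbers, the next-sequence rule including the one number that SYN and FIN consume, and the absolute-to-relative conversion Wireshark performs. The ISNs 79994848 and 907180931 are the ones in this capture; the 1460-byte segment and the values near the wrap point are constructed for illustration.

```python
SEQ_MOD = 1 << 32          # sequence numbers live in [0, 2**32)
HALF = 1 << 31


def seq_add(seq: int, n: int) -> int:
    """Advance a sequence number by n, wrapping at 2**32 like a real stack does."""
    return (seq + n) % SEQ_MOD


def seq_diff(a: int, b: int) -> int:
    """Signed distance a - b in sequence space, in [-2**31, 2**31).

    This is the trick behind Linux's before()/after(): interpret the modular
    difference as a signed 32-bit value, so ordering survives the wrap."""
    d = (a - b) % SEQ_MOD
    return d - SEQ_MOD if d >= HALF else d


def seq_lt(a: int, b: int) -> bool:
    """True when a comes before b in sequence-space order (wrap-aware)."""
    return seq_diff(a, b) < 0


def next_seq(seq: int, payload_len: int, syn: bool = False, fin: bool = False) -> int:
    """First sequence number of the NEXT segment from the same side.

    SYN and FIN each consume one sequence number although they carry no data,
    which is why a SYN at ISN is acknowledged with ISN + 1. The acknowledgment
    number the peer should return for a segment is exactly this value."""
    return seq_add(seq, payload_len + int(syn) + int(fin))


def relative_seq(seq: int, isn: int) -> int:
    """What Wireshark shows with 'Relative sequence numbers' on: 0 for the SYN,
    1 for the first data byte, whatever the random absolute ISN was."""
    return (seq - isn) % SEQ_MOD


# Values from the capture in these notes (absolute sequence numbers).
CLIENT_ISN = 79994848
SERVER_ISN = 907180931


def demo() -> dict:
    return {
        # Server's SYN/ACK must carry Ack = 79994849.
        "ack_for_client_syn": next_seq(CLIENT_ISN, 0, syn=True),
        # Client's final ACK must carry Ack = 907180932.
        "ack_for_server_synack": next_seq(SERVER_ISN, 0, syn=True),
        # Relative view of the client's first data byte (79994849) is 1.
        "client_first_data_relative": relative_seq(CLIENT_ISN + 1, CLIENT_ISN),
        # A full 1460-byte segment starting at 79994849 is followed by 79996309.
        "next_after_1460_bytes": next_seq(79994849, 1460),
        # 100 bytes sent from 40 below the wrap point end 60 bytes past zero.
        "next_across_wrap": next_seq(SEQ_MOD - 40, 100),
        # Ordering across the wrap: 5 is AFTER 2**32 - 5 although 5 is the
        # smaller integer; a naive comparison gets this backwards.
        "naive_says_5_before": 5 < SEQ_MOD - 5,
        "seq_lt_says_5_before": seq_lt(5, SEQ_MOD - 5),
        "seq_lt_says_wrap_before_5": seq_lt(SEQ_MOD - 5, 5),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:28s} {value}")
```

The signed-difference comparison is the same rule a stack uses to decide whether a segment is old or new; the naive integer comparison in the demo shows exactly the case where it fails.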
Three-way handshake
First, the TCP segments as Wireshark decodes them.
Note that in Wireshark's packet details, fields in square brackets [] are values Wireshark itself computes or adds; all other fields come from the TCP header in the packet. For example, [Stream index: 10] is calculated by Wireshark and is not on the wire.
First handshake
The client sends a SYN: "my initial sequence number is 79994848, I want to connect to you."
Transmission Control Protocol, Src Port: 55148, Dst Port: 443, Seq: 79994848, Len: 0
Source Port: 55148
Destination Port: 443
[Stream index: 10]
[TCP Segment Len: 0]
Sequence number: 79994848
[Next sequence number: 79994848]
Acknowledgment number: 0
1000 .... = Header Length: 32 bytes (8)
Flags: 0x002 (SYN)
000. .... .... = Reserved: Not set
...0 .... .... = Nonce: Not set
.... 0... .... = Congestion Window Reduced (CWR): Not set
.... .0.. .... = ECN-Echo: Not set
.... ..0. .... = Urgent: Not set
.... ...0 .... = Acknowledgment: Not set
.... .... 0... = Push: Not set
.... .... .0.. = Reset: Not set
.... .... ..1. = Syn: Set
.... .... ...0 = Fin: Not set
[TCP Flags: ··········S·]
Window size value: 64240
[Calculated window size: 64240]
Checksum: 0xe207 [unverified]
[Checksum Status: Unverified]
Urgent pointer: 0
Options: (12 bytes), Maximum segment size, No-Operation (NOP), Window scale, No-Operation (NOP), No-Operation (NOP), SACK permitted
[Timestamps]
[Time since first frame in this TCP stream: 0.000000000 seconds]
[Time since previous frame in this TCP stream: 0.000000000 seconds]
Second handshake
The server sends SYN + ACK: "I also want to connect; my initial sequence number is 907180931, and next I expect you to send 79994849." Note that 79994849 is the acknowledgment number: the sequence number of the first byte the receiver expects in the sender's next segment (same below). It is the client's ISN + 1 because the SYN flag occupies one sequence number even though the segment carries no data (Len: 0).
Transmission Control Protocol, Src Port: 443, Dst Port: 55148, Seq: 907180931, Ack: 79994849, Len: 0
Source Port: 443
Destination Port: 55148
[Stream index: 10]
[TCP Segment Len: 0]
Sequence number: 907180931
[Next sequence number: 907180931]
Acknowledgment number: 79994849
1000 .... = Header Length: 32 bytes (8)
Flags: 0x012 (SYN, ACK)
000. .... .... = Reserved: Not set
...0 .... .... = Nonce: Not set
.... 0... .... = Congestion Window Reduced (CWR): Not set
.... .0.. .... = ECN-Echo: Not set
.... ..0. .... = Urgent: Not set
.... ...1 .... = Acknowledgment: Set
.... .... 0... = Push: Not set
.... .... .0.. = Reset: Not set
.... .... ..1. = Syn: Set
.... .... ...0 = Fin: Not set
[TCP Flags: ·······A··S·]
Window size value: 14600
[Calculated window size: 14600]
Checksum: 0xf24a [unverified]
[Checksum Status: Unverified]
Urgent pointer: 0
Options: (12 bytes), Maximum segment size, No-Operation (NOP), No-Operation (NOP), SACK permitted, No-Operation (NOP), Window scale
[SEQ/ACK analysis]
[This is an ACK to the segment in frame: 440]
[The RTT to ACK the segment was: 0.003146000 seconds]
[iRTT: 0.003200000 seconds]
[Timestamps]
[Time since first frame in this TCP stream: 0.003146000 seconds]
[Time since previous frame in this TCP stream: 0.003146000 seconds]
Third handshake
The client sends ACK: "OK, I will send 79994849 next; we are connected, and I expect you to send 907180932." This segment carries no options (Header Length: 20 bytes). Its Window size value of 256 is shown with [Calculated window size: 65536] because Wireshark applies the window scale factor (256, i.e. a shift of 8) that the client advertised in its SYN; scaling is negotiated in the SYN segments but never applied to the SYNs themselves, which is why both SYNs show a calculated window equal to the raw value. The [SEQ/ACK analysis] timing also shows how iRTT is derived: 0.003146 s for the SYN-ACK plus 0.000054 s for this ACK is 0.003200 s, the time from the client's SYN to the completion of the handshake; the 54 µs gap indicates the capture point is close to the client.
Transmission Control Protocol, Src Port: 55148, Dst Port: 443, Seq: 79994849, Ack: 907180932, Len: 0
Source Port: 55148
Destination Port: 443
[Stream index: 10]
[TCP Segment Len: 0]
Sequence number: 79994849
[Next sequence number: 79994849]
Acknowledgment number: 907180932
0101 .... = Header Length: 20 bytes (5)
Flags: 0x010 (ACK)
000. .... .... = Reserved: Not set
...0 .... .... = Nonce: Not set
.... 0... .... = Congestion Window Reduced (CWR): Not set
.... .0.. .... = ECN-Echo: Not set
.... ..0. .... = Urgent: Not set
.... ...1 .... = Acknowledgment: Set
.... .... 0... = Push: Not set
.... .... .0.. = Reset: Not set
.... .... ..0. = Syn: Not set
.... .... ...0 = Fin: Not set
[TCP Flags: ·······A····]
Window size value: 256
[Calculated window size: 65536]
[Window size scaling factor: 256]
Checksum: 0x6b25 [unverified]
[Checksum Status: Unverified]
Urgent pointer: 0
[SEQ/ACK analysis]
[This is an ACK to the segment in frame: 442]
[The RTT to ACK the segment was: 0.000054000 seconds]
[iRTT: 0.003200000 seconds]
[Timestamps]
[Time since first frame in this TCP stream: 0.003200000 seconds]
[Time since previous frame in this TCP stream: 0.000054000 seconds]
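The three segments above, rebuilt from the field values in these notes and checked the way Wireshark's [SEQ/ACK analysis], [Calculated window size] and [Stream index] do it, as an added example (not code from the original notes). It also serves the stream-index discussion earlier: the direction-independent 4-tuple key is what puts both directions into one stream. The notes list the options but not every value, so the MSS of 1460 and the server's window-scale shift of 7 are assumptions, as are the IP addresses 192.0.2.10 and 198.51.100.5 (the capture shows no IP layer).

```python
import struct
from typing import NamedTuple

FLAG_FIN, FLAG_SYN, FLAG_RST, FLAG_PSH, FLAG_ACK = 0x01, 0x02, 0x04, 0x08, 0x10
SEQ_MASK = 0xFFFFFFFF


class TcpSeg(NamedTuple):
    sport: int
    dport: int
    seq: int
    ack: int
    flags: int
    window: int      # raw 16-bit field, before any scaling
    hlen: int        # header length in bytes (20 + options)
    options: dict    # decoded options: mss, wscale (shift count), sack_ok
    payload_len: int


def build_tcp(sport, dport, seq, ack, flags, window, options=b"", payload=b"") -> bytes:
    """Serialise a TCP header; checksum left 0 (the capture shows it unverified anyway)."""
    assert len(options) % 4 == 0, "options must be padded to 32-bit words"
    data_offset = (20 + len(options)) // 4
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                      data_offset << 4, flags, window, 0, 0)
    return hdr + options + payload


def parse_options(raw: bytes) -> dict:
    """Decode kind/length TLVs: 0 EOL, 1 NOP, 2 MSS, 3 Window scale, 4 SACK permitted."""
    opts, i = {}, 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:                       # end of option list
            break
        if kind == 1:                       # NOP padding has no length byte
            i += 1
            continue
        length = raw[i + 1]
        if length < 2 or i + length > len(raw):
            raise ValueError("malformed TCP option")
        body = raw[i + 2:i + length]
        if kind == 2:
            opts["mss"] = struct.unpack("!H", body)[0]
        elif kind == 3:
            opts["wscale"] = body[0]        # shift count; factor is 1 << shift
        elif kind == 4:
            opts["sack_ok"] = True
        i += length
    return opts


def parse_tcp(raw: bytes) -> TcpSeg:
    """Minimal TCP header parser (no checksum verification, no IP header)."""
    sport, dport, seq, ack, off_res, flags, window, _csum, _urg = struct.unpack("!HHIIBBHHH", raw[:20])
    hlen = (off_res >> 4) * 4
    return TcpSeg(sport, dport, seq, ack, flags, window, hlen, parse_options(raw[20:hlen]), len(raw) - hlen)


def stream_key(src_ip, sport, dst_ip, dport) -> tuple:
    """Direction-independent 4-tuple: both directions of one connection map to the
    same key, which is what lets Wireshark give every packet of it one stream index."""
    return tuple(sorted([(src_ip, sport), (dst_ip, dport)]))


def check_handshake(syn: TcpSeg, synack: TcpSeg, ack: TcpSeg, t_syn: float, t_ack: float) -> dict:
    """Re-derive what Wireshark's [SEQ/ACK analysis] and [Calculated window size] show."""
    client_shift = syn.options.get("wscale", 0)   # applies to the client's post-SYN windows
    return {
        "flags_ok": syn.flags == FLAG_SYN and synack.flags == (FLAG_SYN | FLAG_ACK) and ack.flags == FLAG_ACK,
        "synack_acks_client_isn_plus_1": synack.ack == (syn.seq + 1) & SEQ_MASK,
        "ack_seq_is_client_isn_plus_1": ack.seq == (syn.seq + 1) & SEQ_MASK,
        "ack_acks_server_isn_plus_1": ack.ack == (synack.seq + 1) & SEQ_MASK,
        # Scaling is negotiated in the SYNs but never applied to a SYN itself.
        "syn_window_calculated": syn.window,
        "ack_window_calculated": ack.window << client_shift,
        "window_scaling_factor": 1 << client_shift,
        "irtt": round(t_ack - t_syn, 6),          # SYN -> handshake-completing ACK
        "header_lengths": [syn.hlen, synack.hlen, ack.hlen],
    }


# Constructed from the field values in these notes. MSS 1460 and the server's
# window-scale shift of 7 are ASSUMED; the notes list the options but not those values.
CLIENT_OPTS = bytes([2, 4, 0x05, 0xB4, 1, 3, 3, 8, 1, 1, 4, 2])   # MSS,NOP,WS(8),NOP,NOP,SACKperm
SERVER_OPTS = bytes([2, 4, 0x05, 0xB4, 1, 1, 4, 2, 1, 3, 3, 7])   # MSS,NOP,NOP,SACKperm,NOP,WS(7)
SEGMENTS = [
    build_tcp(55148, 443, 79994848, 0, FLAG_SYN, 64240, CLIENT_OPTS),
    build_tcp(443, 55148, 907180931, 79994849, FLAG_SYN | FLAG_ACK, 14600, SERVER_OPTS),
    build_tcp(55148, 443, 79994849, 907180932, FLAG_ACK, 256),
]
TIMES = [0.0, 0.003146, 0.003200]            # "Time since first frame" per segment
CLIENT_IP, SERVER_IP = "192.0.2.10", "198.51.100.5"   # assumed; not in the capture shown


def run() -> dict:
    syn, synack, ack = (parse_tcp(b) for b in SEGMENTS)
    result = check_handshake(syn, synack, ack, TIMES[0], TIMES[2])
    result["syn_options"] = syn.options
    result["same_stream"] = (stream_key(CLIENT_IP, syn.sport, SERVER_IP, syn.dport)
                             == stream_key(SERVER_IP, synack.sport, CLIENT_IP, synack.dport))
    return result
```

Every check in run() should come back true for this capture; a SYN-ACK whose Ack is not ISN + 1, or a third ACK whose Ack does not match the server's ISN + 1, is exactly what Wireshark would mark as an analysis flag rather than a clean handshake.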