TCP協議抓包分析 – wireshark

TCP- (Transmission Control Protocol，傳輸控制協議)是一種面向連接的、可靠的、基于IP的傳輸層協議。它的主要目的就是為數據提供可靠的端到端的傳輸服務。參考RFC793

TCP是面向連接的通信協議，在通信過程中，通過三次握手建立連接，通信結束之后還需要斷開連接。如果要發送的數據包沒有被送到目的地還會進行數據包的重傳。

相比于UDP TCP提供可靠的網絡傳輸服務，可以提高網絡的安全性，因為使用TCP進行數據傳輸時，每個數據包都要進行確認。若果有一個數據包丟失就收不到確認包，發送方就知道應該重發這個數據包，這樣就保證了數據的安全性。

以下是三次握手的建立過程

• 第一次握手建立時，客戶端向服務器發送SYN報文(Seq=x,SYN=1)，并進入SYN_SEND狀態，等待服務器確認。

• 第二次握手，分兩部分來完成，即SYN+ACK(請求和確認)報文

服務器收到客戶端的請求，向客戶端確認信息(Ack=x+1)

服務器再向客戶端發送一個SYN包(Seq=y)建立連接的請求，此時服務器進入SYN_RECV狀態

• 第三次握手客戶端收到服務器的回復(SYN+ACK)，此時，客戶端也要向服務器發送確認包(ACK)，此包發送完畢客戶端和服務器進入ESTABLISHED狀態，完成三次握手。

以下是TCP四次揮手的計算過程

TCP重置

在理想的情況中，每一個連接都會以TCP四次斷開來正常的結束會話，但是在現實中，連接經常會突然斷掉。例如，這可能由于一個潛在的攻擊者正在進行斷開掃描，或者僅僅是主機配置錯誤，在這種其概況下就需要使用設置了RST標志的TCP數據包，RST標志用來指出連接異常終止或拒絕連接請求的包。

TCP各個協議之間的關系

TCP首部

• Source Port`: 用來傳輸數據包的端口 🦌
• Destination Port: 接收數據的端口
• Sequence Number: 該數字表示一個TCP片段，這個部分用來表示數據部分沒有丟失
• Acknowledgment Number: 該數字是通信中希望從對方中得到的下一個數據包的序號
• Data offset: 數據偏移
• Reserved: 保留
• 標記
• Window: 窗口大小
• checksum: 校驗和
• Urgent Pointer: 緊急指針
• Options: 選項

標記

URG：緊急標志，此標志表示TCP包的緊急指針域有效，用來保證TCP連接不被中斷，并催促中間設備要盡快處理這些數據

ACK：確認標志，分別為1或者0，為1的時候代表應答優先，反之為0

PSH：該標志是PUSH操作，代表著數據到達接收端以后，立即傳送給應用程序，而不是在緩沖區中排隊

RST：該標志表示連接復位請求，用來復位那些產生的錯誤連接，也用來拒絕錯誤和非法的數據包

SYN：表示同步序號，SYN標志位和ACK標志位搭配使用，當連接請求的時候，SYN=1,ACK=0；當連接響應的時候SYN=1,ACK=1。標志的數據經常用來進行端口掃描，掃描者發送一個只有SYN的數據包，如果對方主機回應一個數據包，則說明該主機的對應端口是存在監聽的。

FIN：說明數據結束了，也就是雙方數據傳輸完成，斷開連接的意思。該標記也可以用于進行端口掃描，當發送一個帶有FIN標記的數據包的時候，如果對方相應一個RST說明這臺計算機對應的端口是不存在的，但是對應的計算機是存在的，若是對方沒有反饋任何數據包，就表明這臺被掃描的計算機是存在這個端口

---

三次握手報文

TCP第一次握手

Transmission Control Protocol, Src Port: 42942, Dst Port: 80, Seq: 0, Len: 0Source Port: 42942Destination Port: 80[Stream index: 42][TCP Segment Len: 0]Sequence number: 0 (relative sequence number)Sequence number (raw): 2725618253[Next sequence number: 1 (relative sequence number)]Acknowledgment number: 0Acknowledgment number (raw): 01010 .... = Header Length: 40 bytes (10)Flags: 0x002 (SYN) # 這里表明是SYN000. .... .... = Reserved: Not set...0 .... .... = Nonce: Not set.... 0... .... = Congestion Window Reduced (CWR): Not set.... .0.. .... = ECN-Echo: Not set.... ..0. .... = Urgent: Not set.... ...0 .... = Acknowledgment: Not set.... .... 0... = Push: Not set.... .... .0.. = Reset: Not set.... .... ..1. = Syn: Set[Expert Info (Chat/Sequence): Connection establish request (SYN): server port 80][Connection establish request (SYN): server port 80][Severity level: Chat][Group: Sequence].... .... ...0 = Fin: Not set[TCP Flags: ··········S·]Window size value: 64240[Calculated window size: 64240]Checksum: 0x488e [unverified][Checksum Status: Unverified]Urgent pointer: 0Options: (20 bytes), Maximum segment size, SACK permitted, Timestamps, No-Operation (NOP), Window scaleTCP Option - Maximum segment size: 1460 bytesKind: Maximum Segment Size (2)Length: 4MSS Value: 1460TCP Option - SACK permittedKind: SACK Permitted (4)Length: 2TCP Option - Timestamps: TSval 2292026825, TSecr 0Kind: Time Stamp Option (8)Length: 10Timestamp value: 2292026825Timestamp echo reply: 0TCP Option - No-Operation (NOP)Kind: No-Operation (1)TCP Option - Window scale: 7 (multiply by 128)Kind: Window Scale (3)Length: 3Shift count: 7[Multiplier: 128][Timestamps][Time since first frame in this TCP stream: 0.000000000 seconds][Time since previous frame in this TCP stream: 0.000000000 seconds]

TCP第二次握手

Transmission Control Protocol, Src Port: 80, Dst Port: 42942, Seq: 0, Ack: 1, Len: 0Source Port: 80Destination Port: 42942[Stream index: 42][TCP Segment Len: 0]Sequence number: 0 (relative sequence number)Sequence number (raw): 3580910260[Next sequence number: 1 (relative sequence number)]Acknowledgment number: 1 (relative ack number)Acknowledgment number (raw): 27256182541010 .... = Header Length: 40 bytes (10)Flags: 0x012 (SYN, ACK) # 表明是第二次進行握手000. .... .... = Reserved: Not set...0 .... .... = Nonce: Not set.... 0... .... = Congestion Window Reduced (CWR): Not set.... .0.. .... = ECN-Echo: Not set.... ..0. .... = Urgent: Not set.... ...1 .... = Acknowledgment: Set.... .... 0... = Push: Not set.... .... .0.. = Reset: Not set.... .... ..1. = Syn: Set[Expert Info (Chat/Sequence): Connection establish acknowledge (SYN+ACK): server port 80][Connection establish acknowledge (SYN+ACK): server port 80][Severity level: Chat][Group: Sequence].... .... ...0 = Fin: Not set[TCP Flags: ·······A··S·]Window size value: 28960[Calculated window size: 28960]Checksum: 0x9240 [unverified][Checksum Status: Unverified]Urgent pointer: 0Options: (20 bytes), Maximum segment size, SACK permitted, Timestamps, No-Operation (NOP), Window scaleTCP Option - Maximum segment size: 1412 bytesKind: Maximum Segment Size (2)Length: 4MSS Value: 1412TCP Option - SACK permittedKind: SACK Permitted (4)Length: 2TCP Option - Timestamps: TSval 3883000206, TSecr 2292026825Kind: Time Stamp Option (8)Length: 10Timestamp value: 3883000206Timestamp echo reply: 2292026825TCP Option - No-Operation (NOP)Kind: No-Operation (1)TCP Option - Window scale: 7 (multiply by 128)Kind: Window Scale (3)Length: 3Shift count: 7[Multiplier: 128][SEQ/ACK analysis][This is an ACK to the segment in frame: 1701][The RTT to ACK the segment was: 0.036923396 seconds][iRTT: 0.036936408 seconds][Timestamps][Time since first frame in this TCP stream: 0.036923396 seconds][Time since previous frame in this TCP stream: 0.036923396 seconds]

TCP第三次握手信息

Transmission Control Protocol, Src Port: 42942, Dst Port: 80, Seq: 1, Ack: 1, Len: 0Source Port: 42942Destination Port: 80[Stream index: 42][TCP Segment Len: 0]Sequence number: 1 (relative sequence number)Sequence number (raw): 2725618254[Next sequence number: 1 (relative sequence number)]Acknowledgment number: 1 (relative ack number)Acknowledgment number (raw): 35809102611000 .... = Header Length: 32 bytes (8)Flags: 0x010 (ACK) # 確認包000. .... .... = Reserved: Not set...0 .... .... = Nonce: Not set.... 0... .... = Congestion Window Reduced (CWR): Not set.... .0.. .... = ECN-Echo: Not set.... ..0. .... = Urgent: Not set.... ...1 .... = Acknowledgment: Set.... .... 0... = Push: Not set.... .... .0.. = Reset: Not set.... .... ..0. = Syn: Not set.... .... ...0 = Fin: Not set[TCP Flags: ·······A····]Window size value: 502[Calculated window size: 64256][Window size scaling factor: 128]Checksum: 0x4886 [unverified][Checksum Status: Unverified]Urgent pointer: 0Options: (12 bytes), No-Operation (NOP), No-Operation (NOP), TimestampsTCP Option - No-Operation (NOP)Kind: No-Operation (1)TCP Option - No-Operation (NOP)Kind: No-Operation (1)TCP Option - Timestamps: TSval 2292026862, TSecr 3883000206Kind: Time Stamp Option (8)Length: 10Timestamp value: 2292026862Timestamp echo reply: 3883000206[SEQ/ACK analysis][This is an ACK to the segment in frame: 1713][The RTT to ACK the segment was: 0.000013012 seconds][iRTT: 0.036936408 seconds][Timestamps][Time since first frame in this TCP stream: 0.036936408 seconds][Time since previous frame in this TCP stream: 0.000013012 seconds]

四次揮手報文

TCP第一次揮手

Transmission Control Protocol, Src Port: 80, Dst Port: 42942, Seq: 96357, Ack: 431, Len: 0Source Port: 80Destination Port: 42942[Stream index: 42][TCP Segment Len: 0]Sequence number: 96357 (relative sequence number)Sequence number (raw): 3581006617[Next sequence number: 96358 (relative sequence number)]Acknowledgment number: 431 (relative ack number)Acknowledgment number (raw): 27256186841000 .... = Header Length: 32 bytes (8)Flags: 0x011 (FIN, ACK)000. .... .... = Reserved: Not set...0 .... .... = Nonce: Not set.... 0... .... = Congestion Window Reduced (CWR): Not set.... .0.. .... = ECN-Echo: Not set.... ..0. .... = Urgent: Not set.... ...1 .... = Acknowledgment: Set.... .... 0... = Push: Not set.... .... .0.. = Reset: Not set.... .... ..0. = Syn: Not set.... .... ...1 = Fin: Set # 設置了FIN 位[Expert Info (Chat/Sequence): Connection finish (FIN)][Connection finish (FIN)][Severity level: Chat][Group: Sequence][TCP Flags: ·······A···F]Window size value: 235[Calculated window size: 30080][Window size scaling factor: 128]Checksum: 0xa05d [unverified][Checksum Status: Unverified]Urgent pointer: 0Options: (12 bytes), No-Operation (NOP), No-Operation (NOP), TimestampsTCP Option - No-Operation (NOP)Kind: No-Operation (1)TCP Option - No-Operation (NOP)Kind: No-Operation (1)TCP Option - Timestamps: TSval 3883005416, TSecr 2292027407Kind: Time Stamp Option (8)Length: 10Timestamp value: 3883005416Timestamp echo reply: 2292027407[Timestamps][Time since first frame in this TCP stream: 5.246526261 seconds][Time since previous frame in this TCP stream: 4.663717779 seconds]

第二次揮手

Transmission Control Protocol, Src Port: 42942, Dst Port: 80, Seq: 431, Ack: 96358, Len: 0Source Port: 42942Destination Port: 80[Stream index: 42][TCP Segment Len: 0]Sequence number: 431 (relative sequence number)Sequence number (raw): 2725618684[Next sequence number: 431 (relative sequence number)]Acknowledgment number: 96358 (relative ack number)Acknowledgment number (raw): 35810066181000 .... = Header Length: 32 bytes (8)Flags: 0x010 (ACK)000. .... .... = Reserved: Not set...0 .... .... = Nonce: Not set.... 0... .... = Congestion Window Reduced (CWR): Not set.... .0.. .... = ECN-Echo: Not set.... ..0. .... = Urgent: Not set.... ...1 .... = Acknowledgment: Set.... .... 0... = Push: Not set.... .... .0.. = Reset: Not set.... .... ..0. = Syn: Not set.... .... ...0 = Fin: Not set[TCP Flags: ·······A····]Window size value: 1341[Calculated window size: 171648][Window size scaling factor: 128]Checksum: 0x4886 [unverified][Checksum Status: Unverified]Urgent pointer: 0Options: (12 bytes), No-Operation (NOP), No-Operation (NOP), TimestampsTCP Option - No-Operation (NOP)Kind: No-Operation (1)TCP Option - No-Operation (NOP)Kind: No-Operation (1)TCP Option - Timestamps: TSval 2292032113, TSecr 3883005416Kind: Time Stamp Option (8)Length: 10Timestamp value: 2292032113Timestamp echo reply: 3883005416[SEQ/ACK analysis][This is an ACK to the segment in frame: 1886][The RTT to ACK the segment was: 0.041837077 seconds][iRTT: 0.036936408 seconds][Timestamps][Time since first frame in this TCP stream: 5.288363338 seconds][Time since previous frame in this TCP stream: 0.041837077 seconds]

第三次揮手

Transmission Control Protocol, Src Port: 42942, Dst Port: 80, Seq: 431, Ack: 96358, Len: 0Source Port: 42942Destination Port: 80[Stream index: 42][TCP Segment Len: 0]Sequence number: 431 (relative sequence number)Sequence number (raw): 2725618684[Next sequence number: 432 (relative sequence number)]Acknowledgment number: 96358 (relative ack number)Acknowledgment number (raw): 35810066181000 .... = Header Length: 32 bytes (8)Flags: 0x011 (FIN, ACK)000. .... .... = Reserved: Not set...0 .... .... = Nonce: Not set.... 0... .... = Congestion Window Reduced (CWR): Not set.... .0.. .... = ECN-Echo: Not set.... ..0. .... = Urgent: Not set.... ...1 .... = Acknowledgment: Set.... .... 0... = Push: Not set.... .... .0.. = Reset: Not set.... .... ..0. = Syn: Not set.... .... ...1 = Fin: Set[Expert Info (Chat/Sequence): Connection finish (FIN)][Connection finish (FIN)][Severity level: Chat][Group: Sequence][TCP Flags: ·······A···F]Window size value: 1341[Calculated window size: 171648][Window size scaling factor: 128]Checksum: 0x4886 [unverified][Checksum Status: Unverified]Urgent pointer: 0Options: (12 bytes), No-Operation (NOP), No-Operation (NOP), TimestampsTCP Option - No-Operation (NOP)Kind: No-Operation (1)TCP Option - No-Operation (NOP)Kind: No-Operation (1)TCP Option - Timestamps: TSval 2292032716, TSecr 3883005416Kind: Time Stamp Option (8)Length: 10Timestamp value: 2292032716Timestamp echo reply: 3883005416[Timestamps][Time since first frame in this TCP stream: 5.891095824 seconds][Time since previous frame in this TCP stream: 0.602732486 seconds]

第四次揮手

Transmission Control Protocol, Src Port: 80, Dst Port: 42942, Seq: 96358, Ack: 432, Len: 0Source Port: 80Destination Port: 42942[Stream index: 42][TCP Segment Len: 0]Sequence number: 96358 (relative sequence number)Sequence number (raw): 3581006618[Next sequence number: 96358 (relative sequence number)]Acknowledgment number: 432 (relative ack number)Acknowledgment number (raw): 27256186851000 .... = Header Length: 32 bytes (8)Flags: 0x010 (ACK)000. .... .... = Reserved: Not set...0 .... .... = Nonce: Not set.... 0... .... = Congestion Window Reduced (CWR): Not set.... .0.. .... = ECN-Echo: Not set.... ..0. .... = Urgent: Not set.... ...1 .... = Acknowledgment: Set.... .... 0... = Push: Not set.... .... .0.. = Reset: Not set.... .... ..0. = Syn: Not set.... .... ...0 = Fin: Not set[TCP Flags: ·······A····]Window size value: 235[Calculated window size: 30080][Window size scaling factor: 128]Checksum: 0x88f5 [unverified][Checksum Status: Unverified]Urgent pointer: 0Options: (12 bytes), No-Operation (NOP), No-Operation (NOP), TimestampsTCP Option - No-Operation (NOP)Kind: No-Operation (1)TCP Option - No-Operation (NOP)Kind: No-Operation (1)TCP Option - Timestamps: TSval 3883006098, TSecr 2292032716Kind: Time Stamp Option (8)Length: 10Timestamp value: 3883006098Timestamp echo reply: 2292032716[SEQ/ACK analysis][This is an ACK to the segment in frame: 1894][The RTT to ACK the segment was: 0.037212056 seconds][iRTT: 0.036936408 seconds][Timestamps][Time since first frame in this TCP stream: 5.928307880 seconds][Time since previous frame in this TCP stream: 0.037212056 seconds]

---

TCP reset包

Transmission Control Protocol, Src Port: 58842, Dst Port: 443, Seq: 1, Ack: 33, Len: 0Source Port: 58842Destination Port: 443[Stream index: 0][TCP Segment Len: 0]Sequence number: 1 (relative sequence number)Sequence number (raw): 2675798108[Next sequence number: 1 (relative sequence number)]Acknowledgment number: 33 (relative ack number)Acknowledgment number (raw): 40358107200101 .... = Header Length: 20 bytes (5)Flags: 0x014 (RST, ACK)000. .... .... = Reserved: Not set...0 .... .... = Nonce: Not set.... 0... .... = Congestion Window Reduced (CWR): Not set.... .0.. .... = ECN-Echo: Not set.... ..0. .... = Urgent: Not set.... ...1 .... = Acknowledgment: Set.... .... 0... = Push: Not set.... .... .1.. = Reset: Set # 設置reset標記[Expert Info (Warning/Sequence): Connection reset (RST)][Connection reset (RST)][Severity level: Warning][Group: Sequence].... .... ..0. = Syn: Not set.... .... ...0 = Fin: Not set[TCP Flags: ·······A·R··]Window size value: 501[Calculated window size: 501][Window size scaling factor: -1 (unknown)]Checksum: 0x7114 [unverified][Checksum Status: Unverified]Urgent pointer: 0[Timestamps][Time since first frame in this TCP stream: 3.678235464 seconds][Time since previous frame in this TCP stream: 3.678165023 seconds]

TCP連接狀態機

總結

以上是生活随笔為你收集整理的TCP协议抓包分析 -- wireshark的全部內容，希望文章能夠幫你解決所遇到的問題。

如果覺得生活随笔網站內容還不錯，歡迎將生活随笔推薦給好友。