TCP 握手数据包分析
一、客户端数据分析:
spu@spu:~/code/pcap$ tcpdump -r client_all.pcap -X
reading from file client_all.pcap, link-type EN10MB (Ethernet)
17:58:56.346748 IP 192.168.1.178.55814 > 192.168.1.117.socks: Flags [S], seq 2615205588, win 64240, options [mss 1460,sackOK,TS val 2960015764 ecr 0,nop,wscale 7], length 0
0x0000: 4500 003c 6c75 4000 4006 49cf c0a8 01b2 E..<lu@.@.I.....
0x0010: c0a8 0175 da06 0438 9be0 ded4 0000 0000 ...u...8........
0x0020: a002 faf0 7da0 0000 0204 05b4 0402 080a ....}...........
0x0030: b06e 4194 0000 0000 0103 0307 .nA.........
17:58:56.354743 IP 192.168.1.117.socks > 192.168.1.178.55814: Flags [S.], seq 3996464281, ack 2615205589, win 65160, options [mss 1460,sackOK,TS val 902936060 ecr 2960015764,nop,wscale 7], length 0
0x0000: 4500 003c 0000 4000 4006 b644 c0a8 0175 E..<..@.@..D...u
0x0010: c0a8 01b2 0438 da06 ee35 3499 9be0 ded5 .....8...54.....
0x0020: a012 fe88 6b5a 0000 0204 05b4 0402 080a ....kZ..........
0x0030: 35d1 b5fc b06e 4194 0103 0307 5....nA.....
17:58:56.354773 IP 192.168.1.178.55814 > 192.168.1.117.socks: Flags [.], ack 1, win 502, options [nop,nop,TS val 2960015772 ecr 902936060], length 0
0x0000: 4500 0034 6c76 4000 4006 49d6 c0a8 01b2 E..4lv@.@.I.....
0x0010: c0a8 0175 da06 0438 9be0 ded5 ee35 349a ...u...8.....54.
0x0020: 8010 01f6 96b1 0000 0101 080a b06e 419c .............nA.
0x0030: 35d1 b5fc 5...
spu@spu:~/code/containrc$ ./test/pcap_parse ../pcap/client_all.pcap
Capturing packets from ../pcap/client_all.pcap...
Source IP: 192.168.1.178, Destination IP: 192.168.1.117 syn 1 ack 0 check a07d seq 9be0ded4 ack_seq 0
Source IP: 192.168.1.117, Destination IP: 192.168.1.178 syn 1 ack 1 check 5a6b seq ee353499 ack_seq 9be0ded5
Source IP: 192.168.1.178, Destination IP: 192.168.1.117 syn 0 ack 1 check b196 seq 9be0ded5 ack_seq ee35349a
二、服务端数据分析:
spu@spu:~/code/pcap$ tcpdump -r server_all.pcap -X
reading from file server_all.pcap, link-type EN10MB (Ethernet)
17:58:47.812796 ARP, Request who-has 192.168.1.178 tell 192.168.1.1, length 46
0x0000: 0001 0800 0604 0001 7439 8998 c0f9 c0a8 ........t9......
0x0010: 0101 0000 0000 0000 c0a8 01b2 0000 0000 ................
0x0020: 0000 0000 0000 0000 0000 0000 0000 ..............
17:58:57.302898 IP 192.168.1.178.55814 > 192.168.1.117.socks: Flags [S], seq 2615205588, win 64240, options [mss 1460,sackOK,TS val 2960015764 ecr 0,nop,wscale 7], length 0
0x0000: 4500 003c 6c75 4000 4006 49cf c0a8 01b2 E..<lu@.@.I.....
0x0010: c0a8 0175 da06 0438 9be0 ded4 0000 0000 ...u...8........
0x0020: a002 faf0 7da0 0000 0204 05b4 0402 080a ....}...........
0x0030: b06e 4194 0000 0000 0103 0307 .nA.........
17:58:57.302957 IP 192.168.1.117.socks > 192.168.1.178.55814: Flags [S.], seq 3996464281, ack 2615205589, win 65160, options [mss 1460,sackOK,TS val 902936060 ecr 2960015764,nop,wscale 7], length 0
0x0000: 4500 003c 0000 4000 4006 b644 c0a8 0175 E..<..@.@..D...u
0x0010: c0a8 01b2 0438 da06 ee35 3499 9be0 ded5 .....8...54.....
0x0020: a012 fe88 84a6 0000 0204 05b4 0402 080a ................
0x0030: 35d1 b5fc b06e 4194 0103 0307 5....nA.....
17:58:57.312199 IP 192.168.1.178.55814 > 192.168.1.117.socks: Flags [.], ack 1, win 502, options [nop,nop,TS val 2960015772 ecr 902936060], length 0
0x0000: 4500 0034 6c76 4000 4006 49d6 c0a8 01b2 E..4lv@.@.I.....
0x0010: c0a8 0175 da06 0438 9be0 ded5 ee35 349a ...u...8.....54.
0x0020: 8010 01f6 96b1 0000 0101 080a b06e 419c .............nA.
0x0030: 35d1 b5fc 5...
spu@spu:~/code/containrc$ ./test/pcap_parse ../pcap/server_all.pcap
Capturing packets from ../pcap/server_all.pcap...
Source IP: 192.168.1.178, Destination IP: 192.168.1.117 syn 1 ack 0 check a07d seq 9be0ded4 ack_seq 0
Source IP: 192.168.1.117, Destination IP: 192.168.1.178 syn 1 ack 1 check a684 seq ee353499 ack_seq 9be0ded5
Source IP: 192.168.1.178, Destination IP: 192.168.1.117 syn 0 ack 1 check b196 seq 9be0ded5 ack_seq ee35349a
这里服务端发送的syn ack数据包的check 与客户端收到的syn ack数据包的check 不知道为什么不同。