
Software usage - Colasoft Network Analysis System 5.0: Decoding Common Protocol Packets in Detail.doc

电脑杂谈  Published: 2019-12-21 07:03:43  Source: compiled from the web


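Colasoft Network Analysis System 5.0: Common Protocol Decoding in Detail

Packet encapsulation layers

Layers of a decoded packet:

  Data Link Layer: e.g. device drivers
  Network Layer: e.g. IP, ICMP, IGMP
  Transport Layer: e.g. TCP, UDP
  Application Layer: e.g. FTP, HTTP, Email

The figure shows Colasoft 5.0's decode view of a packet, in which each protocol layer of the packet is decoded separately. From it we can see that the protocols are encapsulated from the outside in: the data link layer corresponds to the "Ethernet II" protocol, the network layer to "IP", the transport layer to "UDP", and the application layer to "DNS". Each of these four layers is explained below.

Ethernet packet structure

For detailed reference material on Ethernet II, see: /protocols/protocol_Ethernet%20Type%202.php

Protocol structure (field sizes in bytes):

  Pre (7) | SFD (1) | DA (6) | SA (6) | Length/Type (2) | Data unit + pad (46-1500) | FCS (4)

The figure below shows Colasoft 5.0's decode of the Ethernet II protocol; we use this example for the explanation:

  Destination MAC address: starts at offset 0, 6 bytes long
  Source MAC address: starts at offset 6, 6 bytes long
  Upper-layer protocol: starts at offset 12, 2 bytes long

Field descriptions:

  Destination address: DA, destination MAC address, 6 bytes
  Source addresses: SA, source MAC address, 6 bytes
  Protocol (Length/Type): type of the upper-layer protocol carried
  Data unit + pad: data field (46-1500 bytes)
  FCS: check (4 bytes)

MAC address: MAC addresses are hexadecimal-encoded. During decoding, the first 3 bytes, which identify the vendor, can be translated into the vendor name, which makes problems easier to locate. For example, when two devices on the network have conflicting IP addresses, the vendor information helps find the faulty device: 00e04C is TP-LINK, 000AKB is 迅捷 (FAST), 00A0C9 is Intel, and so on. This information can be found in the Ethernet Codes master page (Ethernet.txt) provided by Colasoft.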


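Upper-layer protocol: the upper-layer protocols carried by Ethernet II are mainly IP (0x800) and ARP (0x806).

IP protocol structure

For detailed reference material on IP, see: /protocols/protocol_IP.php

The IP header is structured as follows (bit positions 4, 8, 16, 19, 32):

  Ver | IHL | Type of service | Total length
  Identification | Flags | Fragment offset
  Time to live | Protocol | Header checksum
  Source address
  Destination address
  Option + Padding
  Data

The figure below shows Colasoft 5.0's decode of the IP layer; we use this example for the explanation.

The fields of the IP decode are explained below:

  Version: 4. The version number is 4, i.e. the IPv4 protocol.
  Header Length: 5. The header length is 20 bytes, 5 bits.
  Type of service: 000 0000. The type of service provided; shows a summary of the parameters.
    Precedence: routing priority information
    Delay: delay
    Throughput: throughput
    Reliability: reliability
  Total Length: 131. The total length is 131 (in bytes; the maximum is 65535 bytes).
  Identification: 10403. Identifier.
  Fragmentation Flags: 000. Flags.
    Reserved: reserved
    Fragment: fragment
    More Fragment: last fragment
  Fragment Offset: 0. Offset.
  Time to Live: TTL (Colasoft Network Analysis System 5.0: packets with TTL=0)
  Protocol: 17. Which protocol is carried: 1 = ICMP, 6 = TCP, 17 = UDP, 89 = OSPF.
  Check Sum: 0xCE73. Checksum over the IP header; 0xCE73 is correct.
  Source IP: source IP address
  Destination IP: destination IP address

ARP protocol structure

For detailed reference material on ARP, see: /protocols/protocol_ARP.php

The ARP protocol is structured as follows (bit positions 8, 16, 32):

  Hardware Type | Protocol Type
  Hardware address length | Protocol address length | Opcode
  Sender Hardware Address
  Sender Protocol Address
  Target Hardware Address
  Target Protocol Address

The figure below shows Colasoft 5.0's decode view of the ARP protocol. The ARP fields in it are explained in detail here:

  Hardware Type: 1 (hardware type). 16 bits. Defines the type of network on which ARP is running. Each LAN is assigned an integer according to its type; Ethernet, for example, is type 1. ARP can be used on any network.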


  Protocol Type: 0x0800 (protocol type). 16 bits. Defines the type of protocol; for example, 0x0800 stands for the IP protocol. ARP can be used with any higher-layer protocol.
  Hardware Length: 6 (hardware length). 8 bits. Defines the length of the physical address. The value for Ethernet is 6.
  Protocol Length: 4 (protocol length). 8 bits. Defines the length of the physical address. The value for IPv4 is 4.
  Type: 1 (operation type). 16 bits. Defines the operation type: 1 for a request, 2 for a reply.
  Source Physics: 00:A0:C9:BB:21:2A. Source MAC address.
  Source IP: Source Ip. Source IP address.
  Destination Physics: 00:00:00:00:00:00. Destination MAC address. In an ARP request packet this value is all zeros, because the requesting host does not know the destination host's MAC address.
  Destination IP: destination IP address

TCP protocol structure

For detailed reference material, see: /protocols/protocol_TCP.php

The protocol structure is as follows (bit positions 16, 32):

  Source port | Destination port
  Sequence number
  Acknowledgement number
  Offset | Reserved | U A P R S F | Window
  Checksum | Urgent pointer
  Option + Padding
  Data

The figure below shows Colasoft 5.0's decode view of the TCP protocol. The TCP fields in it are explained in detail here:

  Source Port: 80. Source port; HTTP uses port 80.
  Destination Port: 3406. Destination port.
  Sequence Number: 4161759990. 32 bits. The sequence number of the first data octet in this segment (except when SYN is present). If SYN is present, the sequence number is the initial sequence number (ISN) and the first data octet is ISN+1.
  Ack Number: 0. 32 bits. If the ACK control bit is set, this field contains the value of the next sequence number which the sender of the segment is expecting to receive. Once a connection is established, this value is always sent.
  Data Offset: 80
  Header Length: 80. 4 bits. The number of 32-bit words in the TCP header. This indicates where the data begins. The length of the TCP header is always a multiple of 32 bits.
  Reserved: 0. 6 bits. Reserved for future use. Must be cleared to zero.
  Urgent pointer: Urgent pointer field significant.
  Acknowledgment number: Acknowledgment field significant.
  Push Function: Push function.
  Reset the connection: Reset the connection.
  Synchronize sequence: Synchronize sequence numbers.
  End of data: No more data from sender.
  Window: 16 bits. It specifies the size of the sender's receive window, that is, the buffer space available in octets for incoming data.
  Check Sum: 16 bits. The checksum field is the 16 bit one's complement of the one's complement sum of all 16-bit words in the header and text. If a segment contains an odd number of header and text octets to be checksummed, the last octet is padded on the right with zeros to form a 16-bit word for checksum purposes. The pad is not transmitted as part of the segment. While computing the checksum, the checksum field itself is replaced with zeros.
  Urgent Pointer: 16 bits. This field communicates the current value of the urgent pointer as a positive offset from the sequence number in this segment. The urgent pointer points to the sequence number of the octet following the urgent data. This field can only be interpreted in segments for which the URG control bit has been set.

HTTP protocol structure

For detailed reference material, see: /protocols/protocol_HTTP.php

The structure of the HTTP protocol is as follows:

DNS protocol structure

For detailed reference material, see: /protocols/protocol_DNS.php

The structure of the DNS protocol is as follows (bit positions 16, 17, 21, 22, 23, 24, 25, 26, 27, 28, 32):

  Identification | QR | Opcode | AA | TC | RD | RA | Z | AD | CD | Rcode
  Question count | Answer count
  Authority count | Additional count

The figure below shows Colasoft 5.0's decode view of the DNS protocol. The DNS fields in it are explained in detail here:

  Identification: 43. Identifier, 16 bits.
  Flags:
    Query/Response: 1. Defines whether the message is a Query or a Response.
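The layered decode walked through above (Ethernet II fields at offsets 0, 6 and 12, then the IP header, then UDP), as an added example that is not from the original document or from Colasoft. The frame is constructed: it reuses the page's example values (source MAC 00:A0:C9:BB:21:2A, total length 131, identification 10403, protocol 17), while the destination MAC, IP addresses, TTL and ports are assumptions. `inet_checksum` also applies the odd-length zero-padding rule described in the TCP section.

```python
import struct

ETHERTYPES = {0x0800: "IP", 0x0806: "ARP"}               # values listed on the page
IP_PROTOCOLS = {1: "ICMP", 6: "TCP", 17: "UDP", 89: "OSPF"}

def inet_checksum(data: bytes) -> int:
    """16-bit one's complement of the one's complement sum of all 16-bit words."""
    if len(data) % 2:                     # odd length: pad on the right with a zero octet
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:                    # fold the carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def decode_frame(frame: bytes) -> dict:
    """Decode Ethernet II and, if it carries IP, the IPv4 header and a UDP header."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet II header")
    ethertype = struct.unpack("!H", frame[12:14])[0]          # offset 12, 2 bytes
    out = {"dst_mac": frame[0:6].hex(":").upper(),            # offset 0, 6 bytes
           "src_mac": frame[6:12].hex(":").upper(),           # offset 6, 6 bytes
           "oui": frame[6:9].hex().upper(),                   # first 3 bytes: vendor
           "upper": ETHERTYPES.get(ethertype, hex(ethertype))}
    if ethertype != 0x0800:
        return out
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4 if ip else 0                     # IHL counts 32-bit words
    if not ip or ip[0] >> 4 != 4 or ihl < 20 or len(ip) < ihl:
        raise ValueError("not a well-formed IPv4 header")
    total_len, ident, _frag, ttl, proto, _ck = struct.unpack("!HHHBBH", ip[2:12])
    out.update(header_len=ihl, total_length=total_len, identification=ident, ttl=ttl,
               protocol=IP_PROTOCOLS.get(proto, str(proto)),
               checksum_ok=inet_checksum(ip[:ihl]) == 0,      # a valid header sums to 0
               src_ip=".".join(map(str, ip[12:16])),
               dst_ip=".".join(map(str, ip[16:20])))
    if proto == 17 and len(ip) >= ihl + 8:
        sport, dport, ulen, _ = struct.unpack("!HHHH", ip[ihl:ihl + 8])
        out.update(src_port=sport, dst_port=dport, udp_length=ulen)
    return out

def build_sample() -> bytes:
    """Constructed frame with the page's values (length 131, id 10403, UDP); IPs made up."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 131, 10403, 0, 64, 17, 0,
                      bytes([192, 0, 2, 53]), bytes([192, 0, 2, 10]))
    hdr = hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]
    udp = struct.pack("!HHHH", 53, 1025, 111, 0) + bytes(103)  # 8 + 103 = 111 bytes
    return bytes.fromhex("001122334455" "00A0C9BB212A" "0800") + hdr + udp

if __name__ == "__main__":
    for key, value in decode_frame(build_sample()).items():
        print(f"{key:15} {value}")
```

A header whose recomputed checksum is not zero was altered or corrupted after the sender filled in the field, which is what an analyzer reports as an incorrect checksum.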


This article comes from 电脑杂谈. When reposting, please cite this article's URL:
http://www.pc-fly.com/a/ruanjian/article-134130-1.html
