一、抓包准备工作
安装wireshark
sudo apt update
sudo apt install wireshark
运行
二、WireShark工具面板分析
上图中所显示的信息从上到下分布在 3 个面板中,每个面板包含的信息含义如下:
Packet List 面板:显示 Wireshark 捕获到的所有数据包,这些数据包从 1 进行顺序编号。
Packet Details 面板:显示一个数据包的详细内容信息,并且以层次结构进行显示。这些层次结构默认是折叠起来的,用户可以展开查看详细的内容信息。
Packet Bytes 面板:显示一个数据包未经处理的原始样子,数据是以十六进制和 ASCII 格式进行显示。
在Packet Details面板中:
Frame:物理层的数据帧概况。
Ethernet II:数据链路层以太网帧头部信息。
Internet Protocol Version 4:互联网层IP包头部信息。
Transmission Control Protocol:传输层的数据段头部信息,此处是TCP协议。
2.1面板数据解析
双击packet list面板数据包
Frame 6: 87 bytes on wire (696 bits), 87 bytes captured (696 bits) on interface lo, id 0 (第6帧数据,线路87字节,实际捕获87字节)
Section number: 1
Interface id: 0 (lo)(接口id)
Encapsulation type: Ethernet (1)(封装类型)
Arrival Time: Jan 9, 2024 09:07:39.315583109 CST(捕获日期和时间)
[Time shift for this packet: 0.000000000 seconds]
Epoch Time: 1704762459.315583109 seconds
[Time delta from previous captured frame: 0.000184924 seconds]
(此包与前一个包的时间间隔)
[Time delta from previous displayed frame: 0.000184924 seconds]
[Time since reference or first frame: 1.000935456 seconds]
(此包与第一帧的时间间隔)
Frame Number: 6 (帧序号)
Frame Length: 87 bytes (696 bits) (帧长度)
Capture Length: 87 bytes (696 bits)(捕获长度)
[Frame is marked: False] (此帧是否做了标记,false否)
[Frame is ignored: False](此帧是否做了标记,false否)
[Protocols in frame: eth:ethertype:ip:tcp:data](帧内封装层次协议结构,eth:ethertype:ip:tcp,以太网,以太网协议,ip,tcp)
[Coloring Rule Name: TCP](着色标记的协议名称)
[Coloring Rule String: tcp](着色显示的字符串)
Ethernet II, Src: 00:00:00_00:00:00 (00:00:00:00:00:00), Dst: 00:00:00_00:00:00 (00:00:00:00:00:00)
Destination: 00:00:00_00:00:00 (00:00:00:00:00:00)(目标地址)
Source: 00:00:00_00:00:00 (00:00:00:00:00:00)(源mac地址)
Type: IPv4 (0x0800)
Internet Protocol Version 4, Src: 127.0.0.1, Dst: 127.0.0.1(ipv4协议)
Transmission Control Protocol, Src Port: 8877, Dst Port: 60856, Seq: 1, Ack: 17, Len: 21
Data (21 bytes)(tcp协议)
三、TCP三次握手抓取
1.第一次握手
第一次握手建立连接时,客户端向服务器发送SYN报文(Seq=x,SYN=1),并进入SYN_SENT状态,等待服务器确认。
2.第二次握手
第二次握手实际上是分两部分来完成的,即SYN+ACK(请求和确认)报文。
(1)服务器收到了客户端的请求,向客户端回复一个确认信息(Ack=x+1)。
(2)服务器再向客户端发送一个SYN包(Seq=y)建立连接的请求,此时服务器进入SYN_RECV状态。
3.第三次握手
第三次握手客户端收到服务器的回复(SYN+ACK报文)。此时,客户端也要向服务器发送确认包(ACK)。此包发送完毕客户端和服务器进入ESTABLISHED 状态,完成三次握手。此时就可以进行数据传输了。
右键追踪流,点击tcp
右边为服务端发送给客户端数据,左边为客户端发送给服务端数据
以下为完整的三次握手数据:
第一次握手抓包分析
Frame 1: 74 bytes on wire (592 bits), 74 bytes captured (592 bits) on interface lo, id 0
Ethernet II, Src: 00:00:00_00:00:00 (00:00:00:00:00:00), Dst: 00:00:00_00:00:00 (00:00:00:00:00:00)
Internet Protocol Version 4, Src: 127.0.0.1, Dst: 127.0.0.1
Transmission Control Protocol, Src Port: 47544, Dst Port: 8887, Seq: 0, Len: 0
Source Port: 47544(源端口号)
Destination Port: 8887(目标端口号)
[Stream index: 0](流节点号)
[Conversation completeness: Complete, WITH_DATA (31)]
[TCP Segment Len: 0]
Sequence Number: 0 (relative sequence number)(序列号)
Sequence Number (raw): 98905648
[Next Sequence Number: 1 (relative sequence number)]
Acknowledgment Number: 0
Acknowledgment number (raw): 0
1010 .... = Header Length: 40 bytes (10)(标头长度)
Flags: 0x002 (SYN)(标志syn)
000. .... .... = Reserved: Not set
...0 .... .... = Accurate ECN: Not set
.... 0... .... = Congestion Window Reduced: Not set
.... .0.. .... = ECN-Echo: Not set
.... ..0. .... = Urgent: Not set(紧急指针)
.... ...0 .... = Acknowledgment: Not set(确认编号)
.... .... 0... = Push: Not set(紧急位)
.... .... .0.. = Reset: Not set(重置)
.... .... ..1. = Syn: Set(设置syn为一)
[Expert Info (Chat/Sequence): Connection establish request (SYN): server port 8887]
[Connection establish request (SYN): server port 8887](专家信息)
[Severity level: Chat](安全级别)
[Group: Sequence]
.... .... ...0 = Fin: Not set(fin标志位)
[TCP Flags: ··········S·]
Window: 65495(窗口大小)
[Calculated window size: 65495](估计的窗口大小)
Checksum: 0xfe30 [unverified]
[Checksum Status: Unverified](校验和)
Urgent Pointer: 0
Options: (20 bytes), Maximum segment size, SACK permitted, Timestamps, No-Operation (NOP), Window scale
TCP Option - Maximum segment size: 65495 bytes(最大段大小)
TCP Option - SACK permitted(tcp sack允许选项)
TCP Option - Timestamps(时间戳)
TCP Option - No-Operation (NOP)(无操作指令)
TCP Option - Window scale: 7 (multiply by 128)(窗口比例)
[Timestamps]
第二次握手抓包分析
Frame 2: 74 bytes on wire (592 bits), 74 bytes captured (592 bits) on interface lo, id 0
Ethernet II, Src: 00:00:00_00:00:00 (00:00:00:00:00:00), Dst: 00:00:00_00:00:00 (00:00:00:00:00:00)
Internet Protocol Version 4, Src: 127.0.0.1, Dst: 127.0.0.1
Transmission Control Protocol, Src Port: 8887, Dst Port: 47544, Seq: 0, Ack: 1, Len: 0
Source Port: 8887(源端口)
Destination Port: 47544(目标端口)
[Stream index: 0]
[Conversation completeness: Complete, WITH_DATA (31)]
[TCP Segment Len: 0]
Sequence Number: 0 (relative sequence number)(序列号seq=0)
Sequence Number (raw): 1715005940
[Next Sequence Number: 1 (relative sequence number)]
Acknowledgment Number: 1 (relative ack number)(确认编号ack1((seq)0+1))
Acknowledgment number (raw): 98905649
1010 .... = Header Length: 40 bytes (10)
Flags: 0x012 (SYN, ACK)(标志位)
000. .... .... = Reserved: Not set
...0 .... .... = Accurate ECN: Not set
.... 0... .... = Congestion Window Reduced: Not set
.... .0.. .... = ECN-Echo: Not set
.... ..0. .... = Urgent: Not set
.... ...1 .... = Acknowledgment: Set(ack确认设置)
.... .... 0... = Push: Not set
.... .... .0.. = Reset: Not set
.... .... ..1. = Syn: Set(请求位)
第三次握手抓包分析
Frame 3: 66 bytes on wire (528 bits), 66 bytes captured (528 bits) on interface lo, id 0
Ethernet II, Src: 00:00:00_00:00:00 (00:00:00:00:00:00), Dst: 00:00:00_00:00:00 (00:00:00:00:00:00)
Internet Protocol Version 4, Src: 127.0.0.1, Dst: 127.0.0.1
Transmission Control Protocol, Src Port: 47544, Dst Port: 8887, Seq: 1, Ack: 1, Len: 0
Source Port: 47544(源端口号)
Destination Port: 8887(目标端口号)
[Stream index: 0]
[Conversation completeness: Complete, WITH_DATA (31)]
[TCP Segment Len: 0]
Sequence Number: 1 (relative sequence number)(序列号seq1(sck))
Sequence Number (raw): 98905649
[Next Sequence Number: 1 (relative sequence number)]
Acknowledgment Number: 1 (relative ack number)(确认编号ack1((seq)0+1))
Acknowledgment number (raw): 1715005941
1000 .... = Header Length: 32 bytes (8)
Flags: 0x010 (ACK)(标志位)
000. .... .... = Reserved: Not set
...0 .... .... = Accurate ECN: Not set
.... 0... .... = Congestion Window Reduced: Not set
.... .0.. .... = ECN-Echo: Not set
.... ..0. .... = Urgent: Not set
.... ...1 .... = Acknowledgment: Set(确认编号已经设置)
.... .... 0... = Push: Not set
.... .... .0.. = Reset: Not set
.... .... ..0. = Syn: Not set
四、TCP四次挥手抓取
(1)客户端通过发送一个设置了 FIN和ACK标志的TCP数据包,告诉服务器通信已经完成。
(2)服务器收到客户端发送的数据包后,发送一个 ACK 数据包来响应客户端
(3)服务器再向客户端传输一个自己的 FIN/ACK 数据包。
(4)客户端收到服务器的FIN/ACK 包时,响应服务器一个ACK数据包。然后结束通信过程。
第一次挥手抓包分析
Frame 8: 66 bytes on wire (528 bits), 66 bytes captured (528 bits) on interface lo, id 0
Ethernet II, Src: 00:00:00_00:00:00 (00:00:00:00:00:00), Dst: 00:00:00_00:00:00 (00:00:00:00:00:00)
Internet Protocol Version 4, Src: 127.0.0.1, Dst: 127.0.0.1
Transmission Control Protocol, Src Port: 47544, Dst Port: 8887, Seq: 17, Ack: 22, Len: 0
Source Port: 47544(源端口号)
Destination Port: 8887(目标端口号)
[Stream index: 0]
[Conversation completeness: Complete, WITH_DATA (31)]
[TCP Segment Len: 0]
Sequence Number: 17 (relative sequence number)(序列号seq17)
Sequence Number (raw): 98905665
[Next Sequence Number: 18 (relative sequence number)](下一个序列号18)
Acknowledgment Number: 22 (relative ack number)(确认编号ack22)
Acknowledgment number (raw): 1715005962
1000 .... = Header Length: 32 bytes (8)
Flags: 0x011 (FIN, ACK)(标志位)
000. .... .... = Reserved: Not set
...0 .... .... = Accurate ECN: Not set
.... 0... .... = Congestion Window Reduced: Not set
.... .0.. .... = ECN-Echo: Not set
.... ..0. .... = Urgent: Not set
.... ...1 .... = Acknowledgment: Set(确认编号已设置)确认收到上次数据
.... .... 0... = Push: Not set
.... .... .0.. = Reset: Not set
.... .... ..0. = Syn: Not set
.... .... ...1 = Fin: Set(确认编号已设置)报文发送完毕,要求释放连接
[TCP Flags: ·······A···F]
第二次挥手抓包分析
Frame 9: 66 bytes on wire (528 bits), 66 bytes captured (528 bits) on interface lo, id 0
Ethernet II, Src: 00:00:00_00:00:00 (00:00:00:00:00:00), Dst: 00:00:00_00:00:00 (00:00:00:00:00:00)
Internet Protocol Version 4, Src: 127.0.0.1, Dst: 127.0.0.1
Transmission Control Protocol, Src Port: 8887, Dst Port: 47544, Seq: 22, Ack: 18, Len: 0
Source Port: 8887(源端口号)
Destination Port: 47544(目标端口号)
[Stream index: 0]
[Conversation completeness: Complete, WITH_DATA (31)]
[TCP Segment Len: 0]
Sequence Number: 22 (relative sequence number)(序列号seq2)
Sequence Number (raw): 1715005962
[Next Sequence Number: 22 (relative sequence number)]
Acknowledgment Number: 18 (relative ack number)(确认编号ack18)
Acknowledgment number (raw): 98905666
1000 .... = Header Length: 32 bytes (8)
Flags: 0x010 (ACK)(标志位)
000. .... .... = Reserved: Not set
...0 .... .... = Accurate ECN: Not set
.... 0... .... = Congestion Window Reduced: Not set
.... .0.. .... = ECN-Echo: Not set
.... ..0. .... = Urgent: Not set
.... ...1 .... = Acknowledgment: Set(确认编号已设置)
.... .... 0... = Push: Not set
.... .... .0.. = Reset: Not set
.... .... ..0. = Syn: Not set
.... .... ...0 = Fin: Not set
第三次挥手抓包分析
Frame 10: 66 bytes on wire (528 bits), 66 bytes captured (528 bits) on interface lo, id 0
Ethernet II, Src: 00:00:00_00:00:00 (00:00:00:00:00:00), Dst: 00:00:00_00:00:00 (00:00:00:00:00:00)
Internet Protocol Version 4, Src: 127.0.0.1, Dst: 127.0.0.1
Transmission Control Protocol, Src Port: 8887, Dst Port: 47544, Seq: 22, Ack: 18, Len: 0
Source Port: 8887(源端口号)
Destination Port: 47544(目标端口号)
[Stream index: 0]
[Conversation completeness: Complete, WITH_DATA (31)]
[TCP Segment Len: 0]
Sequence Number: 22 (relative sequence number)(序列号seq22)
Sequence Number (raw): 1715005962
[Next Sequence Number: 23 (relative sequence number)](下一个序列号23)
Acknowledgment Number: 18 (relative ack number)(确认编号ack18)
Acknowledgment number (raw): 98905666
1000 .... = Header Length: 32 bytes (8)
Flags: 0x011 (FIN, ACK)(标志位)
000. .... .... = Reserved: Not set
...0 .... .... = Accurate ECN: Not set
.... 0... .... = Congestion Window Reduced: Not set
.... .0.. .... = ECN-Echo: Not set
.... ..0. .... = Urgent: Not set
.... ...1 .... = Acknowledgment: Set(确认编号已设置)
.... .... 0... = Push: Not set
.... .... .0.. = Reset: Not set
.... .... ..0. = Syn: Not set
.... .... ...1 = Fin: Set(确认编号已设置)
第四次挥手抓包分析
Frame 11: 66 bytes on wire (528 bits), 66 bytes captured (528 bits) on interface lo, id 0
Ethernet II, Src: 00:00:00_00:00:00 (00:00:00:00:00:00), Dst: 00:00:00_00:00:00 (00:00:00:00:00:00)
Internet Protocol Version 4, Src: 127.0.0.1, Dst: 127.0.0.1
Transmission Control Protocol, Src Port: 47544, Dst Port: 8887, Seq: 18, Ack: 23, Len: 0
Source Port: 47544(源端口号)
Destination Port: 8887(目标端口号)
[Stream index: 0]
[Conversation completeness: Complete, WITH_DATA (31)]
[TCP Segment Len: 0]
Sequence Number: 18 (relative sequence number)(序列号seq18)
Sequence Number (raw): 98905666
[Next Sequence Number: 18 (relative sequence number)]
Acknowledgment Number: 23 (relative ack number)(确认编号ack23)
Acknowledgment number (raw): 1715005963
1000 .... = Header Length: 32 bytes (8)
Flags: 0x010 (ACK)(标志位)
000. .... .... = Reserved: Not set
...0 .... .... = Accurate ECN: Not set
.... 0... .... = Congestion Window Reduced: Not set
.... .0.. .... = ECN-Echo: Not set
.... ..0. .... = Urgent: Not set
.... ...1 .... = Acknowledgment: Set(确认编号已设置)
.... .... 0... = Push: Not set
.... .... .0.. = Reset: Not set
.... .... ..0. = Syn: Not set
.... .... ...0 = Fin: Not set
在使用软件对四次挥手抓包过程中,会出现只抓到三个包的情况,第二个包和第三个包出现了合并,这种情况通常是由于TCP的优化机制——捎带确认(piggybacking ACKs)。当服务器准备好关闭连接并发送FIN报文时,如果发现上一次接收到的客户端数据还没有发出ACK确认,则可以在同一个报文中同时设置FIN和ACK标志,即合并了第二个和第三个挥手动作。这样,原本的第二次挥手(ACK)和第三次挥手(FIN)就合并在了一个TCP报文中,因此抓包工具只会抓取到这个合并后的FIN+ACK报文以及后续的客户端ACK报文,总共是三个包。