抓了个IPv6包
发表于 · 归类于
技术 · 阅读完需 69 分钟 ·
阅读量 报告错误
最近百度云发布了BCC服务器 IPv6支持,就试着搭起了一个,百度智能云IPv6搭建LNMP站点,刚好,最近在学习CentOS7 tcpdump抓包,参考IPv4抓包过程,写个这个IPv6抓包文档。您也可以查看这篇关于 IPv6 的文章:IPv6笔记。
(一)IPv4的HTTP请求包
在抓 IPv6 包之前,先来抓个 IPv4 包,反正不要钱。
1.204.29.213.10484 > 172.17.27.211.http: Flags [P.], cksum 0x5580 (correct), seq 1:517, ack 1, win 258, length 516: HTTP, length: 516
GET /?plat=pc HTTP/1.1
0x0000: 4514 022c 1ddf 4000 7306 0054 01cc 1dd5 E..,..@.s..T....
0x0010: ac11 1bd3 28f4 0050 fb41 fd3f 7716 0212 ....(..P.A.?w...
0x0020: 5018 0102 5580 0000 4745 5420 2f3f 706c P...U...GET./?pl
0x0030: 6174 3d70 6320 4854 5450 2f31 2e31 0d0a at=pc.HTTP/1.1..
- 前面一行:说明了这个数据包是从 1.204.29.213 的10484端口发送到 172.17.27.211 的80端口,是HTTP的请求包,后面是TCP头部信息。
- (IP解析)每一行占16字节。第一行4514的4代表IPv4,5表示该IP头只有20字节,没有选项,14即为TOS。022c表示数据总长度(2*256+32+12=512+44=556),7306 0054:73为TTL,06为TCP协议(协议编号),0054为头部校验和。后两段为源地址,01cc 1dd5为源地址1.204.29.213;第二行前两段为目的地址,ac11 1bd3即目的地址为172.17.27.211。
- (TCP解析)第二行第三段第四段表示源端口和目的端口:28f4 0050,源端口为28f4(10484),目的端口为50(80)。fb41 fd3f 7716 0212前两段是seq号,后两段是ack号(自己去转换进制)。
- 第三行:5018,5表示5个32bit(这个TCP头大小是5*4=20个字节,10段) ,0是保留,18是标志位,对应tcpdump中的flag。
- 0102这个是数据窗口大小(10进制258),TCP流量控制关键的技术手段就是这个,具体什么意思我也不知道。5580校验和,不管他。0000这个通常和“标志位”配合使用,标志位设置URG (0x20)表示开启“紧急数据”,这个字段就是“紧急数据的序号”。
- (HTTP解析)4745 5420 2f3f 706c 6174 3d70,从这个部分开始,是HTTP解析内容,这里解出“GET /?plat=pc HTTP/1.1”,不用解释了吧。
(二)IPv6的HTTP包
抓包命令
tcpdump -X -i eth0 -vvvv -n port 80
(1)第一段包:三次握手
18:33:03.960296 IP6 (hlim 236, next-header TCP (6) payload length: 40) 2409:896a:430:773c:2:1:a23d:5414.41535 > 240c:4082:0:1e03::5.http: Flags [S], cksum 0xdedb (correct), seq 1463932929, win 65535, options [mss 1350,sackOK,TS val 15594760 ecr 0,nop,wscale 6], length 0
0x0000: 6000 0000 0028 06ec 2409 896a 0430 773c `....(..$..j.0w<
0x0010: 0002 0001 a23d 5414 240c 4082 0000 1e03 .....=T.$.@.....
0x0020: 0000 0000 0000 0005 a23f 0050 5741 d801 .........?.PWA..
0x0030: 0000 0000 a002 ffff dedb 0000 0204 0546 ...............F
0x0040: 0402 080a 00ed f508 0000 0000 0103 0306 ................
18:33:03.960360 IP6 (hlim 64, next-header TCP (6) payload length: 40) 240c:4082:0:1e03::5.http > 2409:896a:430:773c:2:1:a23d:5414.41535: Flags [S.], cksum 0xa1f9 (incorrect -> 0x14ae), seq 398543506, ack 1463932930, win 28560, options [mss 1440,sackOK,TS val 6092673 ecr 15594760,nop,wscale 7], length 0
0x0000: 6000 0000 0028 0640 240c 4082 0000 1e03 `....(.@$.@.....
0x0010: 0000 0000 0000 0005 2409 896a 0430 773c ........$..j.0w<
0x0020: 0002 0001 a23d 5414 0050 a23f 17c1 4a92 .....=T..P.?..J.
0x0030: 5741 d802 a012 6f90 a1f9 0000 0204 05a0 WA....o.........
0x0040: 0402 080a 005c f781 00ed f508 0103 0307 .....\..........
18:33:04.029632 IP6 (hlim 236, next-header TCP (6) payload length: 32) 2409:896a:430:773c:2:1:a23d:5414.41535 > 240c:4082:0:1e03::5.http: Flags [.], cksum 0xadfd (correct), seq 1, ack 1, win 1266, options [nop,nop,TS val 15594767 ecr 6092673], length 0
0x0000: 6000 0000 0020 06ec 2409 896a 0430 773c `.......$..j.0w<
0x0010: 0002 0001 a23d 5414 240c 4082 0000 1e03 .....=T.$.@.....
0x0020: 0000 0000 0000 0005 a23f 0050 5741 d802 .........?.PWA..
0x0030: 17c1 4a93 8010 04f2 adfd 0000 0101 080a ..J.............
0x0040: 00ed f50f 005c f781 .....\..
- 第一个握手包:
6000 0000 0028 06ec:6即IP版本IPv6,后面00为流量类型,00000为流标签,0028 0有效载荷长度640,6为下一报头,ec为跳数限制236。2409 896a 0430 773c 0002 0001 a23d 5414:即为源IPv6地址。240c 4082 0000 1e03 0000 0000 0000 0005:为目的IPv6地址。a23f 0050:a23f为源端口41535,0050为目的端口80。5741 d801 0000 0000:前两段是seq号1463932929,后两段0000 0000即没有ack。a002 ffff dedb 0000:(这一段能拆分就行了)a为偏移量,002即二进制0000 0000 0010,即标志位SYN为1,ffff为窗口字段,dedb为校验和,0000紧急指针。
- 第二个握手包:
17c1 4a92 5741 d802:seq号为398543506,ack号为1463932930
- 第三个握手包:
5741 d802 17c1 4a93:seq号为1463932930,ack号为398543507
(2)第二段包:HTTP请求
18:33:04.314851 IP6 (hlim 236, next-header TCP (6) payload length: 502) 2409:896a:430:773c:2:1:a23d:5414.41535 > 240c:4082:0:1e03::5.http: Flags [P.], cksum 0xafad (correct), seq 1:471, ack 1, win 1266, options [nop,nop,TS val 15594795 ecr 6092673], length 470: HTTP, length: 470
GET /?t=4 HTTP/1.1
Host: ipv6.ayouleyang.cn
Connection: keep-alive
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Linux; Android 6.0; 1505-A01 Build/MRA58K; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/62.0.3202.97 Mobile Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,en-US;q=0.9
Cookie: _ga=GA1.2.142392291.1560353173
0x0000: 6000 0000 01f6 06ec 2409 896a 0430 773c `.......$..j.0w<
0x0010: 0002 0001 a23d 5414 240c 4082 0000 1e03 .....=T.$.@.....
0x0020: 0000 0000 0000 0005 a23f 0050 5741 d802 .........?.PWA..
0x0030: 17c1 4a93 8018 04f2 afad 0000 0101 080a ..J.............
0x0040: 00ed f52b 005c f781 4745 5420 2f3f 743d ...+.\..GET./?t=
0x0050: 3420 4854 5450 2f31 2e31 0d0a 486f 7374 4.HTTP/1.1..Host
0x0060: 3a20 6970 7636 2e61 796f 756c 6579 616e :.ipv6.ayouleyan
0x0070: 672e 636e 0d0a 436f 6e6e 6563 7469 6f6e g.cn..Connection
0x0080: 3a20 6b65 6570 2d61 6c69 7665 0d0a 5570 :.keep-alive..Up
0x0090: 6772 6164 652d 496e 7365 6375 7265 2d52 grade-Insecure-R
0x00a0: 6571 7565 7374 733a 2031 0d0a 5573 6572 equests:.1..User
0x00b0: 2d41 6765 6e74 3a20 4d6f 7a69 6c6c 612f -Agent:.Mozilla/
0x00c0: 352e 3020 284c 696e 7578 3b20 416e 6472 5.0.(Linux;.Andr
0x00d0: 6f69 6420 362e 303b 2031 3530 352d 4130 oid.6.0;.1505-A0
0x00e0: 3120 4275 696c 642f 4d52 4135 384b 3b20 1.Build/MRA58K;.
0x00f0: 7776 2920 4170 706c 6557 6562 4b69 742f wv).AppleWebKit/
0x0100: 3533 372e 3336 2028 4b48 544d 4c2c 206c 537.36.(KHTML,.l
0x0110: 696b 6520 4765 636b 6f29 2056 6572 7369 ike.Gecko).Versi
0x0120: 6f6e 2f34 2e30 2043 6872 6f6d 652f 3632 on/4.0.Chrome/62
0x0130: 2e30 2e33 3230 322e 3937 204d 6f62 696c .0.3202.97.Mobil
0x0140: 6520 5361 6661 7269 2f35 3337 2e33 360d e.Safari/537.36.
0x0150: 0a41 6363 6570 743a 2074 6578 742f 6874 .Accept:.text/ht
0x0160: 6d6c 2c61 7070 6c69 6361 7469 6f6e 2f78 ml,application/x
0x0170: 6874 6d6c 2b78 6d6c 2c61 7070 6c69 6361 html+xml,applica
0x0180: 7469 6f6e 2f78 6d6c 3b71 3d30 2e39 2c69 tion/xml;q=0.9,i
0x0190: 6d61 6765 2f77 6562 702c 696d 6167 652f mage/webp,image/
0x01a0: 6170 6e67 2c2a 2f2a 3b71 3d30 2e38 0d0a apng,*/*;q=0.8..
0x01b0: 4163 6365 7074 2d45 6e63 6f64 696e 673a Accept-Encoding:
0x01c0: 2067 7a69 702c 2064 6566 6c61 7465 0d0a .gzip,.deflate..
0x01d0: 4163 6365 7074 2d4c 616e 6775 6167 653a Accept-Language:
0x01e0: 207a 682d 434e 2c65 6e2d 5553 3b71 3d30 .zh-CN,en-US;q=0
0x01f0: 2e39 0d0a 436f 6f6b 6965 3a20 5f67 613d .9..Cookie:._ga=
0x0200: 4741 312e 322e 3134 3233 3932 3239 312e GA1.2.142392291.
0x0210: 3135 3630 3335 3331 3733 0d0a 0d0a 1560353173....
6000 0000 01f6 06ec:6即IP版本IPv6,后面00为流量类型,00000为流标签,01f6 0有效载荷长度xxx,6为下一报头,ec为跳数限制236。2409 896a 0430 773c 0002 0001 a23d 5414:即为源IPv6地址。240c 4082 0000 1e03 0000 0000 0000 0005:为目的IPv6地址。a23f 0050:a23f为源端口41535,0050为目的端口80。5741 d802 17c1 4a93:前两段是seq号1463932930,后两段ack为398543507。
(3)第三段包:未知
18:33:04.314899 IP6 (hlim 64, next-header TCP (6) payload length: 32) 240c:4082:0:1e03::5.http > 2409:896a:430:773c:2:1:a23d:5414.41535: Flags [.], cksum 0xa1f1 (incorrect -> 0xaeb2), seq 1, ack 471, win 232, options [nop,nop,TS val 6093028 ecr 15594795], length 0
0x0000: 6000 0000 0020 0640 240c 4082 0000 1e03 `......@$.@.....
0x0010: 0000 0000 0000 0005 2409 896a 0430 773c ........$..j.0w<
0x0020: 0002 0001 a23d 5414 0050 a23f 17c1 4a93 .....=T..P.?..J.
0x0030: 5741 d9d8 8010 00e8 a1f1 0000 0101 080a WA..............
0x0040: 005c f8e4 00ed f52b .\.....+
(4)第四段包:HTTP响应
18:33:04.315390 IP6 (hlim 64, next-header TCP (6) payload length: 641) 240c:4082:0:1e03::5.http > 2409:896a:430:773c:2:1:a23d:5414.41535: Flags [P.], cksum 0xa452 (incorrect -> 0x49f8), seq 1:610, ack 471, win 232, options [nop,nop,TS val 6093028 ecr 15594795], length 609: HTTP, length: 609
HTTP/1.1 200 OK
Server: nginx/1.12.2
Date: Sat, 06 Jul 2019 10:33:04 GMT
Content-Type: text/html
Content-Length: 371
Last-Modified: Sat, 06 Jul 2019 09:32:38 GMT
Connection: keep-alive
ETag: "5d206ab6-173"
Accept-Ranges: bytes
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta charset="utf-8">
0x0000: 6000 0000 0281 0640 240c 4082 0000 1e03 `......@$.@.....
0x0010: 0000 0000 0000 0005 2409 896a 0430 773c ........$..j.0w<
0x0020: 0002 0001 a23d 5414 0050 a23f 17c1 4a93 .....=T..P.?..J.
0x0030: 5741 d9d8 8018 00e8 a452 0000 0101 080a WA.......R......
0x0040: 005c f8e4 00ed f52b 4854 5450 2f31 2e31 .\.....+HTTP/1.1
0x0050: 2032 3030 204f 4b0d 0a53 6572 7665 723a .200.OK..Server:
0x0060: 206e 6769 6e78 2f31 2e31 322e 320d 0a44 .nginx/1.12.2..D
0x0070: 6174 653a 2053 6174 2c20 3036 204a 756c ate:.Sat,.06.Jul
0x0080: 2032 3031 3920 3130 3a33 333a 3034 2047 .2019.10:33:04.G
0x0090: 4d54 0d0a 436f 6e74 656e 742d 5479 7065 MT..Content-Type
0x00a0: 3a20 7465 7874 2f68 746d 6c0d 0a43 6f6e :.text/html..Con
0x00b0: 7465 6e74 2d4c 656e 6774 683a 2033 3731 tent-Length:.371
0x00c0: 0d0a 4c61 7374 2d4d 6f64 6966 6965 643a ..Last-Modified:
0x00d0: 2053 6174 2c20 3036 204a 756c 2032 3031 .Sat,.06.Jul.201
0x00e0: 3920 3039 3a33 323a 3338 2047 4d54 0d0a 9.09:32:38.GMT..
0x00f0: 436f 6e6e 6563 7469 6f6e 3a20 6b65 6570 Connection:.keep
0x0100: 2d61 6c69 7665 0d0a 4554 6167 3a20 2235 -alive..ETag:."5
0x0110: 6432 3036 6162 362d 3137 3322 0d0a 4163 d206ab6-173"..Ac
0x0120: 6365 7074 2d52 616e 6765 733a 2062 7974 cept-Ranges:.byt
0x0130: 6573 0d0a 0d0a 3c68 746d 6c20 786d 6c6e es....<html.xmln
0x0140: 733d 2268 7474 703a 2f2f 7777 772e 7733 s="http://www.w3
0x0150: 2e6f 7267 2f31 3939 392f 7868 746d 6c22 .org/1999/xhtml"
0x0160: 3e0a 3c68 6561 643e 0a3c 6d65 7461 2063 >.<head>.<meta.c
0x0170: 6861 7273 6574 3d22 7574 662d 3822 3e0a harset="utf-8">.
0x0180: 3c74 6974 6c65 3ee7 bd91 e7ab 99e5 bbba <title>.........
0x0190: e8ae bee4 b8ad 3c2f 7469 746c 653e 0a3c ......</title>.<
0x01a0: 6d65 7461 2068 7474 702d 6571 7569 763d meta.http-equiv=
0x01b0: 2258 2d55 412d 436f 6d70 6174 6962 6c65 "X-UA-Compatible
0x01c0: 2220 636f 6e74 656e 743d 2249 453d 6564 ".content="IE=ed
0x01d0: 6765 223e 0a3c 6d65 7461 206e 616d 653d ge">.<meta.name=
0x01e0: 2276 6965 7770 6f72 7422 2063 6f6e 7465 "viewport".conte
0x01f0: 6e74 3d22 7769 6474 683d 6465 7669 6365 nt="width=device
0x0200: 2d77 6964 7468 2c20 696e 6974 6961 6c2d -width,.initial-
0x0210: 7363 616c 653d 3122 3e0a 3c2f 6865 6164 scale=1">.</head
0x0220: 3e0a 3c62 6f64 793e 0a3c 7020 616c 6967 >.<body>.<p.alig
0x0230: 6e3d 2263 656e 7465 7222 2073 7479 6c65 n="center".style
0x0240: 3d22 666f 6e74 2d73 697a 653a 3238 7078 ="font-size:28px
0x0250: 3b20 666f 6e74 2d77 6569 6768 743a 626f ;.font-weight:bo
0x0260: 6c64 3b6d 6172 6769 6e2d 746f 703a 3530 ld;margin-top:50
0x0270: 7078 3b22 3ee7 b3bb e7bb 9fe7 bbb4 e68a px;">...........
0x0280: a4e4 b8ad 20e6 95ac e8af b7e6 9c9f e5be ................
0x0290: 85ef bc81 3c2f 703e 0a3c 2f62 6f64 793e ....</p>.</body>
0x02a0: 0a3c 2f68 746d 6c3e 0a .</html>.
附:服务器上 /index.html 的内容
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta charset="utf-8">
<title>网站建设中</title>
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1">
</head>
<body>
<p align="center" style="font-size:28px; font-weight:bold;margin-top:50px;">系统维护中 敬请期待!</p>
</body>
</html>
第五段包:(未知,根据TCP协议,不是四次挥手)
18:33:04.389347 IP6 (hlim 236, next-header TCP (6) payload length: 32) 2409:896a:430:773c:2:1:a23d:5414.41535 > 240c:4082:0:1e03::5.http: Flags [.], cksum 0xa819 (correct), seq 471, ack 610, win 1304, options [nop,nop,TS val 15594803 ecr 6093028], length 0
0x0000: 6000 0000 0020 06ec 2409 896a 0430 773c `.......$..j.0w<
0x0010: 0002 0001 a23d 5414 240c 4082 0000 1e03 .....=T.$.@.....
0x0020: 0000 0000 0000 0005 a23f 0050 5741 d9d8 .........?.PWA..
0x0030: 17c1 4cf4 8010 0518 a819 0000 0101 080a ..L.............
0x0040: 00ed f533 005c f8e4 ...3.\..
18:33:04.729402 IP6 (hlim 236, next-header TCP (6) payload length: 40) 2409:896a:430:773c:2:1:a23d:5414.41534 > 240c:4082:0:1e03::5.http: Flags [S], cksum 0x6b12 (correct), seq 1812936370, win 65535, options [mss 1350,sackOK,TS val 15594836 ecr 0,nop,wscale 6], length 0
0x0000: 6000 0000 0028 06ec 2409 896a 0430 773c `....(..$..j.0w<
0x0010: 0002 0001 a23d 5414 240c 4082 0000 1e03 .....=T.$.@.....
0x0020: 0000 0000 0000 0005 a23e 0050 6c0f 36b2 .........>.Pl.6.
0x0030: 0000 0000 a002 ffff 6b12 0000 0204 0546 ........k......F
0x0040: 0402 080a 00ed f554 0000 0000 0103 0306 .......T........
18:33:04.729453 IP6 (hlim 64, next-header TCP (6) payload length: 40) 240c:4082:0:1e03::5.http > 2409:896a:430:773c:2:1:a23d:5414.41534: Flags [S.], cksum 0xa1f9 (incorrect -> 0xf40f), seq 3910738701, ack 1812936371, win 28560, options [mss 1440,sackOK,TS val 6093442 ecr 15594836,nop,wscale 7], length 0
0x0000: 6000 0000 0028 0640 240c 4082 0000 1e03 `....(.@$.@.....
0x0010: 0000 0000 0000 0005 2409 896a 0430 773c ........$..j.0w<
0x0020: 0002 0001 a23d 5414 0050 a23e e919 230d .....=T..P.>..#.
0x0030: 6c0f 36b3 a012 6f90 a1f9 0000 0204 05a0 l.6...o.........
0x0040: 0402 080a 005c fa82 00ed f554 0103 0307 .....\.....T....
18:33:04.799463 IP6 (hlim 236, next-header TCP (6) payload length: 32) 2409:896a:430:773c:2:1:a23d:5414.41534 > 240c:4082:0:1e03::5.http: Flags [.], cksum 0x8d5e (correct), seq 1, ack 1, win 1266, options [nop,nop,TS val 15594844 ecr 6093442], length 0
0x0000: 6000 0000 0020 06ec 2409 896a 0430 773c `.......$..j.0w<
0x0010: 0002 0001 a23d 5414 240c 4082 0000 1e03 .....=T.$.@.....
0x0020: 0000 0000 0000 0005 a23e 0050 6c0f 36b3 .........>.Pl.6.
0x0030: e919 230e 8010 04f2 8d5e 0000 0101 080a ..#......^......
0x0040: 00ed f55c 005c fa82 ...\.\..
第六段:HTTP其他请求
大家都知道,浏览器会默认发一个/favicon.ico的请求,用于获取网页的图标。(如果你不懂的话,你就当你已经懂了。)以下是为该文件的请求与响应。
- 说明一下:
/404.html文件漏掉了<html>标签了
18:33:05.634355 IP6 (hlim 236, next-header TCP (6) payload length: 474) 2409:896a:430:773c:2:1:a23d:5414.41535 > 240c:4082:0:1e03::5.http: Flags [P.], cksum 0x3606 (correct), seq 471:913, ack 610, win 1304, options [nop,nop,TS val 15594926 ecr 6093028], length 442: HTTP, length: 442
GET /favicon.ico HTTP/1.1
Host: ipv6.ayouleyang.cn
Connection: keep-alive
User-Agent: Mozilla/5.0 (Linux; Android 6.0; 1505-A01 Build/MRA58K; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/62.0.3202.97 Mobile Safari/537.36
Accept: image/webp,image/apng,image/*,*/*;q=0.8
Referer: http://ipv6.ayouleyang.cn/?t=4
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,en-US;q=0.9
Cookie: _ga=GA1.2.142392291.1560353173
0x0000: 6000 0000 01da 06ec 2409 896a 0430 773c `.......$..j.0w<
0x0010: 0002 0001 a23d 5414 240c 4082 0000 1e03 .....=T.$.@.....
0x0020: 0000 0000 0000 0005 a23f 0050 5741 d9d8 .........?.PWA..
0x0030: 17c1 4cf4 8018 0518 3606 0000 0101 080a ..L.....6.......
0x0040: 00ed f5ae 005c f8e4 4745 5420 2f66 6176 .....\..GET./fav
0x0050: 6963 6f6e 2e69 636f 2048 5454 502f 312e icon.ico.HTTP/1.
0x0060: 310d 0a48 6f73 743a 2069 7076 362e 6179 1..Host:.ipv6.ay
0x0070: 6f75 6c65 7961 6e67 2e63 6e0d 0a43 6f6e ouleyang.cn..Con
0x0080: 6e65 6374 696f 6e3a 206b 6565 702d 616c nection:.keep-al
0x0090: 6976 650d 0a55 7365 722d 4167 656e 743a ive..User-Agent:
0x00a0: 204d 6f7a 696c 6c61 2f35 2e30 2028 4c69 .Mozilla/5.0.(Li
0x00b0: 6e75 783b 2041 6e64 726f 6964 2036 2e30 nux;.Android.6.0
0x00c0: 3b20 3135 3035 2d41 3031 2042 7569 6c64 ;.1505-A01.Build
0x00d0: 2f4d 5241 3538 4b3b 2077 7629 2041 7070 /MRA58K;.wv).App
0x00e0: 6c65 5765 624b 6974 2f35 3337 2e33 3620 leWebKit/537.36.
0x00f0: 284b 4854 4d4c 2c20 6c69 6b65 2047 6563 (KHTML,.like.Gec
0x0100: 6b6f 2920 5665 7273 696f 6e2f 342e 3020 ko).Version/4.0.
0x0110: 4368 726f 6d65 2f36 322e 302e 3332 3032 Chrome/62.0.3202
0x0120: 2e39 3720 4d6f 6269 6c65 2053 6166 6172 .97.Mobile.Safar
0x0130: 692f 3533 372e 3336 0d0a 4163 6365 7074 i/537.36..Accept
0x0140: 3a20 696d 6167 652f 7765 6270 2c69 6d61 :.image/webp,ima
0x0150: 6765 2f61 706e 672c 696d 6167 652f 2a2c ge/apng,image/*,
0x0160: 2a2f 2a3b 713d 302e 380d 0a52 6566 6572 */*;q=0.8..Refer
0x0170: 6572 3a20 6874 7470 3a2f 2f69 7076 362e er:.http://ipv6.
0x0180: 6179 6f75 6c65 7961 6e67 2e63 6e2f 3f74 ayouleyang.cn/?t
0x0190: 3d34 0d0a 4163 6365 7074 2d45 6e63 6f64 =4..Accept-Encod
0x01a0: 696e 673a 2067 7a69 702c 2064 6566 6c61 ing:.gzip,.defla
0x01b0: 7465 0d0a 4163 6365 7074 2d4c 616e 6775 te..Accept-Langu
0x01c0: 6167 653a 207a 682d 434e 2c65 6e2d 5553 age:.zh-CN,en-US
0x01d0: 3b71 3d30 2e39 0d0a 436f 6f6b 6965 3a20 ;q=0.9..Cookie:.
0x01e0: 5f67 613d 4741 312e 322e 3134 3233 3932 _ga=GA1.2.142392
0x01f0: 3239 312e 3135 3630 3335 3331 3733 0d0a 291.1560353173..
0x0200: 0d0a ..
18:33:05.634840 IP6 (hlim 64, next-header TCP (6) payload length: 527) 240c:4082:0:1e03::5.http > 2409:896a:430:773c:2:1:a23d:5414.41535: Flags [P.], cksum 0xa3e0 (incorrect -> 0xb5c5), seq 610:1105, ack 913, win 240, options [nop,nop,TS val 6094348 ecr 15594926], length 495: HTTP, length: 495
HTTP/1.1 404 Not Found
Server: nginx/1.12.2
Date: Sat, 06 Jul 2019 10:33:05 GMT
Content-Type: text/html
Content-Length: 318
Connection: keep-alive
ETag: "5d2076a3-13e"
<head>
<meta charset="utf-8">
<title>404</title>
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1">
</head>
<body>
0x0000: 6000 0000 020f 0640 240c 4082 0000 1e03 `......@$.@.....
0x0010: 0000 0000 0000 0005 2409 896a 0430 773c ........$..j.0w<
0x0020: 0002 0001 a23d 5414 0050 a23f 17c1 4cf4 .....=T..P.?..L.
0x0030: 5741 db92 8018 00f0 a3e0 0000 0101 080a WA..............
0x0040: 005c fe0c 00ed f5ae 4854 5450 2f31 2e31 .\......HTTP/1.1
0x0050: 2034 3034 204e 6f74 2046 6f75 6e64 0d0a .404.Not.Found..
0x0060: 5365 7276 6572 3a20 6e67 696e 782f 312e Server:.nginx/1.
0x0070: 3132 2e32 0d0a 4461 7465 3a20 5361 742c 12.2..Date:.Sat,
0x0080: 2030 3620 4a75 6c20 3230 3139 2031 303a .06.Jul.2019.10:
0x0090: 3333 3a30 3520 474d 540d 0a43 6f6e 7465 33:05.GMT..Conte
0x00a0: 6e74 2d54 7970 653a 2074 6578 742f 6874 nt-Type:.text/ht
0x00b0: 6d6c 0d0a 436f 6e74 656e 742d 4c65 6e67 ml..Content-Leng
0x00c0: 7468 3a20 3331 380d 0a43 6f6e 6e65 6374 th:.318..Connect
0x00d0: 696f 6e3a 206b 6565 702d 616c 6976 650d ion:.keep-alive.
0x00e0: 0a45 5461 673a 2022 3564 3230 3736 6133 .ETag:."5d2076a3
0x00f0: 2d31 3365 220d 0a0d 0a3c 6865 6164 3e0a -13e"....<head>.
0x0100: 3c6d 6574 6120 6368 6172 7365 743d 2275 <meta.charset="u
0x0110: 7466 2d38 223e 0a3c 7469 746c 653e 3430 tf-8">.<title>40
0x0120: 343c 2f74 6974 6c65 3e0a 3c6d 6574 6120 4</title>.<meta.
0x0130: 6874 7470 2d65 7175 6976 3d22 582d 5541 http-equiv="X-UA
0x0140: 2d43 6f6d 7061 7469 626c 6522 2063 6f6e -Compatible".con
0x0150: 7465 6e74 3d22 4945 3d65 6467 6522 3e0a tent="IE=edge">.
0x0160: 3c6d 6574 6120 6e61 6d65 3d22 7669 6577 <meta.name="view
0x0170: 706f 7274 2220 636f 6e74 656e 743d 2277 port".content="w
0x0180: 6964 7468 3d64 6576 6963 652d 7769 6474 idth=device-widt
0x0190: 682c 2069 6e69 7469 616c 2d73 6361 6c65 h,.initial-scale
0x01a0: 3d31 223e 0a3c 2f68 6561 643e 0a3c 626f =1">.</head>.<bo
0x01b0: 6479 3e0a 3c70 2061 6c69 676e 3d22 6365 dy>.<p.align="ce
0x01c0: 6e74 6572 2220 7374 796c 653d 2266 6f6e nter".style="fon
0x01d0: 742d 7369 7a65 3a32 3870 783b 2066 6f6e t-size:28px;.fon
0x01e0: 742d 7765 6967 6874 3a62 6f6c 643b 6d61 t-weight:bold;ma
0x01f0: 7267 696e 2d74 6f70 3a35 3070 783b 223e rgin-top:50px;">
0x0200: 3430 342d e682 a8e8 aebf e997 aee7 9a84 404-............
0x0210: e8b5 84e6 ba90 e4b8 8de5 ad98 e59c a8e3 ................
0x0220: 8082 3c2f 703e 0a3c 2f62 6f64 793e 0a3c ..</p>.</body>.<
0x0230: 2f68 746d 6c3e 0a /html>.
第七段包:
18:33:05.709495 IP6 (hlim 236, next-header TCP (6) payload length: 32) 2409:896a:430:773c:2:1:a23d:5414.41535 > 240c:4082:0:1e03::5.http: Flags [.], cksum 0x9e9e (correct), seq 913, ack 1105, win 1342, options [nop,nop,TS val 15594935 ecr 6094348], length 0
0x0000: 6000 0000 0020 06ec 2409 896a 0430 773c `.......$..j.0w<
0x0010: 0002 0001 a23d 5414 240c 4082 0000 1e03 .....=T.$.@.....
0x0020: 0000 0000 0000 0005 a23f 0050 5741 db92 .........?.PWA..
0x0030: 17c1 4ee3 8010 053e 9e9e 0000 0101 080a ..N....>........
0x0040: 00ed f5b7 005c fe0c .....\..
第八段包:(啊呀!忘了抓HTTP四次挥手包了,下次补上)
(三)IPv6的DNS请求包-基于Wireshark 2020-11记录
在IPv6环境下请求解析www.cctv.com的UDP包
0000 94 0b 19 0d 09 e6 6c 4b 90 8a 88 02 86 dd 60 02 ......lK......`.
0010 36 b3 00 26 11 40 fe 80 00 00 00 00 00 00 a4 14 6..&.@..........
0020 1e b5 93 1b 4c d2 fe 80 00 00 00 00 00 00 00 00 ....L...........
0030 00 00 00 00 00 01 df 21 00 35 00 26 9f f1 80 68 .......!.5.&...h
0040 01 00 00 01 00 00 00 00 00 00 03 77 77 77 04 63 ...........www.c
0050 63 74 76 03 63 6f 6d 00 00 01 00 01 ctv.com.....
以太网
94 0b 19 0d 09 e6 6c 4b 90 8a 88 02 86 dd 以太网94 0b 19 0d 09 e6 源MAC地址6c 4b 90 8a 88 02 目的MAC地址86 dd 是IPv6协议
IPv6协议,共40字节
60 02 36 b3 00 26 11 40 协议内容00 26 长度3811为下一头部:17 UDP协议(请看页脚的协议类型)40为 hop limit
fe 80 00 00 00 00 00 00 a4 14 1e b5 93 1b 4c d2 源IPfe 80 00 00 00 00 00 00 00 00 00 00 00 00 00 01 目的IP
UDP协议,共8字节
df 21 源端口00 35 目的端口00 26 9f f1 16位UDP长度,26即38字节,数据部分则30字节;16位UDP校验和
UDP一次最多能传输的数据大小:2^16 - 1 - 8 = 65507字节(-8是因为udp头部本身占用8个字节)
DNS请求解析的内容
80 68 01 00 00 01 00 00 00 00 00 00 03 0001为A记录77 77 77 04 63 63 74 76 03 63 6f 6d www.cctv.com00 00 01 00 01
(四)IPv6的ICMP
执行请求
C:\Users\linzening>ping ayouleyang.cn -n 1
正在 Ping ayouleyang.cn [2408:4003:1101:7400::6] 具有 32 字节的数据:
来自 2408:4003:1101:7400::6 的回复: 时间=64ms
2408:4003:1101:7400::6 的 Ping 统计信息:
数据包: 已发送 = 1,已接收 = 1,丢失 = 0 (0% 丢失),
往返行程的估计时间(以毫秒为单位):
最短 = 64ms,最长 = 64ms,平均 = 64ms
ICMPv6请求报文:
0000 1c 78 4e 8f c7 e0 1c 4d 70 b9 84 ee 86 dd 60 00 .xN.Çà.Mp¹.î.Ý`.
0010 00 00 00 28 3a 40 24 09 8a 6a 02 27 0d c0 85 4b ...(:@$..j.'.À.K
0020 ef d5 0a 5e af e8 24 08 40 03 11 01 74 00 00 00 ïÕ.^¯è$.@...t...
0030 00 00 00 00 00 06 80 00 f9 91 00 01 04 91 61 62 ........ù.....ab
0040 63 64 65 66 67 68 69 6a 6b 6c 6d 6e 6f 70 71 72 cdefghijklmnopqr
0050 73 74 75 76 77 61 62 63 64 65 66 67 68 69 stuvwabcdefghi
ICMPv6响应报文
0000 1c 4d 70 b9 84 ee 1c 78 4e 8f c7 e0 86 dd 60 40 .Mp¹.î.xN.Çà.Ý`@
0010 ae 29 00 28 3a 06 24 08 40 03 11 01 74 00 00 00 ®).(:.$.@...t...
0020 00 00 00 00 00 06 24 09 8a 6a 02 27 0d c0 85 4b ......$..j.'.À.K
0030 ef d5 0a 5e af e8 81 00 f8 91 00 01 04 91 61 62 ïÕ.^¯è..ø.....ab
0040 63 64 65 66 67 68 69 6a 6b 6c 6d 6e 6f 70 71 72 cdefghijklmnopqr
0050 73 74 75 76 77 61 62 63 64 65 66 67 68 69 stuvwabcdefghi
请求包IPv6数据
60 00 00 00 00 28 3a 40 IPv6头部00 28 长度40字节3a 协议类型 58 即 ICMP for IPv6(请看页脚的协议类型)40 跳数限制 64
ICMP数据
80 00 f9 91 00 01 04 9161 62 63 64 65 66 67 68 69 6a 6b 6c 6d 6e 6f 70 71 72 73 74 75 76 77 61 62 63 64 65 66 67 68 69 ICMP内容 abcdefghijklmnopqrstuvwabcdefghi
响应包IP内容
响应包ICMP内容
81 00 f8 91 00 01 04 9181 Type,类型00 Codef8 91 Checksum 校验和
总结:
(1)整个请求步骤分为TCP三次握手、HTTP请求与响应(多个)、TCP四次挥手。
(2)HTTP/1.1 使用一个连接可以传输多个文件,而HTTP/1.0不能,所以HTTP/1.0很快就被HTTP/1.1替代了。而HTTP2可以同一时间打开多个HTTP请求,而HTTP/1.1不能。
(3)猜想:keep-alive让这个TCP保持连接,等待下次请求再次使用这个连接。
(4)根据HTTP响应包,网站建设中对应的代码为e7 bd91 e7ab 99e5 bbba e8ae bee4 b8ad,该文字使用urlencode编码结果%e7%bd%91%e7%ab%99%e5%bb%ba%e8%ae%be%e4%b8%ad相匹配,可了解中文是如何编码传输的。(我记得以前说的中文占两个字节,到这里占的是3个字节,可以了解下Unicode编码和UTF-8编码)
(5)TCP的seq/ack/syn规则:
(6)SYN攻击则为客户端发送第一个握手包,并不发送第三个握手包,耗尽服务器的TCP资源。
(7)TCP(传输控制协议)作用
- (1)面向连接的、可靠地、基于字节流的传输层通信协议
- (2)将应用层的数据流分割成报文段并发送给目标节点的TCP层
- (3)数据包都有序号,对方收到则发送ACK确认,未收到则重传
- (4)使用校验和来检验数据在传输过程中是否有误
(8)UDP头部占8字节,源端口、目的端口、长度、校验和
(9)ICMPv6是网络层协议
进制转换
参考文章:
30分钟掌握tcpdump
TCP报文格式详解
TCP报文段详解
TCP/IP 数据包报文格式
注释