日志
ping 之内幕(初步)
|
1) sniffer
winpcap+windump(tcpdump)
命令:
d:\>windump -D
1.\Device\NPF_GenericDialupAdapter (Generic dialup adapter)
2.\Device\NPF_{50D9B6D0-340B-45E0-A910-4C968BA488A3} (Dell Wireless 1390 WLAN Mini-Card)
3.\Device\NPF_{C69CE71A-7790-4CE7-821F-D3926363E707} (Broadcom NetXtreme Gigabit Ethernet Driver)
4.\Device\NPF_{C84B1727-25FB-4C06-8FC1-A54F030FF71A} (TAP-Win32 Adapter V8 (coLinux))
此命令用于列出系统中所有网卡
D:\>windump -i 3 -e -v -vv -vvv -X -XX > log.txt
windump: listening on \Device\NPF_{C69CE71A-7790-4CE7-821F-D3926363E707}
开始捕捉网卡3上所有报文并存入log.txt
命令详细参考与下载见:
http://www.winpcap.org/windump/docs/manual.htm
以下将用此工具分析ping相关的数据包,网络环境为一个ARM开发板(RTL8019 NIC,IP 192.168.2.2)通过交叉线连接至PC(IP 192.168.2.1)上,
过程如下:
1) 由于开发板仅仅知道目的IP地址(由PING命令参数给出),并不知道目的MAC地址,故先通过ARP协议广播获取IP地址为192.168.2.1的主机MAC地址
SRC ---------------------------> DEST
00:50:c2:1e:af:fb ff:ff:ff:ff:ff:ff
192.168.2.2(ARM) 192.168.2.1(PC)
00:50:c2:1e:af:fb (oui Unknown) > Broadcast, ethertype ARP (0x0806), length 60: arp who-has 192.168.2.1 tell 192.168.2.2
0x0000: ffff ffff ffff 0050 c21e affb 0806 0001 .......P........
0x0010: 0800 0604 0001 0050 c21e affb c0a8 0202 .......P........
0x0020: 0000 0000 0000 c0a8 0201 0004 00d7 0003 ................
0x0030: 00d7 0000 0000 7c82 610c 0200 ......|.a...
2) PC 回应自己的MAC地址
SRC ---------------------------> DEST
00:1c:23:86:48:2f 00:50:c2:1e:af:fb
192.168.2.1(PC) 192.168.2.1(ARM)
00:1c:23:86:48:2f (oui Unknown) > 00:50:c2:1e:af:fb (oui Unknown), ethertype ARP (0x0806), length 42: arp reply DLH6JR72X.Asia.DelphiAuto.net is-at 00:1c:23:86:48:2f (oui Unknown)
0x0000: 0050 c21e affb 001c 2386 482f 0806 0001 .P......#.H/....
0x0010: 0800 0604 0002 001c 2386 482f c0a8 0201 ........#.H/....
0x0020: 0050 c21e affb c0a8 0202 .P........
3)ARM开发板发送ICMP/IP/802.3 PING REQ数据包给PC
00:50:c2:1e:af:fb (oui Unknown) > 00:1c:23:86:48:2f (oui Unknown), ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 255, id 2, offset 0, flags [DF], proto: ICMP (1), length: 28) 192.168.2.2 > 192.168.2.1 ICMP echo request, id 0, seq 2, length 8
0x0000: 001c 2386 482f 0050 c21e affb 0800 4500 ..#.H/.P......E.
0x0010: 001c 0002 4000 ff01 f68a c0a8 0202 c0a8 ....@...........
0x0020: 0201 0800 f7fd 0000 0002 0004 00d7 0003 ................
0x0030: 00d7 0000 0000 7c82 610c 0200 ......|.a...
4)PC 返回ICMP/IP/802.3 PING ECHO数据包给开发板
00:1c:23:86:48:2f (oui Unknown) > 00:50:c2:1e:af:fb (oui Unknown), ethertype IPv4 (0x0800), length 42: (tos 0x0, ttl 128, id 28309, offset 0, flags [DF], proto: ICMP (1), length: 28, bad cksum 0 (->6f8)!) DLH6JR72X.Asia.DelphiAuto.net > 192.168.2.2: ICMP echo reply, id 0, seq 2, length 8
0x0000: 0050 c21e affb 001c 2386 482f 0800 4500 .P......#.H/..E.
0x0010: 001c 6e95 4000 8001 0000 c0a8 0201 c0a8 ..n.@...........
0x0020: 0202 0000 fffd 0000 0002 ..........
/1 
eetop公众号
创芯大讲堂
创芯人才网