
How to analyze network layer related packets and data of TCP and IP

王林
2023-05-13 23:55:04
1. TCP/IP network layer related packets and data

1) IP packet encapsulation: an IPv4 address is 32 bits long and an IPv6 address is 128 bits. An IP packet can be at most 65535 bytes. Its structure is as follows:

[Figure: IPv4 packet header structure]

Some fields need additional explanation:

Service type (TOS): the overall format is PPPDTRUU. PPP is the precedence (priority) of this IP packet and is rarely used today; D: 0 means normal delay, 1 means low delay; T: 0 means normal throughput, 1 means high throughput; R: 0 means normal reliability, 1 means high reliability; UU: reserved, not yet used.

Flags: the format is DM. D (Don't Fragment): 0 means the packet may be fragmented, 1 means it must not be fragmented; M (More Fragments): 0 means this is the last fragment, 1 means it is not the last fragment.

# Small IP fragments are reassembled at the receiving end using Total Length, Identification, Flags and Fragment Offset.

Time to live (TTL): range 0-255. Each time the IP packet passes through a router the TTL is decremented by one; when it reaches 0 the packet is discarded.

Protocol code: the meaning of each value is: 1, ICMP (Internet Control Message Protocol); 2, IGMP (Internet Group Management Protocol); 3, GGP (Gateway-to-Gateway Protocol); 4, IP (IP-in-IP encapsulation); 6, TCP (Transmission Control Protocol); 8, EGP (Exterior Gateway Protocol); 17, UDP (User Datagram Protocol).

Header checksum: an error check code used to verify this IP header.

Destination address: the destination IP address.

Options: additional options, including security handling, route recording, timestamps, strict and loose source routing, etc.

Padding: the Options field is not necessarily large, but every row of the IP header must be 32 bits wide, so if the Options data does not fill a multiple of 32 bits, padding is appended.
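As an added example (not code from the original article), the following decodes the header fields just described from raw bytes, checks the header checksum, and models the per-hop TTL handling a router performs; the sample header is constructed here, not captured.

```python
import struct

def checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum: one's-complement sum of 16-bit words, then complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def parse_ipv4_header(pkt: bytes) -> dict:
    """Decode the IPv4 header fields the article describes (service type bits, flags, TTL, protocol)."""
    (ver_ihl, tos, total_len, ident, flags_frag,
     ttl, proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4                 # IHL counts 32-bit words
    return {
        "version": ver_ihl >> 4, "header_len": ihl, "total_len": total_len, "id": ident,
        "precedence": tos >> 5,                # PPP
        "low_delay": bool(tos & 0x10),         # D
        "high_throughput": bool(tos & 0x08),   # T
        "high_reliability": bool(tos & 0x04),  # R
        "dont_fragment": bool(flags_frag & 0x4000),   # D flag
        "more_fragments": bool(flags_frag & 0x2000),  # M flag
        "frag_offset": (flags_frag & 0x1FFF) * 8,     # offset is in 8-byte units
        "ttl": ttl, "protocol": proto,
        "checksum_ok": checksum(pkt[:ihl]) == 0,      # a valid header checksums to zero
        "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
    }

def forward(pkt: bytes):
    """What a router does per hop: decrement TTL, discard at 0, and recompute the header checksum."""
    ihl = (pkt[0] & 0x0F) * 4
    hdr = bytearray(pkt[:ihl])
    if hdr[8] <= 1:                            # TTL would reach 0: packet is dropped
        return None
    hdr[8] -= 1
    hdr[10:12] = b"\x00\x00"                   # checksum field is zero while summing
    hdr[10:12] = struct.pack("!H", checksum(bytes(hdr)))
    return bytes(hdr) + pkt[ihl:]

def build_sample_header() -> bytes:
    """Constructed sample: 2nd fragment (offset 1480, MF=1) of a UDP datagram with the D service bit set."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0x10, 1500, 0x1234, 0x2000 | 185, 64, 17, 0,
                      bytes([192, 168, 1, 10]), bytes([8, 8, 8, 8]))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]
```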

2) Composition and classification of IP addresses:

IP address composition: a network number and a host number.

Same network domain (network segment): hosts on the same physical network segment have IP addresses with the same network number and distinct host numbers. Addresses whose host number is all 0 or all 1 (the broadcast address) are not usable. If hosts on the same segment are configured with IP addresses from the same range (without duplicates), they can use CSMA/CD to reach each other directly by broadcast on the local network (that is, data passes directly from network card to network card). If two hosts on the same physical segment are configured with different IP network segments, their broadcast addresses differ and they cannot connect via broadcast; communication must then go through a router that joins the two domains.

IP classes: IP addresses are divided into five classes, as shown in the figure below:

[Figure: IP address classes A to E]

# Class D: generally used for the special feature of multicast (most commonly for network restore of large numbers of computers).

Class E: reserved, unused network segments.

3) IP types and how addresses are obtained

IP types: Public IP, addresses planned by InterNIC; only this kind of IP can connect to the Internet. Private (reserved) IP: addresses that cannot connect to the Internet, mainly used for planning host connections within a local area network.

Private IP ranges: Class A, 10.0.0.0~10.255.255.255; Class B, 172.16.0.0~172.31.255.255; Class C, 192.168.0.0~192.168.255.255.

Obtaining network parameters automatically: a host in the local area network is responsible for managing the network parameters of all computers. When another host brings up its network, it actively requests IP parameters from this server; once the parameters are obtained, the host configures itself with them. In this way the server hands out the network parameters needed to connect to the Internet.

4) Netmask, subnet and CIDR (Classless Interdomain Routing)

Netmask: an address whose network-number bits are all 1 and host-number bits are all 0.

Network: the first IP address of the network segment, i.e. the network number with the host number all 0.

Representing a network domain: Network and Netmask together are commonly used to denote a network area, e.g. 192.168.0.0/255.255.255.0 or 192.168.0.0/24 (24 means the network number occupies 24 bits).

number, so that multiple network domains can be written as one. Breaking the original class hierarchy of IP addresses in this way is called Classless Inter-Domain Routing (it reduces the amount of routing information and so improves performance).
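As an added example (not the article's own code), the netmask, network and broadcast arithmetic from this section, the "same segment" test from section 2, the private ranges from section 3, and the CIDR aggregation of several networks into one block; all inputs are constructed.

```python
import socket
import struct

def ip_to_int(ip: str) -> int:
    return struct.unpack("!I", socket.inet_aton(ip))[0]

def int_to_ip(n: int) -> str:
    return socket.inet_ntoa(struct.pack("!I", n))

def prefix_to_mask(prefix: int) -> int:
    """/24 -> 0xFFFFFF00: network bits all 1, host bits all 0 (the Netmask definition above)."""
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF

def network_info(cidr: str) -> dict:
    """Network, netmask, broadcast and usable host range for an address written as a.b.c.d/prefix."""
    ip, prefix = cidr.split("/")
    mask = prefix_to_mask(int(prefix))
    net = ip_to_int(ip) & mask                 # host bits cleared -> Network
    bcast = net | (~mask & 0xFFFFFFFF)         # host bits all 1 -> broadcast address
    return {"network": int_to_ip(net), "netmask": int_to_ip(mask), "broadcast": int_to_ip(bcast),
            "first_host": int_to_ip(net + 1), "last_host": int_to_ip(bcast - 1),
            "usable_hosts": max(2 ** (32 - int(prefix)) - 2, 0)}

def same_segment(ip_a: str, ip_b: str, netmask: str) -> bool:
    """Two hosts can talk directly by broadcast only if their network numbers match."""
    m = ip_to_int(netmask)
    return (ip_to_int(ip_a) & m) == (ip_to_int(ip_b) & m)

PRIVATE = [("10.0.0.0", 8), ("172.16.0.0", 12), ("192.168.0.0", 16)]   # the three reserved ranges

def is_private(ip: str) -> bool:
    n = ip_to_int(ip)
    return any((n & prefix_to_mask(p)) == ip_to_int(net) for net, p in PRIVATE)

def aggregate(cidrs: list) -> str:
    """Smallest single CIDR block covering several networks (the supernetting CIDR allows)."""
    lo = min(ip_to_int(network_info(c)["network"]) for c in cidrs)
    hi = max(ip_to_int(network_info(c)["broadcast"]) for c in cidrs)
    prefix = 32
    while prefix > 0 and (lo & prefix_to_mask(prefix)) != (hi & prefix_to_mask(prefix)):
        prefix -= 1                            # shorten until lo and hi share the network bits
    return "%s/%d" % (int_to_ip(lo & prefix_to_mask(prefix)), prefix)
```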

5) The concept of routing: when a host sends data to another host, it checks its own routing information against the destination address of the data. If a route to the target IP is found, the data is sent to the specified machine; otherwise it is handed to the default gateway, which forwards it on. This process repeats until the data reaches its destination.

6) route [-n]: command for viewing the routing table. Parameters:

a) -n: display addresses numerically (IP instead of host name).

b) Interpretation of the output:

Destination: the Network (network address).

Gateway: the gateway; 0.0.0.0 means no additional IP is needed (the destination is delivered to directly).

Genmask: the Netmask.

Flags: U means the route is up (available); G means packets must be delivered through the Gateway; H means the route is to a single host, not to an entire network.

Iface: the interface, i.e. the network card name.
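As an added example (not from the article), this parses a `route -n` listing in the column layout just described and performs the lookup from section 5: longest matching Genmask wins, the 0.0.0.0 row is the default gateway, and a row without the G flag means direct delivery. The table is a constructed sample, not output from a real host.

```python
import socket
import struct

# Constructed sample in the format `route -n` prints (not captured from a real host).
ROUTE_N = """\
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 eth0
10.0.5.7        192.168.1.254   255.255.255.255 UGH   0      0        0 eth0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
"""

def ip_to_int(ip: str) -> int:
    return struct.unpack("!I", socket.inet_aton(ip))[0]

def parse_route_table(text: str) -> list:
    """Turn the `route -n` listing into dicts keyed by the column names the article explains."""
    rows = []
    for line in text.splitlines()[1:]:          # skip the header row
        f = line.split()
        if len(f) < 8:
            continue
        rows.append({"dest": f[0], "gateway": f[1], "genmask": f[2], "flags": f[3], "iface": f[7]})
    return rows

def lookup(table: list, dst: str):
    """Pick the route for dst as the kernel does: the longest matching Genmask wins, so the
    0.0.0.0/0.0.0.0 row (default gateway) is used only when no more specific route matches."""
    d = ip_to_int(dst)
    best, best_mask = None, -1
    for r in table:
        if "U" not in r["flags"]:               # route is not up
            continue
        mask = ip_to_int(r["genmask"])
        if (d & mask) == (ip_to_int(r["dest"]) & mask) and mask > best_mask:
            best, best_mask = r, mask
    if best is None:
        return None                             # no route at all, not even a default
    via_gw = "G" in best["flags"]
    return {"next_hop": best["gateway"] if via_gw else dst,   # no G flag: deliver directly on the segment
            "iface": best["iface"], "via_gateway": via_gw, "host_route": "H" in best["flags"]}
```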

7) ARP (Address Resolution Protocol) and RARP (Reverse ARP, Reverse Address Resolution Protocol).

8) arp [-nd]; arp -s hostname(IP) Hardware_address: query the IP/MAC mappings in the local machine's ARP table. Parameters:

a) -n: display hosts by IP address.

b) -d: delete the hardware_address entry for hostname from the ARP table.

c) -s: set the MAC of a given IP or hostname in the ARP table (used to create a static ARP entry).

9) ICMP (Internet Control Message Protocol): an error detection and reporting mechanism whose main job is to confirm the connection status and correctness of our network. ICMP is also one of the important packet types at the network layer, but it does not exist independently: it is carried inside an IP packet, i.e. ICMP also transmits its data through IP packets. The more common ICMP types are:

0: Echo Reply, a response message.

3: Destination Unreachable, indicating that the destination cannot be reached.

4: Source Quench (when a router's load is too high, this type can be used to tell the sending end to stop sending messages).

5: Redirect (used to redirect routing path information).

8: Echo Request, a request message.

11: Time Exceeded for a Datagram. When a packet times out during transmission on some route, this type informs the source that the packet has been discarded.

12: Parameter Problem on a Datagram. When a datagram has a parameter error, this message reports the parameter error back to the source host.

13: Timestamp Request, asking the other party to send time information so that the routing time difference can be calculated, to meet the requirements of a synchronization protocol.

14: Timestamp Reply, used purely in response to a Timestamp Request.

15: Information Request. Before RARP was applied, this message was used to obtain network information at boot.

16: Information Reply, used to respond to an Information Request message.

17: Address Mask Request, used to query the subnet mask setting.

18: Address Mask Reply, the response to the subnet mask query.

The two commands ping and traceroute confirm and report the status of network hosts through ICMP packets.
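As an added example (not the article's code), this pulls the ICMP message out of an IP packet (protocol 1), names it by the type table above, and, for the error types, extracts the IP header that ICMP quotes from the datagram that triggered it; this is how traceroute learns which probe a Time Exceeded refers to. The packets are constructed samples with checksums left at zero.

```python
import struct

# ICMP type numbers and names as listed in the article
ICMP_TYPES = {0: "Echo Reply", 3: "Destination Unreachable", 4: "Source Quench", 5: "Redirect",
              8: "Echo Request", 11: "Time Exceeded", 12: "Parameter Problem",
              13: "Timestamp Request", 14: "Timestamp Reply", 15: "Information Request",
              16: "Information Reply", 17: "Address Mask Request", 18: "Address Mask Reply"}
ERROR_TYPES = {3, 4, 5, 11, 12}   # error messages quote the offending datagram's IP header + 8 bytes

def parse_icmp_in_ip(pkt: bytes) -> dict:
    """Decode the ICMP message carried inside an IPv4 packet (protocol 1); checksum not re-verified here."""
    if pkt[9] != 1:
        raise ValueError("not ICMP: IP protocol field is %d" % pkt[9])
    icmp = pkt[(pkt[0] & 0x0F) * 4:]                  # skip the IP header (IHL * 4 bytes)
    typ, code, _csum, rest = struct.unpack("!BBHI", icmp[:8])
    out = {"type": typ, "code": code, "name": ICMP_TYPES.get(typ, "unknown"),
           "from": ".".join(map(str, pkt[12:16]))}
    if typ in (0, 8):                                  # ping: identifier and sequence number
        out["id"], out["seq"] = rest >> 16, rest & 0xFFFF
    elif typ in ERROR_TYPES:                           # which of our datagrams triggered it?
        quoted = icmp[8:]
        out["orig_src"] = ".".join(map(str, quoted[12:16]))
        out["orig_dst"] = ".".join(map(str, quoted[16:20]))
        out["orig_ttl"], out["orig_proto"] = quoted[8], quoted[9]
    return out

def wrap_in_ip(src: str, dst: str, icmp: bytes) -> bytes:
    """Constructed IPv4 header (protocol 1) around an ICMP message; checksums left 0 for brevity."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 1, 0, 64, 1, 0,
                       bytes(map(int, src.split("."))), bytes(map(int, dst.split(".")))) + icmp

def sample_time_exceeded() -> bytes:
    """Router 10.0.0.1 reports TTL expiry of our UDP probe 192.168.1.10 -> 8.8.8.8 (what traceroute sees)."""
    quoted = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0xBEEF, 0, 1, 17, 0,
                         bytes([192, 168, 1, 10]), bytes([8, 8, 8, 8])) + struct.pack("!HHHH", 33434, 33435, 20, 0)
    return wrap_in_ip("10.0.0.1", "192.168.1.10", struct.pack("!BBHI", 11, 0, 0, 0) + quoted)

def sample_echo_reply() -> bytes:
    """8.8.8.8 answers a ping with identifier 0x1234, sequence 7."""
    return wrap_in_ip("8.8.8.8", "192.168.1.10", struct.pack("!BBHHH", 0, 0, 0, 0x1234, 7) + b"ping")
```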


Statement:
This article is reproduced from yisu.com. If there is any infringement, please contact admin@php.cn to have it deleted.