報(bào)文分析,技術(shù)介紹,OSPF的報(bào)文格式,報(bào)文類型及含義

1、profibus-dp站點(diǎn)可分為主站和從站，開(kāi)發(fā)從站設(shè)備要比開(kāi)發(fā)主站設(shè)備容易得多，因?yàn)閺?站只需要響應(yīng)來(lái)白主站的請(qǐng)求即可。從站接收總線上的每條報(bào)文，如果與自己無(wú)關(guān)，則忽略 不處理，如果是發(fā)給自己的則按照下圖給出的狀態(tài)機(jī)進(jìn)行響應(yīng)。該狀態(tài)機(jī)屮有四個(gè)狀態(tài)：1 > powcr_on （上電）狀態(tài)在上電后從站進(jìn)入power.on狀態(tài)，在這個(gè)狀態(tài)下從站首先需耍進(jìn)行初始化，設(shè)置各 項(xiàng)參數(shù)如站地址和報(bào)文緩沖區(qū)等等。2、wait-prm （等待參數(shù)化）狀態(tài)初始化完畢后，從站進(jìn)入wait-prm狀態(tài)，等待來(lái)自一個(gè)主站的set.prm報(bào)文。通俗地 講，參數(shù)化相當(dāng)于一個(gè)主站告訴一個(gè)從站，你是屬于我的，同吋也指定

2、了從站的一些運(yùn)行參 數(shù)。主站只對(duì)被它參數(shù)化的從站進(jìn)行數(shù)據(jù)輪詢。3、wait.cfg （等待組態(tài)）狀態(tài)在進(jìn)行正確的參數(shù)化后，從站進(jìn)入wait.cfg狀態(tài)，等待check_cfg報(bào)文。check.cfg 報(bào)文規(guī)定輸入和輸出字節(jié)數(shù)，也就是主站和從站每次交換的數(shù)據(jù)量。4> date_exchange（數(shù)據(jù)交換）狀態(tài)當(dāng)進(jìn)行正確的參數(shù)化和組態(tài)后，從站進(jìn)入date_exchange狀態(tài)，這個(gè)吋候從站才可以 和主站進(jìn)行正常的數(shù)據(jù)交換。下面是我從一個(gè)profibus-dp網(wǎng)絡(luò)屮采集下來(lái)的部分報(bào)文數(shù)據(jù)，該網(wǎng)絡(luò)屮有一站地 址為1的主站和站地址為3的從站。我結(jié)合有關(guān)報(bào)文解釋一下從站3的工作機(jī)制。（報(bào)文數(shù) 據(jù)為1

3、6進(jìn)制）（從站已經(jīng)完成初始化）100301 49 4d 16（該報(bào)文為主站1發(fā)給從站3的請(qǐng)求幀，查詢從站3的fdl狀態(tài),即從站3是否“活著”。）1001 03 0004 16（該報(bào)文為從站3對(duì)主站1的應(yīng)答幀，告訴主站1 “我活著呢”。）68 05 05 68 83 81 6d 3c 3e eb 16（該報(bào)文為主站1發(fā)給從站3的請(qǐng)求幀，讀取查詢從站3的診斷報(bào)文，以獲取從站3的 進(jìn)一步信息。）68 ob 0b 68 81 83 （）8 3e 3c 02 05 （）0 ff 00 （）8 94 16（該報(bào)文為從站3對(duì)主站1的應(yīng)答幀，其中包含6個(gè)字節(jié)的診斷數(shù)據(jù)：02 05 00 ff00 08, 具體

4、含義可參閱協(xié)議，其屮第四字節(jié)為ff表明從站3尚未被任何主站所參數(shù)化。）68 11 11 68 83 81 5d 3d 3e 88 02 fd 0b 00 08 00 ()0 00 00 ()0 00 76 16(該報(bào)文為主站1發(fā)給從站3的參數(shù)化報(bào)文幀，包含12個(gè)字節(jié)的參數(shù)化數(shù)據(jù)：88 02 fd 0b 00 08 00 00 00 00 00 00)e5（該報(bào)文為從站3對(duì)主站1的短應(yīng)答幀，告訴主站1參數(shù)化成功。）68 07 （）7 68 83 81 7d 3e3e 11 21 2f 16（該報(bào)文為主站1發(fā)給從站3的組態(tài)報(bào)文幀，包含2個(gè)字節(jié)的組態(tài)數(shù)據(jù)：11 21,表明從 站3應(yīng)有兩個(gè)字節(jié)輸入和兩

5、個(gè)字節(jié)輸出。）e5（該報(bào)文為從站3對(duì)主站1的短應(yīng)答幀，告訴主站1組態(tài)成功。）68 05 05 68 83 81 5d 3c 3e db 16（該報(bào)文為主站1發(fā)給從站3的請(qǐng)求幀，讀取查詢從站3的診斷報(bào)文。）68 ob 0b 68 81 83 （）8 3e 3c 00 0c 00 （）1 00 08 9b 16（該報(bào)文為從站3對(duì)主站1的應(yīng)答幀，其屮包含6個(gè)字節(jié)的診斷數(shù)據(jù)：00 0c 00 01 00 08, 其中笫四字節(jié)為01表明從詁3已經(jīng)被主站1成功地參數(shù)化，從站3進(jìn)入數(shù)據(jù)交換狀態(tài)。）68 05 05 68 03 01 7d 00 00 81 16（該報(bào)文為主站1發(fā)給從站3的請(qǐng)求幀，包含兩個(gè)字節(jié)

6、的輸出數(shù)據(jù)：00 00,并請(qǐng)求從 站3的輸入數(shù)據(jù)。此后主站1周期性地發(fā)送此報(bào)文）68 05 05 68 01 03 08 00 00 8c 16（該報(bào)文為從站3對(duì)主站3的應(yīng)答幀，包含兩個(gè)字節(jié)的輸入數(shù)據(jù)：00 80）要求分析的協(xié)議包括：arp,icmp, ftp以及http報(bào)文1、對(duì)捕獲的數(shù)據(jù)包結(jié)構(gòu)進(jìn)行分析2、對(duì)幀頭，ip頭、tcp頭中的各項(xiàng)進(jìn)行分析3、分析tcp連接的3次握手和4次揮手過(guò)程4、對(duì)于ftp用分析出控制連接建立，數(shù)據(jù)連接建立，數(shù)據(jù)連接釋放，控制連接釋放的全過(guò) 程5、arp協(xié)議要能完整的分析arp杏詢以及返回的信息6、對(duì)典型的icmp協(xié)議報(bào)文進(jìn)行分析（ping ,traccrt等應(yīng)用

7、）7、對(duì)tcp/ip協(xié)議體系結(jié)構(gòu)的工作過(guò)程和協(xié)議分布進(jìn)行充分認(rèn)識(shí)。q第9章網(wǎng)烙數(shù)據(jù)掖的捕獲與分析應(yīng)用程序以太網(wǎng) 驅(qū)動(dòng)程序圖9.2數(shù)據(jù)進(jìn)入?yún)f(xié)議棧時(shí)的封裝過(guò)程icmpicmp是ip層的一個(gè)組成部分，通常由ip層或更高層協(xié)議（tcp或udp）調(diào)用， 主要功能是傳遞差錯(cuò)報(bào)文以及其他需要注意的信息。部分icmp報(bào)文把差錯(cuò)信息 返回至用戶進(jìn)程。icmp報(bào)文是在ip數(shù)據(jù)報(bào)內(nèi)部被傳輸?shù)?，如圖9.16所示。圖9.16 icmp數(shù)據(jù)在ip數(shù)據(jù)報(bào)中的封裝icmi漲文4ip首部類型代碼校驗(yàn)和數(shù)據(jù)20字節(jié)1字節(jié)1字節(jié)2字節(jié) 不同類型和代碼有不同內(nèi)容類型字段可以有15個(gè)不同的值，以描述特定類型的icmp報(bào)文。某些icmp

8、報(bào) 文還使用代碼字段的值來(lái)進(jìn)一步描述不同的條件。校驗(yàn)和字段覆蓋了整個(gè)icmp報(bào)文。對(duì)于icmp報(bào)文來(lái)說(shuō)，校驗(yàn)和是必需的。1. icmp報(bào)文類型icmp的報(bào)文類型由報(bào)文中的類型字段和代碼字段來(lái)共同決定，如表9.4 所示。表中的最后兩列表明icmp報(bào)文是查詢報(bào)文還是差錯(cuò)報(bào)文。對(duì)icmp差錯(cuò) 報(bào)文有時(shí)需要作特殊處理，因此需要對(duì)它們進(jìn)行區(qū)分。例如，在對(duì)icmp差錯(cuò)報(bào) 文進(jìn)行響應(yīng)時(shí)，不能生成另一個(gè)icmp差錯(cuò)報(bào)文（如果沒(méi)冇這個(gè)限制規(guī)則，可能 會(huì)遇到一個(gè)差錯(cuò)產(chǎn)生另一個(gè)差錯(cuò)的情況，而差錯(cuò)繼續(xù)產(chǎn)生差錯(cuò)，這樣會(huì)產(chǎn)生無(wú)限 循環(huán)）。icmp差錯(cuò)報(bào)文包含ip的首部和產(chǎn)生icmp差錯(cuò)報(bào)文的ip數(shù)據(jù)報(bào)的前8個(gè)字節(jié), 這樣

9、，接收icmp并錯(cuò)報(bào)文的模塊就會(huì)把它與某個(gè)特定的協(xié)議（根據(jù)ip數(shù)據(jù)報(bào)首 部中的協(xié)議字段來(lái)判斷）和用戶進(jìn)程（根據(jù)包含在ip數(shù)據(jù)報(bào)前8個(gè)字節(jié)中的tcp 或udp報(bào)文首部中的tcp或udp端口號(hào)來(lái)判斷）聯(lián)系起來(lái)。為了防止由于icmp茅錯(cuò)報(bào)文響應(yīng)所引發(fā)的廣播風(fēng)暴，協(xié)議規(guī)定當(dāng)接收端收到下 列的報(bào)文時(shí)不會(huì)產(chǎn)生icmp差錯(cuò)報(bào)文：icmp冋顯請(qǐng)求和冋顯應(yīng)答報(bào)文如圖9.17所示。o類型（0或8）代碼（0）檢驗(yàn)和標(biāo)識(shí)符序列號(hào)數(shù)據(jù)2 o.ooo3 5o32icmp3 0.9911473icmp4 0.9914975 1.988

10、69933icmp icmp6 1.9890427 2.9862633icmp icmp8 2.9866232icmpecho (ping) reply echo (ping) request echo (ping) replyecho (ping) request echo (pi ng) replyecho (p1ng) request echo (pinq)

11、replyffi frame 1 (74 bytes on wire, 74 bytes captured)s) ethernet llt src: glga-byt.ad:14:2c (00:24:ld:ad:14:2c)t dst: glga-byt.ad:2a:a3 (00:24:ld:ad:2a:a3) internet protocol. src: 2 (2). ost: 3 (3)曰 internet control message protocoltype: 8 (echo (ping) re

12、quest) code: 0 ochecksum: 0x4a5c correct identifier: 0x0200sequence number: 256 (0x0100)3 data (32 bytes)f frame 2 (74 bytes on wire, 74 bytes captured)ethernet ii, src: giga-byt_ad:2a:a3 (00:24:ld:ad:2a:a3), dst: giga-byt_ad:14:2c (00:24:ld:ad:14:2c) e internet protocol, src: 3 (10.16.13

13、4.13), dst: 2 (2)i- internet control message protocoltype: 0 (echo (ping) reply)code: 0 ()checksum: 0x525c correctidentifier: 0x0200sequence number: 256 (0x0100)e data (32 bytes)ip分片8 0.996459200ipfraonenredipprotocol(proro-icmp0x01,off-1480.id-273f)9 0.99

14、6466200icmpecho (ping) request10 0.999377002ipfranentedipprotocol(pfoto-icmp0x01.off-o. id-3c93)14 1.993996200ipfragnentedipprotocol(proto-icmp0x01.off-1480.id-2744)ffame 12 (1082 bytes on vd匕 1082 bytes captured)qin i* 194 i-)10'

15、) i«oinnvmr八只八ethernet ii, src: fuji a r»st_bc:血：45 (00:la:a9:bc:de:45), ost: giga-8yt_ad:14 :2c (00:24 ：ld: ad :14:2c)i nr er net protocol. src: 00 (00), dst: 2 (2) version: 4header length: 20 bytes differentiated services field: 0x00 (dscp 0x00

16、: default; ecn： 0x00) total length: 1068identification: 0x3c93 (15507)b flags: 0x000 reserved bit: not set0 don't fragment: not set0 more fragments: not setfragment offset: 2960time to live: 117 protocol: icmp (0x01)9 header checksum: 0xbla3 correctsource: 00 (00) destinati

17、on: 2 (2)3 ip fragmenrs (4008 bytes): #10(1480), #11(1480), #12(1048) internet control message protocoltype: 0 (echo (ping) reply)code: 0 orhprl,i ri frnrrprr 1g frame 7 (1514 bytes on wire, 1514 bytes captured)3 ethernet ii, src: giga-byt_ad:14:2c (00:24:ld:ad:14:2c), dst: fuj

18、ianst_bc:de:45 (00:1a:a9:bc:de:45)3 internet protocol, src: 2 (2), dst: 00 (00) version: 4header length: 20 bytess differentiated services field: 0x00 (dscp 0x00: default; ecn： 0x00)total length: 1500identification: 0x273f ql0047)曰 flags: 0x02 (more fragme

19、nts)0. = reserved bit: not set.0. = don% fragment: not set.1. = more fragments: setfragment offset: 0time to live: 64protocol: icmp (0x01)a header checksum: 0xdbb9 correctsource: 2 (2)destination: 00 (00)reassrmbled ip tn frame: 93 data (1480 bytes)data： 0

20、800eafb020006006162636465666768696a6b6c6d6e6f70.arparp為ip地址到對(duì)應(yīng)的硬件地址z間提供動(dòng)態(tài)映射，即將邏輯的internet地址 翻譯成對(duì)應(yīng)的物理硬件地址1.arp工作過(guò)程假設(shè)在一個(gè)以太網(wǎng)中，客戶端要將一個(gè)ip報(bào)文發(fā)送到服務(wù)器端，那么客 戶端必須把32 bit的ip地址轉(zhuǎn)換成48 bit的以太網(wǎng)地址(1) arp以廣播的方式發(fā)送arp request數(shù)據(jù)幀給以太網(wǎng)上的每個(gè)主機(jī)，如圖 9.14中的虛線所示。arp請(qǐng)求數(shù)據(jù)幀中包含目的主機(jī)的ip地址，意思是“如果你 是這個(gè)ip地址的擁有者，請(qǐng)回答你的硬件地址j(2) 目的主機(jī)的arp層收到這份廣

21、播報(bào)文后，識(shí)別出這是發(fā)送端在尋問(wèn)它的ip 地址，于是發(fā)送一個(gè)arp應(yīng)答。這個(gè)arp應(yīng)答包含ip地址及對(duì)應(yīng)的硬件地址。(3) 收到arp應(yīng)答后，主機(jī)間通過(guò)使用arp協(xié)議獲得的換件地址進(jìn)行通信。2. arp分組格式在以太網(wǎng)上解析ip地址時(shí)，arp請(qǐng)求和應(yīng)答分組的格 式如圖9.15所示(arp亦討用于解析共他類型網(wǎng)絡(luò)的ip地址 以外的地址，緊跟著幀類型字段的前四個(gè)字段決定了最后 四個(gè)字段的類型和長(zhǎng)度)。(1) 日的地址(destination address):該字段為6了節(jié)， 存儲(chǔ)以太網(wǎng)的冃的地址。(2) 源地址(source address):該字段為6字節(jié)，存儲(chǔ)以 人網(wǎng)的源地址。(3) 以太網(wǎng)

22、數(shù)據(jù)幀類型(ether type):該字段為2字節(jié)， 存儲(chǔ)以太網(wǎng)數(shù)抑幀類型，表示后而數(shù)捌的類型。對(duì)于arp 請(qǐng)求/應(yīng)答來(lái)說(shuō)，該字段的值為0x0608o上述三個(gè)字段組成了以太網(wǎng)幀首部(見(jiàn)圖9.2),以太網(wǎng)報(bào)頭屮destination address 為全1的特殊地址是廣播地址，電纜上的所有以太網(wǎng)接口都必須接收廣播的數(shù)據(jù) 幀。因此arp協(xié)議在詢問(wèn)硬件地址吋將口的地址設(shè)置為oxffffffffffff,表 明該數(shù)據(jù)幀是向全體駛件接口發(fā)出的。第9章網(wǎng)絡(luò)救據(jù)掖的捕獲與分析目的地址目的地址源地址源地址以太網(wǎng)數(shù)據(jù)幀類型0151631以太網(wǎng)首部碘件接口類型協(xié)議類型硬件地址長(zhǎng)度協(xié)議地址長(zhǎng)度操作類型發(fā)送端硬件地址

23、發(fā)送端硬件地址發(fā)送端囪議地址目的端硬件地址ii的端碩件地址目的端協(xié)議地址目的端囪議地址28字節(jié)arpirv求/應(yīng)答圖9.15以太網(wǎng)傳輸?shù)腶rp請(qǐng)求和應(yīng)答分組格式協(xié)議類型(protocol type)：該字段為2字節(jié)，標(biāo)識(shí)發(fā)送設(shè)備所使用的協(xié)議，在 tcp/ip屮，這些協(xié)議通常是ether type,以0x0008表示。 硬件地址長(zhǎng)度(length of hareware address)：該字段為1字節(jié)。(7) 協(xié)議地址長(zhǎng)度(length of protocol address)：該字段為1字節(jié)。上述兩個(gè)字段以字節(jié)為單位，對(duì)于以太網(wǎng)上ip地址的arp請(qǐng)求或應(yīng)答來(lái)說(shuō)，它 們的值分別為6和4,表明硬

24、件地址即mac地址為6字節(jié)，協(xié)議地址即ip地址 為4字節(jié)。(8) 操作類型(opcode)：該字段為2字節(jié)，區(qū)分辦議的四種操作，即arp請(qǐng)求(值 為1)、arp應(yīng)答(值為2)、rarp請(qǐng)求(值為3)和rarp應(yīng)答(值為4)0 arp請(qǐng)求 和arp應(yīng)答的幀類型字段值是相同的，因此必須用操作類型字段將其區(qū)分1 0.000000glqa-byt ad:14:2cbroadcastarpwho has 372 0.000679giga-byt_ad:2a:a3giga-byt_ad:14:2carp3 is at 00:24:ld:ad:2a:a33 0.2

25、56863giga-byt.ad:2a:bfbroadcastarpwho has 4?tell 54 1.257201d-link_68:83:0ebroadcastarpwho has 1?tell 5 2.501508giga-byt.ac:9e:68broadcastarpwho has 4tell 66 4.353958giga-byr.ad:29:a7broadcastarpwho has 5?tell 57

26、 9.415463glga-byt_ad:2b:63broadcastarpwho has 52?tell 58 20.865855d-link.68:83:0ebroadcastarpwho has 6?tell frame 1 (42 bytes on wire, 42 bytes captured)王 ethernet ii, src: giga-byt_ad:14:2c (00:24:ld:ad:14:2c), dst: broadcast (ff:ff:ff:ff:ff:ff) 三 address

27、 resolution protocol (request)hardware type: ethernet (0x0001)protocol type: ip (0x0800)hardware size: 6protocol size: 4opcode: request (0x0001)sender mac address: giga-byt_ad:14:2c (00:24:id:ad:14:2c)sender ip address: 2 (2)target mac address: 00:00:00.00:00:00 (00:00:00:00:00

28、:00)target ip address: 3 (3)no. i tim*i sourcei destinationi protocol i info2 0.000679g"iqa-byt_ad:2a:a3gfga-byt_ad:14:2carp10.16134.13 "is at 00:24 :ld:ad:2a:a31 0.000000glga-byt_ad:14:2c broadcastarp who has 37tell 2 ± frame 2 (60 bytes on

29、 wire, 60 bytes captured) ethernet ii. src: g4ga-byt_ad:2a:a3 (00:24:ld:ad:2a:a3) dst: ggabyt_ad:14:2c (00:24:ld:ad:14:2c)address resolution protocol (reply)hardware type: ethernet (0x0001)protocol type: ip (0x0800)hardware size: 6protocol size: 4opcode: reply (0x0002)sender mac address: giga-byt_ad

30、:2a:a3 (00:24:ld:ad:2a:a3)sender ip address: 3 (3)target mac address: giga-byt_ad:14:2c (00:24:ld:ad:14:2c)target ip address: 2 (2)tcp三次握手wlmlwj10.16.13u2 ilomjj tcp 4607 > http 5yn $eq=o mw len=b 1287.028u0.81.238.b10.16.13112 tcp http4607 皿 o測(cè) add vin

31、o l 涮嶺 146011q血川出冊(cè) 舸唧ackj玻h眥虬和啲旳l恫nxketinzirscn四次揮手w viivii/a*jova>i41751213.50812410.16.b4.12222.73.78.b84605 > http o seq«376 ack«3131 win«65325 ien«0417612b. 52694726tcp4606 > http sfnl seq«0 win«65535 len«0 mss«1460 w5«0

32、tarnvrv41771213.81130762s1b026tcp 4606 > httpojseq=laci：=l win=65535 len=ohttp gettcp http > 4606 syn, ack seq=o ack=l win=584o len=o mss4460 ws=241801214.0m0154181 1214.09481241821214.094886119.147.&76119.147. & 766210.

33、16.134.12二 http > 4606 ack seq=l ac已46 win=6932 len=o tcp tcp segnent of a reassembled pduhttp http4.1 200 ok (png)41841b4.im6m7119j47.8j61il16.134.12tcp http4606啊kk勻加n46仰嫩l°418mm6仍10.15.lkl26tcp 4m6 > http41861235.101m8222.7178.1382tcp http > 4605 fin

34、, <k歸皿躺76 mlaht| 0123$. 1675238 tcp 4m5 > httpl64606 > httl3 ack1 seq«546 ad:辺)54wi n«65535 ien-04184 1234.046647624186 1235.101648382tcp 4wo > niip ialktcp hup > 4606 fin, ack seq«2353 ack«

35、;546 ?！?932 len»otcp http > 4605 fin, ack seq=3bl ack=376 win=6912 len=o7t q丄871235.10167c10.16.1ji '氣i ff f f / %/> v 0 v w | k ' j wrep 4w5 > hu【a<1/ i ci fll k sfc>n：-j”-<7h if'-'1'-j/q丄:2 wl0=65325 len»oq丄xx 1/(j/<ki. 10.16.1a43j 4 a4 j1 1i i ui

36、f li亠* v vw*1 f nrcp 4606 > httfrjt, mba ji 5eq«546 a(k<354 win«0 len«oa 41rq /、q.0/<qqc10.16.vf 4 0叫4.氣j盧i j9 i 1/ < /mw w w t 9 0 v wi 4 50 lel50rep 4605 > hua亡 #k . ausgq“76 ack3132 win«0 len«orcp 4607 > httsyn stimi ien«0 mss«1460 ws«0107

37、11a 01 "c mtcp/ip三次握手和四次揮手在tcp/ip協(xié)議中-tcp協(xié)議提供可菲的連接眼務(wù)采川三次擁建立一個(gè)連接， 如圖1所示。(1) 第一次握手：建立連接時(shí)，客八端a發(fā)送syn包syn=j到服務(wù)器b, 并進(jìn)入syn_send狀態(tài)，等待服務(wù)器b確認(rèn)。(2) 笫二-次握，：股務(wù)器b收到syn乞，必須確認(rèn)客八a的syn( ack=j+1兒同時(shí)口 l_l也發(fā)送一個(gè)syn(syn=k八i卩syn+ack包此時(shí)膠務(wù)器b進(jìn)入syn recv 狀態(tài)。(3) 第三次握于：客戶端a收鞏収務(wù)黔b的syn + ack包向眼務(wù)器b發(fā)送 確認(rèn)包ack (ack=k+1 ),此包發(fā)送完畢.客戶端a和

38、服務(wù)器b進(jìn)入 established狀態(tài)完成三次握手。完成三次押于、客戶端與服務(wù)器開(kāi)始傳送數(shù)擁.旳1 tcp二次握r述立連按111 r tcp按圧個(gè)雙 匚的 內(nèi)此何個(gè)方向郁必須單獨(dú)進(jìn)行關(guān)。這個(gè)腹則足呷方完成它的數(shù)抑;發(fā)送仃務(wù)頁(yè)就能發(fā)送一個(gè)fin來(lái)終止這個(gè)方向的連接。收九 個(gè) fin只總味若這一方向上沒(méi)有數(shù)拓流動(dòng).一個(gè)tcp連接在牧刊一個(gè)fin后 仍能發(fā)送數(shù)抓» ?t先進(jìn)行關(guān)的一方將執(zhí)行主“j關(guān)閉而另一方執(zhí)行被"j關(guān)。（1 客八瑞a發(fā)送一個(gè)fiz.用冰:決客八a到服務(wù)器b的數(shù)抉:傳送（報(bào)文段4）。眼務(wù)器b收到這個(gè)fin它發(fā)回一個(gè)ack,確認(rèn)序號(hào)為收到的序號(hào)加1 （報(bào) 文段5）

39、 o和syn樣.一個(gè)fin將占用一個(gè)序號(hào).（3）服務(wù)器b關(guān)閉與客戶端a的連接.發(fā)送一個(gè)fin給客戶端a （報(bào)文段6） °（4）客八端a發(fā)回ack報(bào)文確認(rèn).并將確認(rèn)庁出設(shè)置為收到序號(hào)加1 （報(bào)文段7）。tcp采用四次揮乎關(guān)閉連接如圖2所示n圖2 tcp四次揮乎關(guān)閉連接左機(jī)a忙機(jī)b1. 為什么建&連接協(xié)議是二次握已 血關(guān)閉連接卻是四次握手呢？這是因?yàn)榉?wù)端的listen狀態(tài)卜的socket 收到syn報(bào)文的建連請(qǐng)求后. 它可以把a(bǔ)ck和syn （ack起應(yīng)答作用.而syn起同步作用）放在一個(gè)報(bào)文 里來(lái)發(fā)送。但關(guān)閉連接時(shí)，當(dāng)收到對(duì)方的fin報(bào)文適知時(shí)，它僅僅表示對(duì)方?jīng)] 有數(shù)據(jù)發(fā)送給

40、你了；但未必你眇有的數(shù)據(jù)都全部發(fā)送給對(duì)方了.所以你可以未必 會(huì)馬上會(huì)關(guān)閉socket,也即你對(duì)能還需要發(fā)送一些數(shù)抵給對(duì)方z后.再發(fā)送 fin報(bào)文給対方來(lái)龍示你同意現(xiàn)在可以關(guān)閉連接了所以它這出的ack報(bào)文和 fin報(bào)文多數(shù)情況下都是分開(kāi)發(fā)送的，2. 為什么time wait狀態(tài)還需耍等2msl后才能返回利closed狀態(tài)？httphttp詰求報(bào)文t)msourcedeitinatioaprotocol info1 0.000000324tcp2 0.038568220.181.hl.1243tcp3 0.03862610.12.1

41、0.53220.181.1u.124tcp5 0.077863243tcp6 0.078748220.181.hl.1241 r1 111 31 n 17 m <5tcpmttdf s mr 0778 0.0790193au.j j24ni 1 rtcp(ck-tapestry2 > http syn seq-0 wln-65535 len»0 mss-1460 ws-3 http > d2k-tape$try2 syn. ack seq-0 ack-1

42、 w1n-65535 len-0 mss-1452 d2k-tapestry2 > http ack seq-1 adc-l win-65535 len«0http > d2k-tapestry2 ack seq-1 ack-704 w1n«7030 len-0 tcp segnent of a reassembled pduhttp/1.1 200 ok (png)d2k-xapestry2 > hxtp ack seq»7o4 ack»2583 w1n«65535 len»02 frame 4 (757 byte

43、s on wire. 757 bytes captured)2 ethernet ii9 src: 48:5b:39:90:0e:84 (48:5b:39:90:0e:84)t ost: fujianstj.c:f5:5f (oo:la:a9:lc:f5:5f)9 internet protocol, src: 3 (3). dst: 24 (24) 2 transmission control protocol, src port: d2k-tape$try2 (3394), dst port: ht

44、tp (80), seq: 19 adc: 1, len: 703m hypertext transfer protocolb get /ser1 alald/bgbuttonhover.png http/l.lrnrequest method: getrequest uri： /ser1alald/bgbuttonhover.pngrequest version: http/1.1accept: /叭rnref er er: http:/aaccept-language: zh-cnrnuser-agent: m02們la/4.0 (compatible; msie 7.0; windows

45、 nt 5.1; tr1dent/4.0; gtb6.5; .net clr 2.0.50727; 360se)rnaccept-encoding: gz1p9 deflaternhost: 11 rnconnection: keep-al1verntruncated cookie： baiduid-cbaeobeao1658ad184e61a2dax：2ad73：fg-1； bduss-zvcwzecdr2mgnlt013vdbfq2tywnaevfnethva24yy0pltjzsymztdkpbefjqqvfbqufbjcqaaaaaaaaaaaokh vnhttp響應(yīng)報(bào)文8 0.079

46、019324tcp d2k-tapestry2 > http ack seq-704 ack-2583 win-65535 len-0s frame 7 (1196 bytes on wire, 1196 bytes captured)s ethernet ii, src: fujianstj.c:f5:5f (oo:la:a9:lc:f5:5f), dst: 48:5b:39:90:0e:84 (48:5b:39:90:0e:84)s internet protocol, src: 220.181.1h. 124 (220.181.111.

47、124), dst: 10.12.10.s3 (3)s transmission control protocol, src port: http (80), dst port: d2k-tapestry2 (3394), seq: 1441, ack: 704, len: 1142s reassembled tcp segnents (2582 bytes): #6(1440), #7(1142)日 hypertext transfer protocol9 http/1.1 200 okrnrequest version: http/1.1response code: 2

48、00content-type: 1mage/pngrnetag: °1661469433hrnaccept-ranges: bytesrnlast-modified: tue, 27 sep 2011 15:00:27 gmtrn3 conrenr-length: 2375rndate: thu, 05 jan 2012 12:59:48 gmtrnserver: apachernvns portable network graphicsftp匸 1 o.ooooooi2 0.3053723 0.3054064 0.6157905 0.7866486 5.9503997 6.2625

49、898 6.474337ilr9 9.18622900800008008008800008 ftp > cernsysagnagt sm, ack seq«0 ack-1 tfin«16384 len-0 mss-1380 ws-0 cernsysigragt >

50、; ftp ack seq«l ack-1 iirin«65535 len«0 response: 220 serv-u ftp server v6.3 for winsock ready. cernsysignagt > ftp ack seq»l ack»50 win«65486 len»0 request: user jxrstutcpftptcpftpftp response: 331 user nase okay, need password.tcp cern5ys«gffragt > ftp

51、 ack seq=14 ack=86 win=6545o leno10 9.49024811 9.64632112 14.992634* frame 9 (w bytes on wire, 64 bytes captured)± etherner ii, src: intelcorj2:cb:5a (oo:22:fb:12:cb:5a), dst: d8:5d:4c:3c:98:62 (d8:5d:4c:3c:98:62)3 internet protocol, src: 00 (00), dst: 8 (59.77.

52、139.88)± transmission control protocol, src port: cernsysmgntagt (3830), dst port: ftp (21), seq: 14f ack: 86, len: 103 file transfer protocol (ftp)e pass 123rnrequest conrand: passrequest arg: 12300000088ftp response: 230 user logged in, p

53、roceed.tcp cernsysayitagt > ftp ack seq=24 ack=h6 0n=6542o len=o ftpreouesr: port 00.14.248frame 6 (67 bytes on wire, 67 bytes captured)l± ethernet ii, src: lntelcor_12:cb:5a (00:22:fb:12:cb:5a), dst: d8:5d:4c:3c:98:62 (d8:5d:4c:3c:98:62)s internet prorocol, src: 00 (19

54、00), dst: 8 (8)e transmission control protocol, src port: cernsysmgmtagt (3830), dst port: ftp (21), seq: 1, ack: 50, len: 13 source port: cernsysmgmtagt (3830)destination port: ftp (21)stream dex: osequencm number: 1 (relative sequence number)next sequence number: 14

55、(relative sequence number)acknowledgement numbmr: 50 (relative ack number)header length: 20 bytess flags: 0x18 (psh, ack)window size: 654860 checksum: 0x96e8 validation disabled0 seq/ack analysisb file transfer protocol (ftp)b user jxrsturnrequest command: userrequest arq: jxrstu在通過(guò)ftp協(xié)議進(jìn)行數(shù)據(jù)傳輸時(shí)，必須先建立控制連接21,再建立數(shù)據(jù)連接20?？刂七B接 和數(shù)據(jù)連接，控制連接專門用于ftp控制命令及命令執(zhí)行信息傳送，數(shù)據(jù)連接專門用于傳 輸數(shù)據(jù)?？刂七B接在整個(gè)ftp會(huì)話過(guò)程中一直保持，直到會(huì)話結(jié)束為止，而數(shù)據(jù)連接可以 隨時(shí)創(chuàng)建和取消。在主動(dòng)模式下，ftp客戶端隨機(jī)開(kāi)啟一個(gè)大于1024的端口 n向服務(wù)器的21號(hào) 端口發(fā)起連接，然后開(kāi)放n+1號(hào)端口進(jìn)行監(jiān)聽(tīng)，并向服務(wù)器發(fā)出port n