Experiment setup: I run an Apache server on my own computer, with a file-upload form on the home page. My roommate's computer visits the page and uploads a small file; I capture the packets of the TCP connection and of the upload itself for analysis. Capture file: 上传文件分析.pcapng. Display filter: tcp&&ip.addr==10.108.203.52. The displayed packets are analysed one at a time.
First, the three-way handshake that sets up the TCP connection:
1. First handshake of the TCP connection
Summary:
99 4.725696000 10.108.203.52 10.108.203.50 TCP 66 6533 → http [SYN] Seq=0 Win=65535 Len=0 MSS=1460 WS=256 SACK_PERM=1
Detail:
First, a look at the IP header:
At positions 2E~2F are the flags and fragment offset, 2 B in total: 0x4000, i.e. 0100 0000 0000 0000. The fragment offset is all zeros, and the flag bit that is set (DF) means this IP datagram must not be fragmented.
At position 2G is the TTL: 0x40 here, i.e. 64. At 2H is the protocol field, 0x06 here, meaning what follows is a TCP segment.
Now the TCP segment itself:
19 | 85 |
Source port: 0x1985, i.e. 6533; the other side's browser is using TCP port 6533 to reach my server.
00 | 50 |
Destination port: 0x50, i.e. 80; my Apache server is listening on TCP port 80.
a6 | 87 | 7d | 25 |
Sequence number: the number the other side chose when sending its synchronisation request, 2793897253.
00 | 00 | 00 | 00 |
Acknowledgement number: since this is the first connection request, it is left at 0.
80 | 02 |
Taking this apart: 1000 0000 0000 0010
The first 4 bits are the data offset, i.e. the header length: 8*4 = 32 B here, which is exactly the number of bytes from 3C to 5B (the end).
The next 6 bits are reserved and zero.
The last 6 bits, one at a time:
First, URG: marks the urgent pointer field further on as in use; 0 here.
Second, ACK: marks the acknowledgement number field as valid; since this is the first request, ACK is 0.
Third, PSH: push, tells the receiving TCP module to hand this segment up to the application promptly; 0 here, and generally not used.
Fourth, RST: reset, signals an error on the connection that requires reconnecting; also used to reject an invalid segment or refuse to open a connection.
Fifth, SYN: synchronise, used to synchronise sequence numbers when connecting; 1 here, which together with ACK = 0 marks this as a TCP connection request segment.
Sixth, FIN: finish, used to release a connection; says the sender has finished sending data and asks to release the connection; 0 here.
ff | ff |
Window: the TCP receive window this side can accept; 0xffff here, i.e. 65535 B, meaning this side can accept a send window of 65535 B, so its buffer is ample.
86 | 4f |
Checksum: covers both header and data; skipped.
00 | 00 |
Urgent pointer: the number of bytes of urgent data in this segment, 0 here. For now I take it to be the byte count of urgent data; urgent data belongs to the TCP data field and is followed by the ordinary data.
Further down are the options:
02 | 04 | 05 | b4 |
Maximum segment size: 1460 bytes
Where:
0x02: kind; says this is the MSS option
0x04: length; says this option is 4 bytes long
0x05b4: MSS Value; the maximum number of bytes in the TCP data field on this connection is 1460. That is packed tightly: 1460 + 20 (TCP header) + 20 (IP header) = 1500 B (the MAC frame length limit).
01 |
No-Operation (NOP), I don't know what this means
03 | 03 | 08 |
Window scale: 8 (multiply by 256): I don't understand what this means, but it carries the following information:
0x03: Kind: Window Scale (3)
0x03: Length: 3
0x08: Shift count: 8
01 |
No-Operation (NOP), I don't know what this means
01 |
No-Operation (NOP), I don't know what this means
04 | 02 |
TCP SACK Permitted Option: True
Where:
0x04: Kind: SACK Permission (4)
0x02: Length: 2
2. Second handshake of the TCP connection
Summary:
102 4.726743000 10.108.203.50 10.108.203.52 TCP 66 http → 6533 [SYN, ACK] Seq=0 Ack=1 Win=8192 Len=0 MSS=1460 WS=256 SACK_PERM=1
Detail:
| A | B | C | D | E | F | G | H | I | J | K | L | M | N | O | P |
1 | c8 | 60 | 00 | 46 | 55 | 22 | 28 | d2 | 44 | c7 | d2 | 62 | 08 | 00 | 45 | 00 |
2 | 00 | 34 | 16 | 18 | 40 | 00 | 40 | 06 | 79 | 6d | 0a | 6c | cb | 32 | 0a | 6c |
3 | cb | 34 | 00 | 50 | 19 | 85 | c7 | 46 | e0 | b5 | a6 | 87 | 7d | 26 | 80 | 12 |
4 | 20 | 00 | be | 41 | 00 | 00 | 02 | 04 | 05 | b4 | 01 | 03 | 03 | 08 | 01 | 01 |
5 | 04 | 02 |
Going straight to the TCP segment:
0x00 50, i.e. 80: source port, the port of my own Apache server
0x19 85, i.e. 6533: destination port, the port the other side's browser uses for the connection, matching the analysis above
c7 | 46 | e0 | b5 |
Sequence number: the one my Apache server chose, 3343311029
a6 | 87 | 7d | 26 |
Acknowledgement number: the byte number the other side should send next, 2793897254, i.e. the value above plus 1
80 | 12 |
Taking this apart: 1000 0000 0001 0010
The first 4 bits are the data offset, i.e. the TCP header length; 32 B here
The next 6 bits are reserved and zero
The last 6 bits, one at a time:
First: URG, marks the urgent pointer field below as in use; not set here
Second: ACK, marks this as an acknowledgement and makes the acknowledgement number field valid; set here
Third: PSH, 0
Fourth: RST, reset, 0
Fifth: SYN, 1 here; together with ACK this means the segment acknowledges the synchronisation request
Sixth: FIN, 0 here
20 | 00 |
Window size: the send window available to the other side is 8192 B; evidently the server-side window differs from the client's
be | 41 |
Checksum: skipped
00 | 00 |
Urgent pointer: 0
Below are the options:
02 | 04 | 05 | b4 |
MSS option: Maximum segment size: 1460 bytes
Where:
0x02: Kind: MSS size (2)
0x04: Length: 4
0x05b4: MSS Value: 1460
01 |
No-Operation (NOP)
03 | 03 | 08 |
Window scale: 8 (multiply by 256)
01 |
No-Operation (NOP)
01 |
No-Operation (NOP)
04 | 02 |
TCP SACK Permitted Option: True
3. Third handshake of the TCP connection
Summary:
103 4.727668000 10.108.203.52 10.108.203.50 TCP 60 6533 → http [ACK] Seq=1 Ack=1 Win=262144 Len=0
Detail:
| A | B | C | D | E | F | G | H | I | J | K | L | M | N | O | P |
1 | 28 | d2 | 44 | c7 | d2 | 62 | c8 | 60 | 00 | 46 | 55 | 22 | 08 | 00 | 45 | 00 |
2 | 00 | 28 | 5d | 05 | 40 | 00 | 40 | 06 | 32 | 8c | 0a | 6c | cb | 34 | 0a | 6c |
3 | cb | 32 | 19 | 85 | 00 | 50 | a6 | 87 | 7d | 26 | c7 | 46 | e0 | b6 | 50 | 10 |
4 | 04 | 00 | 1b | 15 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 |
First the IP packet: the 2E part of the header again carries the don't-fragment flag, the same as in the previous two
The TCP segment:
19 | 85 |
Source port: 6533, the TCP port of the other side's browser
00 | 50 |
Destination port: 80, Apache's TCP port
a6 | 87 | 7d | 26 |
Sequence number: 2793897254, the same as the acknowledgement number in the previous segment
c7 | 46 | e0 | b6 |
Acknowledgement number: 3343311030, the previous sequence number plus 1
50 | 10 |
Taking this apart: 0101 0000 0001 0000
The first 4 bits are 5, meaning the header length is 20 B; at last the standard length
The next 6 bits are reserved and zero
The last six:
First: 0, URG: the urgent pointer field below is not in use
Second: 1, ACK: the acknowledgement number field is valid
Third: 0, PSH: no push
Fourth: 0, RST: no reset
Fifth: 0, SYN: neither a synchronisation request nor a synchronisation acknowledgement; together with ACK this is a plain acknowledgement segment
Sixth: 0, FIN: not a termination-related segment
04 | 00 |
Window size: 0x0400 here, i.e. 1024, the window this side (the browser) can accept is 1024. Strange: in the first synchronisation request it said its window was 0xff ff, and now it has suddenly shrunk. Puzzling!
1b | 15 |
Checksum: skipped
00 | 00 |
Urgent pointer: 0
00 | 00 | 00 | 00 | 00 | 00 |
Because the total length of the packet does not reach the MAC frame minimum of 46 bytes, these six bytes are zero padding
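The options in the browser's SYN (MSS, the NOPs, Window scale, SACK permitted) and the window puzzle in this third segment fit together: the shift count of 8 from the Window scale option means that, once the handshake is done, every non-SYN window field is multiplied by 2^8 = 256, so 0x0400 = 1024 advertises 1024 × 256 = 262144 bytes, which is the Win value Wireshark shows in the summary line above. The parser below is an added example and not part of the original report; it decodes the TCP header and options from the bytes of the two browser segments exactly as they appear in the dumps, treats NOP as the one-byte padding it is, rejects malformed options, and applies the scale factor the way a receiver would.

```python
import struct

# TCP option kinds that appear in the captured SYN / SYN-ACK segments
OPT_EOL, OPT_NOP, OPT_MSS, OPT_WS, OPT_SACK_PERM = 0, 1, 2, 3, 4
FLAG_NAMES = ("URG", "ACK", "PSH", "RST", "SYN", "FIN")  # header bit 5 down to bit 0


def parse_options(raw: bytes) -> list:
    """Walk the option bytes between the fixed 20-byte header and the data.

    EOL (kind 0) and NOP (kind 1) are single bytes with no length field; every
    other option is kind, length, value. The NOPs in the capture are padding
    the sender uses to align the options that follow them.
    """
    opts, i = [], 0
    while i < len(raw):
        kind = raw[i]
        if kind == OPT_EOL:
            break
        if kind == OPT_NOP:
            opts.append(("NOP", None))
            i += 1
            continue
        if i + 1 >= len(raw):
            raise ValueError(f"option kind {kind} has no length byte")
        length = raw[i + 1]
        if length < 2 or i + length > len(raw):
            raise ValueError(f"malformed option kind {kind} (length {length})")
        body = raw[i + 2:i + length]
        if kind == OPT_MSS and length == 4:
            opts.append(("MSS", struct.unpack("!H", body)[0]))
        elif kind == OPT_WS and length == 3:
            opts.append(("WS", body[0]))          # shift count, window *= 2**shift
        elif kind == OPT_SACK_PERM and length == 2:
            opts.append(("SACK_PERM", True))
        else:
            opts.append((f"kind{kind}", body))     # unknown or oddly sized: keep raw
        i += length
    return opts


def parse_tcp_header(seg: bytes) -> dict:
    """Decode the fixed TCP header plus any options from the start of `seg`."""
    if len(seg) < 20:
        raise ValueError("segment shorter than a TCP header")
    sport, dport, seq, ack, off_flags, window, csum, urg = struct.unpack("!HHIIHHHH", seg[:20])
    data_offset = (off_flags >> 12) * 4           # header length in bytes (5 -> 20, 8 -> 32)
    flag_bits = off_flags & 0x3F                   # the six flag bits discussed above
    flags = {name for i, name in enumerate(FLAG_NAMES) if flag_bits & (1 << (5 - i))}
    if data_offset < 20 or data_offset > len(seg):
        raise ValueError(f"bad data offset {data_offset}")
    return {
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "header_len": data_offset, "flags": flags, "window": window,
        "checksum": csum, "urgent": urg,
        "options": parse_options(seg[20:data_offset]),
    }


def effective_window(hdr: dict, sender_shift: int) -> int:
    """Receive window in bytes after applying the sender's window-scale shift.

    Each side announces its own shift in its SYN; afterwards the window field of
    every non-SYN segment from that side is multiplied by 2**shift. The window
    field of a SYN itself is never scaled.
    """
    if "SYN" in hdr["flags"]:
        return hdr["window"]
    return hdr["window"] << sender_shift


# TCP bytes copied from the dumps above (Ethernet and IP headers stripped).
SYN_FROM_BROWSER = bytes.fromhex(
    "19850050a6877d2500000000" "8002ffff864f0000"     # fixed header, offset 8 -> 32 B
    "020405b4" "01" "030308" "01" "01" "0402")         # MSS, NOP, WS, NOP, NOP, SACK_PERM
ACK_FROM_BROWSER = bytes.fromhex("19850050a6877d26c746e0b650100400" "1b150000")


def browser_window_after_handshake() -> int:
    """Bytes the browser really advertises in the third handshake segment."""
    syn = parse_tcp_header(SYN_FROM_BROWSER)
    shift = dict(syn["options"]).get("WS", 0)     # 8 in this capture
    return effective_window(parse_tcp_header(ACK_FROM_BROWSER), shift)


if __name__ == "__main__":
    print(parse_tcp_header(SYN_FROM_BROWSER))
    print(browser_window_after_handshake())
```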
4. Next, the HTTP request:
Summary:
104 4.727781000 10.108.203.52 10.108.203.50 HTTP 303 GET / HTTP/1.1
Detail:
| A | B | C | D | E | F | G | H | I | J | K | L | M | N | O | P |
1 | 28 | d2 | 44 | c7 | d2 | 62 | c8 | 60 | 00 | 46 | 55 | 22 | 08 | 00 | 45 | 00 |
2 | 01 | 21 | 5d | 06 | 40 | 00 | 40 | 06 | 31 | 92 | 0a | 6c | cb | 34 | 0a | 6c |
3 | cb | 32 | 19 | 85 | 00 | 50 | a6 | 87 | 7d | 26 | c7 | 46 | e0 | b6 | 50 | 18 |
4 | 04 | 00 | 75 | 86 | 00 | 00 | 47 | 45 | 54 | 20 | 2f | 20 | 48 | 54 | 54 | 50 |
5 | 2f | 31 | 2e | 31 | 0d | 0a | 41 | 63 | 63 | 65 | 70 | 74 | 3a | 20 | 74 | 65 |
6 | 78 | 74 | 2f | 68 | 74 | 6d | 6c | 2c | 20 | 61 | 70 | 70 | 6c | 69 | 63 | 61 |
7 | 74 | 69 | 6f | 6e | 2f | 78 | 68 | 74 | 6d | 6c | 2b | 78 | 6d | 6c | 2c | 20 |
8 | 2a | 2f | 2a | 0d | 0a | 41 | 63 | 63 | 65 | 70 | 74 | 2d | 4c | 61 | 6e | 67 |
9 | 75 | 61 | 67 | 65 | 3a | 20 | 7a | 68 | 2d | 43 | 4e | 0d | 0a | 55 | 73 | 65 |
10 | 72 | 2d | 41 | 67 | 65 | 6e | 74 | 3a | 20 | 4d | 6f | 7a | 69 | 6c | 6c | 61 |
11 | 2f | 35 | 2e | 30 | 20 | 28 | 57 | 69 | 6e | 64 | 6f | 77 | 73 | 20 | 4e | 54 |
12 | 20 | 36 | 2e | 33 | 3b | 20 | 54 | 72 | 69 | 64 | 65 | 6e | 74 | 2f | 37 | 2e |
13 | 30 | 3b | 20 | 72 | 76 | 3a | 31 | 31 | 2e | 30 | 29 | 20 | 6c | 69 | 6b | 65 |
14 | 20 | 47 | 65 | 63 | 6b | 6f | 0d | 0a | 41 | 63 | 63 | 65 | 70 | 74 | 2d | 45 |
15 | 6e | 63 | 6f | 64 | 69 | 6e | 67 | 3a | 20 | 67 | 7a | 69 | 70 | 2c | 20 | 64 |
16 | 65 | 66 | 6c | 61 | 74 | 65 | 0d | 0a | 48 | 6f | 73 | 74 | 3a | 20 | 31 | 30 |
17 | 2e | 31 | 30 | 38 | 2e | 32 | 30 | 33 | 2e | 35 | 30 | 0d | 0a | 44 | 4e | 54 |
18 | 3a | 20 | 31 | 0d | 0a | 43 | 6f | 6e | 6e | 65 | 63 | 74 | 69 | 6f | 6e | 3a |
19 | 20 | 4b | 65 | 65 | 70 | 2d | 41 | 6c | 69 | 76 | 65 | 0d | 0a | 0d | 0a |
First the IP part: the header again indicates this IP packet must not be fragmented
The TCP part:
19 | 85 |
Source port: 6533
00 | 50 |
Destination port: 80
a6 | 87 | 7d | 26 |
Sequence number: 2793897254, the same sequence number the browser used in the final acknowledgement of the three-way handshake; see above
c7 | 46 | e0 | b6 |
Acknowledgement number: 3343311030, the same acknowledgement number as in the browser's final handshake acknowledgement segment
50 | 18 |
Taking this apart: 0101 0000 0001 1000
The first four bits are 5, meaning the TCP header is 20 B in total, a standard header
The next 6 bits are zero
The last six, one at a time:
First 0, URG: the urgent pointer field is not in use
Second 1, ACK: the acknowledgement number field is valid
Third 1, PSH: push this segment, so the receiver's TCP module processes it promptly
Fourth 0, RST: no reset
Fifth 0, SYN: neither a synchronisation request nor a synchronisation acknowledgement
Sixth 0, FIN: not a termination-related segment
04 | 00 |
Window size: 0x04 00, i.e. 1024 B, the TCP window this side (the browser) can accept is 1024 B
75 | 86 |
Checksum: skipped
00 | 00 |
Urgent pointer: 0
Further down is the HTTP part; to read it, just fill in the corresponding ASCII characters:
47 | 45 | 54 | 20 | 2f | 20 | 48 | 54 | 54 | 50 |
G | E | T | □ | / | □ | H | T | T | P |
2f | 31 | 2e | 31 | 0d | 0a | 41 | 63 | 63 | 65 | 70 | 74 | 3a | 20 | 74 | 65 |
/ | 1 | . | 1 | [CR] | [LF] | A | c | c | e | p | t | : | □ | t | e |
78 | 74 | 2f | 68 | 74 | 6d | 6c | 2c | 20 | 61 | 70 | 70 | 6c | 69 | 63 | 61 |
x | t | / | h | t | m | l | , | □ | a | p | p | l | i | c | a |
74 | 69 | 6f | 6e | 2f | 78 | 68 | 74 | 6d | 6c | 2b | 78 | 6d | 6c | 2c | 20 |
t | i | o | n | / | x | h | t | m | l | + | x | m | l | , | □ |
2a | 2f | 2a | 0d | 0a | 41 | 63 | 63 | 65 | 70 | 74 | 2d | 4c | 61 | 6e | 67 |
* | / | * | [CR] | [LF] | A | c | c | e | p | t | - | L | a | n | g |
75 | 61 | 67 | 65 | 3a | 20 | 7a | 68 | 2d | 43 | 4e | 0d | 0a | 55 | 73 | 65 |
u | a | g | e | : | □ | z | h | - | C | N | [CR] | [LF] | U | s | e |
72 | 2d | 41 | 67 | 65 | 6e | 74 | 3a | 20 | 4d | 6f | 7a | 69 | 6c | 6c | 61 |
r | - | A | g | e | n | t | : | □ | M | o | z | i | l | l | a |
2f | 35 | 2e | 30 | 20 | 28 | 57 | 69 | 6e | 64 | 6f | 77 | 73 | 20 | 4e | 54 |
/ | 5 | . | 0 | □ | ( | W | i | n | d | o | w | s | □ | N | T |
20 | 36 | 2e | 33 | 3b | 20 | 54 | 72 | 69 | 64 | 65 | 6e | 74 | 2f | 37 | 2e |
□ | 6 | . | 3 | ; | □ | T | r | i | d | e | n | t | / | 7 | . |
30 | 3b | 20 | 72 | 76 | 3a | 31 | 31 | 2e | 30 | 29 | 20 | 6c | 69 | 6b | 65 |
0 | ; | □ | r | v | : | 1 | 1 | . | 0 | ) | □ | l | i | k | e |
20 | 47 | 65 | 63 | 6b | 6f | 0d | 0a | 41 | 63 | 63 | 65 | 70 | 74 | 2d | 45 |
□ | G | e | c | k | o | [CR] | [LF] | A | c | c | e | p | t | - | E |
6e | 63 | 6f | 64 | 69 | 6e | 67 | 3a | 20 | 67 | 7a | 69 | 70 | 2c | 20 | 64 |
n | c | o | d | i | n | g | : | □ | g | z | i | p | , | □ | d |
65 | 66 | 6c | 61 | 74 | 65 | 0d | 0a | 48 | 6f | 73 | 74 | 3a | 20 | 31 | 30 |
e | f | l | a | t | e | [CR] | [LF] | H | o | s | t | : | □ | 1 | 0 |
2e | 31 | 30 | 38 | 2e | 32 | 30 | 33 | 2e | 35 | 30 | 0d | 0a | 44 | 4e | 54 |
. | 1 | 0 | 8 | . | 2 | 0 | 3 | . | 5 | 0 | [CR] | [LF] | D | N | T |
3a | 20 | 31 | 0d | 0a | 43 | 6f | 6e | 6e | 65 | 63 | 74 | 69 | 6f | 6e | 3a |
: | □ | 1 | [CR] | [LF] | C | o | n | n | e | c | t | i | o | n | : |
20 | 4b | 65 | 65 | 70 | 2d | 41 | 6c | 69 | 76 | 65 | 0d | 0a | 0d | 0a |
□ | K | e | e | p | - | A | l | i | v | e | [CR] | [LF] | [CR] | [LF] |
5. Next, the HTTP response:
Summary:
105 4.728951000 10.108.203.50 10.108.203.52 HTTP 1208 HTTP/1.1 200 OK (text/html)
Detail:
| A | B | C | D | E | F | G | H | I | J | K | L | M | N | O | P |
1 | c8 | 60 | 00 | 46 | 55 | 22 | 28 | d2 | 44 | c7 | d2 | 62 | 08 | 00 | 45 | 00 |
2 | 04 | aa | 16 | 19 | 40 | 00 | 40 | 06 | 74 | f6 | 0a | 6c | cb | 32 | 0a | 6c |
3 | cb | 34 | 00 | 50 | 19 | 85 | c7 | 46 | e0 | b6 | a6 | 87 | 7e | 1f | 50 | 18 |
4 | 01 | 00 | 27 | fa | 00 | 00 | 48 | 54 | 54 | 50 | 2f | 31 | 2e | 31 | 20 | 32 |
5 | 30 | 30 | 20 | 4f | 4b | 0d | 0a | 44 | 61 | 74 | 65 | 3a | 20 | 57 | 65 | 64 |
6 | 2c | 20 | 30 | 33 | 20 | 44 | 65 | 63 | 20 | 32 | 30 | 31 | 34 | 20 | 30 | 34 |
7 | 3a | 31 | 36 | 3a | 30 | 37 | 20 | 47 | 4d | 54 | 0d | 0a | 53 | 65 | 72 | 76 |
8 | 65 | 72 | 3a | 20 | 41 | 70 | 61 | 63 | 68 | 65 | 2f | 32 | 2e | 32 | 2e | 32 |
9 | 35 | 20 | 28 | 57 | 69 | 6e | 33 | 32 | 29 | 0d | 0a | 4c | 61 | 73 | 74 | 2d |
10 | 4d | 6f | 64 | 69 | 66 | 69 | 65 | 64 | 3a | 20 | 57 | 65 | 64 | 2c | 20 | 30 |
11 | 33 | 20 | 44 | 65 | 63 | 20 | 32 | 30 | 31 | 34 | 20 | 30 | 34 | 3a | 31 | 32 |
12 | 3a | 35 | 34 | 20 | 47 | 4d | 54 | 0d | 0a | 45 | 54 | 61 | 67 | 3a | 20 | 22 |
13 | 31 | 30 | 30 | 30 | 30 | 30 | 30 | 30 | 31 | 33 | 38 | 38 | 37 | 2d | 33 | 35 |
14 | 38 | 2d | 35 | 30 | 39 | 34 | 38 | 30 | 65 | 64 | 37 | 35 | 36 | 35 | 65 | 22 |
15 | 0d | 0a | 41 | 63 | 63 | 65 | 70 | 74 | 2d | 52 | 61 | 6e | 67 | 65 | 73 | 3a |
16 | 20 | 62 | 79 | 74 | 65 | 73 | 0d | 0a | 43 | 6f | 6e | 74 | 65 | 6e | 74 | 2d |
17 | 4c | 65 | 6e | 67 | 74 | 68 | 3a | 20 | 38 | 35 | 36 | 0d | 0a | 4b | 65 | 65 |
18 | 70 | 2d | 41 | 6c | 69 | 76 | 65 | 3a | 20 | 74 | 69 | 6d | 65 | 6f | 75 | 74 |
19 | 3d | 35 | 2c | 20 | 6d | 61 | 78 | 3d | 31 | 30 | 30 | 0d | 0a | 43 | 6f | 6e |
20 | 6e | 65 | 63 | 74 | 69 | 6f | 6e | 3a | 20 | 4b | 65 | 65 | 70 | 2d | 41 | 6c |
21 | 69 | 76 | 65 | 0d | 0a | 43 | 6f | 6e | 74 | 65 | 6e | 74 | 2d | 54 | 79 | 70 |
22 | 65 | 3a | 20 | 74 | 65 | 78 | 74 | 2f | 68 | 74 | 6d | 6c | 0d | 0a | 0d | 0a |
23 | 3c | 68 | 74 | 6d | 6c | 3e | 0d | 0a | 3c | 68 | 65 | 61 | 64 | 3e | 0d | 0a |
24 | 3c | 21 | 2d | 2d | 09 | 3c | 6c | 69 | 6e | 6b | 20 | 68 | 72 | 65 | 66 | 3d |
25 | 22 | 68 | 74 | 74 | 70 | 3a | 2f | 2f | 6c | 6f | 63 | 61 | 6c | 68 | 6f | 73 |
26 | 74 | 2f | 30 | 2e | 70 | 6e | 67 | 22 | 20 | 72 | 65 | 6c | 3d | 22 | 73 | 68 |
27 | 6f | 72 | 74 | 63 | 75 | 74 | 20 | 69 | 63 | 6f | 6e | 22 | 20 | 2f | 3e | 2d |
28 | 2d | 3e | 0d | 0a | 09 | 3c | 6c | 69 | 6e | 6b | 20 | 68 | 72 | 65 | 66 | 3d |
29 | 22 | 68 | 74 | 74 | 70 | 3a | 2f | 2f | 6c | 6f | 63 | 61 | 6c | 68 | 6f | 73 |
30 | 74 | 2f | 31 | 2e | 69 | 63 | 6f | 22 | 20 | 72 | 65 | 6c | 3d | 22 | 73 | 68 |
31 | 6f | 72 | 74 | 63 | 75 | 74 | 20 | 69 | 63 | 6f | 6e | 22 | 20 | 2f | 3e | 0d |
32 | 0a | 09 | 3c | 21 | 2d | 2d | 3c | 6c | 69 | 6e | 6b | 20 | 68 | 72 | 65 | 66 |
33 | 3d | 22 | 68 | 74 | 74 | 70 | 3a | 2f | 2f | 6c | 6f | 63 | 61 | 6c | 68 | 6f |
34 | 73 | 74 | 2f | 30 | 2e | 70 | 6e | 67 | 22 | 20 | 72 | 65 | 6c | 3d | 22 | 61 |
35 | 70 | 70 | 6c | 65 | 2d | 74 | 6f | 75 | 63 | 68 | 2d | 69 | 63 | 6f | 6e | 22 |
36 | 20 | 2f | 3e | 0d | 0a | 09 | 3c | 6c | 69 | 6e | 6b | 20 | 72 | 65 | 6c | 3d |
37 | 22 | 61 | 70 | 70 | 6c | 65 | 2d | 74 | 6f | 75 | 63 | 68 | 2d | 69 | 63 | 6f |
38 | 6e | 22 | 20 | 73 | 69 | 7a | 65 | 73 | 3d | 22 | 31 | 34 | 34 | 78 | 31 | 34 |
39 | 34 | 22 | 20 | 68 | 72 | 65 | 66 | 3d | 22 | 68 | 74 | 74 | 70 | 3a | 2f | 2f |
40 | 6c | 6f | 63 | 61 | 6c | 68 | 6f | 73 | 74 | 2f | 30 | 2e | 70 | 6e | 67 | 22 |
41 | 20 | 2f | 3e | 0d | 0a | 09 | 3c | 6c | 69 | 6e | 6b | 20 | 72 | 65 | 6c | 3d |
42 | 22 | 61 | 70 | 70 | 6c | 65 | 2d | 74 | 6f | 75 | 63 | 68 | 2d | 69 | 63 | 6f |
43 | 6e | 22 | 20 | 73 | 69 | 7a | 65 | 73 | 3d | 22 | 31 | 31 | 34 | 78 | 31 | 31 |
44 | 34 | 22 | 20 | 68 | 72 | 65 | 66 | 3d | 22 | 68 | 74 | 74 | 70 | 3a | 2f | 2f |
45 | 6c | 6f | 63 | 61 | 6c | 68 | 6f | 73 | 74 | 2f | 30 | 2e | 70 | 6e | 67 | 22 |
46 | 20 | 2f | 3e | 2d | 2d | 3e | 0d | 0a | 3c | 2f | 68 | 65 | 61 | 64 | 3e | 0d |
47 | 0a | 3c | 62 | 6f | 64 | 79 | 3e | 0d | 0a | 09 | 3c | 68 | 31 | 3e | 49 | 74 |
48 | 20 | 77 | 6f | 72 | 6b | 73 | 61 | 20 | 66 | 61 | 66 | 61 | 73 | 21 | 3c | 2f |
49 | 68 | 31 | 3e | 0d | 0a | 09 | 3c | 21 | 2d | 2d | 20 | 3c | 76 | 69 | 64 | 65 |
50 | 6f | 20 | 73 | 72 | 63 | 3d | 22 | 66 | 69 | 6c | 65 | 3a | 5c | 5c | 5c | 47 |
51 | 3a | 5c | d3 | b0 | ca | d3 | d0 | c0 | c9 | cd | 5c | bb | c6 | bd | f0 | ca |
52 | b1 | b4 | fa | 2e | 6d | 70 | 34 | 22 | 20 | 63 | 6f | 6e | 74 | 72 | 6f | 6c |
53 | 73 | 3d | 22 | 63 | 6f | 6e | 74 | 72 | 6f | 6c | 73 | 22 | 3e | 20 | 31 | 31 |
54 | 31 | 3c | 2f | 76 | 69 | 64 | 65 | 6f | 3e | 0d | 0a | 09 | 3c | 76 | 69 | 64 |
55 | 65 | 6f | 20 | 73 | 72 | 63 | 3d | 22 | 30 | 2e | 61 | 76 | 69 | 22 | 20 | 63 |
56 | 6f | 6e | 74 | 72 | 6f | 6c | 73 | 3d | 22 | 63 | 6f | 6e | 74 | 72 | 6f | 6c |
57 | 73 | 22 | 3e | 32 | 32 | 31 | 32 | 3c | 2f | 76 | 69 | 64 | 65 | 6f | 3e | 20 |
58 | 2d | 2d | 3e | 0d | 0a | 09 | 3c | 21 | 2d | 2d | 20 | 3c | 76 | 69 | 64 | 65 |
59 | 6f | 20 | 73 | 72 | 63 | 3d | 22 | 31 | 2e | 77 | 65 | 62 | 6d | 22 | 20 | 63 |
60 | 6f | 6e | 74 | 72 | 6f | 6c | 73 | 3d | 22 | 63 | 6f | 6e | 74 | 72 | 6f | 6c |
61 | 73 | 22 | 3e | 35 | 34 | 35 | 34 | 35 | 3c | 2f | 76 | 69 | 64 | 65 | 6f | 3e |
62 | 20 | 2d | 2d | 3e | 3c | 62 | 72 | 20 | 2f | 3e | 0d | 0a | 09 | 3c | 66 | 6f |
63 | 72 | 6d | 20 | 61 | 63 | 74 | 69 | 6f | 6e | 3d | 22 | 68 | 74 | 74 | 70 | 3a |
64 | 2f | 2f | 31 | 30 | 2e | 31 | 30 | 38 | 2e | 32 | 30 | 33 | 2e | 35 | 30 | 22 |
65 | 20 | 65 | 6e | 63 | 74 | 79 | 70 | 65 | 3d | 22 | 6d | 75 | 6c | 74 | 69 | 70 |
66 | 61 | 72 | 74 | 2f | 66 | 6f | 72 | 6d | 2d | 64 | 61 | 74 | 61 | 22 | 20 | 6d |
67 | 65 | 74 | 68 | 6f | 64 | 3d | 22 | 70 | 6f | 73 | 74 | 22 | 3e | 0d | 0a | 09 |
68 | 09 | 3c | 69 | 6e | 70 | 75 | 74 | 20 | 74 | 79 | 70 | 65 | 3d | 22 | 66 | 69 |
69 | 6c | 65 | 22 | 20 | 6e | 61 | 6d | 65 | 3d | 22 | 66 | 69 | 6c | 65 | 4e | 61 |
70 | 6d | 65 | 22 | 20 | 2f | 3e | 3c | 62 | 72 | 2f | 3e | 0d | 0a | 09 | 09 | 3c |
71 | 69 | 6e | 70 | 75 | 74 | 20 | 74 | 79 | 70 | 65 | 3d | 22 | 73 | 75 | 62 | 6d |
72 | 69 | 74 | 22 | 20 | 76 | 61 | 6c | 75 | 65 | 3d | 22 | c9 | cf | b4 | ab | ce |
73 | c4 | bc | fe | 22 | 20 | 6e | 61 | 6d | 65 | 3d | 22 | 73 | 75 | 62 | 6d | 69 |
74 | 74 | 69 | 6d | 70 | 75 | 74 | 22 | 20 | 2f | 3e | 0d | 0a | 09 | 3c | 2f | 66 |
75 | 6f | 72 | 6d | 3e | 0d | 0a | 0d | 0a | 3c | 2f | 62 | 6f | 64 | 79 | 3e | 0d |
76 | 0a | 3c | 2f | 68 | 74 | 6d | 6c | 3e |
First the IP header: again it indicates this packet must not be fragmented
The TCP segment:
00 | 50 |
Source port: Apache's service port 80
19 | 85 |
The other side's browser port: 6533
c7 | 46 | e0 | b6 |
Sequence number: 3343311030, the same as the TCP acknowledgement number in the browser's previous HTTP request segment
a6 | 87 | 7e | 1f |
Acknowledgement number: 2793897503, 249 B more than the TCP sequence number in the browser's previous HTTP request segment; by calculation the HTTP part of that request was 249 B in total
50 | 18 |
Taking this apart: 0101 0000 0001 1000
The first 4 bits are the TCP header length, 5 here, i.e. 20 B, the standard length
The middle 6 bits are zero
The last 6 bits, one at a time:
First: 0, the urgent pointer is not in use
Second: 1, this is an acknowledgement segment
Third: 0, this TCP segment is not pushed
Fourth: 0, no reset
Fifth: 0, neither a synchronisation request nor a synchronisation acknowledgement
Sixth: 0, not a termination-related segment
01 | 00 |
Window size: 0x0100, i.e. 256, the TCP window the Apache server is still willing to accept is 256 B
27 | fa |
Checksum: skipped.
00 | 00 |
Urgent pointer: not in use
Next comes the HTTP message, copied straight from Wireshark:
HTTP/1.1 200 OK
Date: Wed, 03 Dec 2014 04:16:07 GMT
Server: Apache/2.2.25 (Win32)
Last-Modified: Wed, 03 Dec 2014 04:12:54 GMT
ETag: "1000000013887-358-509480ed7565e"
Accept-Ranges: bytes
Content-Length: 856
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html
<html>
<head>
<!-- <link href="http://localhost/0.png" rel="shortcut icon" />-->
<link href="http://localhost/1.ico" rel="shortcut icon" />
<!--<link href="http://localhost/0.png" rel="apple-touch-icon" />
<link rel="apple-touch-icon" sizes="144x144" href="http://localhost/0.png" />
<link rel="apple-touch-icon" sizes="114x114" href="http://localhost/0.png" />-->
</head>
<body>
<h1>It worksa fafas!</h1>
<!--<video src="file:\\\G:\\.mp4" controls="controls">111</video>
<video src="0.avi" controls="controls">2212</video>-->
<!--<video src="1.webm" controls="controls">54545</video> --><br />
<form action="http://10.108.203.50" enctype="multipart/form-data" method="post">
<input type="file" name="fileName" /><br/>
<input type="submit" value="" name="submitimput" />
</form>
</body>
</html>
6. Right after that comes an acknowledgement segment from the browser; analysing it:
| A | B | C | D | E | F | G | H | I | J | K | L | M | N | O | P |
1 | 28 | d2 | 44 | c7 | d2 | 62 | c8 | 60 | 00 | 46 | 55 | 22 | 08 | 00 | 45 | 00 |
2 | 00 | 28 | 5d | 07 | 40 | 00 | 40 | 06 | 32 | 8a | 0a | 6c | cb | 34 | 0a | 6c |
3 | cb | 32 | 19 | 85 | 00 | 50 | a6 | 87 | 7e | 1f | c7 | 46 | e5 | 38 | 50 | 10 |
4 | 03 | fb | 15 | 9f | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 |
First the IP header: again it carries the don't-fragment flag
The TCP segment:
19 | 85 |
Source port: 6533, the browser's TCP port
00 | 50 |
Destination port: 80, Apache's service port
a6 | 87 | 7e | 1f |
Sequence number: 2793897503, the same as the TCP acknowledgement number in the 200 response Apache sent above
c7 | 46 | e5 | 38 |
Acknowledgement number: 3343312184; the HTTP part of the response above was 1154 B in total, and adding that to the previous sequence number gives exactly this acknowledgement number
50 | 10 |
Taking this apart: 0101 0000 0001 0000
The first four bits: 5, the data offset, i.e. the standard 20 B TCP header length
The middle six bits are zero
The last six bits, one at a time:
First, 0: the urgent pointer field is not in use
Second, 1: this is an acknowledgement segment
Third, 0: this segment is not pushed
Fourth, 0: no reset
Fifth, 0: neither a synchronisation request nor a synchronisation acknowledgement; together with ACK, this is a plain acknowledgement
Sixth, 0: not a termination-related segment
03 | fb |
Window size: 0x03fb here, i.e. 1019 B, the TCP window this side (the browser) still allows is 1019 B
15 | 9f |
Checksum: skipped
00 | 00 |
Urgent pointer: not used
After this, since the IP packet is only 40 B in total, the MAC layer pads 6 B of data
7. Now the release of the TCP connection: (strangely, the release is initiated by the server)
Immediately after there is a TCP segment: (strangely, this segment has no MAC-layer padding)
| A | B | C | D | E | F | G | H | I | J | K | L | M | N | O | P |
1 | c8 | 60 | 00 | 46 | 55 | 22 | 28 | d2 | 44 | c7 | d2 | 62 | 08 | 00 | 45 | 00 |
2 | 00 | 28 | 16 | 23 | 40 | 00 | 40 | 06 | 79 | 6e | 0a | 6c | cb | 32 | 0a | 6c |
3 | cb | 34 | 00 | 50 | 19 | 85 | c7 | 46 | e5 | 38 | a6 | 87 | 7e | 1f | 50 | 11 |
4 | 01 | 00 | 18 | 99 | 00 | 00 |
First the IP part: again it carries the don't-fragment instruction
TCP segment:
00 | 50 |
Source port: Apache's port 80
19 | 85 |
The browser's port 6533
c7 | 46 | e5 | 38 |
Sequence number: 3343312184, the same as the acknowledgement number above
a6 | 87 | 7e | 1f |
Acknowledgement number: 2793897503, the same as the sequence number above, because the TCP segment above carried no data
50 | 11 |
Taking this apart: 0101 0000 0001 0001
The first four bits: 5, the TCP header is 20 B, the standard TCP header length
The middle six bits are zero
The last six bits, one at a time:
First 0, URG: the urgent pointer field is not in use
Second 1, ACK: this is an acknowledgement segment
Third 0, PSH: this segment is not pushed
Fourth 0, RST: not a reset
Fifth 0, SYN: neither a synchronisation request nor a synchronisation acknowledgement
Sixth 1, FIN: this segment asks to release the connection; Apache has finished sending its data and asks the browser to release the connection
01 | 00 |
Window: 256 B, the TCP send window Apache still allows the browser is 256
18 | 99 |
Checksum: skipped
00 | 00 |
Urgent pointer field: not used
(Strangely, the data length clearly does not reach the MAC frame minimum, yet there is no padding!)
8. Next, the browser's acknowledgement of the release request Apache sent:
| A | B | C | D | E | F | G | H | I | J | K | L | M | N | O | P |
1 | 28 | d2 | 44 | c7 | d2 | 62 | c8 | 60 | 00 | 46 | 55 | 22 | 08 | 00 | 45 | 00 |
2 | 00 | 28 | 5d | 09 | 40 | 00 | 40 | 06 | 32 | 88 | 0a | 6c | cb | 34 | 0a | 6c |
3 | cb | 32 | 19 | 85 | 00 | 50 | a6 | 87 | 7e | 1f | c7 | 46 | e5 | 39 | 50 | 10 |
4 | 03 | fb | 15 | 9e | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 |
First the IP packet: still the don't-fragment instruction
TCP segment:
19 | 85 |
Source port: the browser's TCP port 6533
00 | 50 |
Apache's port 80
a6 | 87 | 7e | 1f |
Sequence number: 2793897503, the same as the acknowledgement number above
c7 | 46 | e5 | 39 |
Acknowledgement number: 3343312185, the sequence number above plus 1; my guess is that a FIN segment consumes one sequence number even though it carries no data
50 | 10 |
Taking this apart: 0101 0000 0001 0000
The first four bits: 5, the TCP header is 20 B in total, the standard TCP header length
The middle six bits are reserved and zero
The last six bits, one at a time:
First bit: 0, the urgent pointer is not in use
Second bit: 1, this is an acknowledgement segment
Third bit: 0, this segment is not pushed
Fourth bit: 0, this segment is not a reset
Fifth bit: 0, neither a synchronisation request nor a synchronisation acknowledgement; together with ACK, this is a plain acknowledgement
Sixth bit: 0, this segment does not ask to release the connection
03 | fb |
Window: the TCP send window the browser allows Apache is 1019 B
15 | 9e |
Checksum: skipped
00 | 00 |
Urgent pointer: not used
The six bytes after this are MAC-layer padding, because the IP packet is only 40 B and does not reach 46 B
9. Next, the FIN segment the browser sends right after:
| A | B | C | D | E | F | G | H | I | J | K | L | M | N | O | P |
1 | 28 | d2 | 44 | c7 | d2 | 62 | c8 | 60 | 00 | 46 | 55 | 22 | 08 | 00 | 45 | 00 |
2 | 00 | 28 | 5d | 0a | 40 | 00 | 40 | 06 | 32 | 87 | 0a | 6c | cb | 34 | 0a | 6c |
3 | cb | 32 | 19 | 85 | 00 | 50 | a6 | 87 | 7e | 1f | c7 | 46 | e5 | 39 | 50 | 11 |
4 | 03 | fb | 15 | 9d | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 |
First the IP packet: still the don't-fragment instruction
TCP:
19 | 85 |
Source port: the browser's port 6533
00 | 50 |
Apache's service port: 80
a6 | 87 | 7e | 1f |
Sequence number: 2793897503, the same as the sequence number of the acknowledgement segment this side sent above
c7 | 46 | e5 | 39 |
Acknowledgement number: 3343312185, the same as the acknowledgement number of the acknowledgement segment this side sent above
50 | 11 |
Taking this apart: 0101 0000 0001 0001
The first four bits: 5, the TCP header is 20 B, the standard TCP segment header
The middle six bits: reserved, zero
The last six bits, one at a time:
First bit: 0, the urgent pointer is not in use
Second bit: 1, this is an acknowledgement segment
Third bit: 0, not a push segment
Fourth bit: 0, not a reset segment
Fifth bit: 0, neither a synchronisation request nor a synchronisation acknowledgement; together with ACK, this is a plain acknowledgement
Sixth bit: 1, this segment asks to release the connection; the browser has finished sending its data and asks to release the connection
03 | fb |
Window: 1019 B, the TCP send window the browser allows Apache is 1019 B
15 | 9d |
Checksum: skipped
00 | 00 |
Urgent pointer: not used
The six bytes after this are MAC-layer padding, because the IP packet is only 40 B in total and does not reach 46 B
10. Next, the server's acknowledgement of the connection teardown:
| A | B | C | D | E | F | G | H | I | J | K | L | M | N | O | P |
1 | c8 | 60 | 00 | 46 | 55 | 22 | 28 | d2 | 44 | c7 | d2 | 62 | 08 | 00 | 45 | 00 |
2 | 00 | 28 | 16 | 34 | 40 | 00 | 40 | 06 | 79 | 5d | 0a | 6c | cb | 32 | 0a | 6c |
3 | cb | 34 | 00 | 50 | 19 | 85 | c7 | 46 | e5 | 39 | a6 | 87 | 7e | 20 | 50 | 10 |
4 | 01 | 00 | 18 | 98 | 00 | 00 |
First the IP packet: still the don't-fragment instruction
The TCP segment:
00 | 50 |
Apache's service port: 80
19 | 85 |
Browser port: 6533
c7 | 46 | e5 | 39 |
Sequence number: 3343312185, the same as the acknowledgement number in the segment above
a6 | 87 | 7e | 20 |
Acknowledgement number: 2793897504, the sequence number of the segment above plus 1; again my guess is that a FIN segment consumes one sequence number
50 | 10 |
Taking this apart: 0101 0000 0001 0000
The first four bits: 5, the TCP header is 20 B, the standard TCP header length
The middle 6 bits: reserved, zero
The last six bits, one at a time:
First bit: 0, the urgent pointer field is not in use
Second bit: 1, this is an acknowledgement segment
Third bit: 0, not a push segment
Fourth bit: 0, not a reset segment
Fifth bit: 0, neither a synchronisation request nor a synchronisation acknowledgement; together with ACK, this is a plain acknowledgement
Sixth bit: 0, this segment does not ask to terminate the connection
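The ten segments from the first SYN through this final ACK form one closed set of sequence and acknowledgement numbers, and the guess made twice above (that a FIN consumes one sequence number even without data, just as a SYN does) is exactly what makes them add up: 249 B of request, 1154 B of response, plus one for each SYN and FIN. The following added example is not part of the original report; it replays the ten segments with the values read from the dumps and checks every seq and ack against what the other side has actually sent, and also shows what the check reports if the FIN were wrongly assumed to consume nothing.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Segment:
    sender: str        # "client" (browser, 10.108.203.52) or "server" (Apache, 10.108.203.50)
    seq: int
    ack: int
    flags: frozenset
    payload_len: int   # bytes of TCP data carried; 0 for pure control segments


def sequence_space_used(seg: Segment) -> int:
    """Number of sequence numbers this segment occupies.

    Every data byte takes one; SYN and FIN each take one as well although they
    carry no data. That is why the ACK of a FIN is the FIN's seq plus one.
    """
    return seg.payload_len + ("SYN" in seg.flags) + ("FIN" in seg.flags)


def check_sequence_numbers(segments: list) -> tuple:
    """Replay the segments in capture order and verify the seq/ack bookkeeping.

    Returns (issues, next_seq): issues is a list of (index, description) with
    0-based indexes into `segments`; next_seq maps each sender to the sequence
    number it must use next, which is also what its peer should acknowledge.
    """
    next_seq, issues = {}, []
    for idx, seg in enumerate(segments):
        peer = "server" if seg.sender == "client" else "client"
        # A sender continues exactly where its previous segment ended.
        if seg.sender in next_seq and seg.seq != next_seq[seg.sender]:
            issues.append((idx, f"{seg.sender} seq {seg.seq}, expected {next_seq[seg.sender]}"))
        next_seq[seg.sender] = seg.seq + sequence_space_used(seg)
        # An ACK names the next byte expected from the peer: all it has sent, no more.
        if "ACK" in seg.flags:
            if peer not in next_seq:
                issues.append((idx, f"ACK before any segment from {peer}"))
            elif seg.ack != next_seq[peer]:
                issues.append((idx, f"{seg.sender} ack {seg.ack}, expected {next_seq[peer]}"))
    return issues, next_seq


def bytes_sent(segments: list) -> dict:
    """Payload bytes per sender; this is what moves the peer's ack number."""
    totals = {}
    for seg in segments:
        totals[seg.sender] = totals.get(seg.sender, 0) + seg.payload_len
    return totals


S = frozenset
# The ten segments of the first connection, values as read from the dumps above.
CAPTURED = [
    Segment("client", 2793897253, 0,          S({"SYN"}),        0),     # 1. SYN
    Segment("server", 3343311029, 2793897254, S({"SYN", "ACK"}), 0),     # 2. SYN, ACK
    Segment("client", 2793897254, 3343311030, S({"ACK"}),        0),     # 3. ACK
    Segment("client", 2793897254, 3343311030, S({"ACK", "PSH"}), 249),   # 4. GET / (249 B)
    Segment("server", 3343311030, 2793897503, S({"ACK", "PSH"}), 1154),  # 5. 200 OK (1154 B)
    Segment("client", 2793897503, 3343312184, S({"ACK"}),        0),     # 6. ACK
    Segment("server", 3343312184, 2793897503, S({"ACK", "FIN"}), 0),     # 7. FIN from Apache
    Segment("client", 2793897503, 3343312185, S({"ACK"}),        0),     # 8. ACK of that FIN
    Segment("client", 2793897503, 3343312185, S({"ACK", "FIN"}), 0),     # 9. FIN from browser
    Segment("server", 3343312185, 2793897504, S({"ACK"}),        0),     # 10. final ACK
]


def check_capture() -> tuple:
    return check_sequence_numbers(CAPTURED)


def fin_not_counted() -> list:
    """Same capture, but segment 8 acks as if the FIN had used no sequence number."""
    wrong = list(CAPTURED)
    wrong[7] = replace(wrong[7], ack=wrong[7].ack - 1)
    return wrong


if __name__ == "__main__":
    print(check_capture())                                  # ([], {...})
    print(check_sequence_numbers(fin_not_counted())[0])     # one issue at index 7
```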
Next frame: the browser's synchronisation request for a new connection
554 19.500058000 10.108.203.52 10.108.203.50 TCP 66 lds-dump → http [SYN] Seq=0 Win=65535 Len=0 MSS=1460 WS=256 SACK_PERM=1
| A | B | C | D | E | F | G | H | I | J | K | L | M | N | O | P |
1 | 28 | d2 | 44 | c7 | d2 | 62 | c8 | 60 | 00 | 46 | 55 | 22 | 08 | 00 | 45 | 00 |
2 | 00 | 34 | 5d | 22 | 40 | 00 | 40 | 06 | 32 | 63 | 0a | 6c | cb | 34 | 0a | 6c |
3 | cb | 32 | 19 | 90 | 00 | 50 | f9 | d2 | 34 | 39 | 00 | 00 | 00 | 00 | 80 | 02 |
4 | ff | ff | 7b | e5 | 00 | 00 | 02 | 04 | 05 | b4 | 01 | 03 | 03 | 08 | 01 | 01 |
5 | 04 | 02 |
Going straight to TCP:
19 | 90 |
Source port: 6544
00 | 50 |
Destination port: 80
f9 | d2 | 34 | 39 |
Sequence number: 4191302713
00 | 00 | 00 | 00 |
Acknowledgement number: zero, as this is the first segment
80 | 02 |
Taking this apart: 1000 0000 0000 0010
The first four bits: 8, i.e. 32 bytes, the TCP header is 32 B
The middle six bits: reserved, zero
The last six bits, one at a time:
First bit, 0: the urgent pointer field is not used
Second bit, 0: the acknowledgement number field is not used
Third bit, 0: this segment is not pushed
Fourth bit, 0: not a reset segment
Fifth bit, 1: a synchronisation request or synchronisation acknowledgement; together with ACK = 0, this is a synchronisation request
Sixth bit: 0, this segment does not ask the other side to release the connection
ff | ff |
Window: this side allows the other side a TCP send window of 65535 B
7b | e5 |
Checksum: skipped
00 | 00 |
Urgent pointer: not used
Below are the TCP header options
02 | 04 | 05 | b4 |
Maximum segment size: 1460 bytes
01 |
No-Operation (NOP)
03 | 03 | 08 |
Window scale: 8 (multiply by 256)
01 |
No-Operation (NOP)
01 |
No-Operation (NOP)
04 | 02 |
TCP SACK Permitted Option: True
Next frame: the server's synchronisation acknowledgement
555 19.500198000 10.108.203.50 10.108.203.52 TCP 66 http → lds-dump [SYN, ACK] Seq=0 Ack=1 Win=8192 Len=0 MSS=1460 WS=256 SACK_PERM=1
| A | B | C | D | E | F | G | H | I | J | K | L | M | N | O | P |
1 | c8 | 60 | 00 | 46 | 55 | 22 | 28 | d2 | 44 | c7 | d2 | 62 | 08 | 00 | 45 | 00 |
2 | 00 | 34 | 16 | 35 | 40 | 00 | 40 | 06 | 79 | 50 | 0a | 6c | cb | 32 | 0a | 6c |
3 | cb | 34 | 00 | 50 | 19 | 90 | d8 | 41 | fa | 1f | f9 | d2 | 34 | 3a | 80 | 12 |
4 | 20 | 00 | 89 | 72 | 00 | 00 | 02 | 04 | 05 | b4 | 01 | 03 | 03 | 08 | 01 | 01 |
5 | 04 | 02 |
00 | 50 |
Source port: 80
19 | 90 |
Destination port: 6544
d8 | 41 | fa | 1f |
Sequence number: 3628202527, chosen by this side, unrelated to the previous segment
f9 | d2 | 34 | 3a |
Acknowledgement number: 4191302714, the previous segment's sequence number plus 1
80 | 12 |
Taking this apart: 1000 0000 0001 0010
The first four bits: 8, i.e. 32 bytes, the TCP header is 32 B
The middle six bits: reserved, zero
The last six bits, one at a time:
First bit, 0: the urgent pointer field is not used
Second bit, 1: the acknowledgement number field is in use
Third bit, 0: this segment is not pushed
Fourth bit, 0: not a reset segment
Fifth bit, 1: a synchronisation request or synchronisation acknowledgement; together with ACK, this is a synchronisation acknowledgement
Sixth bit: 0, this segment does not ask the other side to release the connection
20 | 00 |
Window: 8192, the other side is allowed a TCP send window of 8192 B
89 | 72 |
Checksum: skipped
00 | 00 |
Urgent field: not used
Below are the TCP header options:
Options: (12 bytes), Maximum segment size, No-Operation (NOP), Window scale, No-Operation (NOP), No-Operation (NOP), SACK permitted
02 | 04 | 05 | b4 |
Maximum segment size: 1460 bytes
01 |
No-Operation (NOP)
03 | 03 | 08 |
Window scale: 8 (multiply by 256)
01 |
No-Operation (NOP)
01 |
No-Operation (NOP)
04 | 02 |
TCP SACK Permitted Option: True
Next frame: the browser's synchronisation acknowledgement
556 19.501084000 10.108.203.52 10.108.203.50 TCP 60 lds-dump → http [ACK] Seq=1 Ack=1 Win=1024 Len=0
| A | B | C | D | E | F | G | H | I | J | K | L | M | N | O | P |
1 | 28 | d2 | 44 | c7 | d2 | 62 | c8 | 60 | 00 | 46 | 55 | 22 | 08 | 00 | 45 | 00 |
2 | 00 | 28 | 5d | 23 | 40 | 00 | 40 | 06 | 32 | 6e | 0a | 6c | cb | 34 | 0a | 6c |
3 | cb | 32 | 19 | 90 | 00 | 50 | f9 | d2 | 34 | 3a | d8 | 41 | fa | 20 | 50 | 10 |
4 | 04 | 00 | e6 | 45 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 |
Going straight to the TCP segment:
19 | 90 |
Source port: browser, 6544
00 | 50 |
Destination port: Apache, 80
f9 | d2 | 34 | 3a |
Sequence number: 4191302714, the same as the acknowledgement number above
d8 | 41 | fa | 20 |
Acknowledgement number: 3628202528, the sequence number of the segment above plus 1
50 | 10 |
Taking this apart: 0101 0000 0001 0000
The first four bits: 5, i.e. 20 bytes, the TCP header is 20 B
The middle six bits: reserved, zero
The last six bits, one at a time:
First bit, 0: the urgent pointer field is not used
Second bit, 1: the acknowledgement number field is in use
Third bit, 0: this segment is not pushed
Fourth bit, 0: not a reset segment
Fifth bit, 0: neither a synchronisation request nor a synchronisation acknowledgement; together with ACK, this is a plain acknowledgement
Sixth bit: 0, this segment does not ask the other side to release the connection
04 | 00 |
Window: 1024, the other side (Apache) is allowed a TCP send window of 1024 B
e6 | 45 |
Checksum: skipped.
00 | 00 |
Urgent pointer: not used
The six bytes after this are padding, because the IP packet is only 40 B in total and does not reach 46 B.
Next frame: the first segment of the browser's file upload
557 19.501976000 10.108.203.52 10.108.203.50 TCP 471 [TCP segment of a reassembled PDU]
| A | B | C | D | E | F | G | H | I | J | K | L | M | N | O | P |
1 | 28 | d2 | 44 | c7 | d2 | 62 | c8 | 60 | 00 | 46 | 55 | 22 | 08 | 00 | 45 | 00 |
2 | 01 | c9 | 5d | 24 | 40 | 00 | 40 | 06 | 30 | cc | 0a | 6c | cb | 34 | 0a | 6c |
3 | cb | 32 | 19 | 90 | 00 | 50 | f9 | d2 | 34 | 3a | d8 | 41 | fa | 20 | 50 | 18 |
4 | 04 | 00 | 44 | af | 00 | 00 | 50 | 4f | 53 | 54 | 20 | 2f | 20 | 48 | 54 | 54 |
5 | 50 | 2f | 31 | 2e | 31 | 0d | 0a | 41 | 63 | 63 | 65 | 70 | 74 | 3a | 20 | 74 |
6 | 65 | 78 | 74 | 2f | 68 | 74 | 6d | 6c | 2c | 20 | 61 | 70 | 70 | 6c | 69 | 63 |
7 | 61 | 74 | 69 | 6f | 6e | 2f | 78 | 68 | 74 | 6d | 6c | 2b | 78 | 6d | 6c | 2c |
8 | 20 | 2a | 2f | 2a | 0d | 0a | 52 | 65 | 66 | 65 | 72 | 65 | 72 | 3a | 20 | 68 |
9 | 74 | 74 | 70 | 3a | 2f | 2f | 31 | 30 | 2e | 31 | 30 | 38 | 2e | 32 | 30 | 33 |
10 | 2e | 35 | 30 | 2f | 0d | 0a | 41 | 63 | 63 | 65 | 70 | 74 | 2d | 4c | 61 | 6e |
11 | 67 | 75 | 61 | 67 | 65 | 3a | 20 | 7a | 68 | 2d | 43 | 4e | 0d | 0a | 43 | 6f |
12 | 6e | 74 | 65 | 6e | 74 | 2d | 54 | 79 | 70 | 65 | 3a | 20 | 6d | 75 | 6c | 74 |
13 | 69 | 70 | 61 | 72 | 74 | 2f | 66 | 6f | 72 | 6d | 2d | 64 | 61 | 74 | 61 | 3b |
14 | 20 | 62 | 6f | 75 | 6e | 64 | 61 | 72 | 79 | 3d | 2d | 2d | 2d | 2d | 2d | 2d |
15 | 2d | 2d | 2d | 2d | 2d | 2d | 2d | 2d | 2d | 2d | 2d | 2d | 2d | 2d | 2d | 2d |
16 | 2d | 2d | 2d | 2d | 2d | 37 | 64 | 65 | 32 | 31 | 61 | 32 | 63 | 64 | 30 | 36 |
17 | 37 | 63 | 0d | 0a | 55 | 73 | 65 | 72 | 2d | 41 | 67 | 65 | 6e | 74 | 3a | 20 |
18 | 4d | 6f | 7a | 69 | 6c | 6c | 61 | 2f | 35 | 2e | 30 | 20 | 28 | 57 | 69 | 6e |
19 | 64 | 6f | 77 | 73 | 20 | 4e | 54 | 20 | 36 | 2e | 33 | 3b | 20 | 54 | 72 | 69 |
20 | 64 | 65 | 6e | 74 | 2f | 37 | 2e | 30 | 3b | 20 | 72 | 76 | 3a | 31 | 31 | 2e |
21 | 30 | 29 | 20 | 6c | 69 | 6b | 65 | 20 | 47 | 65 | 63 | 6b | 6f | 0d | 0a | 41 |
22 | 63 | 63 | 65 | 70 | 74 | 2d | 45 | 6e | 63 | 6f | 64 | 69 | 6e | 67 | 3a | 20 |
23 | 67 | 7a | 69 | 70 | 2c | 20 | 64 | 65 | 66 | 6c | 61 | 74 | 65 | 0d | 0a | 48 |
24 | 6f | 73 | 74 | 3a | 20 | 31 | 30 | 2e | 31 | 30 | 38 | 2e | 32 | 30 | 33 | 2e |
25 | 35 | 30 | 0d | 0a | 43 | 6f | 6e | 74 | 65 | 6e | 74 | 2d | 4c | 65 | 6e | 67 |
26 | 74 | 68 | 3a | 20 | 31 | 31 | 32 | 34 | 37 | 39 | 0d | 0a | 44 | 4e | 54 | 3a |
27 | 20 | 31 | 0d | 0a | 43 | 6f | 6e | 6e | 65 | 63 | 74 | 69 | 6f | 6e | 3a | 20 |
28 | 4b | 65 | 65 | 70 | 2d | 41 | 6c | 69 | 76 | 65 | 0d | 0a | 43 | 61 | 63 | 68 |
29 | 65 | 2d | 43 | 6f | 6e | 74 | 72 | 6f | 6c | 3a | 20 | 6e | 6f | 2d | 63 | 61 |
30 | 63 | 68 | 65 | 0d | 0a | 0d | 0a |
Going straight to the TCP segment:
19 | 90 |
Source port: 6544 (browser)
00 | 50 |
Destination port: Apache, 80
f9 | d2 | 34 | 3a |
Sequence number: 4191302714, the same as the acknowledgement number in the segment above
d8 | 41 | fa | 20 |
Acknowledgement number: 3628202528, the same as the acknowledgement number in the segment above
50 | 18 |
Taking this apart: 0101 0000 0001 1000
The first four bits: 5, i.e. 20 B, the TCP header is 20 bytes in total
The middle six bits: reserved, zero
The last six bits, one at a time:
First bit, 0: the urgent pointer field is not used
Second bit, 1: the acknowledgement number field is in use
Third bit, 1: this segment is pushed
Fourth bit, 0: not a reset segment
Fifth bit, 0: neither a synchronisation request nor a synchronisation acknowledgement; together with ACK, this is a plain acknowledgement
Sixth bit: 0, this segment does not ask the other side to release the connection
04 | 00 |
Window: 1024, the other side (Apache) is allowed a TCP send window of 1024 B
44 | af |
Checksum: skipped
00 | 00 |
Urgent pointer: not used
Everything after this is data: 417 B in total
POST / HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Referer: http://10.108.203.50/
Accept-Language: zh-CN
Content-Type: multipart/form-data; boundary=---------------------------7de21a2cd067c
User-Agent: Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: 10.108.203.50
Content-Length: 112479
DNT: 1
Connection: Keep-Alive
Cache-Control: no-cache
Next frame: the second segment of the browser's file upload
558 19.503494000 10.108.203.52 10.108.203.50 TCP 1514 [TCP segment of a reassembled PDU]
| A | B | C | D | E | F | G | H | I | J | K | L | M | N | O | P |
1 | 28 | d2 | 44 | c7 | d2 | 62 | c8 | 60 | 00 | 46 | 55 | 22 | 08 | 00 | 45 | 00 |
2 | 05 | dc | 5d | 25 | 40 | 00 | 40 | 06 | 2c | b8 | 0a | 6c | cb | 34 | 0a | 6c |
3 | cb | 32 | 19 | 90 | 00 | 50 | f9 | d2 | 35 | db | d8 | 41 | fa | 20 | 50 | 10 |
4 | 04 | 00 | 01 | 8c | 00 | 00 | 2d | 2d | 2d | 2d | 2d | 2d | 2d | 2d | 2d | 2d |
5 | 2d | 2d | 2d | 2d | 2d | 2d | 2d | 2d | 2d | 2d | 2d | 2d | 2d | 2d | 2d | 2d |
6 | 2d | 2d | 2d | 37 | 64 | 65 | 32 | 31 | 61 | 32 | 63 | 64 | 30 | 36 | 37 | 63 |
7 | 0d | 0a | 43 | 6f | 6e | 74 | 65 | 6e | 74 | 2d | 44 | 69 | 73 | 70 | 6f | 73 |
8 | 69 | 74 | 69 | 6f | 6e | 3a | 20 | 66 | 6f | 72 | 6d | 2d | 64 | 61 | 74 | 61 |
9 | 3b | 20 | 6e | 61 | 6d | 65 | 3d | 22 | 66 | 69 | 6c | 65 | 4e | 61 | 6d | 65 |
10 | 22 | 3b | 20 | 66 | 69 | 6c | 65 | 6e | 61 | 6d | 65 | 3d | 22 | 32 | 30 | 31 |
11 | 33 | 31 | 32 | 5f | 32 | 30 | 31 | 30 | bc | b6 | a1 | b6 | cb | ae | d7 | ca |
12 | d4 | b4 | cf | b5 | cd | b3 | d4 | cb | d0 | d0 | b5 | f7 | b6 | c8 | a1 | b7 |
13 | bf | ce | b3 | cc | c9 | e8 | bc | c6 | c8 | ce | ce | f1 | ca | e9 | 2e | 64 |
14 | 6f | 63 | 22 | 0d | 0a | 43 | 6f | 6e | 74 | 65 | 6e | 74 | 2d | 54 | 79 | 70 |
15 | 65 | 3a | 20 | 61 | 70 | 70 | 6c | 69 | 63 | 61 | 74 | 69 | 6f | 6e | 2f | 6d |
16 | 73 | 77 | 6f | 72 | 64 | 0d | 0a | 0d | 0a | d0 | cf | 11 | e0 | a1 | b1 | 1a |
17 | e1 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 |
18 | 00 | 3e | 00 | 03 | 00 | fe | ff | 09 | 00 | 06 | 00 | 00 | 00 | 00 | 00 | 00 |
19 | 00 | 00 | 00 | 00 | 00 | 02 | 00 | 00 | 00 | d4 | 00 | 00 | 00 | 00 | 00 | 00 |
20 | 00 | 00 | 10 | 00 | 00 | d7 | 00 | 00 | 00 | 01 | 00 | 00 | 00 | fe | ff | ff |
21 | ff | 00 | 00 | 00 | 00 | d2 | 00 | 00 | 00 | d3 | 00 | 00 | 00 | ff | ff | ff |
22 | ff | ff | ff | ff | ff | ff | ff | ff | ff | ff | ff | ff | ff | ff | ff | ff |
23 | ff | ff | ff | ff | ff | ff | ff | ff | ff | ff | ff | ff | ff | ff | ff | ff |
24 | ff | ff | ff | ff | ff | ff | ff | ff | ff | ff | ff | ff | ff | ff | ff | ff |
25 | ff | ff | ff | ff | ff | ff | ff | ff | ff | ff | ff | ff | ff | ff | ff | ff |
26 | ff | ff | ff | ff | ff | ff | ff | ff | ff | ff | ff | ff | ff | ff | ff | ff |
27 | ff | ff | ff | ff | ff | ff | ff | ff | ff | ff | ff | ff | ff | ff | ff | ff |
28 | ff | ff | ff | ff | ff | ff | ff | ff | ff | ff | ff | ff | ff | ff | ff | ff |
29 | ff | ff | ff | ff | ff | ff | ff | ff | ff | ff | ff | ff | ff | ff | ff | ff |
30 | ff | ff | ff | ff | ff | ff | ff | ff | ff | ff | ff | ff | ff | ff | ff | ff |
31 | ff | ff | ff | ff | ff | ff | ff | ff | ff | ff | ff | ff | ff | ff | ff | ff |
32 | ff | ff | ff | ff | ff | ff | ff | ff | ff | ff | ff | ff | ff | ff | ff | ff |
33 | ff | ff | ff | ff | ff | ff | ff | ff | ff | ff | ff | ff | ff | ff | ff | ff |
34 | ff | ff | ff | ff | ff | ff | ff | ff | ff | ff | ff | ff | ff | ff | ff | ff |
35 | ff | ff | ff | ff | ff | ff | ff | ff | ff | ff | ff | ff | ff | ff | ff | ff |
36 | ff | ff | ff | ff | ff | ff | ff | ff | ff | ff | ff | ff | ff | ff | ff | ff |
37 | ff | ff | ff | ff | ff | ff | ff | ff | ff | ff | ff | ff | ff | ff | ff | ff |
38 | ff | ff | ff | ff | ff | ff | ff | ff | ff | ff | ff | ff | ff | ff | ff | ff |
39 | ff | ff | ff | ff | ff | ff | ff | ff | ff | ff | ff | ff | ff | ff | ff | ff |
40 | ff | ff | ff | ff | ff | ff | ff | ff | ff | ff | ff | ff | ff | ff | ff | ff |
41 | ff | ff | ff | ff | ff | ff | ff | ff | ff | ff | ff | ff | ff | ff | ff | ff |
42 | ff | ff | ff | ff | ff | ff | ff | ff | ff | ff | ff | ff | ff | ff | ff | ff |
43 | ff | ff | ff | ff | ff | ff | ff | ff | ff | ff | ff | ff | ff | ff | ff | ff |
44 | ff | ff | ff | ff | ff | ff | ff | ff | ff | ff | ff | ff | ff | ff | ff | ff |
45 | ff | ff | ff | ff | ff | ff | ff | ff | ff | ff | ff | ff | ff | ff | ff | ff |
46 | ff | ff | ff | ff | ff | ff | ff | ff | ff | ff | ff | ff | ff | ff | ff | ff |
47 | ff | ff | ff | ff | ff | ff | ff | ff | ff | ff | ff | ff | ff | ff | ff | ff |
48 | ff | ff | ff | ff | ff | ff | ff | ff | ff | ec | a5 | c1 | 00 | 67 | c0 | 09 |
49 | 04 | 00 | 00 | f0 | 52 | bf | 00 | 00 | 00 | 00 | 00 | 00 | 10 | 00 | 00 | 00 |
50 | 00 | 00 | 08 | 00 | 00 | 72 | b5 | 00 | 00 | 0e | 00 | 62 | 6a | 62 | 6a | 10 |
51 | 56 | 10 | 56 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 |
52 | 00 | 00 | 00 | 00 | 00 | 04 | 08 | 16 | 00 | 7e | bc | 00 | 00 | 72 | 3c | 01 |
53 | 00 | 72 | 3c | 01 | 00 | 34 | 13 | 00 | 00 | 00 | 00 | 00 | 00 | 39 | 00 | 00 |
54 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 |
55 | 00 | 00 | 00 | 00 | 00 | ff | ff | 0f | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 |
56 | 00 | ff | ff | 0f | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | ff | ff | 0f |
57 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 |
58 | 00 | b7 | 00 | 00 | 00 | 00 | 00 | f2 | 07 | 00 | 00 | 00 | 00 | 00 | 00 | f2 |
59 | 07 | 00 | 00 | 5b | 15 | 00 | 00 | 00 | 00 | 00 | 00 | 5b | 15 | 00 | 00 | 00 |
60 | 00 | 00 | 00 | 5b | 15 | 00 | 00 | 00 | 00 | 00 | 00 | 5b | 15 | 00 | 00 | 00 |
61 | 00 | 00 | 00 | 5b | 15 | 00 | 00 | 24 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 |
62 | 00 | 00 | 00 | ff | ff | ff | ff | 00 | 00 | 00 | 00 | 7f | 15 | 00 | 00 | 00 |
63 | 00 | 00 | 00 | 7f | 15 | 00 | 00 | 00 | 00 | 00 | 00 | 7f | 15 | 00 | 00 | 50 |
64 | 00 | 00 | 00 | cf | 15 | 00 | 00 | c4 | 00 | 00 | 00 | 93 | 16 | 00 | 00 | a4 |
65 | 01 | 00 | 00 | 7f | 15 | 00 | 00 | 00 | 00 | 00 | 00 | c4 | 36 | 00 | 00 | ec |
66 | 01 | 00 | 00 | 37 | 18 | 00 | 00 | 00 | 00 | 00 | 00 | 37 | 18 | 00 | 00 | 28 |
67 | 00 | 00 | 00 | 5f | 18 | 00 | 00 | 00 | 00 | 00 | 00 | 5f | 18 | 00 | 00 | 00 |
68 | 00 | 00 | 00 | 5f | 18 | 00 | 00 | 00 | 00 | 00 | 00 | 93 | 19 | 00 | 00 | 00 |
69 | 00 | 00 | 00 | 93 | 19 | 00 | 00 | 00 | 00 | 00 | 00 | 93 | 19 | 00 | 00 | 00 |
70 | 00 | 00 | 00 | ef | 35 | 00 | 00 | 02 | 00 | 00 | 00 | f1 | 35 | 00 | 00 | 00 |
71 | 00 | 00 | 00 | f1 | 35 | 00 | 00 | 00 | 00 | 00 | 00 | f1 | 35 | 00 | 00 | 00 |
72 | 00 | 00 | 00 | f1 | 35 | 00 | 00 | 00 | 00 | 00 | 00 | f1 | 35 | 00 | 00 | 00 |
73 | 00 | 00 | 00 | f1 | 35 | 00 | 00 | 24 | 00 | 00 | 00 | b0 | 38 | 00 | 00 | b2 |
74 | 02 | 00 | 00 | 62 | 3b | 00 | 00 | 4e | 00 | 00 | 00 | 15 | 36 | 00 | 00 | 69 |
75 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 |
76 | 00 | 00 | 00 | 5b | 15 | 00 | 00 | 00 | 00 | 00 | 00 | 4f | 1b | 00 | 00 | 00 |
77 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 |
78 | 00 | 00 | 00 | 93 | 19 | 00 | 00 | 00 | 00 | 00 | 00 | 93 | 19 | 00 | 00 | 00 |
79 | 00 | 00 | 00 | 4f | 1b | 00 | 00 | 00 | 00 | 00 | 00 | 4f | 1b | 00 | 00 | 00 |
80 | 00 | 00 | 00 | 15 | 36 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 |
81 | 00 | 00 | 00 | 5b | 15 | 00 | 00 | 00 | 00 | 00 | 00 | 5b | 15 | 00 | 00 | 00 |
82 | 00 | 00 | 00 | 5f | 18 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 |
83 | 00 | 00 | 00 | 5f | 18 | 00 | 00 | 34 | 01 | 00 | 00 | 7e | 36 | 00 | 00 | 16 |
84 | 00 | 00 | 00 | 7b | 23 | 00 | 00 | 00 | 00 | 00 | 00 | 7b | 23 | 00 | 00 | 00 |
85 | 00 | 00 | 00 | 7b | 23 | 00 | 00 | 00 | 00 | 00 | 00 | 4f | 1b | 00 | 00 | 86 |
86 | 05 | 00 | 00 | 5b | 15 | 00 | 00 | 00 | 00 | 00 | 00 | 5f | 18 | 00 | 00 | 00 |
87 | 00 | 00 | 00 | 5b | 15 | 00 | 00 | 00 | 00 | 00 | 00 | 5f | 18 | 00 | 00 | 00 |
88 | 00 | 00 | 00 | ef | 35 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 |
89 | 00 | 00 | 00 | 7b | 23 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 |
90 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 |
91 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 |
92 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 4f | 1b | 00 | 00 | 00 |
93 | 00 | 00 | 00 | ef | 35 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 |
94 | 00 | 00 | 00 | 7b | 23 | 00 | 00 | 00 | 00 | 00 | 00 | 7b | 23 | 00 | 00 | 16 |
95 | 02 | 00 | 00 | 7d | 30 | 00 | 00 | 80 | 01 | 00 |
|
Analyzing the TCP segment directly:
19 | 90 |
Source port: 6554 (browser)
00 | 50 |
Destination port: 80 (Apache)
f9 | d2 | 35 | db |
Sequence number: 4191303131, which is exactly the previous segment's sequence number (4191302714) plus that segment's data length (417 B)
d8 | 41 | fa | 20 |
Acknowledgment number: 3628202527, the same as the acknowledgment number of the segment above
50 | 10 |
Bit by bit: 0101 0000 0001 0000
First 4 bits: 5, i.e. 5 × 4 = 20 B, so the TCP header is 20 bytes long
Middle 6 bits: reserved, all 0
Last 6 bits, one at a time:
Bit 1 (URG): 0, the urgent pointer field is not used
Bit 2 (ACK): 1, the acknowledgment number field is in use
Bit 3 (PSH): 0, this segment is not pushed
Bit 4 (RST): 0, not a reset segment
Bit 5 (SYN): 0, not a connection request or connection acknowledgment; together with ACK=1 this makes it an acknowledgment segment
Bit 6 (FIN): 0, not a request to release the connection
04 | 00 |
Window: 1024, i.e. the peer (Apache) may send a TCP window of 1024 B
01 | 8c |
Checksum: omitted
00 | 00 |
Urgent pointer: not used
Everything below is data: TCP segment data (1460 bytes). This is the content of the uploaded file; only the printable characters were copied out of Wireshark here, but the segment carries 1460 B
-----------------------------7de21a2cd067c
Content-Disposition: form-data;name="fileName"; filename="201312_2010.doc"
Content-Type: application/msword
> g RrbjbjVV~r<r<49[[[[[$P677(___5555555$8b;N6i[OOO6[[__4~6{#{#{#O[_[_5{#O5{#{#}0
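The form-data headers above (delimiter line, Content-Disposition with the field name and client filename, Content-Type) are what the upload handler on the Apache side has to interpret. The following is an added example, not code from this write-up or from Apache: it parses such a body and applies the two checks an upload handler should make on the client-supplied parts, reducing the filename to a single safe path component and confirming the declared type against the payload's magic bytes. The boundary value is assumed from the delimiter line in the capture (the line is "--" followed by the boundary), and the sample body is constructed from the headers visible in the dump with the payload cut to its first bytes (d0 cf 11 e0 a1 b1 1a e1, the OLE2 compound-document signature that legacy .doc files start with).

```python
"""Parse a multipart/form-data upload body and apply the server-side checks an
upload handler should make. Added example, not code from the write-up; the body
below is constructed from the headers visible in the capture."""
import re

# Boundary parameter, assumed from the delimiter line in the capture
# (the delimiter line is "--" followed by the boundary).
BOUNDARY = b"---------------------------7de21a2cd067c"

# OLE2 compound-document signature; legacy .doc files begin with it, and so
# does the payload in the dump (d0 cf 11 e0 a1 b1 1a e1).
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"

# Constructed sample body: one file part, payload truncated to its first bytes.
SAMPLE_BODY = b"".join([
    b"--", BOUNDARY, b"\r\n",
    b'Content-Disposition: form-data; name="fileName"; filename="201312_2010.doc"\r\n',
    b"Content-Type: application/msword\r\n",
    b"\r\n",
    OLE_MAGIC, b"\x00" * 8,
    b"\r\n--", BOUNDARY, b"--\r\n",
])


def parse_multipart(body: bytes, boundary: bytes) -> list:
    """Split a multipart body into parts: [{'headers': {...}, 'data': bytes}, ...]."""
    delimiter = b"--" + boundary
    parts = []
    for chunk in body.split(delimiter)[1:]:      # [0] is the preamble
        if chunk.startswith(b"--"):              # closing delimiter "--boundary--"
            break
        if chunk.startswith(b"\r\n"):
            chunk = chunk[2:]
        head, sep, data = chunk.partition(b"\r\n\r\n")
        if not sep:
            raise ValueError("part without blank line after headers")
        if data.endswith(b"\r\n"):               # CRLF before the next delimiter is not payload
            data = data[:-2]
        headers = {}
        for line in head.split(b"\r\n"):
            if not line:
                continue
            name, _, value = line.decode("latin-1").partition(":")
            headers[name.strip().lower()] = value.strip()
        parts.append({"headers": headers, "data": data})
    return parts


def client_filename(part: dict) -> str:
    """The filename="..." parameter of Content-Disposition (client-supplied, untrusted)."""
    m = re.search(r'filename="([^"]*)"', part["headers"].get("content-disposition", ""))
    return m.group(1) if m else ""


def safe_filename(raw: str) -> str:
    """Reduce a client-supplied filename to a single safe path component.
    Older browsers sent the full client path; any directory part is dropped
    so the stored name can only ever land inside the upload directory."""
    name = raw.replace("\\", "/").rsplit("/", 1)[-1]
    name = re.sub(r"[^A-Za-z0-9._-]", "_", name)
    name = name.lstrip(".")                      # no hidden or relative names
    return name or "upload"


def content_matches_type(content_type: str, data: bytes) -> bool:
    """Check the declared Content-Type against the payload's magic bytes
    instead of trusting the client's header or the extension. Only the type
    seen in this capture is known here; anything else is rejected."""
    if content_type == "application/msword":
        return data.startswith(OLE_MAGIC)
    return False


if __name__ == "__main__":
    for part in parse_multipart(SAMPLE_BODY, BOUNDARY):
        raw = client_filename(part)
        print(raw, "->", safe_filename(raw),
              content_matches_type(part["headers"]["content-type"], part["data"]))
```

Both checks exist because every value in the part headers comes from the client: the stored name is derived from the filename parameter rather than taken verbatim, and the type is decided by the bytes actually received rather than by the header that accompanies them.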
Next frame: server acknowledgment
559 19.504202000 10.108.203.50 10.108.203.52 TCP 54 http → lds-dump [ACK]Seq=1 Ack=1878 Win=256 Len=0
| A | B | C | D | E | F | G | H | I | J | K | L | M | N | O | P |
1 | c8 | 60 | 00 | 46 | 55 | 22 | 28 | d2 | 44 | c7 | d2 | 62 | 08 | 00 | 45 | 00 |
2 | 00 | 28 | 16 | 36 | 40 | 00 | 40 | 06 | 79 | 5b | 0a | 6c | cb | 32 | 0a | 6c |
3 | cb | 34 | 00 | 50 | 19 | 90 | d8 | 41 | fa | 20 | f9 | d2 | 3b | 8f | 50 | 10 |
4 | 01 | 00 | e1 | f0 | 00 | 00 |
|
Analyzing the TCP segment directly:
00 | 50 |
Source port: 80 (Apache)
19 | 90 |
Destination port: 6554 (browser)
d8 | 41 | fa | 20 |
Sequence number: 3628202527, the same as the acknowledgment number of the segment above
f9 | d2 | 3b | 8f |
Acknowledgment number: 4191304591, exactly the sequence number of the segment above plus the length of its TCP data
50 | 10 |
Bit by bit: 0101 0000 0001 0000
First 4 bits: 5, i.e. 5 × 4 = 20 B, so the TCP header is 20 bytes long
Middle 6 bits: reserved, all 0
Last 6 bits, one at a time:
Bit 1 (URG): 0, the urgent pointer field is not used
Bit 2 (ACK): 1, the acknowledgment number field is in use
Bit 3 (PSH): 0, this segment is not pushed
Bit 4 (RST): 0, not a reset segment
Bit 5 (SYN): 0, not a connection request or connection acknowledgment; together with ACK=1 this makes it an acknowledgment segment
Bit 6 (FIN): 0, not a request to release the connection
01 | 00 |
Window: 256, i.e. the peer (browser) may send a TCP window of 256 B
e1 | f0 |
Checksum: omitted
00 | 00 |
Urgent pointer: not used
Next frame: third segment of the browser's file upload
560 19.504274000 10.108.203.52 10.108.203.50 TCP 1514 [TCP segment of a reassembled PDU]
| A | B | C | D | E | F | G | H | I | J | K | L | M | N | O | P |
1 | 28 | d2 | 44 | c7 | d2 | 62 | c8 | 60 | 00 | 46 | 55 | 22 | 08 | 00 | 45 | 00 |
2 | 05 | dc | 5d | 26 | 40 | 00 | 40 | 06 | 2c | b7 | 0a | 6c | cb | 34 | 0a | 6c |
3 | cb | 32 | 19 | 90 | 00 | 50 | f9 | d2 | 3b | 8f | d8 | 41 | fa | 20 | 50 | 10 |
4 | 04 | 00 | 51 | 48 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 |
5 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 |
6 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 |
7 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 |
8 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 9d |
9 | 32 | 00 | 00 | 00 | 00 | 00 | 00 | 5f | 18 | 00 | 00 | 00 | 00 | 00 | 00 | ff |
10 | ff | ff | ff | 00 | 00 | 00 | 00 | f0 | ed | 00 | 01 | a3 | fc | ce | 01 | 00 |
11 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | ff | ff | ff | ff | 00 | 00 | 00 | 00 | d5 |
12 | 20 | 00 | 00 | b2 | 00 | 00 | 00 | fd | 31 | 00 | 00 | 2c | 00 | 00 | 00 | 00 |
13 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | db | 35 | 00 | 00 | 14 | 00 | 00 | 00 | 94 |
14 | 36 | 00 | 00 | 30 | 00 | 00 | 00 | c4 | 36 | 00 | 00 | 00 | 00 | 00 | 00 | 29 |
15 | 32 | 00 | 00 | 74 | 00 | 00 | 00 | b0 | 3b | 00 | 00 | 00 | 00 | 00 | 00 | 87 |
16 | 21 | 00 | 00 | d6 | 00 | 00 | 00 | b0 | 3b | 00 | 00 | 58 | 00 | 00 | 00 | 9d |
17 | 32 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 |
18 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 |
19 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 |
20 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 |
21 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 9d | 32 | 00 | 00 | b6 | 00 | 00 | 00 | b0 |
22 | 3b | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 5b |
23 | 15 | 00 | 00 | 00 | 00 | 00 | 00 | 53 | 33 | 00 | 00 | 88 | 02 | 00 | 00 | 93 |
24 | 19 | 00 | 00 | 30 | 00 | 00 | 00 | c3 | 19 | 00 | 00 | 22 | 00 | 00 | 00 | 7b |
25 | 23 | 00 | 00 | 00 | 00 | 00 | 00 | e5 | 19 | 00 | 00 | 1c | 00 | 00 | 00 | 01 |
26 | 1a | 00 | 00 | 4e | 01 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 |
27 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 |
28 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 93 | 19 | 00 | 00 | 00 | 00 | 00 | 00 | 93 |
29 | 19 | 00 | 00 | 00 | 00 | 00 | 00 | 93 | 19 | 00 | 00 | 00 | 00 | 00 | 00 | 15 |
30 | 36 | 00 | 00 | 00 | 00 | 00 | 00 | 15 | 36 | 00 | 00 | 00 | 00 | 00 | 00 | 00 |
31 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 |
32 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 5d |
33 | 22 | 00 | 00 | 1e | 01 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 |
34 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 |
35 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 93 | 19 | 00 | 00 | 00 | 00 | 00 | 00 | 93 |
36 | 19 | 00 | 00 | 00 | 00 | 00 | 00 | 93 | 19 | 00 | 00 | 00 | 00 | 00 | 00 | c4 |
37 | 36 | 00 | 00 | 00 | 00 | 00 | 00 | 4f | 1b | 00 | 00 | 00 | 00 | 00 | 00 | 4f |
38 | 1b | 00 | 00 | 00 | 00 | 00 | 00 | 4f | 1b | 00 | 00 | 00 | 00 | 00 | 00 | 4f |
39 | 1b | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | ff |
40 | ff | ff | ff | 00 | 00 | 00 | 00 | ff | ff | ff | ff | 00 | 00 | 00 | 00 | ff |
41 | ff | ff | ff | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | ff |
42 | ff | ff | ff | 00 | 00 | 00 | 00 | ff | ff | ff | ff | 00 | 00 | 00 | 00 | ff |
43 | ff | ff | ff | 00 | 00 | 00 | 00 | ff | ff | ff | ff | 00 | 00 | 00 | 00 | ff |
44 | ff | ff | ff | 00 | 00 | 00 | 00 | ff | ff | ff | ff | 00 | 00 | 00 | 00 | ff |
45 | ff | ff | ff | 00 | 00 | 00 | 00 | ff | ff | ff | ff | 00 | 00 | 00 | 00 | ff |
46 | ff | ff | ff | 00 | 00 | 00 | 00 | ff | ff | ff | ff | 00 | 00 | 00 | 00 | ff |
47 | ff | ff | ff | 00 | 00 | 00 | 00 | ff | ff | ff | ff | 00 | 00 | 00 | 00 | ff |
48 | ff | ff | ff | 00 | 00 | 00 | 00 | ff | ff | ff | ff | 00 | 00 | 00 | 00 | b0 |
49 | 3b | 00 | 00 | 00 | 00 | 00 | 00 | 93 | 19 | 00 | 00 | 00 | 00 | 00 | 00 | 93 |
50 | 19 | 00 | 00 | 00 | 00 | 00 | 00 | 93 | 19 | 00 | 00 | 00 | 00 | 00 | 00 | 93 |
51 | 19 | 00 | 00 | 00 | 00 | 00 | 00 | 93 | 19 | 00 | 00 | 00 | 00 | 00 | 00 | 93 |
52 | 19 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 |
53 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 |
54 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 |
55 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 93 |
56 | 19 | 00 | 00 | 00 | 00 | 00 | 00 | 93 | 19 | 00 | 00 | 00 | 00 | 00 | 00 | 93 |
57 | 19 | 00 | 00 | 00 | 00 | 00 | 00 | f2 | 07 | 00 | 00 | 2f | 0c | 00 | 00 | 21 |
58 | 14 | 00 | 00 | 3a | 01 | 00 | 00 | 05 | 00 | 12 | 01 | 00 | 00 | 09 | 04 | 04 |
59 | 08 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 |
60 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 |
61 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 |
62 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 |
63 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 |
64 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 |
65 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 |
66 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 |
67 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 |
68 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 |
69 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 |
70 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 |
71 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 |
72 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 |
73 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 |
74 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 |
75 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 |
76 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 |
77 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 |
78 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 |
79 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 |
80 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 |
81 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 |
82 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 |
83 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 |
84 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 |
85 | 00 | 00 | 00 | 00 | 00 | 0d | 00 | 66 | 6b | 49 | 6c | 27 | 59 | 66 | 5b | 34 |
86 | 6c | 29 | 52 | 34 | 6c | 35 | 75 | 66 | 5b | 62 | 96 | 0d | 00 | 0a | 30 | 34 |
87 | 6c | 93 | 5e | 34 | 6c | 35 | 75 | d9 | 7a | d0 | 8f | 4c | 88 | 03 | 8c | a6 |
88 | 5e | 0b | 30 | 0d | 00 | fe | 8b | 0b | 7a | be | 8b | a1 | 8b | fb | 4e | a1 |
89 | 52 | 66 | 4e | 0d | 00 | 0d | 00 | 0d | 00 | 0d | 00 | 0d | 00 | 0d | 00 | 0d |
90 | 00 | 0d | 00 | 0d | 00 | 0d | 00 | 0d | 00 | 13 | 4e | 1a | 4e | 74 | 5e | a7 |
91 | 7e | 1a | ff | 34 | 6c | 87 | 65 | 0e | 4e | 34 | 6c | 44 | 8d | 90 | 6e | e5 |
92 | 5d | 0b | 7a | 13 | 4e | 1a | 4e | 32 | 00 | 30 | 00 | 31 | 00 | 30 | 00 | a7 |
93 | 7e | 0d | 00 | be | 8b | a1 | 8b | fb | 4e | a1 | 52 | 1a | ff | 34 | 6c | 35 |
94 | 75 | d9 | 7a | 34 | 6c | 93 | 5e | 2d | 4e | 7f | 95 | 1f | 67 | 18 | 4f | 16 |
95 | 53 | 03 | 8c | a6 | 5e | 0d | 00 | be | 8b | a1 |
|
Analyzing the TCP segment directly:
19 | 90 |
Source port: 6554 (browser)
00 | 50 |
Destination port: 80 (Apache)
f9 | d2 | 3b | 8f |
Sequence number: 4191304591, the same as the sequence number of the segment above
d8 | 41 | fa | 20 |
Acknowledgment number: 3628202527, the same as the sequence number of the segment above.
50 | 10 |
Bit by bit: 0101 0000 0001 0000
First 4 bits: 5, i.e. 5 × 4 = 20 B, so the TCP header is 20 bytes long
Middle 6 bits: reserved, all 0
Last 6 bits, one at a time:
Bit 1 (URG): 0, the urgent pointer field is not used
Bit 2 (ACK): 1, the acknowledgment number field is in use
Bit 3 (PSH): 0, this segment is not pushed
Bit 4 (RST): 0, not a reset segment
Bit 5 (SYN): 0, not a connection request or connection acknowledgment; together with ACK=1 this makes it an acknowledgment segment
Bit 6 (FIN): 0, not a request to release the connection
04 | 00 |
Window: 1024, the TCP window the peer (Apache) may send.
51 | 48 |
Checksum: omitted
00 | 00 |
Urgent pointer: not used
Below this is the TCP data: only the printable characters were copied here, but there are 1460 B in total
TCP segment data (1460 bytes)
2_1,5606)2t;!;X22;[S30"{#N66]"6OOOO;/!: fkIl'Yf[4l)R4l5uf[b
04l^4l5uzL^0zNRfNNNt^~4leN4lDn]zNN2010~NR4l5uz4l^-NgOS^
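The three header walkthroughs above all decode the same fields by hand: ports, sequence and acknowledgment numbers, header length, flag bits, window. The following added example (not code from this write-up) does the same decoding programmatically on frame 559, the server's ACK, whose complete 54 bytes are in the hex table; it also verifies the IP and TCP checksums that the notes skip, and checks the seq-plus-length arithmetic used to predict the next acknowledgment number. Run it on the bytes and compare its output with the hand decoding. The window scale of 256 is taken from the WS=256 option in the handshake at the top of this write-up; the scale applies to every segment after the SYN, so the raw window field has to be multiplied by it to get the window the peer really advertises.

```python
"""Decode frame 559 (the server's ACK, 54 bytes as in the hex table) and
verify the IP and TCP checksums that the hand analysis skips.
Added example; the bytes are copied from the table in this write-up."""
import struct

# Frame 559, rows 1-4 of the hex table, copied into a string.
FRAME_559 = bytes.fromhex(
    "c8 60 00 46 55 22 28 d2 44 c7 d2 62 08 00 45 00 "
    "00 28 16 36 40 00 40 06 79 5b 0a 6c cb 32 0a 6c "
    "cb 34 00 50 19 90 d8 41 fa 20 f9 d2 3b 8f 50 10 "
    "01 00 e1 f0 00 00"
)

# Window scale negotiated in the handshake (WS=256 in both SYN and SYN/ACK).
WINDOW_SCALE = 256

TCP_FLAG_BITS = (("URG", 0x20), ("ACK", 0x10), ("PSH", 0x08),
                 ("RST", 0x04), ("SYN", 0x02), ("FIN", 0x01))


def internet_checksum(data: bytes) -> int:
    """RFC 1071 checksum: one's complement of the one's-complement sum of
    16-bit big-endian words. Over a block that already contains a correct
    checksum field the result is 0."""
    if len(data) % 2:
        data += b"\x00"                     # pad odd length with a zero byte
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def decode_frame(frame: bytes) -> dict:
    """Walk Ethernet -> IPv4 -> TCP and return the fields the notes decode by hand."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != 0x0800:
        raise ValueError("not an IPv4 frame")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                # IHL is in 32-bit words
    total_len = struct.unpack("!H", ip[2:4])[0]
    flags_frag = struct.unpack("!H", ip[6:8])[0]
    ttl, proto = ip[8], ip[9]
    if proto != 6:
        raise ValueError("not a TCP packet")
    tcp = ip[ihl:total_len]
    (sport, dport, seq, ack, off_flags, window,
     _cksum, urg_ptr) = struct.unpack("!HHIIHHHH", tcp[:20])
    data_off = (off_flags >> 12) * 4        # TCP header length in bytes
    # TCP pseudo-header: source IP, destination IP, zero, protocol, TCP length.
    pseudo = ip[12:20] + struct.pack("!BBH", 0, proto, len(tcp))
    return {
        "src_ip": ".".join(str(b) for b in ip[12:16]),
        "dst_ip": ".".join(str(b) for b in ip[16:20]),
        "ttl": ttl,
        "dont_fragment": bool(flags_frag & 0x4000),
        "ip_checksum_ok": internet_checksum(ip[:ihl]) == 0,
        "src_port": sport,
        "dst_port": dport,
        "seq": seq,
        "ack": ack,
        "header_len": data_off,
        "flags": {name: bool(off_flags & bit) for name, bit in TCP_FLAG_BITS},
        "window": window,
        "effective_window": window * WINDOW_SCALE,   # scale applies after the SYN
        "urgent_pointer": urg_ptr,
        "payload_len": len(tcp) - data_off,
        "tcp_checksum_ok": internet_checksum(pseudo + tcp) == 0,
    }


def next_expected_seq(seq: int, payload_len: int) -> int:
    """The ACK the receiver should send back: seq + bytes received, mod 2^32."""
    return (seq + payload_len) & 0xFFFFFFFF


if __name__ == "__main__":
    for key, value in decode_frame(FRAME_559).items():
        print(f"{key:>18}: {value}")
```

The checksum routine is fed the block with its checksum field left in place: a correct block sums to all ones, so the complement is zero, which is how a receiving stack validates a header. The same function computes a fresh checksum when the field is zeroed first.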
Next frame: fourth segment of the browser's file upload
561 19.505136000 10.108.203.52 10.108.203.50 TCP 1514 [TCP segment of a reassembled PDU]
Next frame: server acknowledgment
562 19.505240000 10.108.203.50 10.108.203.52 TCP 54 http → lds-dump [ACK]Seq=1 Ack=4798 Win=256 Len=0
Next frame: fifth segment of the browser's upload
563 19.506170000 10.108.203.52 10.108.203.50 TCP 1514 [TCP segment of a reassembled PDU]
Next frame: sixth segment of the browser's upload
564 19.506244000 10.108.203.52 10.108.203.50 TCP 1514 [TCP segment of a reassembled PDU]
And so on until this frame, one of the server's acknowledgments:
673 19.524493000 10.108.203.50 10.108.203.52 TCP 54 http → lds-dump [ACK]Seq=1 Ack=112838 Win=256 Len=0
Then the next frame: the last segment of the browser's file upload; here Wireshark has reassembled the earlier segments and displays them together
674 19.524524000 10.108.203.52 10.108.203.50 HTTP 113 POST / HTTP/1.1 (application/msword)