A detailed analysis of the HTTP protocol exchange.
The analysis is based on a Wireshark capture of wget <file>.
<netinet/ip.h> contains the following definition:
struct iphdr
{
#if __BYTE_ORDER == __LITTLE_ENDIAN
    unsigned int ihl:4;
    unsigned int version:4;
#elif __BYTE_ORDER == __BIG_ENDIAN
    unsigned int version:4;
    unsigned int ihl:4;
#else
# error "Please fix <bits/endian.h>"
#endif
    u_int8_t tos;
    u_int16_t tot_len;
    u_int16_t id;
    u_int16_t frag_off;
    u_int8_t ttl;
    u_int8_t protocol;
    u_int16_t check;
    u_int32_t saddr;
    u_int32_t daddr;
    /*The options start here. */
};
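The IP header occupies 20 bytes. Counted in 32-bit (4-byte) dwords, that is 5 dwords.
The most important fields are saddr, daddr and protocol, which do not change; the first 3 bytes are always 45 00 00, while id, total_len and checksum change.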
<netinet/tcp.h> contains the following definition:
struct tcphdr
{
    u_int16_t th_sport; /* source port */
    u_int16_t th_dport; /* destination port */
    tcp_seq th_seq; /* sequence number */
    tcp_seq th_ack; /* acknowledgement number */
# if __BYTE_ORDER == __LITTLE_ENDIAN
    u_int8_t th_x2:4; /* (unused) */
    u_int8_t th_off:4; /* data offset */
# endif
# if __BYTE_ORDER == __BIG_ENDIAN
    u_int8_t th_off:4; /* data offset */
    u_int8_t th_x2:4; /* (unused) */
# endif
    u_int8_t th_flags;
# define TH_FIN 0x01
# define TH_SYN 0x02
# define TH_RST 0x04
# define TH_PUSH 0x08
# define TH_ACK 0x10
# define TH_URG 0x20
    u_int16_t th_win; /* window */
    u_int16_t th_sum; /* checksum */
    u_int16_t th_urp; /* urgent pointer */
};
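The TCP header occupies 20 bytes. The IP addresses and ports uniquely identify a connection; seq and ack make the connection reliable.
flags describes the nature of the packet; window states how much data the sender of the segment can accept as a receiver, and is used to adjust the transfer rate.
The example below is a Wireshark capture, used to analyse the three-way handshake that establishes the TCP connection, the HTTP exchange, and the teardown of the TCP connection.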
--------------------------------------------------------------------------------
No. Time Source Destination Protocol Length Info
24 7.944826000 192.168.3.110 192.168.3.126 TCP 66 kazaa > http [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=256 SACK_PERM=1
--------------------------------------------------------------------------------
Frame 24: 66 bytes on wire (528 bits), 66 bytes captured (528 bits) on interface 0
Ethernet II, Src: Dell_8d:1d:7f (00:1a:a0:8d:1d:7f), Dst: Dell_31:48:1f (f0:4d:a2:31:48:1f)
Destination: Dell_31:48:1f (f0:4d:a2:31:48:1f)
Source: Dell_8d:1d:7f (00:1a:a0:8d:1d:7f)
Type: IP (0x0800)
Internet Protocol Version 4, Src: 192.168.3.110 (192.168.3.110), Dst: 192.168.3.126 (192.168.3.126)
Version: 4 ;45
Header length: 20 bytes ;^^
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport)) ;00
Total Length: 52 ;00 34
Identification: 0x019b (411) ;01 9b
Flags: 0x02 (Don't Fragment) ;40 00
Fragment offset: 0 ;^^
Time to live: 128 ;80
Protocol: TCP (6) ;06
Header checksum: 0x70ec [correct] ;70 ec
Source: 192.168.3.110 (192.168.3.110) ;c0 a8 03 6e
Destination: 192.168.3.126 (192.168.3.126) ;c0 a8 03 7e
Transmission Control Protocol, Src Port: kazaa (1214), Dst Port: http (80), Seq: 0, Len: 0
Source port: kazaa (1214) ;04 be
Destination port: http (80) ;00 50
[Stream index: 8]
Sequence number: 0 (relative sequence number) ;a1 27 74 61
;acknowledgment number field (not displayed, the ACK flag is not set) ;00 00 00 00
Header length: 32 bytes ;80
Flags: 0x002 (SYN) ;02
Window size value: 8192 ;20 00
[Calculated window size: 8192]
Checksum: 0xac3c [validation disabled] ;ac 3c
Options: (12 bytes), Maximum segment size, No-Operation (NOP), Window scale, No-Operation (NOP), No-Operation (NOP), SACK permitted
;02 04 05 b4 01 03 03 08 01 01 04 02
0000 f0 4d a2 31 48 1f 00 1a a0 8d 1d 7f 08 00 45 00 .M.1H.........E.
0010 00 34 01 9b 40 00 80 06 70 ec c0 a8 03 6e c0 a8 .4..@...p....n..
0020 03 7e 04 be 00 50 a1 27 74 61 00 00 00 00 80 02 .~...P.'ta......
0030 20 00 ac 3c 00 00 02 04 05 b4 01 03 03 08 01 01 ..<............
0040 04 02 ..
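Added example (not part of the original post): the field-by-field reading of frame 24 above, done in C on the same 66 bytes. It reads the headers by offset with bounds checks instead of casting to struct iphdr / struct tcphdr, verifies the IP header checksum, and walks the TCP options. The struct parsed type, the function names and the negative return codes are made up for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Frame 24 (the client's SYN), copied from the hex dump on this page. */
static const uint8_t frame24[66] = {
    0xf0,0x4d,0xa2,0x31,0x48,0x1f,0x00,0x1a,0xa0,0x8d,0x1d,0x7f,0x08,0x00,0x45,0x00,
    0x00,0x34,0x01,0x9b,0x40,0x00,0x80,0x06,0x70,0xec,0xc0,0xa8,0x03,0x6e,0xc0,0xa8,
    0x03,0x7e,0x04,0xbe,0x00,0x50,0xa1,0x27,0x74,0x61,0x00,0x00,0x00,0x00,0x80,0x02,
    0x20,0x00,0xac,0x3c,0x00,0x00,0x02,0x04,0x05,0xb4,0x01,0x03,0x03,0x08,0x01,0x01,
    0x04,0x02 };

struct parsed {                 /* result type made up for this example */
    uint32_t saddr, daddr, seq, ack;
    uint16_t total_len, sport, dport, window, mss;
    uint8_t  ihl_bytes, protocol, th_off_bytes, th_flags;
    int      wscale;            /* -1 when no window-scale option is present */
    size_t   payload_len;       /* TCP payload bytes, Ethernet padding excluded */
};

static uint16_t be16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }
static uint32_t be32(const uint8_t *p) { return (uint32_t)be16(p) << 16 | be16(p + 2); }
/* RFC 1071 sum over an even-length header; 0 means its checksum field is consistent. */
static uint16_t inet_csum(const uint8_t *p, size_t len)
{
    uint32_t sum = 0;
    for (; len > 1; p += 2, len -= 2) sum += be16(p);
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Parse Ethernet II + IPv4 + TCP. Returns 0, or a negative code for a malformed frame. */
static int parse_frame(const uint8_t *f, size_t n, struct parsed *o)
{
    if (n < 14 + 20 + 20 || be16(f + 12) != 0x0800) return -1;
    const uint8_t *ip = f + 14;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4, tot = be16(ip + 2);
    if (ip[0] >> 4 != 4 || ihl < 20) return -2;      /* version / header length */
    if (tot < ihl + 20 || tot > n - 14) return -3;   /* total length must fit the capture */
    if (inet_csum(ip, ihl) != 0) return -4;          /* IP header checksum */
    if (ip[9] != 6) return -5;                       /* protocol must be TCP */
    const uint8_t *tcp = ip + ihl;
    size_t off = (size_t)(tcp[12] >> 4) * 4;
    if (off < 20 || ihl + off > tot) return -6;      /* data offset inside the datagram */
    o->ihl_bytes = (uint8_t)ihl; o->total_len = (uint16_t)tot; o->protocol = ip[9];
    o->saddr = be32(ip + 12); o->daddr = be32(ip + 16);
    o->sport = be16(tcp); o->dport = be16(tcp + 2);
    o->seq = be32(tcp + 4); o->ack = be32(tcp + 8);
    o->th_off_bytes = (uint8_t)off; o->th_flags = tcp[13]; o->window = be16(tcp + 14);
    o->payload_len = tot - ihl - off; o->mss = 0; o->wscale = -1;
    for (size_t i = 20; i < off; ) {                 /* walk the TCP options */
        uint8_t kind = tcp[i];
        if (kind == 0) break;                        /* end of option list */
        if (kind == 1) { i++; continue; }            /* NOP */
        if (i + 1 >= off || tcp[i + 1] < 2 || i + tcp[i + 1] > off) return -7;
        if (kind == 2 && tcp[i + 1] == 4) o->mss = be16(tcp + i + 2);
        if (kind == 3 && tcp[i + 1] == 3) o->wscale = tcp[i + 2];
        i += tcp[i + 1];
    }
    return 0;
}

/* Parse a copy of frame24 with one byte replaced, to exercise the rejection paths. */
static int parse_tampered(size_t pos, uint8_t value)
{
    uint8_t copy[sizeof frame24];
    struct parsed p;
    memcpy(copy, frame24, sizeof copy);
    copy[pos] = value;
    return parse_frame(copy, sizeof copy, &p);
}

int main(void)
{
    struct parsed p;
    if (parse_frame(frame24, sizeof frame24, &p) != 0) return 1;
    printf("%d -> %d flags=0x%02x mss=%d ws=%d\n", p.sport, p.dport, (unsigned)p.th_flags, p.mss, p.wscale);
    return parse_tampered(22, 0x40) == -4 ? 0 : 1;   /* a changed TTL breaks the checksum */
}
```

The window-scale shift of 8 is what Wireshark shows as WS=256 in the SYN summary line.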
--------------------------------------------------------------------------------
No. Time Source Destination Protocol Length Info
25 7.944849000 192.168.3.126 192.168.3.110 TCP 66 http > kazaa [SYN, ACK] Seq=0 Ack=1 Win=14600 Len=0 MSS=1460 SACK_PERM=1 WS=128
--------------------------------------------------------------------------------
Frame 25: 66 bytes on wire (528 bits), 66 bytes captured (528 bits) on interface 0
Ethernet II, the Ethernet protocol is exactly the same
Internet Protocol Version 4, Src: 192.168.3.126 (192.168.3.126), Dst: 192.168.3.110 (192.168.3.110)
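;version and header length are exactly the same; total length differs ;45 00 00 34
;Identification is incremented by 1; Flags and Fragment offset are the same ;00 00 40 00
;time to live may differ; protocol is unchanged; the header checksum therefore differs ;40 06 b2 87
;src and dst addresses are the same. ;c0 a8 03 7e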
;c0 a8 03 6e
Transmission Control Protocol, Src Port: http (80), Dst Port: kazaa (1214), Seq: 0, Ack: 1, Len: 0
Source port: http (80) ;00 50
Destination port: kazaa (1214) ;04 be
[Stream index: 8]
Sequence number: 0 (relative sequence number) ;54 9b 81 4a
Acknowledgment number: 1 (relative ack number) ;a1 27 74 62
Header length: 32 bytes ;80
Flags: 0x012 (SYN, ACK) ;12
Window size value: 14600 ;39 08
[Calculated window size: 14600]
Checksum: 0xbd3e [validation disabled] ;bd 3e
Options: (12 bytes), Maximum segment size, No-Operation (NOP), No-Operation (NOP), SACK permitted, No-Operation (NOP), Window scale
;02 04 05 b4 01 01 04 02 01 03 03 07
[SEQ/ACK analysis]
0000 00 1a a0 8d 1d 7f f0 4d a2 31 48 1f 08 00 45 00 .......M.1H...E.
0010 00 34 00 00 40 00 40 06 b2 87 c0 a8 03 7e c0 a8 .4..@.@......~..
0020 03 6e 00 50 04 be 54 9b 81 4a a1 27 74 62 80 12 .n.P..T..J.'tb..
0030 39 08 bd 3e 00 00 02 04 05 b4 01 01 04 02 01 03 9..>............
0040 03 07 ..
--------------------------------------------------------------------------------
No. Time Source Destination Protocol Length Info
26 7.945101000 192.168.3.110 192.168.3.126 TCP 60 kazaa > http [ACK] Seq=1 Ack=1 Win=65536 Len=0
--------------------------------------------------------------------------------
Frame 26: 60 bytes on wire (480 bits), 60 bytes captured (480 bits) on interface 0
Ethernet II, the Ethernet protocol is exactly the same
Internet Protocol Version 4, Src: 192.168.3.110 (192.168.3.110), Dst: 192.168.3.126 (192.168.3.126)
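;version and header length are exactly the same; total length differs ;45 00 00 28
;Identification is incremented by 1; Flags and Fragment offset are the same ;01 9c 40 00
;time to live may differ; protocol is unchanged; the header checksum therefore differs ;80 06 70 f7
;src and dst addresses are the same. ;c0 a8 03 6e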
;c0 a8 03 7e
Transmission Control Protocol, Src Port: kazaa (1214), Dst Port: http (80), Seq: 1, Ack: 1, Len: 0
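;the src and dst ports are set accordingly; the sequence number and acknowledgment number are incremented by 1.
;flags gives the packet type; window size and checksum are set.
;At this point the three-way handshake is complete and the connection is established.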
Source port: kazaa (1214) ;04 be
Destination port: http (80) ;00 50
[Stream index: 8]
Sequence number: 1 (relative sequence number) ;a1 27 74 62
Acknowledgment number: 1 (relative ack number) ;54 9b 81 4b
Header length: 20 bytes ;50
Flags: 0x010 (ACK) ;10
Window size value: 256 ;01 00
[Calculated window size: 65536]
[Window size scaling factor: 256]
Checksum: 0x3619 [validation disabled] ;36 19
0000 f0 4d a2 31 48 1f 00 1a a0 8d 1d 7f 08 00 45 00 .M.1H.........E.
0010 00 28 01 9c 40 00 80 06 70 f7 c0 a8 03 6e c0 a8 .(..@...p....n..
0020 03 7e 04 be 00 50 a1 27 74 62 54 9b 81 4b 50 10 .~...P.'tbT..KP.
0030 01 00 36 19 00 00 00 00 00 00 00 00 ..6.........
--------------------------------------------------------------------------------
No. Time Source Destination Protocol Length Info
27 7.953183000 192.168.3.110 192.168.3.126 HTTP 171 GET /example.php HTTP/1.0
--------------------------------------------------------------------------------
Frame 27: 171 bytes on wire (1368 bits), 171 bytes captured (1368 bits) on interface 0
Internet Protocol Version 4, Src: 192.168.3.110 (192.168.3.110), Dst: 192.168.3.126 (192.168.3.126)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport))
Total Length: 157 ;45 00 00 9d (total length)
Identification: 0x019d (413)
Flags: 0x02 (Don't Fragment) ;01 9d 40 00 (id)
Fragment offset: 0
Time to live: 128 ;80 06 70 81 (checksum)
Protocol: TCP (6)
Header checksum: 0x7081 [correct]
Source: 192.168.3.110 (192.168.3.110) ;c0 a8 03 6e
Destination: 192.168.3.126 (192.168.3.126) ;c0 a8 03 7e
Transmission Control Protocol, Src Port: kazaa (1214), Dst Port: http (80), Seq: 1, Ack: 1, Len: 117
Source port: kazaa (1214) ;04 be 00 50
Destination port: http (80)
[Stream index: 8]
Sequence number: 1 (relative sequence number) ;a1 27 74 62
[Next sequence number: 118 (relative sequence number)]
Acknowledgment number: 1 (relative ack number) ;54 9b 81 4b
Header length: 20 bytes ;50 18 01 00
Flags: 0x018 (PSH, ACK)
Window size value: 256
[Calculated window size: 65536]
[Window size scaling factor: 256]
Checksum: 0x8456 [validation disabled] ;84 56 00 00
[SEQ/ACK analysis]
Hypertext Transfer Protocol
GET /example.php HTTP/1.0\r\n
User-Agent: Wget/1.12 (msys)\r\n
Accept: */*\r\n
Host: 192.168.3.126\r\n
Connection: Keep-Alive\r\n
\r\n
[Full request URI: http://192.168.3.126/example.php]
0000 f0 4d a2 31 48 1f 00 1a a0 8d 1d 7f 08 00 45 00 .M.1H.........E.
0010 00 9d 01 9d 40 00 80 06 70 81 c0 a8 03 6e c0 a8 ....@...p....n..
0020 03 7e 04 be 00 50 a1 27 74 62 54 9b 81 4b 50 18 .~...P.'tbT..KP.
0030 01 00 84 56 00 00 47 45 54 20 2f 65 78 61 6d 70 ...V..GET /examp
0040 6c 65 2e 70 68 70 20 48 54 54 50 2f 31 2e 30 0d le.php HTTP/1.0.
0050 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20 57 67 65 .User-Agent: Wge
0060 74 2f 31 2e 31 32 20 28 6d 73 79 73 29 0d 0a 41 t/1.12 (msys)..A
0070 63 63 65 70 74 3a 20 2a 2f 2a 0d 0a 48 6f 73 74 ccept: */*..Host
0080 3a 20 31 39 32 2e 31 36 38 2e 33 2e 31 32 36 0d : 192.168.3.126.
0090 0a 43 6f 6e 6e 65 63 74 69 6f 6e 3a 20 4b 65 65 .Connection: Kee
00a0 70 2d 41 6c 69 76 65 0d 0a 0d 0a p-Alive....
As we can see, the HTTP GET is a TCP PSH, ACK packet.
--------------------------------------------------------------------------------
No. Time Source Destination Protocol Length Info
28 7.953193000 192.168.3.126 192.168.3.110 TCP 54 http > kazaa [ACK] Seq=1 Ack=118 Win=14720 Len=0
--------------------------------------------------------------------------------
Frame 28: 54 bytes on wire (432 bits), 54 bytes captured (432 bits) on interface 0
Ethernet II, Src: Dell_31:48:1f (f0:4d:a2:31:48:1f), Dst: Dell_8d:1d:7f (00:1a:a0:8d:1d:7f)
Destination: Dell_8d:1d:7f (00:1a:a0:8d:1d:7f)
Source: Dell_31:48:1f (f0:4d:a2:31:48:1f)
Type: IP (0x0800)
Internet Protocol Version 4, Src: 192.168.3.126 (192.168.3.126), Dst: 192.168.3.110 (192.168.3.110)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport))
Total Length: 40
Identification: 0xc01f (49183)
Flags: 0x02 (Don't Fragment)
Fragment offset: 0
Time to live: 64
Protocol: TCP (6)
Header checksum: 0xf273 [correct]
Source: 192.168.3.126 (192.168.3.126)
Destination: 192.168.3.110 (192.168.3.110)
Transmission Control Protocol, Src Port: http (80), Dst Port: kazaa (1214), Seq: 1, Ack: 118, Len: 0
Source port: http (80)
Destination port: kazaa (1214)
[Stream index: 8]
Sequence number: 1 (relative sequence number)
Acknowledgment number: 118 (relative ack number)
Header length: 20 bytes
Flags: 0x010 (ACK)
Window size value: 115
[Calculated window size: 14720]
[Window size scaling factor: 128]
Checksum: 0x3631 [validation disabled]
[SEQ/ACK analysis]
0000 00 1a a0 8d 1d 7f f0 4d a2 31 48 1f 08 00 45 00 .......M.1H...E.
0010 00 28 c0 1f 40 00 40 06 f2 73 c0 a8 03 7e c0 a8 .(..@.@..s...~..
0020 03 6e 00 50 04 be 54 9b 81 4b a1 27 74 d7 50 10 .n.P..T..K.'t.P.
0030 00 73 36 31 00 00 .s61..
;This is an ACK response packet
--------------------------------------------------------------------------------
No. Time Source Destination Protocol Length Info
29 7.953260000 192.168.3.126 192.168.3.110 TCP 305 [TCP segment of a reassembled PDU]
--------------------------------------------------------------------------------
Frame 29: 305 bytes on wire (2440 bits), 305 bytes captured (2440 bits) on interface 0
Ethernet II, Src: Dell_31:48:1f (f0:4d:a2:31:48:1f), Dst: Dell_8d:1d:7f (00:1a:a0:8d:1d:7f)
Destination: Dell_8d:1d:7f (00:1a:a0:8d:1d:7f)
Source: Dell_31:48:1f (f0:4d:a2:31:48:1f)
Type: IP (0x0800)
Internet Protocol Version 4, Src: 192.168.3.126 (192.168.3.126), Dst: 192.168.3.110 (192.168.3.110)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport))
Total Length: 291
Identification: 0xc020 (49184)
Flags: 0x02 (Don't Fragment)
Fragment offset: 0
Time to live: 64
Protocol: TCP (6)
Header checksum: 0xf177 [correct]
Source: 192.168.3.126 (192.168.3.126)
Destination: 192.168.3.110 (192.168.3.110)
Transmission Control Protocol, Src Port: http (80), Dst Port: kazaa (1214), Seq: 1, Ack: 118, Len: 251
Source port: http (80)
Destination port: kazaa (1214)
[Stream index: 8]
Sequence number: 1 (relative sequence number)
[Next sequence number: 252 (relative sequence number)]
Acknowledgment number: 118 (relative ack number)
Header length: 20 bytes
Flags: 0x018 (PSH, ACK)
Window size value: 115
[Calculated window size: 14720]
[Window size scaling factor: 128]
Checksum: 0x8952 [validation disabled]
[SEQ/ACK analysis]
TCP segment data (251 bytes)
0000 00 1a a0 8d 1d 7f f0 4d a2 31 48 1f 08 00 45 00 .......M.1H...E.
0010 01 23 c0 20 40 00 40 06 f1 77 c0 a8 03 7e c0 a8 .#. @.@..w...~..
0020 03 6e 00 50 04 be 54 9b 81 4b a1 27 74 d7 50 18 .n.P..T..K.'t.P.
0030 00 73 89 52 00 00 48 54 54 50 2f 31 2e 31 20 32 .s.R..HTTP/1.1 2
0040 30 30 20 4f 4b 0d 0a 53 65 72 76 65 72 3a 20 6e 00 OK..Server: n
0050 67 69 6e 78 2f 31 2e 34 2e 30 0d 0a 44 61 74 65 ginx/1.4.0..Date
0060 3a 20 57 65 64 2c 20 31 38 20 4a 75 6e 20 32 30 : Wed, 18 Jun 20
0070 31 34 20 30 32 3a 33 35 3a 30 32 20 47 4d 54 0d 14 02:35:02 GMT.
0080 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 .Content-Type: a
0090 70 70 6c 69 63 61 74 69 6f 6e 2f 6f 63 74 65 74 pplication/octet
00a0 2d 73 74 72 65 61 6d 0d 0a 43 6f 6e 74 65 6e 74 -stream..Content
00b0 2d 4c 65 6e 67 74 68 3a 20 31 31 34 0d 0a 4c 61 -Length: 114..La
00c0 73 74 2d 4d 6f 64 69 66 69 65 64 3a 20 54 75 65 st-Modified: Tue
00d0 2c 20 31 37 20 4a 75 6e 20 32 30 31 34 20 30 37 , 17 Jun 2014 07
00e0 3a 30 37 3a 31 39 20 47 4d 54 0d 0a 43 6f 6e 6e :07:19 GMT..Conn
00f0 65 63 74 69 6f 6e 3a 20 6b 65 65 70 2d 61 6c 69 ection: keep-ali
0100 76 65 0d 0a 45 54 61 67 3a 20 22 35 33 39 66 65 ve..ETag: "539fe
0110 39 32 37 2d 37 32 22 0d 0a 41 63 63 65 70 74 2d 927-72"..Accept-
0120 52 61 6e 67 65 73 3a 20 62 79 74 65 73 0d 0a 0d Ranges: bytes...
0130 0a .
This is a PSH, ACK packet.
--------------------------------------------------------------------------------
No. Time Source Destination Protocol Length Info
30 8.161748000 192.168.3.110 192.168.3.126 TCP 60 kazaa > http [ACK] Seq=118 Ack=252 Win=65280 Len=0
--------------------------------------------------------------------------------
Frame 30: 60 bytes on wire (480 bits), 60 bytes captured (480 bits) on interface 0
Ethernet II, Src: Dell_8d:1d:7f (00:1a:a0:8d:1d:7f), Dst: Dell_31:48:1f (f0:4d:a2:31:48:1f)
Destination: Dell_31:48:1f (f0:4d:a2:31:48:1f)
Source: Dell_8d:1d:7f (00:1a:a0:8d:1d:7f)
Type: IP (0x0800)
Padding: 000000000000
Internet Protocol Version 4, Src: 192.168.3.110 (192.168.3.110), Dst: 192.168.3.126 (192.168.3.126)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport))
Total Length: 40
Identification: 0x019e (414)
Flags: 0x02 (Don't Fragment)
Fragment offset: 0
Time to live: 128
Protocol: TCP (6)
Header checksum: 0x70f5 [correct]
Source: 192.168.3.110 (192.168.3.110)
Destination: 192.168.3.126 (192.168.3.126)
Transmission Control Protocol, Src Port: kazaa (1214), Dst Port: http (80), Seq: 118, Ack: 252, Len: 0
Source port: kazaa (1214)
Destination port: http (80)
[Stream index: 8]
Sequence number: 118 (relative sequence number)
Acknowledgment number: 252 (relative ack number)
Header length: 20 bytes
Flags: 0x010 (ACK)
Window size value: 255
[Calculated window size: 65280]
[Window size scaling factor: 256]
Checksum: 0x34aa [validation disabled]
[SEQ/ACK analysis]
0000 f0 4d a2 31 48 1f 00 1a a0 8d 1d 7f 08 00 45 00 .M.1H.........E.
0010 00 28 01 9e 40 00 80 06 70 f5 c0 a8 03 6e c0 a8 .(..@...p....n..
0020 03 7e 04 be 00 50 a1 27 74 d7 54 9b 82 46 50 10 .~...P.'t.T..FP.
0030 00 ff 34 aa 00 00 00 00 00 00 00 00 ..4.........
;This is an ACK response packet
--------------------------------------------------------------------------------
No. Time Source Destination Protocol Length Info
31 8.161759000 192.168.3.126 192.168.3.110 HTTP/DL 168 unknown (0x3c)
--------------------------------------------------------------------------------
Frame 31: 168 bytes on wire (1344 bits), 168 bytes captured (1344 bits) on interface 0
Ethernet II, Src: Dell_31:48:1f (f0:4d:a2:31:48:1f), Dst: Dell_8d:1d:7f (00:1a:a0:8d:1d:7f)
Destination: Dell_8d:1d:7f (00:1a:a0:8d:1d:7f)
Source: Dell_31:48:1f (f0:4d:a2:31:48:1f)
Type: IP (0x0800)
Internet Protocol Version 4, Src: 192.168.3.126 (192.168.3.126), Dst: 192.168.3.110 (192.168.3.110)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport))
Total Length: 154
Identification: 0xc021 (49185)
Flags: 0x02 (Don't Fragment)
Fragment offset: 0
Time to live: 64
Protocol: TCP (6)
Header checksum: 0xf1ff [correct]
Source: 192.168.3.126 (192.168.3.126)
Destination: 192.168.3.110 (192.168.3.110)
Transmission Control Protocol, Src Port: http (80), Dst Port: kazaa (1214), Seq: 252, Ack: 118, Len: 114
Source port: http (80)
Destination port: kazaa (1214)
[Stream index: 8]
Sequence number: 252 (relative sequence number)
[Next sequence number: 366 (relative sequence number)]
Acknowledgment number: 118 (relative ack number)
Header length: 20 bytes
Flags: 0x018 (PSH, ACK)
Window size value: 115
[Calculated window size: 14720]
[Window size scaling factor: 128]
Checksum: 0x88c9 [validation disabled]
[SEQ/ACK analysis]
TCP segment data (114 bytes)
[2 Reassembled TCP Segments (365 bytes): #29(251), #31(114)]
Hypertext Transfer Protocol
HTTP/1.1 200 OK\r\n
Server: nginx/1.4.0\r\n
Date: Wed, 18 Jun 2014 02:35:02 GMT\r\n
Content-Type: application/octet-stream\r\n
Content-Length: 114\r\n
Last-Modified: Tue, 17 Jun 2014 07:07:19 GMT\r\n
Connection: keep-alive\r\n
ETag: "539fe927-72"\r\n
Accept-Ranges: bytes\r\n
\r\n
SIP/NOE Protocol, unknown (0x3c)
;Below is the code of helloworld.php; Wireshark dissects it as binary data
Frame (168 bytes):
0000 00 1a a0 8d 1d 7f f0 4d a2 31 48 1f 08 00 45 00 .......M.1H...E.
0010 00 9a c0 21 40 00 40 06 f1 ff c0 a8 03 7e c0 a8 ...!@.@......~..
0020 03 6e 00 50 04 be 54 9b 82 46 a1 27 74 d7 50 18 .n.P..T..F.'t.P.
0030 00 73 88 c9 00 00 3c 68 74 6d 6c 3e 0a 20 3c 68 .s....<html>. <h
0040 65 61 64 3e 0a 20 20 3c 74 69 74 6c 65 3e 50 48 ead>. <title>PH
0050 50 20 e6 b5 8b e8 af 95 3c 2f 74 69 74 6c 65 3e P ......</title>
0060 0a 20 3c 2f 68 65 61 64 3e 0a 20 3c 62 6f 64 79 . </head>. <body
0070 3e 0a 20 3c 3f 70 68 70 20 65 63 68 6f 20 27 3c >. <?php echo '<
0080 70 3e 48 65 6c 6c 6f 20 57 6f 72 6c 64 3c 2f 70 p>Hello World</p
0090 3e 27 3b 20 3f 3e 0a 20 3c 2f 62 6f 64 79 3e 0a >'; ?>. </body>.
00a0 3c 2f 68 74 6d 6c 3e 0a </html>.
Reassembled TCP (365 bytes):
0000 48 54 54 50 2f 31 2e 31 20 32 30 30 20 4f 4b 0d HTTP/1.1 200 OK.
0010 0a 53 65 72 76 65 72 3a 20 6e 67 69 6e 78 2f 31 .Server: nginx/1
0020 2e 34 2e 30 0d 0a 44 61 74 65 3a 20 57 65 64 2c .4.0..Date: Wed,
0030 20 31 38 20 4a 75 6e 20 32 30 31 34 20 30 32 3a 18 Jun 2014 02:
0040 33 35 3a 30 32 20 47 4d 54 0d 0a 43 6f 6e 74 65 35:02 GMT..Conte
0050 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 nt-Type: applica
0060 74 69 6f 6e 2f 6f 63 74 65 74 2d 73 74 72 65 61 tion/octet-strea
0070 6d 0d 0a 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 m..Content-Lengt
0080 68 3a 20 31 31 34 0d 0a 4c 61 73 74 2d 4d 6f 64 h: 114..Last-Mod
0090 69 66 69 65 64 3a 20 54 75 65 2c 20 31 37 20 4a ified: Tue, 17 J
00a0 75 6e 20 32 30 31 34 20 30 37 3a 30 37 3a 31 39 un 2014 07:07:19
00b0 20 47 4d 54 0d 0a 43 6f 6e 6e 65 63 74 69 6f 6e GMT..Connection
00c0 3a 20 6b 65 65 70 2d 61 6c 69 76 65 0d 0a 45 54 : keep-alive..ET
00d0 61 67 3a 20 22 35 33 39 66 65 39 32 37 2d 37 32 ag: "539fe927-72
00e0 22 0d 0a 41 63 63 65 70 74 2d 52 61 6e 67 65 73 "..Accept-Ranges
00f0 3a 20 62 79 74 65 73 0d 0a 0d 0a 3c 68 74 6d 6c : bytes....<html
0100 3e 0a 20 3c 68 65 61 64 3e 0a 20 20 3c 74 69 74 >. <head>. <tit
0110 6c 65 3e 50 48 50 20 e6 b5 8b e8 af 95 3c 2f 74 le>PHP ......</t
0120 69 74 6c 65 3e 0a 20 3c 2f 68 65 61 64 3e 0a 20 itle>. </head>.
0130 3c 62 6f 64 79 3e 0a 20 3c 3f 70 68 70 20 65 63 <body>. <?php ec
0140 68 6f 20 27 3c 70 3e 48 65 6c 6c 6f 20 57 6f 72 ho '<p>Hello Wor
0150 6c 64 3c 2f 70 3e 27 3b 20 3f 3e 0a 20 3c 2f 62 ld</p>'; ?>. </b
0160 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a ody>.</html>.
;Reassembled with the previous packet into one complete HTTP message.
--------------------------------------------------------------------------------
No. Time Source Destination Protocol Length Info
32 8.184183000 192.168.3.110 192.168.3.126 TCP 60 kazaa > http [FIN, ACK] Seq=118 Ack=366 Win=65280 Len=0
--------------------------------------------------------------------------------
Frame 32: 60 bytes on wire (480 bits), 60 bytes captured (480 bits) on interface 0
Ethernet II, Src: Dell_8d:1d:7f (00:1a:a0:8d:1d:7f), Dst: Dell_31:48:1f (f0:4d:a2:31:48:1f)
Destination: Dell_31:48:1f (f0:4d:a2:31:48:1f)
Source: Dell_8d:1d:7f (00:1a:a0:8d:1d:7f)
Type: IP (0x0800)
Padding: 000000000000
Internet Protocol Version 4, Src: 192.168.3.110 (192.168.3.110), Dst: 192.168.3.126 (192.168.3.126)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport))
Total Length: 40
Identification: 0x019f (415)
Flags: 0x02 (Don't Fragment)
Fragment offset: 0
Time to live: 128
Protocol: TCP (6)
Header checksum: 0x70f4 [correct]
Source: 192.168.3.110 (192.168.3.110)
Destination: 192.168.3.126 (192.168.3.126)
Transmission Control Protocol, Src Port: kazaa (1214), Dst Port: http (80), Seq: 118, Ack: 366, Len: 0
Source port: kazaa (1214)
Destination port: http (80)
[Stream index: 8]
Sequence number: 118 (relative sequence number)
Acknowledgment number: 366 (relative ack number)
Header length: 20 bytes
Flags: 0x011 (FIN, ACK)
Window size value: 255
[Calculated window size: 65280]
[Window size scaling factor: 256]
Checksum: 0x3437 [validation disabled]
[SEQ/ACK analysis]
0000 f0 4d a2 31 48 1f 00 1a a0 8d 1d 7f 08 00 45 00 .M.1H.........E.
0010 00 28 01 9f 40 00 80 06 70 f4 c0 a8 03 6e c0 a8 .(..@...p....n..
0020 03 7e 04 be 00 50 a1 27 74 d7 54 9b 82 b8 50 11 .~...P.'t.T...P.
0030 00 ff 34 37 00 00 00 00 00 00 00 00 ..47........
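A (FIN, ACK) packet: the ACK acknowledges the data received.
The FIN is the start of the four-way teardown, with the client closing the connection to the server. The server can of course also initiate the close, and the flow is the same.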
--------------------------------------------------------------------------------
No. Time Source Destination Protocol Length Info
33 8.184229000 192.168.3.126 192.168.3.110 TCP 54 http > kazaa [FIN, ACK] Seq=366 Ack=119 Win=14720 Len=0
--------------------------------------------------------------------------------
Frame 33: 54 bytes on wire (432 bits), 54 bytes captured (432 bits) on interface 0
Ethernet II, Src: Dell_31:48:1f (f0:4d:a2:31:48:1f), Dst: Dell_8d:1d:7f (00:1a:a0:8d:1d:7f)
Destination: Dell_8d:1d:7f (00:1a:a0:8d:1d:7f)
Source: Dell_31:48:1f (f0:4d:a2:31:48:1f)
Type: IP (0x0800)
Internet Protocol Version 4, Src: 192.168.3.126 (192.168.3.126), Dst: 192.168.3.110 (192.168.3.110)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport))
Total Length: 40
Identification: 0xc022 (49186)
Flags: 0x02 (Don't Fragment)
Fragment offset: 0
Time to live: 64
Protocol: TCP (6)
Header checksum: 0xf270 [correct]
Source: 192.168.3.126 (192.168.3.126)
Destination: 192.168.3.110 (192.168.3.110)
Transmission Control Protocol, Src Port: http (80), Dst Port: kazaa (1214), Seq: 366, Ack: 119, Len: 0
Source port: http (80)
Destination port: kazaa (1214)
[Stream index: 8]
Sequence number: 366 (relative sequence number)
Acknowledgment number: 119 (relative ack number)
Header length: 20 bytes
Flags: 0x011 (FIN, ACK)
Window size value: 115
[Calculated window size: 14720]
[Window size scaling factor: 128]
Checksum: 0x34c2 [validation disabled]
[SEQ/ACK analysis]
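;These are steps 2 and 3 of the four-way teardown: the server's ACK and FIN to the client. They can be sent separately; here they are combined into one packet.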
0000 00 1a a0 8d 1d 7f f0 4d a2 31 48 1f 08 00 45 00 .......M.1H...E.
0010 00 28 c0 22 40 00 40 06 f2 70 c0 a8 03 7e c0 a8 .(."@.@..p...~..
0020 03 6e 00 50 04 be 54 9b 82 b8 a1 27 74 d8 50 11 .n.P..T....'t.P.
0030 00 73 34 c2 00 00 .s4...
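--------------------------------------------------------------------------------
No. Time Source Destination Protocol Length Info
34 8.184476000 192.168.3.110 192.168.3.126 TCP 60 kazaa > http [ACK] Seq=119 Ack=367 Win=65280 Len=0
--------------------------------------------------------------------------------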
Frame 34: 60 bytes on wire (480 bits), 60 bytes captured (480 bits) on interface 0
Ethernet II, Src: Dell_8d:1d:7f (00:1a:a0:8d:1d:7f), Dst: Dell_31:48:1f (f0:4d:a2:31:48:1f)
Destination: Dell_31:48:1f (f0:4d:a2:31:48:1f)
Source: Dell_8d:1d:7f (00:1a:a0:8d:1d:7f)
Type: IP (0x0800)
Padding: 000000000000
Internet Protocol Version 4, Src: 192.168.3.110 (192.168.3.110), Dst: 192.168.3.126 (192.168.3.126)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport))
Total Length: 40
Identification: 0x01a0 (416)
Flags: 0x02 (Don't Fragment)
Fragment offset: 0
Time to live: 128
Protocol: TCP (6)
Header checksum: 0x70f3 [correct]
Source: 192.168.3.110 (192.168.3.110)
Destination: 192.168.3.126 (192.168.3.126)
Transmission Control Protocol, Src Port: kazaa (1214), Dst Port: http (80), Seq: 119, Ack: 367, Len: 0
Source port: kazaa (1214)
Destination port: http (80)
[Stream index: 8]
Sequence number: 119 (relative sequence number)
Acknowledgment number: 367 (relative ack number)
Header length: 20 bytes
Flags: 0x010 (ACK)
Window size value: 255
[Calculated window size: 65280]
[Window size scaling factor: 256]
Checksum: 0x3436 [validation disabled]
[SEQ/ACK analysis]
;The last step of the four-way teardown: the client's ACK to the server. After this the two sides no longer communicate.
0000 f0 4d a2 31 48 1f 00 1a a0 8d 1d 7f 08 00 45 00 .M.1H.........E.
0010 00 28 01 a0 40 00 80 06 70 f3 c0 a8 03 6e c0 a8 .(..@...p....n..
0020 03 7e 04 be 00 50 a1 27 74 d8 54 9b 82 b9 50 10 .~...P.'t.T...P.
0030 00 ff 34 36 00 00 00 00 00 00 00 00 ..46........
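Added example (not part of the original post): a small C tracker that replays the raw sequence and acknowledgment numbers of frames 24-34, as read from the hex dumps above, reproduces Wireshark's relative Seq/Ack values, and reports the first segment that does not continue its sender's sequence space or that acknowledges data the peer never sent. The struct and function names are made up for this example, and the modified segments used for the negative cases are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define F_FIN 0x01
#define F_SYN 0x02
#define F_ACK 0x10
#define NSEG  11

/* dir 0 = client 192.168.3.110 -> server, dir 1 = server 192.168.3.126 -> client. */
struct seg { int frame, dir; uint32_t seq, ack; uint8_t flags; uint32_t len; };
struct rel { uint32_t seq, ack; };   /* relative numbers, as Wireshark prints them */

/* Raw seq, ack, flags and TCP payload length of frames 24-34, read from the dumps above. */
static const struct seg capture[NSEG] = {
    {24, 0, 0xa1277461, 0x00000000, 0x02,   0},   /* SYN */
    {25, 1, 0x549b814a, 0xa1277462, 0x12,   0},   /* SYN, ACK */
    {26, 0, 0xa1277462, 0x549b814b, 0x10,   0},   /* ACK */
    {27, 0, 0xa1277462, 0x549b814b, 0x18, 117},   /* HTTP GET */
    {28, 1, 0x549b814b, 0xa12774d7, 0x10,   0},   /* ACK */
    {29, 1, 0x549b814b, 0xa12774d7, 0x18, 251},   /* response headers */
    {30, 0, 0xa12774d7, 0x549b8246, 0x10,   0},   /* ACK */
    {31, 1, 0x549b8246, 0xa12774d7, 0x18, 114},   /* response body */
    {32, 0, 0xa12774d7, 0x549b82b8, 0x11,   0},   /* FIN, ACK */
    {33, 1, 0x549b82b8, 0xa12774d8, 0x11,   0},   /* FIN, ACK */
    {34, 0, 0xa12774d8, 0x549b82b9, 0x10,   0},   /* ACK */
};

/* Replay segments in capture order. Returns -1 if every segment continues its
 * sender's sequence space and acknowledges only data the peer has sent;
 * otherwise the index of the first segment that does not. */
static int track(const struct seg *s, size_t n, struct rel *out)
{
    uint32_t isn[2] = {0, 0}, nxt[2] = {0, 0};
    int started[2] = {0, 0};
    for (size_t i = 0; i < n; i++) {
        int d = s[i].dir, o = !d;
        if (s[i].flags & F_SYN) { isn[d] = nxt[d] = s[i].seq; started[d] = 1; }
        if (!started[d] || s[i].seq != nxt[d]) return (int)i;   /* gap or foreign segment */
        if ((s[i].flags & F_ACK) && (!started[o] || (int32_t)(s[i].ack - nxt[o]) > 0))
            return (int)i;                                       /* ACK for unsent data */
        out[i].seq = s[i].seq - isn[d];
        out[i].ack = (s[i].flags & F_ACK) ? s[i].ack - isn[o] : 0;
        /* SYN and FIN each consume one sequence number; payload consumes len. */
        nxt[d] += s[i].len + ((s[i].flags & F_SYN) != 0) + ((s[i].flags & F_FIN) != 0);
    }
    return -1;
}

/* Re-run the tracker on a copy with one segment's seq/ack shifted (constructed input). */
static int track_modified(size_t idx, uint32_t dseq, uint32_t dack)
{
    struct seg copy[NSEG];
    struct rel r[NSEG];
    for (size_t i = 0; i < NSEG; i++) copy[i] = capture[i];
    copy[idx].seq += dseq;
    copy[idx].ack += dack;
    return track(copy, NSEG, r);
}

/* Payload bytes sent in one direction. */
static uint32_t stream_bytes(const struct seg *s, size_t n, int dir)
{
    uint32_t total = 0;
    for (size_t i = 0; i < n; i++)
        if (s[i].dir == dir) total += s[i].len;
    return total;
}

int main(void)
{
    struct rel r[NSEG];
    if (track(capture, NSEG, r) != -1) return 1;
    for (size_t i = 0; i < NSEG; i++)
        printf("frame %d Seq=%u Ack=%u Len=%u\n", capture[i].frame,
               (unsigned)r[i].seq, (unsigned)r[i].ack, (unsigned)capture[i].len);
    printf("server bytes=%u, shifted ACK in frame 30 flagged at index %d\n",
           (unsigned)stream_bytes(capture, NSEG, 1), track_modified(6, 0, 1000));
    return 0;
}
```

The server-to-client byte count equals the 365 bytes Wireshark reports for the two reassembled segments (#29 and #31).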