
Offtopic: TCP/IP ICMP/IP Header



Hi folks,

  Sorry for the off-topic post, but I think someone on this list must know
the answer...

  Here's the thing: I'm studying the IP, ICMP and TCP standards a bit:
      http://rfc.net/std5.html
      http://rfc.net/rfc792.html
      http://rfc.net/std7.html

  And to see how it works, I did some tests with ping/telnet/etc...

  # tcpdump -w /tmp/arquivo.raw &
  # ping -c 1 192.168.131.9
  # killall tcpdump
  # cat /tmp/arquivo.raw | hexdump -C | less

  and here is the result, with my comments below:

00000000  45 00 00 54 88 10 00 00  40 01 6b 37 c0 a8 83 07
-- beginning of IP header --
45: 4=version 5=header length (32bits*0x5)
00: type of service
0054: total length: 8bits*0x0054
8810: identification
0000: fragmentation (flags+offset)
40: time to live
01: protocol (0x01=ICMP)
6b37: header checksum
c0a88307: source address (192.168.131.7)

00000010  c0 a8 83 09 08 00 94 30  5c 4a 00 00 3c 02 28 03
c0a88309: dest address (192.168.131.9)
-- end of IP header -- beginning of protocol header (ICMP) --
08: type (ICMP Echo)
00: code (always 0 for ICMP Echo)
9430: checksum
5c4a: identifier
0000: sequence number
3c022803... databytes...

00000020  00 07 b8 75 08 09 0a 0b  0c 0d 0e 0f 10 11 12 13
00000030  14 15 16 17 18 19 1a 1b  1c 1d 1e 1f 20 21 22 23
00000040  24 25 26 27 28 29 2a 2b  2c 2d 2e 2f 30 31 32 33
00000050  34 35 03 28 02 3c 30 bb  07 00 60 00 00 00 62 00
                 end | beginning of what?

00000060  00 00 00 00 21 f1 cd bd  00 00 21 4f da d8 08 00

00000070  45 00 00 54 02 83 00 00  ff 01 31 c4 c0 a8 83 09
45000054... here the ICMP Echo Reply begins...

00000080  c0 a8 83 07 00 00 9c 30  5c 4a 00 00 3c 02 28 03
00000090  00 07 b8 75 08 09 0a 0b  0c 0d 0e 0f 10 11 12 13
[I cut the rest]

So the question: according to the total length, the ICMP/IP Echo packet ends
at 34350328, and the reply begins at 45000054...
What is this data that starts with 023c30bb... and runs through ...dad80800 ????

I also noticed this when I telnet to a closed port on the other host. And I
noticed it in many other cases too...

In the telnet case, it goes like this:
   local->remote TCP with SYN
   some bytes I don't know the meaning of, like those in the example above
   remote->local TCP with PSH+RST  (indicating a closed port)
see the attachment...

So, what are these bytes that show up between the packets?

   Cheers,
   Thanks,
    Pedro

-- 
  .''`.   Pedro Zorzenon Neto <pzn@terra.com.br>
 : :'  :  Debian GNU/Linux | GNU/Hurd: <http://www.debian.org>
 `. `'`   Debian BR: <http://debian-br.cipsga.org.br>
   `-     Be Happy! Be FREE!

000000e0  45 10 00 3c 8e a9 40 00  40 06 24 a1 c0 a8 83 07  |E..<.©@.@.$¡À¨..|
45: 4=version 5=header length (32bits*0x5)
10: type of service (0x10=low delay)
003c: total length: 8bits*0x003c
8ea9: identification
4000: fragmentation (flags+offset) DF set, don't fragment
40: time to live
06: protocol (0x06=TCP)
24a1: header checksum
c0a88307: source address (192.168.131.7)

000000f0  c0 a8 83 09 05 9b 00 50  83 d7 cf 27 00 00 00 00  |À¨.....P.×Ï'....|
c0a88309: dest address (192.168.131.9)
-- end of IP header --
-- beginning of protocol header (TCP) --
059b: source port
0050: destination port (0x50=80=http)
83d7cf27: sequence number
00000000: acknowledge number

00000100  a0 02 3e bc 85 29 00 00  02 04 05 b4 04 02 08 0a  | .>¼.).....´....|
a002: dataoffset(4bit) reserved(6bit) (flags URG ACK PSH RST SYN FIN)
3ebc: window
8529: checksum
0000: urgent pointer
0204: option (max segment size)
05b4: maxsegsize (only in SYN connections)
0402080a: data...
                                          end | beginning of what?
00000110  00 7d a3 58 00 00 00 00  01 03 03 00 20 31 02 3c  |.}£X........ 1.<|
00000120  d2 09 0c 00 3c 00 00 00  3c 00 00 00 00 00 21 f1  |Ò...<...<.....!ñ|

                           end of what? | beginning of IP packet
00000130  cd bd 00 00 21 4f da d8  08 00 45 10 00 28 03 38  |ͽ..!OÚØ..E..(.8|
45: 4=version 5=header length (32bits*0x5)
10: type of service (0x10=low delay)
0028: total length: 8bits*0x0028
0338: identification
00000140  00 00 ff 06 31 26 c0 a8  83 09 c0 a8 83 07 00 50  |..ÿ.1&À¨..À¨...P|

0000: fragmentation (flags+offset)
ff: time to live
06: protocol (0x06=TCP)
3126: header checksum
c0a88309: source address (192.168.131.9)
c0a88307: dest address (192.168.131.7)
-- end of IP header --
-- beginning of protocol header (TCP) --
0050: source port (http)

00000150  05 9b 00 00 00 00 83 d7  cf 28 50 14 00 00 cf 83  |.......×Ï(P...Ï.|
059b: destination port
00000000: sequence number
83d7cf28: acknowledge number
5014: dataoffset(4bit) reserved(6bit) (flags URG ACK PSH RST SYN FIN)  PSH+RST
0000: window
cf83: checksum

               | beginning of what?
00000160  00 00 0c 0d 0e 0f 10 11                           |........|
0000: urgent pointer
-- end of protocol header --
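The bytes the post asks about, as an added worked example (this is not code from the post): a file written with `tcpdump -w` is in libpcap format, so every captured frame is preceded by a 16-byte record header (timestamp seconds, timestamp microseconds, captured length, original length, in the byte order chosen by the file's magic number, little-endian in this capture) and then by the 14-byte Ethernet header (destination MAC, source MAC, EtherType, 0x0800 for IPv4). The IP header the post decodes only begins after those 30 bytes, which is exactly the span from 023c30bb to dad80800. The Python below parses one complete record copied from the attachment (offsets 0x11c through 0x167, the RST segment), validates the IPv4 header checksum, and treats whatever follows the IP datagram inside the frame as link-layer padding: a 40-byte datagram plus the 14-byte Ethernet header is 54 bytes, below Ethernet's 60-byte minimum payload frame, so the six bytes 0c 0d 0e 0f 10 11 are padding that a parser must not hand to TCP as data (such padding can carry stale buffer contents, so defenders should expect arbitrary bytes there). It also reads the record header of the echo-reply record from the first dump (offsets 0x52 through 0x61), whose captured length 0x60 (96) is smaller than the original length 0x62 (98): the capture's snapshot length dropped the last two bytes of each echo frame, which is consistent with the request's pattern bytes stopping at 0x35 instead of 0x37. All function and variable names are mine.

```python
import struct

ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6
# TCP flag bits in the low 6 bits of the data-offset/flags word, bit 0 first.
TCP_FLAG_NAMES = ("FIN", "SYN", "RST", "PSH", "ACK", "URG")

# Constructed sample, copied from the post's attachment (offsets 0x11c-0x167):
# one complete libpcap record holding the remote->local RST segment.
SAMPLE_RST_RECORD = bytes.fromhex(
    "20 31 02 3c d2 09 0c 00 3c 00 00 00 3c 00 00 00"              # pcap record header
    "00 00 21 f1 cd bd 00 00 21 4f da d8 08 00"                     # Ethernet header
    "45 10 00 28 03 38 00 00 ff 06 31 26 c0 a8 83 09 c0 a8 83 07"  # IPv4 header
    "00 50 05 9b 00 00 00 00 83 d7 cf 28 50 14 00 00 cf 83 00 00"  # TCP header
    "0c 0d 0e 0f 10 11"                                             # Ethernet padding
)
# Constructed sample, copied from the first dump (offsets 0x52-0x61): the record
# header of the echo-reply record, whose frame was cut short by the snaplen.
SAMPLE_ECHO_RECORD_HEADER = bytes.fromhex("03 28 02 3c 30 bb 07 00 60 00 00 00 62 00 00 00")


def fmt_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def fmt_ip(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def ip_checksum_ok(header: bytes) -> bool:
    """RFC 791 header checksum: the ones'-complement sum of every 16-bit word,
    checksum field included, must fold to 0xffff for an intact header."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total == 0xFFFF


def parse_record_header(buf: bytes, offset: int = 0) -> dict:
    """16-byte libpcap record header: ts_sec, ts_usec, incl_len, orig_len.
    Byte order follows the file's magic number; this capture is little-endian."""
    ts_sec, ts_usec, incl_len, orig_len = struct.unpack_from("<IIII", buf, offset)
    return {"ts_sec": ts_sec, "ts_usec": ts_usec, "incl_len": incl_len,
            "orig_len": orig_len, "truncated": incl_len < orig_len}


def parse_tcp(seg: bytes) -> dict:
    sport, dport, seq, ack, off_flags, window, csum, urg = struct.unpack_from("!HHIIHHHH", seg, 0)
    header_len = (off_flags >> 12) * 4          # data offset is in 32-bit words
    flags = off_flags & 0x3F
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "header_len": header_len, "window": window, "checksum": csum, "urgent": urg,
            "flags": [name for bit, name in enumerate(TCP_FLAG_NAMES) if flags & (1 << bit)],
            "options": seg[20:header_len]}


def parse_ipv4(pkt: bytes) -> dict:
    vihl, tos, total_len, ident, frag, ttl, proto, csum, src, dst = struct.unpack_from(
        "!BBHHHBBH4s4s", pkt, 0)
    ihl = (vihl & 0x0F) * 4                      # header length is in 32-bit words
    info = {"version": vihl >> 4, "header_len": ihl, "tos": tos, "total_len": total_len,
            "id": ident, "df": bool(frag & 0x4000), "ttl": ttl, "proto": proto,
            "checksum_ok": ip_checksum_ok(pkt[:ihl]), "src": fmt_ip(src), "dst": fmt_ip(dst)}
    if proto == IPPROTO_TCP:
        # Only the bytes inside total_len belong to TCP; anything after is not payload.
        info["tcp"] = parse_tcp(pkt[ihl:total_len])
    return info


def parse_record(buf: bytes, offset: int = 0) -> dict:
    """Decode one pcap record: record header, Ethernet II header, IPv4 (+TCP), trailer."""
    rec = parse_record_header(buf, offset)
    start = offset + 16
    frame = buf[start:start + rec["incl_len"]]
    dst_mac, src_mac, ethertype = struct.unpack_from("!6s6sH", frame, 0)
    rec.update(dst_mac=fmt_mac(dst_mac), src_mac=fmt_mac(src_mac), ethertype=ethertype,
               next_offset=start + rec["incl_len"])   # where the next record header begins
    if ethertype == ETHERTYPE_IPV4:
        ip = parse_ipv4(frame[14:])
        rec["ip"] = ip
        # Bytes after the IP datagram but inside the captured frame are link-layer padding.
        rec["trailer"] = frame[14 + ip["total_len"]:]
    return rec


if __name__ == "__main__":
    rec = parse_record(SAMPLE_RST_RECORD)
    print(f"record: ts={rec['ts_sec']}.{rec['ts_usec']:06d} incl={rec['incl_len']} orig={rec['orig_len']}")
    print(f"ether: {rec['src_mac']} -> {rec['dst_mac']} type=0x{rec['ethertype']:04x}")
    ip, tcp = rec["ip"], rec["ip"]["tcp"]
    print(f"ip: {ip['src']} -> {ip['dst']} ttl={ip['ttl']} checksum_ok={ip['checksum_ok']}")
    print(f"tcp: {tcp['sport']} -> {tcp['dport']} flags={'+'.join(tcp['flags'])}")
    print(f"trailer (padding): {rec['trailer'].hex()}")
    print("echo-reply record header:", parse_record_header(SAMPLE_ECHO_RECORD_HEADER))
```

To walk a whole file, skip the 24-byte global header, then call `parse_record` repeatedly, moving to `rec["next_offset"]` each time; the captured length, not the IP total length, is what advances the cursor, which is why the post's arithmetic on total length lands 30 bytes short of the next packet.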
