初識(shí)Traceroute
Traceroute是一種常見(jiàn)的網(wǎng)絡(luò)分析工具搏存,用于探測(cè)數(shù)據(jù)包從源地址到目的地址經(jīng)過(guò)的路由器的IP地址。
以下的示例顯示從一個(gè)MAC電腦到8.8.8.8的路徑探測(cè)結(jié)果:
? ~ traceroute 8.8.8.8
traceroute to 8.8.8.8 (8.8.8.8), 64 hops max, 52 byte packets
1 localhost (10.39.101.1) 8.662 ms 1.307 ms 1.155 ms
2 localhost (192.168.1.1) 2.287 ms 2.157 ms 1.897 ms
3 222.129.32.1 (222.129.32.1) 5.844 ms 13.092 ms 10.332 ms
4 114.244.95.105 (114.244.95.105) 7.541 ms
61.51.101.101 (61.51.101.101) 7.420 ms
61.148.163.81 (61.148.163.81) 7.075 ms
5 61.148.4.213 (61.148.4.213) 7.759 ms
219.232.11.65 (219.232.11.65) 5.976 ms
bt-230-081.bta.net.cn (202.106.230.81) 6.021 ms
6 202.96.12.13 (202.96.12.13) 7.828 ms * *
7 219.158.112.26 (219.158.112.26) 39.486 ms *
219.158.7.22 (219.158.7.22) 45.959 ms
8 219.158.103.218 (219.158.103.218) 48.469 ms
219.158.97.2 (219.158.97.2) 47.146 ms
219.158.103.218 (219.158.103.218) 50.320 ms
9 219.158.103.30 (219.158.103.30) 50.739 ms 50.382 ms 48.348 ms
10 219.158.10.30 (219.158.10.30) 49.927 ms 44.264 ms 56.353 ms
11 219.158.33.174 (219.158.33.174) 54.123 ms 61.131 ms 47.302 ms
12 108.170.241.97 (108.170.241.97) 56.082 ms
108.170.241.33 (108.170.241.33) 52.942 ms 54.393 ms
13 142.250.58.189 (142.250.58.189) 48.958 ms
209.85.143.37 (209.85.143.37) 51.217 ms
108.170.226.115 (108.170.226.115) 141.544 ms
14 dns.google (8.8.8.8) 48.935 ms 46.364 ms 51.043 ms
? ~ ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
64 bytes from 8.8.8.8: icmp_seq=0 ttl=113 time=52.060 ms
64 bytes from 8.8.8.8: icmp_seq=1 ttl=113 time=44.845 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=113 time=52.393 ms
64 bytes from 8.8.8.8: icmp_seq=3 ttl=113 time=51.059 ms
64 bytes from 8.8.8.8: icmp_seq=4 ttl=113 time=44.437 ms
64 bytes from 8.8.8.8: icmp_seq=5 ttl=113 time=44.534 ms
^C
--- 8.8.8.8 ping statistics ---
6 packets transmitted, 6 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 44.437/48.221/52.393/3.640 ms
輸出結(jié)果表明:
- 從MAC電腦到8.8.8.8的路徑包含14個(gè)網(wǎng)絡(luò)節(jié)點(diǎn)助琐。
- 每個(gè)節(jié)點(diǎn)后面都顯示時(shí)延信息祭埂,表明從MAC電腦到該節(jié)點(diǎn)的往返時(shí)延。您可能會(huì)發(fā)現(xiàn)兵钮,中間的某些節(jié)點(diǎn)往返時(shí)延可能要高于更遠(yuǎn)的節(jié)點(diǎn)的往返時(shí)延蛆橡。這是由于該時(shí)延包含了路由器將TTL=0的報(bào)文交給控制面處理的時(shí)延,因而往往比路徑上的傳播時(shí)延要高掘譬,尤其是當(dāng)控制面CPU繁忙時(shí)泰演。Traceroute對(duì)每一個(gè)節(jié)點(diǎn)發(fā)出3個(gè)探測(cè)報(bào)文,每個(gè)報(bào)文的路徑不盡相同葱轩,例如在第4睦焕、5、7靴拱、8垃喊、12、13跳經(jīng)過(guò)不同的路由器轉(zhuǎn)發(fā)袜炕。
- 有的探測(cè)沒(méi)有得到回應(yīng)本谜,因此在有的節(jié)點(diǎn)本應(yīng)顯示時(shí)延信息的,顯示了*偎窘。這并不能斷定中間的網(wǎng)絡(luò)不可達(dá)乌助,很可能的原因是該節(jié)點(diǎn)的路由器在接口上配置了 no ip unreachable 命令溜在,該接口不回應(yīng)ICMP Unreachable消息,而該消息正是Traceroute探測(cè)路徑所依賴的信息來(lái)源他托。
接下來(lái)掖肋,我們簡(jiǎn)要描述一下,在MAC電腦下赏参,Traceroute的工作原理志笼,并使用Wireshark進(jìn)一步的探究Traceroute的工作過(guò)程。
Traceroute的工作原理
每當(dāng)IP數(shù)據(jù)包經(jīng)過(guò)一個(gè)路由器登刺,其存活時(shí)間TTL就會(huì)減1籽腕。當(dāng)其存活時(shí)間是0時(shí),主機(jī)便取消數(shù)據(jù)包纸俭,并發(fā)送一個(gè)ICMP TTL超時(shí)數(shù)據(jù)包給原數(shù)據(jù)包的發(fā)出者皇耗。Traceroute程序通過(guò)向目的地址發(fā)送一系列的探測(cè)包,設(shè)置探測(cè)包的TTL初始值分別為1,2,3…揍很,根據(jù)返回的超時(shí)通知(ICMP Time Exceeded Message)得到源地址與目的地址之間的每一跳路由信息郎楼。
從源地址發(fā)出一個(gè)UDP探測(cè)包到目的地址,并將TTL設(shè)置為1窒悔;
到達(dá)路由器時(shí)呜袁,將TTL減1;
當(dāng)TTL變?yōu)?時(shí)简珠,包被丟棄阶界,路由器向源地址發(fā)回一個(gè)ICMP超時(shí)通知(ICMP Time Exceeded Message),內(nèi)含發(fā)送IP包的源地址聋庵,IP包的所有內(nèi)容及路由器的IP地址膘融;
當(dāng)源地址收到該ICMP包時(shí),顯示這一跳路由信息祭玉;
重復(fù)1~5氧映,并每次設(shè)置TTL加1;
直至目標(biāo)地址收到探測(cè)數(shù)據(jù)包脱货,并返回端口不可達(dá)通知(ICMP Port Unreachable)岛都;
當(dāng)源地址收到ICMP Port Unreachable包時(shí)停止traceroute。
以上內(nèi)容引自Traceroute/tracert原理和實(shí)踐
通過(guò)Wireshark探究Traceroute
在Traceroute輸出結(jié)果中顯示AS號(hào)
在Mac電腦的Traceroute命令中振峻,通過(guò)'-a'的參數(shù)可以開(kāi)啟路徑中遇到的IP地址所在的BGP AS號(hào)臼疫,以便于獲知路徑中每一跳所歸屬的運(yùn)營(yíng)商,通過(guò)'-q 1'可將缺省發(fā)送3個(gè)探測(cè)報(bào)文改為發(fā)送1個(gè)探測(cè)報(bào)文扣孟,輸出示例如下:
? ~ traceroute -aq 1 8.8.8.8
traceroute to 8.8.8.8 (8.8.8.8), 64 hops max, 52 byte packets
1 [AS0] bogon (10.39.101.1) 2.424 ms
2 [AS0] localhost (192.168.1.1) 3.031 ms
3 [AS4808] 222.129.32.1 (222.129.32.1) 6.496 ms
4 [AS4808] 61.51.101.101 (61.51.101.101) 8.114 ms
5 [AS17431] 219.232.11.29 (219.232.11.29) 5.865 ms
6 [AS4808] 202.96.12.13 (202.96.12.13) 6.558 ms
7 [AS4837] 219.158.112.46 (219.158.112.46) 44.826 ms
8 [AS4837] 219.158.103.218 (219.158.103.218) 52.181 ms
9 [AS4837] 219.158.103.30 (219.158.103.30) 47.851 ms
10 [AS4837] 219.158.10.30 (219.158.10.30) 56.963 ms
11 [AS4837] 219.158.33.174 (219.158.33.174) 46.523 ms
12 [AS15169] 108.170.241.1 (108.170.241.1) 48.503 ms
13 [AS15169] 172.253.64.111 (172.253.64.111) 142.926 ms
14 [AS15169] dns.google (8.8.8.8) 52.208 ms
上述的AS編號(hào)信息是如何獲得的烫堤?下面我們通過(guò)Wireshark抓取報(bào)文進(jìn)行分析。
上述Traceroute的收發(fā)包過(guò)程簡(jiǎn)述
開(kāi)啟Wireshark,并迅速執(zhí)行traceroute -aq 1 8.8.8.8塔逃,Traceroute完整輸出后,停止Wireshark的報(bào)文抓取料仗。
針對(duì)抓取的報(bào)文進(jìn)行過(guò)濾湾盗,在過(guò)濾框中輸入 udp or icmp or ip.addr == 198.108.0.18
經(jīng)過(guò)Wireshark的報(bào)文分析,以下為Traceroute的簡(jiǎn)要的收發(fā)包過(guò)程:
- 發(fā)起DNS查詢立轧,查詢whois.radb.net域名格粪,得到應(yīng)答為198.108.0.18----上述過(guò)濾器中IP地址來(lái)源于此。
- 發(fā)起TCP連接請(qǐng)求氛改,與198.108.0.18建立TCP連接帐萎。
- 向8.8.8.8發(fā)起UDP報(bào)文,目的端口為33435胜卤,TTL設(shè)置為1
- 收到路由器的ICMP TTL超時(shí)消息疆导,獲取路由器對(duì)應(yīng)的IP地址
- 向whois.radb.net發(fā)起查詢,詢問(wèn)路由器IP地址對(duì)應(yīng)的AS號(hào)葛躏,并得到回應(yīng)澈段,如果是私有地址,其AS號(hào)為0舰攒。
- 嘗試向DNS服務(wù)器查詢路由器IP地址的反向域名解析败富,如果得到域名,就將其顯示在Traceroute的輸出結(jié)果中摩窃。
- 重復(fù)上述第3~6步兽叮,每次將TTL加1,直至目標(biāo)地址接收到探測(cè)報(bào)文猾愿,并返回ICMP Port Unreachable消息鹦聪。
Wireshark抓包詳細(xì)分析
下圖為Wireshark抓取的報(bào)文的前36個(gè):
第1和第2個(gè)報(bào)文為DNS查詢,查詢whois.radb.net的地址為198.108.0.18匪蟀。
第3~5的報(bào)文為TCP三次握手椎麦,并成功建立TCP 連接10.39.101.141:51705<--->198.108.0.18:43,TCP 43端口通常是whois server的端口材彪。
第6個(gè)報(bào)文由10.39.101.141發(fā)向198.108.0.18观挎,并將PSH置位,請(qǐng)求接收端一收到就進(jìn)行向上交付段化,以縮短Traceroute的等待時(shí)間偶妖。
第7個(gè)報(bào)文發(fā)出第一個(gè)UDP的探測(cè)報(bào)文宛官,目標(biāo)端口號(hào)為33435,TTL=1,具體如下:
-
第8個(gè)報(bào)文為網(wǎng)關(guān)回復(fù)的ICMP Time-to-live exceeded (Time to live exceeded in transit)報(bào)文媒楼,Traceroute從IP報(bào)文中的源地址獲取路由器的IP地址10.39.101.1佑附。該報(bào)文包含原始的UDP報(bào)文信息,具體如下:
ICMP TTL超時(shí)
- 第9個(gè)報(bào)文為第6個(gè)報(bào)文的TCP確認(rèn)報(bào)文,第10個(gè)報(bào)文為向whois.radb.net查詢網(wǎng)關(guān)10.39.101.1/32所在的AS號(hào)鼓鲁。第11個(gè)報(bào)文為第10個(gè)報(bào)文的TCP確認(rèn),第12個(gè)報(bào)文答復(fù)查詢結(jié)果港谊,由于該地址為私有IP地址段骇吭,沒(méi)有查詢到結(jié)果,因此Traceroute 將AS號(hào)顯示為[AS0]歧寺。以下使用第29和30報(bào)文燥狰,用于展示AS號(hào)查詢的報(bào)文,如下:
查詢結(jié)果的文本內(nèi)容如下:
route: 222.129.0.0/18
descr: CMI (Customer Route)
origin: AS4808
mnt-by: MAINT-AS58453
changed: qas_support@cmi.chinamobile.com 20160525
source: RADB
route: 222.128.0.0/14
descr: China Unicom Beijing Province Network
country: CN
origin: AS4808
mnt-by: MAINT-CNCGROUP-RR
changed: abuse@cnc-noc.net 20160516
source: APNIC
route: 222.129.0.0/18
descr: CMI IP Transit
origin: AS4808
admin-c: MAINT-CMI-INT-HK
tech-c: MAINT-CMI-INT-HK
mnt-by: MAINT-CMI-INT-HK
changed: qas_support@cmi.chinamobile.com 20160525
source: NTTCOM
-
第14~17報(bào)文是DNS解析報(bào)文斜筐,分別對(duì)主機(jī)名WERAO-M-40KA進(jìn)行域名解析龙致,以及對(duì)網(wǎng)關(guān)IP 10.39.101.1進(jìn)行反向域名解析,由于是私有主機(jī)名和私有地址顷链,自然公網(wǎng)DNS是解析不出來(lái)目代。以下將針對(duì)8.8.8.8進(jìn)行反向域名解析為dns.google的截圖作為示例:
DNS反向域名解析
-
報(bào)文18~26重復(fù)報(bào)文7~17的過(guò)程,其中報(bào)文18的TTL為2嗤练,如下:
第二個(gè)UDP探測(cè)報(bào)文
過(guò)程持續(xù)至8.8.8.8返回Code: 3 (Port unreachable)的消息像啼,并對(duì)8.8.8.8進(jìn)行反向域名解析。
以上詳細(xì)的分析了traceroute -aq 1 8.8.8.8的報(bào)文收發(fā)過(guò)程潭苞。
后記
在上述的Traceroute完成輸出后忽冻,Wireshark成功的將Whois的交互報(bào)文進(jìn)行重新組裝,并完成內(nèi)容的解析此疹。
在Wireshark分析完第133個(gè)報(bào)文后僧诚,Wireshark成功的組裝出whois的查詢報(bào)文,如下:
在Wireshark分析完第135個(gè)報(bào)文后蝗碎,Wireshark成功的組裝出Whois的應(yīng)答報(bào)文湖笨,如下:
在Terminal執(zhí)行whois 8.8.8.8/32,并進(jìn)行報(bào)文抓取蹦骑,解析出Whois的報(bào)文應(yīng)答如下:
該報(bào)文也是Wireshark 拼裝了多個(gè)TCP Segment慈省,#101、#103眠菇、#104边败、#106、#109后解析出來(lái)的捎废。對(duì)比該解析結(jié)果和上文中笑窜,Traceroute過(guò)程中的查詢結(jié)果,可以發(fā)現(xiàn)登疗,報(bào)文結(jié)構(gòu)是一致的排截,都被Wireshark解析成Whois的報(bào)文嫌蚤。
據(jù)此,我推測(cè)断傲,MAC電腦上的Traceroute 在增加了-a的參數(shù)后脱吱,會(huì)主動(dòng)發(fā)起Whois查詢,缺省的Whois服務(wù)器是whois.radb.net认罩。
此部分內(nèi)容是在Traceroute收發(fā)包過(guò)程分析完成后急凰,再后知后覺(jué)發(fā)現(xiàn)的,因此將此部分內(nèi)容作為“后記”進(jìn)行記錄猜年。
Traceroute 進(jìn)階版工具M(jìn)TR
MTR (My Traceroute)工具將ping和traceroute命令的功能并入了同一個(gè)工具中,實(shí)現(xiàn)更強(qiáng)大的功能疾忍。相對(duì)于traceroute命令只會(huì)做一次鏈路跟蹤測(cè)試乔外,mtr命令會(huì)對(duì)鏈路上的相關(guān)節(jié)點(diǎn)做持續(xù)探測(cè)并給出相應(yīng)的統(tǒng)計(jì)信息。
如下為MTR的輸出:
? ~ sudo mtr -ry 4 8.8.8.8
Start: 2021-06-27T23:37:21+0800
HOST: WERAO-M-40KA Loss% Snt Last Avg Best Wrst StDev
1. ??? localhost 0.0% 10 1.8 2.2 1.2 10.1 2.8
2. ??? bogon 0.0% 10 2.2 2.3 1.9 3.3 0.5
3. 2003-11-19 222.129.32.1 0.0% 10 6.3 9.5 5.0 29.2 7.7
4. 2000-03-14 61.148.163.181 0.0% 10 5.3 7.4 5.3 8.7 1.2
5. 2002-04-17 219.232.11.65 70.0% 10 5.4 6.1 5.4 6.8 0.7
6. 2006-01-09 124.65.194.153 30.0% 10 28.9 9.6 5.7 28.9 8.5
7. 2002-03-21 219.158.112.26 40.0% 10 38.9 44.2 38.5 63.7 9.7
8. 2002-03-21 219.158.19.66 0.0% 10 74.4 64.1 46.4 74.4 8.8
9. 2002-03-21 219.158.97.25 0.0% 10 90.8 90.8 82.2 96.7 4.3
10. 2002-03-21 219.158.20.94 0.0% 10 97.5 89.8 74.1 104.6 11.8
11. 2002-03-21 219.158.33.174 0.0% 10 73.0 62.1 49.7 74.0 8.5
12. 2012-02-07 108.170.241.65 0.0% 10 59.0 67.3 53.1 75.4 7.2
13. 2013-04-04 172.253.69.229 10.0% 10 62.9 68.3 54.5 76.6 6.5
14. 1992-12-01 dns.google 0.0% 10 71.0 65.6 56.4 71.0 5.7
MTR命令一罩,通過(guò)-r 輸出報(bào)告杨幼,-z 可輸出地址所在的AS號(hào),-y 4 可輸出該地址的分配時(shí)間聂渊。
輸出信息解釋如下:
- 第一列(Host):節(jié)點(diǎn)IP地址和域名差购。如前面所示,按n鍵可以切換顯示汉嗽。
- 第二列(Loss%):節(jié)點(diǎn)丟包率欲逃。
- 第三列(Snt):發(fā)送的Ping包數(shù)。默認(rèn)值是10饼暑,可以通過(guò)參數(shù)“-c”指定稳析。
- 第四列(Last):最近一次的探測(cè)延遲值。
- 第五弓叛、六彰居、七列(Avg、Best撰筷、Wrst):分別是探測(cè)延遲的平均值陈惰、最小值和最大值。
- 第八列(StDev):標(biāo)準(zhǔn)偏差毕籽。越大說(shuō)明相應(yīng)節(jié)點(diǎn)越不穩(wěn)定抬闯。
上述解釋引用自:MTR工具使用說(shuō)明與結(jié)果分析,略有改動(dòng)关筒。
Q&A
-
David Tian: 贊画髓,請(qǐng)教下,為什么ipv4的traceroute 會(huì)觸發(fā)用ipv6去查dns呢平委?
答:好眼力奈虾,好問(wèn)題~~實(shí)際上,我抓取的報(bào)文中,每次得到ICMP報(bào)文后肉微,Traceroute也會(huì)向208.67.222.222發(fā)送DNS請(qǐng)求匾鸥。但是報(bào)文是加密的,看不出是什么內(nèi)容碉纳,不能猜測(cè)勿负,所以我將這些不確定的報(bào)文刪除了。208.67.222.222是OpenDNS的DNS服務(wù)器劳曹,這是Cisco IT設(shè)置的DNS服務(wù)器奴愉。??
附錄
以下是Wireshark抓包文件的前60個(gè)報(bào)文的概覽。
| No. | Source | Destination | Protocol | Info |
|---|---|---|---|---|
| 1 | fe80::1c7a:24fd:c837:3017 | fe80::1 | DNS | Standard query 0xc7d5 A whois.radb.net |
| 2 | fe80::1 | fe80::1c7a:24fd:c837:3017 | DNS | Standard query response 0xc7d5 A whois.radb.net A 198.108.0.18 |
| 3 | 10.39.101.141 | 198.108.0.18 | TCP | 51705 → 43 [SYN] Seq=0 Win=65535 Len=0 MSS=1460 WS=64 TSval=2785245374 TSecr=0 SACK_PERM=1 |
| 4 | 198.108.0.18 | 10.39.101.141 | TCP | 43 → 51705 [SYN, ACK] Seq=0 Ack=1 Win=28960 Len=0 MSS=1412 TSval=3642352050 TSecr=2785245374 WS=256 |
| 5 | 10.39.101.141 | 198.108.0.18 | TCP | 51705 → 43 [ACK] Seq=1 Ack=1 Win=131584 Len=0 TSval=2785245692 TSecr=3642352050 |
| 6 | 10.39.101.141 | 198.108.0.18 | TCP | 51705 → 43 [PSH, ACK] Seq=1 Ack=1 Win=131584 Len=3 TSval=2785245692 TSecr=3642352050 [TCP segment of a reassembled PDU] |
| 7 | 10.39.101.141 | 8.8.8.8 | UDP | 36904 → 33435 Len=24 |
| 8 | 10.39.101.1 | 10.39.101.141 | ICMP | Time-to-live exceeded (Time to live exceeded in transit) |
| 9 | 198.108.0.18 | 10.39.101.141 | TCP | 43 → 51705 [ACK] Seq=1 Ack=4 Win=29184 Len=0 TSval=3642352370 TSecr=2785245692 |
| 10 | 10.39.101.141 | 198.108.0.18 | TCP | 51705 → 43 [PSH, ACK] Seq=4 Ack=1 Win=131584 Len=19 TSval=2785246039 TSecr=3642352370 [TCP segment of a reassembled PDU] |
| 11 | 198.108.0.18 | 10.39.101.141 | TCP | 43 → 51705 [ACK] Seq=1 Ack=23 Win=29184 Len=0 TSval=3642352717 TSecr=2785246039 |
| 12 | 198.108.0.18 | 10.39.101.141 | TCP | 43 → 51705 [PSH, ACK] Seq=1 Ack=23 Win=29184 Len=2 TSval=3642352717 TSecr=2785246039 [TCP segment of a reassembled PDU] |
| 13 | 10.39.101.141 | 198.108.0.18 | TCP | 51705 → 43 [ACK] Seq=23 Ack=3 Win=131584 Len=0 TSval=2785246448 TSecr=3642352717 |
| 14 | fe80::1c7a:24fd:c837:3017 | fe80::1 | DNS | Standard query 0x93fc A WERAO-M-40KA |
| 15 | fe80::1 | fe80::1c7a:24fd:c837:3017 | DNS | Standard query response 0x93fc No such name A WERAO-M-40KA |
| 16 | fe80::1c7a:24fd:c837:3017 | fe80::1 | DNS | Standard query 0xbcf9 PTR 1.101.39.10.in-addr.arpa |
| 17 | fe80::1 | fe80::1c7a:24fd:c837:3017 | DNS | Standard query response 0xbcf9 PTR 1.101.39.10.in-addr.arpa PTR bogon |
| 18 | 10.39.101.141 | 8.8.8.8 | UDP | 36904 → 33436 Len=24 |
| 19 | 192.168.1.1 | 10.39.101.141 | ICMP | Time-to-live exceeded (Time to live exceeded in transit) |
| 20 | 10.39.101.141 | 198.108.0.18 | TCP | 51705 → 43 [PSH, ACK] Seq=23 Ack=3 Win=131584 Len=19 TSval=2785248590 TSecr=3642352717 [TCP segment of a reassembled PDU] |
| 21 | 10.39.101.141 | 10.39.101.1 | DNS | Standard query 0xc81a A WERAO-M-40KA |
| 22 | 10.39.101.1 | 10.39.101.141 | DNS | Standard query response 0xc81a A WERAO-M-40KA A 10.39.101.141 |
| 23 | 198.108.0.18 | 10.39.101.141 | TCP | 43 → 51705 [PSH, ACK] Seq=3 Ack=42 Win=29184 Len=2 TSval=3642355278 TSecr=2785248590 [TCP segment of a reassembled PDU] |
| 24 | 10.39.101.141 | 198.108.0.18 | TCP | 51705 → 43 [ACK] Seq=42 Ack=5 Win=131584 Len=0 TSval=2785248902 TSecr=3642355278 |
| 25 | fe80::1c7a:24fd:c837:3017 | fe80::1 | DNS | Standard query 0x7504 PTR 1.1.168.192.in-addr.arpa |
| 26 | fe80::1 | fe80::1c7a:24fd:c837:3017 | DNS | Standard query response 0x7504 PTR 1.1.168.192.in-addr.arpa PTR localhost |
| 27 | 10.39.101.141 | 8.8.8.8 | UDP | 36904 → 33437 Len=24 |
| 28 | 222.129.32.1 | 10.39.101.141 | ICMP | Time-to-live exceeded (Time to live exceeded in transit) |
| 29 | 10.39.101.141 | 198.108.0.18 | TCP | 51705 → 43 [PSH, ACK] Seq=42 Ack=5 Win=131584 Len=20 TSval=2785249974 TSecr=3642355278 [TCP segment of a reassembled PDU] |
| 30 | 198.108.0.18 | 10.39.101.141 | TCP | 43 → 51705 [PSH, ACK] Seq=5 Ack=62 Win=29184 Len=643 TSval=3642356666 TSecr=2785249974 [TCP segment of a reassembled PDU] |
| 31 | 10.39.101.141 | 198.108.0.18 | TCP | 51705 → 43 [ACK] Seq=62 Ack=648 Win=130944 Len=0 TSval=2785250324 TSecr=3642356666 |
| 32 | fe80::1c7a:24fd:c837:3017 | fe80::1 | DNS | Standard query 0x4f56 PTR 1.32.129.222.in-addr.arpa |
| 33 | fe80::1 | fe80::1c7a:24fd:c837:3017 | DNS | Standard query response 0x4f56 No such name PTR 1.32.129.222.in-addr.arpa |
| 34 | 10.39.101.141 | 8.8.8.8 | UDP | 36904 → 33438 Len=24 |
| 35 | 61.51.101.101 | 10.39.101.141 | ICMP | Time-to-live exceeded (Time to live exceeded in transit) |
| 36 | 10.39.101.141 | 198.108.0.18 | TCP | 51705 → 43 [PSH, ACK] Seq=62 Ack=648 Win=131072 Len=21 TSval=2785251389 TSecr=3642356666 [TCP segment of a reassembled PDU] |
| 37 | 198.108.0.18 | 10.39.101.141 | TCP | 43 → 51705 [PSH, ACK] Seq=648 Ack=83 Win=29184 Len=639 TSval=3642358087 TSecr=2785251389 [TCP segment of a reassembled PDU] |
| 38 | 10.39.101.141 | 198.108.0.18 | TCP | 51705 → 43 [ACK] Seq=83 Ack=1287 Win=130432 Len=0 TSval=2785251697 TSecr=3642358087 |
| 39 | 10.39.101.141 | 10.39.101.1 | DNS | Standard query 0x521b PTR 1.32.129.222.in-addr.arpa |
| 40 | 10.39.101.1 | 10.39.101.141 | DNS | Standard query response 0x521b No such name PTR 1.32.129.222.in-addr.arpa |
| 41 | fe80::1c7a:24fd:c837:3017 | fe80::1 | DNS | Standard query 0x5931 PTR 101.101.51.61.in-addr.arpa |
| 42 | fe80::1 | fe80::1c7a:24fd:c837:3017 | DNS | Standard query response 0x5931 No such name PTR 101.101.51.61.in-addr.arpa |
| 43 | 10.39.101.141 | 8.8.8.8 | UDP | 36904 → 33439 Len=24 |
| 44 | 219.232.11.29 | 10.39.101.141 | ICMP | Time-to-live exceeded (Time to live exceeded in transit) |
| 45 | 10.39.101.141 | 198.108.0.18 | TCP | 51705 → 43 [PSH, ACK] Seq=83 Ack=1287 Win=131072 Len=21 TSval=2785252732 TSecr=3642358087 [TCP segment of a reassembled PDU] |
| 46 | 198.108.0.18 | 10.39.101.141 | TCP | 43 → 51705 [PSH, ACK] Seq=1287 Ack=104 Win=29184 Len=418 TSval=3642359437 TSecr=2785252732 [TCP segment of a reassembled PDU] |
| 47 | 10.39.101.141 | 198.108.0.18 | TCP | 51705 → 43 [ACK] Seq=104 Ack=1705 Win=130624 Len=0 TSval=2785253042 TSecr=3642359437 |
| 48 | fe80::1c7a:24fd:c837:3017 | fe80::1 | DNS | Standard query 0x7d09 PTR 29.11.232.219.in-addr.arpa |
| 49 | fe80::1 | fe80::1c7a:24fd:c837:3017 | DNS | Standard query response 0x7d09 No such name PTR 29.11.232.219.in-addr.arpa |
| 50 | 10.39.101.141 | 8.8.8.8 | UDP | 36904 → 33440 Len=24 |
| 51 | 202.96.12.13 | 10.39.101.141 | ICMP | Time-to-live exceeded (Time to live exceeded in transit) |
| 52 | 10.39.101.141 | 198.108.0.18 | TCP | 51705 → 43 [PSH, ACK] Seq=104 Ack=1705 Win=131072 Len=20 TSval=2785254068 TSecr=3642359437 [TCP segment of a reassembled PDU] |
| 53 | 10.39.101.141 | 10.39.101.1 | DNS | Standard query 0x961b PTR 101.101.51.61.in-addr.arpa |
| 54 | 10.39.101.1 | 10.39.101.141 | DNS | Standard query response 0x961b No such name PTR 101.101.51.61.in-addr.arpa |
| 55 | 198.108.0.18 | 10.39.101.141 | TCP | 43 → 51705 [PSH, ACK] Seq=1705 Ack=124 Win=29184 Len=642 TSval=3642360779 TSecr=2785254068 [TCP segment of a reassembled PDU] |
| 56 | 10.39.101.141 | 198.108.0.18 | TCP | 51705 → 43 [ACK] Seq=124 Ack=2347 Win=130368 Len=0 TSval=2785254400 TSecr=3642360779 |
| 57 | fe80::1c7a:24fd:c837:3017 | fe80::1 | DNS | Standard query 0xb016 PTR 13.12.96.202.in-addr.arpa |
| 58 | fe80::1 | fe80::1c7a:24fd:c837:3017 | DNS | Standard query response 0xb016 No such name PTR 13.12.96.202.in-addr.arpa SOA beijing.cn.net |
| 59 | 10.39.101.141 | 8.8.8.8 | UDP | 36904 → 33441 Len=24 |
| 60 | 219.158.112.46 | 10.39.101.141 | ICMP | Time-to-live exceeded (Time to live exceeded in transit) |
