http://blog.chinaunix.net/uid-29056899-id-4206568.html
http://blog.csdn.net/gatieme/article/details/50827776
http://www.cnblogs.com/ggjucheng/archive/2012/01/14/2322659.html
1. TCP flags
* F : FIN - finish; ends a session
* S : SYN - synchronize; marks the request to start a session
* R : RST - reset; aborts a connection
* P : PUSH - push; the data is to be delivered immediately
* A : ACK - acknowledgement
* U : URG - urgent
* E : ECE - explicit congestion notification echo
* W : CWR - congestion window reduced
2. TCP three-way handshake (connection establishment)
2.1 The client sends a SYN segment to the server;
2.2 the server sends an acknowledgement and, in the same segment, its own SYN to the client;
2.3 the client sends an acknowledgement.
3. TCP four-way handshake (connection teardown)
3.1 The client sends a close request (FIN); 3.2 the server sends an ACK; 3.3 the server sends its own close request (FIN); 3.4 the client sends an ACK.
Connection establishment is essentially four exchanges as well; it is just that the server's SYN and its ACK can always be combined into a single segment.
Teardown usually takes four exchanges, because a TCP connection is bidirectional and one side closing actively only closes its own direction. In special cases teardown can take only three exchanges; this depends mainly on the upper-layer application. If the server, on receiving the peer's close, immediately closes its own side as well, only three exchanges are needed.
4. Analysing TCP packets on a Linux system
Run tcpdump -i any tcp and port 9200 (adding -xlnnps0 prints detailed packet contents: -x dumps the packet in hex, -l line-buffers the output, -nn disables name and port lookups, -p turns off promiscuous mode, -s0 captures whole packets).
Every line has the form srcHost.port > dstHost.port Flags [S], ...
srcHost.port: the source of the data
dstHost.port: the destination of the data
Flags [S]: the flag letters correspond roughly to the TCP flags listed at the start of this post, with one small difference: an ACK segment is not shown with an A. Instead the ACK bit appears as "." in the brackets (as in [S.] and [.]), and "ack" followed by the acknowledgement number appears later in the line.
seq: the sequence number of the segment. A SYN consumes one sequence number. A data segment shows a range [start, end), which includes the starting sequence number but not the ending one.
win (receive window): reflects how much the receiving side can process.
mss (Max Segment Size): determined by the largest packet the network can carry. Ethernet's MTU is 1500 bytes; subtracting the IP and TCP headers gives a maximum segment size of MSS 1460.
listening on any, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes
20:24:51.342231 IP 10.100.64.26.49505 > 10.50.114.116.wap-wsp: Flags [S], seq 3647486953, win 14280, options [mss 1428,sackOK,TS val 1240102593 ecr 0,nop,wscale 8], length 0
20:24:51.373773 IP 10.50.114.116.wap-wsp > 10.100.64.26.49505: Flags [S.], seq 77175520, ack 3647486954, win 14480, options [mss 1460,sackOK,TS val 133441597 ecr 1240102593,nop,wscale 8], length 0
20:24:51.373790 IP 10.100.64.26.49505 > 10.50.114.116.wap-wsp: Flags [.], ack 1, win 56, options [nop,nop,TS val 1240102601 ecr 133441597], length 0
20:24:51.373811 IP 10.100.64.26.49505 > 10.50.114.116.wap-wsp: Flags [P.], seq 1:166, ack 1, win 56, options [nop,nop,TS val 1240102601 ecr 133441597], length 165
20:24:51.405313 IP 10.50.114.116.wap-wsp > 10.100.64.26.49505: Flags [.], ack 166, win 61, options [nop,nop,TS val 133441605 ecr 1240102601], length 0
20:24:51.405906 IP 10.50.114.116.wap-wsp > 10.100.64.26.49505: Flags [P.], seq 1:147, ack 166, win 61, options [nop,nop,TS val 133441605 ecr 1240102601], length 146
20:24:51.405923 IP 10.100.64.26.49505 > 10.50.114.116.wap-wsp: Flags [.], ack 147, win 60, options [nop,nop,TS val 1240102609 ecr 133441605], length 0
20:29:00.209639 IP 10.100.64.26.49505 > 10.50.114.116.wap-wsp: Flags [F.], seq 3647487119, ack 77175667, win 60, options [nop,nop,TS val 1240164810 ecr 133441605], length 0
20:29:00.241201 IP 10.50.114.116.wap-wsp > 10.100.64.26.49505: Flags [F.], seq 1, ack 1, win 61, options [nop,nop,TS val 133503812 ecr 1240164810], length 0
20:29:00.241212 IP 10.100.64.26.49505 > 10.50.114.116.wap-wsp: Flags [.], ack 2, win 60, options [nop,nop,TS val 1240164817 ecr 133503812], length 0
20:30:13.882430 IP 10.100.64.26.49695 > 10.50.114.116.wap-wsp: Flags [S], seq 3314501555, win 14280, options [mss 1428,sackOK,TS val 1240183228 ecr 0,nop,wscale 8], length 0
20:30:13.914539 IP 10.50.114.116.wap-wsp > 10.100.64.26.49695: Flags [S.], seq 3151585407, ack 3314501556, win 14480, options [mss 1460,sackOK,TS val 133522230 ecr 1240183228,nop,wscale 8], length 0
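As an added example (my code, not from the original post), the following Python parses tcpdump lines of the form shown above and checks the rules this section describes: the SYN+ACK must acknowledge the client's ISN plus one, the final handshake ACK carries the relative number 1, each data segment covers [start, end) with end excluded and is acknowledged with ack == end, and a teardown consists of a FIN from each side followed by a bare ACK. The sample input is the capture above, copied verbatim (banner line included, to show it is skipped); the second connection at the end has only its SYN and SYN+ACK in the capture, so it is reported as an incomplete handshake. Because the client's FIN above carries an absolute sequence number while the earlier lines are relative, the checker stops sequence accounting at the first FIN and reconciles the FIN with expected_fin_seq instead. The Segment fields, function names and report keys are my own.

```python
"""Parse tcpdump's one-line TCP output and check handshake and sequence accounting."""
import re
from dataclasses import dataclass
from typing import Optional

# tcpdump flag letters -> TCP flag names; tcpdump prints the ACK bit as ".".
FLAG_NAMES = {"S": "SYN", "F": "FIN", "R": "RST", "P": "PSH", "U": "URG",
              "E": "ECE", "W": "CWR", ".": "ACK"}

LINE_RE = re.compile(
    r"^\d\d:\d\d:\d\d\.\d+ IP (?P<src>\S+) > (?P<dst>\S+): Flags \[(?P<flags>[^\]]*)\]"
    r"(?:, seq (?P<seq>\d+)(?::(?P<seq_end>\d+))?)?(?:, ack (?P<ack>\d+))?"
    r", win \d+(?:, options \[[^\]]*\])?, length (?P<length>\d+)$")

# Lines copied from the capture in the post; the banner shows that non-TCP lines are skipped.
SAMPLE = """\
listening on any, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes
20:24:51.342231 IP 10.100.64.26.49505 > 10.50.114.116.wap-wsp: Flags [S], seq 3647486953, win 14280, options [mss 1428,sackOK,TS val 1240102593 ecr 0,nop,wscale 8], length 0
20:24:51.373773 IP 10.50.114.116.wap-wsp > 10.100.64.26.49505: Flags [S.], seq 77175520, ack 3647486954, win 14480, options [mss 1460,sackOK,TS val 133441597 ecr 1240102593,nop,wscale 8], length 0
20:24:51.373790 IP 10.100.64.26.49505 > 10.50.114.116.wap-wsp: Flags [.], ack 1, win 56, options [nop,nop,TS val 1240102601 ecr 133441597], length 0
20:24:51.373811 IP 10.100.64.26.49505 > 10.50.114.116.wap-wsp: Flags [P.], seq 1:166, ack 1, win 56, options [nop,nop,TS val 1240102601 ecr 133441597], length 165
20:24:51.405313 IP 10.50.114.116.wap-wsp > 10.100.64.26.49505: Flags [.], ack 166, win 61, options [nop,nop,TS val 133441605 ecr 1240102601], length 0
20:24:51.405906 IP 10.50.114.116.wap-wsp > 10.100.64.26.49505: Flags [P.], seq 1:147, ack 166, win 61, options [nop,nop,TS val 133441605 ecr 1240102601], length 146
20:24:51.405923 IP 10.100.64.26.49505 > 10.50.114.116.wap-wsp: Flags [.], ack 147, win 60, options [nop,nop,TS val 1240102609 ecr 133441605], length 0
20:29:00.209639 IP 10.100.64.26.49505 > 10.50.114.116.wap-wsp: Flags [F.], seq 3647487119, ack 77175667, win 60, options [nop,nop,TS val 1240164810 ecr 133441605], length 0
20:29:00.241201 IP 10.50.114.116.wap-wsp > 10.100.64.26.49505: Flags [F.], seq 1, ack 1, win 61, options [nop,nop,TS val 133503812 ecr 1240164810], length 0
20:29:00.241212 IP 10.100.64.26.49505 > 10.50.114.116.wap-wsp: Flags [.], ack 2, win 60, options [nop,nop,TS val 1240164817 ecr 133503812], length 0
20:30:13.882430 IP 10.100.64.26.49695 > 10.50.114.116.wap-wsp: Flags [S], seq 3314501555, win 14280, options [mss 1428,sackOK,TS val 1240183228 ecr 0,nop,wscale 8], length 0
20:30:13.914539 IP 10.50.114.116.wap-wsp > 10.100.64.26.49695: Flags [S.], seq 3151585407, ack 3314501556, win 14480, options [mss 1460,sackOK,TS val 133522230 ecr 1240183228,nop,wscale 8], length 0
"""


@dataclass
class Segment:
    src: str
    dst: str
    flags: frozenset          # e.g. frozenset({"SYN", "ACK"})
    seq: Optional[int]        # start of [start, end), or the SYN/FIN number
    seq_end: Optional[int]
    ack: Optional[int]
    length: int               # payload bytes


def parse_line(line: str) -> Segment:
    """Turn one tcpdump line into a Segment; raise ValueError for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a tcpdump TCP line: {line!r}")
    flags = frozenset() if m["flags"] == "none" else frozenset(FLAG_NAMES[c] for c in m["flags"])
    num = lambda s: int(s) if s else None
    return Segment(m["src"], m["dst"], flags, num(m["seq"]), num(m["seq_end"]),
                   num(m["ack"]), int(m["length"]))


def expected_fin_seq(isn: int, payload_bytes: int) -> int:
    """The SYN takes one sequence number, then the payload; the FIN is the next number."""
    return isn + 1 + payload_bytes


def analyze_flow(segs: list) -> dict:
    """Check one connection's segments (capture order) against the rules in the text."""
    rep = {"handshake": False, "bytes": {}, "fins": [], "teardown": False, "errors": []}
    if not segs or segs[0].flags != {"SYN"}:
        rep["errors"].append("flow does not start with a SYN")
        return rep
    syn = segs[0]
    client, server = syn.src, syn.dst
    # Step 2: the SYN consumed one sequence number, so SYN+ACK must acknowledge ISN+1.
    if len(segs) < 2 or segs[1].flags != {"SYN", "ACK"} or segs[1].ack != syn.seq + 1:
        rep["errors"].append("no SYN+ACK acknowledging ISN+1")
        return rep
    # Step 3: plain ACK; from here tcpdump prints numbers relative to each ISN, so ack == 1.
    if len(segs) < 3 or segs[2].flags != {"ACK"} or segs[2].ack != 1:
        rep["errors"].append("handshake incomplete: no final ACK seen")
        return rep
    rep["handshake"] = True
    sent = {client: 0, server: 0}             # payload bytes seen so far, per direction
    for seg in segs[3:]:
        if "FIN" in seg.flags:
            rep["fins"].append(seg.src)
        elif not rep["fins"]:                 # data phase; teardown numbering is not checked
            if seg.length:                    # data covers [start, end), end excluded
                if seg.seq != 1 + sent[seg.src] or seg.seq_end != seg.seq + seg.length:
                    rep["errors"].append(f"{seg.src}: sequence gap at seq {seg.seq}")
                sent[seg.src] += seg.length
            if seg.ack is not None and seg.ack != 1 + sent[seg.dst]:
                rep["errors"].append(f"{seg.src}: ack {seg.ack}, expected {1 + sent[seg.dst]}")
    rep["bytes"] = sent
    # Four-way teardown: a FIN from each side, then a bare ACK as the last segment.
    rep["teardown"] = set(rep["fins"]) == {client, server} and segs[-1].flags == {"ACK"}
    return rep


def analyze_capture(lines) -> dict:
    """Group lines by endpoint pair (one flow per pair in this capture) and check each."""
    flows = {}
    for line in lines:
        try:
            seg = parse_line(line)
        except ValueError:
            continue                          # banner and non-TCP lines
        flows.setdefault(frozenset((seg.src, seg.dst)), []).append(seg)
    return {" <-> ".join(sorted(key)): analyze_flow(segs) for key, segs in flows.items()}
```

Calling analyze_capture(SAMPLE.splitlines()) reports the first connection as a complete handshake with 165 bytes sent by the client and 146 by the server, both FINs and a clean teardown, and the second connection as an incomplete handshake. The client's FIN sequence number 3647487119 equals expected_fin_seq(3647486953, 165), and its acknowledgement 77175667 equals expected_fin_seq(77175520, 146), which is how the relative ranges printed earlier in the capture line up with the absolute numbers on that line. Grouping flows by endpoint pair is enough for this capture; a production tool would key on the full four-tuple and handle port reuse.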