wireshark抓包分析TCP和UDP_ipv4数据包分析

大家好，又见面了，我是你们的朋友全栈君。如果您正在找激活码,请点击查看最新教程,关注关注公众号 “全栈程序员社区” 获取激活教程,可能之前旧版本教程已经失效.最新Idea2022.1教程亲测有效,一键激活。

Jetbrains全家桶1年46，售后保障稳定

在命令行输入ifconfig，查看本机网络接口。

$ ifconfig enp4s0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500        ether c8:5b:76:f6:44:d2  txqueuelen 1000  (Ethernet)        RX packets 0  bytes 0 (0.0 B)        RX errors 0  dropped 0  overruns 0  frame 0        TX packets 0  bytes 0 (0.0 B)        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536        inet 127.0.0.1  netmask 255.0.0.0        inet6 ::1  prefixlen 128  scopeid 0x10<host>        loop  txqueuelen 1000  (Local Loopback)        RX packets 391  bytes 61933 (60.4 KiB)        RX errors 0  dropped 0  overruns 0  frame 0        TX packets 391  bytes 61933 (60.4 KiB)        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
virbr0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500        inet 192.168.122.1  netmask 255.255.255.0  broadcast 192.168.122.255        ether 52:54:00:a7:e6:9c  txqueuelen 1000  (Ethernet)        RX packets 31  bytes 3291 (3.2 KiB)        RX errors 0  dropped 0  overruns 0  frame 0        TX packets 18  bytes 2571 (2.5 KiB)        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
vnet0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500        inet6 fe80::fc54:ff:fe15:2983  prefixlen 64  scopeid 0x20<link>        ether fe:54:00:15:29:83  txqueuelen 1000  (Ethernet)        RX packets 31  bytes 3725 (3.6 KiB)        RX errors 0  dropped 0  overruns 0  frame 0        TX packets 39  bytes 4941 (4.8 KiB)        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
wlp5s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500        inet 10.1.1.64  netmask 255.255.255.0  broadcast 10.1.1.255        inet6 fe80::40df:807c:eb38:8b78  prefixlen 64  scopeid 0x20<link>        ether a8:6b:ad:54:d5:3d  txqueuelen 1000  (Ethernet)        RX packets 10965  bytes 11639278 (11.1 MiB)        RX errors 0  dropped 0  overruns 0  frame 0        TX packets 3369  bytes 513997 (501.9 KiB)        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

Jetbrains全家桶1年46，售后保障稳定

运行一段Java代码，往内网ip192.168.122.217发送UDP数据

package UDPtest;
import java.io.IOException;import java.net.*;
public class UDPTestClient {
  
      private static final int PORT = 8800;    private static final String HOSTNAME = "192.168.122.217";
    public static void main(String[] args){
  
          try (DatagramSocket ds = new DatagramSocket(8801)){
  
              /**             * 这里是发送数据到服务端             */            //这里定义地址信息             InetAddress id = InetAddress.getByName(HOSTNAME);            //要发送的数据            byte[] buffer = "这里是客户端发送的数据".getBytes();            //将数据打包成udp数据包            DatagramPacket dp = new DatagramPacket(buffer, buffer.length,id,PORT);            //发送数据包            ds.send(dp);
            /**             * 这里是从服务端接收数据             */            byte[] data2 = new byte[1024];            DatagramPacket packet2 = new DatagramPacket(data2,data2.length);            ds.receive(packet2);            String info = new String(data2,0,packet2.getLength());            System.out.println("我是客户端 从服务端收到的数据 info = " + info);        } catch (IOException e) {
  
              e.printStackTrace();        }    }}

 在所有列出的网卡中找到正在运行的网卡，即flags=4163<UP,BROADCAST,RUNNING,MULTICAST>有RUNNING字段的网卡。这里有lo，wlp5s0，vnet0，显然lo是本地回环接口，vnet0才是我们要找到的网卡。

    回到wireshark，双击vnet0，开始监听。执行UDPTestClient类，找到发送的数据包。

    其中Source 10.1.1.64->Destination 192.168.122.217就是我们发送的数据包。双击查看数据包详细信息。

第一个目录下的Interface看到是无线网卡接口

Interface id: 0 (vnet0)
  Interface name: vnet0

第二个目录，以太网口

Ethernet II, Src: HonHaiPr_54:d5:3d (a8:6b:ad:54:d5:3d), Dst: Tp-LinkT_06:67:7d (74:05:a5:06:67:7d)
  Destination: Tp-LinkT_06:67:7d (74:05:a5:06:67:7d)
      Address: Tp-LinkT_06:67:7d (74:05:a5:06:67:7d)
      .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
      .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
  Source: HonHaiPr_54:d5:3d (a8:6b:ad:54:d5:3d)
      Address: HonHaiPr_54:d5:3d (a8:6b:ad:54:d5:3d)
      .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
      .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
  Type: IPv4 (0x0800)

Src代表源设备，Dst指目的设备，这里是从 HonHaiPr_54:d5:3d的MAC地址发送到Tp-LinkT_06:67:7d 路由器的MAC地址。

第三个目录Internet Protocol Version 4, Src: 10.1.1.64, Dst: 192.168.122.217下的目录Destination GeoIP: CN

[Destination GeoIP: CN]
  [Destination GeoIP Country: China]
  [Source or Destination GeoIP Country: China]
  [Destination GeoIP ISO Two Letter Country Code: CN]
  [Source or Destination GeoIP ISO Two Letter Country Code: CN]
  [Destination GeoIP Latitude: 34.7725]
  [Source or Destination GeoIP Latitude: 34.7725]
  [Destination GeoIP Longitude: 113.7266]
  [Source or Destination GeoIP Longitude: 113.7266]

GeoIP是基于IP查询地理位置。

找到UDP首部目录User Datagram Protocol, Src Port: 8801, Dst Port: 8800

User Datagram Protocol, Src Port: 8801, Dst Port: 8800
  Source Port: 8801
  Destination Port: 8800
  Length: 41
  Checksum: 0x16bc incorrect, should be 0x7c26 (maybe caused by "UDP checksum offload"?)
      [Expert Info (Error/Checksum): Bad checksum [should be 0x7c26]]
          [Bad checksum [should be 0x7c26]]
          [Severity level: Error]
          [Group: Checksum]
      [Calculated Checksum: 0x7c26]
  [Checksum Status: Bad]
  [Stream index: 0]

依次看到RFC 768定义的UDP首部，Source Port、Destination Port、Length、Checksum的信息。可以看到checksum错误，获取的包的checksum与计算出来的checksum不一致。这是因为有些路由器会参与checksum的计算，但上层协议栈并不知情，所以二者算出的checksum值不一样。

检验和计算可能由网络网络驱动，协议驱动，甚至是硬件完成。高层校验通常是由协议执行，并将完成后的包转交给硬件。比较新的网络硬件可以执行一些高级功能，如IP检验和计算，这被称为checksum offloading。网络驱动不会计算校验和，只是简单将校验和字段留空或填入无效信息，交给硬件计算。

注：本文为小yip原创，未经许可不得在任何平台转载。如需转载，与作者联系~

欢迎加入linux交流群：734638086，分享工作经验。

关注微信公众号：技术训练营（微信ID：TechBootcamp），获取更多资讯～

微信扫一扫，发现更精彩。