TCP/IP数据包格式样例及解析
原创
1. TCP/IP协议栈
TCP/IP协议栈
+------+ +-----+ +-----+ +-----+
|Telnet| | FTP | | TFTP| ... | ... |
+------+ +-----+ +-----+ +-----+
| | | |
+-----+ +-----+ +-----+
| TCP | | UDP | ... | ... |
+-----+ +-----+ +-----+
| | |
+--------------------------+----+
| Internet Protocol & ICMP |
+--------------------------+----+
|
+---------------------------+
| Local Network Protocol |
+---------------------------+
Protocol Relationships
Figure 1. from https://tools.ietf.org/html/rfc7912. IP报头
标准草案: RFC 791, https://tools.ietf.org/html/rfc791
长度:标准(20 字节)+选项扩展
报文header格式:
A summary of the contents of the internet header follows:
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|Version| IHL |Type of Service| Total Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Identification |Flags| Fragment Offset |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Time to Live | Protocol | Header Checksum |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Source Address |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Destination Address |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Options | Padding |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Example Internet Datagram Header
From https://tools.ietf.org/html/rfc791报文header样例(from tcpdump):
0x0000: 4500 0034 ce1e 4000 4006 7300 ac14 50f0 E..4..@.@.s...P.
0x0010: ac14 508c ..P.基本都是0x4500开头,表示IPv4, IP header长度为20字节,普通服务类型。
以下对各个字段进行说明。
-1. Version版本:4 bits,0100,4,表示IPv4。0x4
-2. IHL: 4 bits,标识Internet Header Length, 单位为32 bits。最小值为5. 表示5x32bits, 即20x8bits,20字节。最大值为15,表示ip header为15x32bits,即60字节。 0x5.
-3. Type of Service: 8 bits,标识服务类型,也就是Qos,不同值表示的服务类型可参考rfc,一般为0. 0x00. 在融发NTP服务器上,NTP报文(UDP),0xc0和0x00两种。
Bits 0-2: Precedence.
Bit 3: 0 = Normal Delay, 1 = Low Delay.
Bits 4: 0 = Normal Throughput, 1 = High Throughput.
Bits 5: 0 = Normal Relibility, 1 = High Relibility.
Bit 6-7: Reserved for Future Use.
0 1 2 3 4 5 6 7
+-----+-----+-----+-----+-----+-----+-----+-----+
| | | | | | |
| PRECEDENCE | D | T | R | 0 | 0 |
| | | | | | |
+-----+-----+-----+-----+-----+-----+-----+-----+
Precedence
111 - Network Control
110 - Internetwork Control
101 - CRITIC/ECP
100 - Flash Override
011 - Flash
010 - Immediate
001 - Priority
000 - Routine
-4. Total Length: 2字节,标识IP报文长度,单位为字节,包括header和data。最大65535, 64KB。所有实现IP协议的主机,必须实现支持576字节以下的IP报文。Internet报文的header最大可以是64字节,留给数据的空间为512字节。 0x0034.
-5. Identification: 16 bits, 发送方填写,辅助标识报文gragment。0xce1e.
-6. Flags: 3 bits, 标识是否分片。一般为010, 与下面Fragment Offset组成分片标识。加上Offset字段,一共占16 bits,2字节。一般为0x4000.
Bit 0: reserved, must be zero
Bit 1: (DF) 0 = May Fragment, 1 = Don't Fragment.
Bit 2: (MF) 0 = Last Fragment, 1 = More Fragments.-7. Fragment Offset: 13 bits, 标识分片偏移量, 单位为64 bits,也就是如果值为1,那么offset为64 bits。一般为0000000000000.
The fragment offset is measured in units of 8 octets (64 bits). The first fragment has offset zero.
-8. Time to Live: 8 bits, 标识TTL,一旦TTL值为0,那么这个包就必须丢弃, 初始值由发送方设置,这里为64(十进制), 0x40(十六进制)。
-9. Protocol: 8 bits, 标识传输层协议。每个值对应的传输层协议见:https://tools.ietf.org/html/rfc790。还是很多的,但是和融发相关的也就ICMP, TCP, UDP。ICMP为0x01, TCP为0x06, UDP为0x21。其他的可参考rfc。这里为0x06。
In the Internet Protocol (IP) [33] there is a field, called Protocol,
to identify the the next level protocol. This is an 8 bit field.
Assigned Internet Protocol Numbers
Decimal Octal Protocol Numbers References
------- ----- ---------------- ----------
0 0 Reserved [JBP]
1 1 ICMP [53,JBP]
2 2 Unassigned [JBP]
5 5 ST [20,JWF]
6 6 TCP [34,JBP]
7 7 UCL [PK]
9 11 Secure [VGC]
17 21 User Datagram [42,JBP]-10. Header Checksum: 16 bits,header校验值。这里为0x7300. 校验算法如下:
The checksum algorithm is:
The checksum field is the 16 bit one's complement of the one's
complement sum of all 16 bit words in the header. For purposes of
computing the checksum, the value of the checksum field is zero.-11. Source Address: 32 bits. 源地址 0xac1450f0.
-12. Destination Address: 32 bits. 目标地址 0xac14508c.
3. TCP报头
标准草案: RFC 793, https://tools.ietf.org/html/rfc793
长度:标准(20字节)+扩展选项
报文header格式:
TCP Header Format
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Source Port | Destination Port |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Sequence Number |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Acknowledgment Number |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Data | |U|A|P|R|S|F| |
| Offset| Reserved |R|C|S|S|Y|I| Window |
| | |G|K|H|T|N|N| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Checksum | Urgent Pointer |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Options | Padding |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| data |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
TCP Header Format
Note that one tick mark represents one bit position.
From https://tools.ietf.org/html/rfc793报文header样例(from tcpdump)(关注1,2,7,8就行了,3,4,5,6为序号):
0x0010: 4918 4a38 5186 6431 4017 8e13 ..P.I.J8Q.d1@...
0x0020: 5010 001d 9fb5 0000 P............. -1. Source Port: 16 bits. 标识源端口,0x4918
-2. Destination Port: 16 bits. 标识目的端口,0x4a38, 十进制为19000, codis proxy
-3. Sequence Number: 32 bits. 标识TCP序号,0x51866431
-4. Acknowledgment Number: 32 bits. 标识TCP Ack序列号,0x40178e13
-5. Data Offset: 4 bits. 标识TCP header偏移量,单位为32 bits。也就是如果值为1,那么offset为32 bits。一般为0x5,5x32bits,即20字节。
-6. Reserved: 6 bits,标识保留字段。留0.
-7. Control Bits: 6 bits (from left to right),标识TCP控制比特。和Reserved加一起,可以凑一个字节,用0x十六进制表示,0x10,ACK。
URG: Urgent Pointer field significant, 0x20
ACK: Acknowledgment field significant, 0x10
PSH: Push Function, 0x08
RST: Reset the connection, 0x04
SYN: Synchronize sequence numbers, 0x02
FIN: No more data from sender, 0x01-8. Window: 16 bits, 标识TCP通告窗口大小,单位为字节。0x001d. 29.
-9. Checksum: 16 bits, 标识校验码。校验算法见RFC。0x9fb5.
-10. Urgent Pointer: 16 bits, 标识紧急指针。0x0000.
其他选项很少用到,不再解释说明,见RFC。
4. UDP报头
标准草案: RFC 768, https://tools.ietf.org/html/rfc768 (这个RFC也就2页,协议太简单了)
长度:8字节,没有扩展选项,就是8字节。
报文header格式:
0 7 8 15 16 23 24 31
+--------+--------+--------+--------+
| Source | Destination |
| Port | Port |
+--------+--------+--------+--------+
| | |
| Length | Checksum |
+--------+--------+--------+--------+
|
| data octets ...
+---------------- ...
User Datagram Header Format
From https://tools.ietf.org/html/rfc768报文header样例:
NTP时钟同步使用了udp port 123。完整报文(header和data):
NTPv3, Server, length 48
0x0000: 45c0 004c 0000 4000 4011 e489 ac15 5fc8 E..L..@.@....._.
0x0010: ac16 9d63 007b 04ce 0038 55a1 1c03 04e9 ...c.{...8U.....
0x0020: 0000 47f4 0000 2f4b ca7b 6a66 e0b0 ae5d ..G.../K.{jf...]
0x0030: f6ae be33 e0b0 b168 4287 d2c7 e0b0 b168 ...3...hB......h
0x0040: 4247 adda e0b0 b168 424b 3377 BG.....hBK3wUDP header部分为:
0x0010: 007b 04ce 0038 55a1 .c.{...8-1. Source Port: 16 bits, 最大值65535。 0x007b. 即,123.
-2. Destination Port: 16 bits, 最大值65535。 0x04ce. 即 1230.
-3. Length: 16 bits, 包括header和data, 单位为字节,最大值 65535. 0x0038. 即56字节.
-4. Checksum: 16 bits.
原创声明:本文系作者授权腾讯云开发者社区发表,未经许可,不得转载。
如有侵权,请联系 cloudcommunity@tencent.com 删除。
原创声明:本文系作者授权腾讯云开发者社区发表,未经许可,不得转载。
如有侵权,请联系 cloudcommunity@tencent.com 删除。
评论
登录后参与评论
推荐阅读
目录
腾讯云开发者
Copyright © 2013 - 2026 Tencent Cloud. All Rights Reserved. 腾讯云 版权所有
深圳市腾讯计算机系统有限公司 ICP备案/许可证号:粤B2-20090059 
粤公网安备44030502008569号
腾讯云计算(北京)有限责任公司 京ICP证150476号 | 京ICP备11018762号