Category: System Operations

2012-05-07 12:00:18

Tool tcpdump

This text describes the TCP/IP protocol suite. In addition to describing the protocols and what they do, we also use tcpdump to watch the protocols in action; it is both a tool for diagnosing network problems and a tool for understanding how the network protocols operate.

To run tcpdump, you need superuser privileges (on Ubuntu). Run "sudo tcpdump" to listen on a network interface card. It listens on the first one by default, but you can use the -i option to specify a particular interface, e.g. "sudo tcpdump -i wlan0".

tcpdump operates by putting the network interface card into promiscuous mode so that every packet going across the wire is captured.


Layering

Networking protocols are normally developed in layers, with each layer responsible for a different facet of the communications. A protocol suite, such as TCP/IP, is the combination of different protocols at various layers. TCP/IP is normally considered to be a 4-layer system, as shown in the following figure.

The four layers of the TCP/IP protocol suite

Layer        Protocols
Application  Telnet, FTP, e-mail, etc.
Transport    TCP, UDP
Network      IP, ICMP, IGMP
Link         device driver and interface card

Each layer has a different responsibility.

1. The link layer, sometimes called the data-link layer or network interface layer, normally includes the device driver in the operating system and the corresponding network interface card in the computer. Together they handle the hardware details of physically interfacing with the cable (or whatever type of media is being used).

2. The network layer (sometimes called the internet layer) handles the movement of packets around the network. Routing of packets, for example, takes place here. IP (Internet Protocol), ICMP (Internet Control Message Protocol), and IGMP (Internet Group Management Protocol) provide the network layer in the TCP/IP protocol suite.

3. The transport layer provides a flow of data between two hosts, for the application layer above. In the TCP/IP protocol suite there are two vastly different transport protocols: TCP (Transmission Control Protocol) and UDP (User Datagram Protocol). TCP provides a reliable flow of data between hosts, while UDP just sends packets of data called datagrams from one host to the other.

4. The application layer handles the details of the particular application. There are many common TCP/IP applications that almost every implementation provides: Telnet for remote login, FTP (the File Transfer Protocol), SMTP (the Simple Mail Transfer Protocol) for electronic mail, SNMP (the Simple Network Management Protocol), and many more.

Each layer has one or more protocols for communicating with its peer at the same layer.

Normally the application layer is a user process while the lower three layers are usually implemented in the kernel (the operating system). Although this isn't a requirement, it's typical and this is the way it's done under Unix.

The application layer is concerned with the details of the application and not with the movement of data across the network. The lower three layers know nothing about the application but handle all the communication details.

TCP/IP protocol suite is a combination of many protocols, and TCP and IP are only two of the protocols. (An alternative name is the Internet Protocol Suite.)

A few stand-alone systems are collected together into a network, and multiple networks are combined together into an internetwork, or an internet.

The easiest way to build an internet is to connect two or more networks with a router. This is often a special-purpose hardware box for connecting networks, which provides connections to many different types of physical networks: Ethernet, token ring, point-to-point links, FDDI (Fiber Distributed Data Interface), and so on. Historically these boxes were called gateways. Today the term gateway is used for an application gateway: a process that connects two different protocol suites (say, TCP/IP and IBM's SNA) for one particular application (often electronic mail or file transfer).

The application layer and the transport layer use end-to-end protocols. These two layers are needed only on the end systems (the two hosts on either side). The network layer, however, provides a hop-by-hop protocol and is used on the two end systems and on every intermediate system (the routers in the middle).

In the TCP/IP protocol suite the network layer, IP, provides an unreliable service. That is, it does its best job of moving a packet from its source to its final destination, but there are no guarantees. TCP, on the other hand, provides a reliable transport layer using the unreliable service of IP. To provide this service, TCP performs timeout and retransmission, sends and receives end-to-end acknowledgments, and so on. The transport layer and the network layer have distinct responsibilities.

A router, by definition, has two or more network interface layers (since it connects two or more networks). Any system with multiple interfaces is called multihomed. A host can also be multihomed, but unless it specifically forwards packets from one interface to another, it is not called a router. Also, routers need not be special hardware boxes that only move packets around an internet. Most TCP/IP implementations allow a multihomed host to act as a router also, but the host needs to be specifically configured for this to happen. In this case we can call the system either a host (when an application such as FTP or Telnet is being used) or a router (when it's forwarding packets from one network to another).

Another way to connect networks is with a bridge. Bridges connect networks at the link layer, while routers connect networks at the network layer. Bridges make multiple LANs appear to the upper layers as a single LAN. TCP/IP internets tend to be built using routers instead of bridges.


TCP/IP Layering

TCP and UDP are the two predominant transport layer protocols. Both use IP as the network layer.

IP is the main protocol at the network layer. It is used by both TCP and UDP. An application accessing IP directly is rare, but possible.

ICMP is an adjunct to IP. It is used by the IP layer to exchange error messages and other vital information with the IP layer in another host or router. Although ICMP is used primarily by IP, it is possible for an application to also access it.

IGMP is the Internet Group Management Protocol. It is used with multicasting: sending a UDP datagram to multiple hosts. Broadcasting is sending a UDP datagram to every host on a specified network.

ARP (Address Resolution Protocol) and RARP (Reverse Address Resolution Protocol) are specialized protocols used only with certain types of network interfaces (such as Ethernet and token ring) to convert between the addresses used by the IP layer and the addresses used by the network interface.


Internet Addresses

Every interface on an internet must have a unique Internet address (also called an IP address). These addresses are 32-bit numbers. These 32-bit addresses are normally written as four decimal numbers, one for each byte of the address. This is called dotted-decimal notation.

There are five different classes of Internet addresses:

Class A  0.0.0.0   to 127.255.255.255
Class B  128.0.0.0 to 191.255.255.255
Class C  192.0.0.0 to 223.255.255.255
Class D  224.0.0.0 to 239.255.255.255
Class E  240.0.0.0 to 247.255.255.255

It is worth reiterating that a multihomed host will have multiple IP addresses: one per interface.

One central authority for allocating these addresses for networks connected to the worldwide Internet is the Internet Network Information Center, called the InterNIC.

There are three types of IP addresses: unicast (destined for a single host), broadcast (destined for all hosts on a given network), and multicast (destined for a set of hosts that belong to a multicast group).


The Domain Name System

Although the network interfaces on a host, and therefore the host itself, are known by IP addresses, humans work best using the name of a host. In the TCP/IP world the Domain Name System (DNS) is a distributed database that provides the mapping between IP addresses and hostnames.

For now we must be aware that any application can call a standard library function to look up the IP address (or addresses) corresponding to a given hostname. Similarly, a function is provided to do the reverse lookup: given an IP address, look up the corresponding hostname.


Encapsulation

When an application sends data using TCP, the data is sent down the protocol stack, through each layer, until it is sent as a stream of bits across the network. Each layer adds information to the data by prepending headers (and sometimes adding trailer information) to the data that it receives. The unit of data that TCP sends to IP is called a TCP segment. The unit of data that IP sends to the network interface is called an IP datagram. The stream of bits that flows across the Ethernet is called a frame.

A physical property of an Ethernet frame is that the size of its data must be between 46 and 1500 bytes.

UDP is almost the same. The only changes are that the unit of information that UDP passes to IP is called a UDP datagram, and the size of the UDP header is 8 bytes.

TCP, UDP, ICMP, and IGMP all send data to IP. IP must add some type of identifier to the IP header that it generates, to indicate the layer to which the data belongs. IP handles this by storing an 8-bit value in its header called the protocol field. A value of 1 is for ICMP, 2 is for IGMP, 6 indicates TCP, and 17 is for UDP.

Similarly, many different applications can be using TCP or UDP at any one time. The transport layer protocols store an identifier in the headers they generate to identify the application. Both TCP and UDP use 16-bit port numbers to identify applications. TCP and UDP store the source port number and the destination port number in their respective headers.

The network interface sends and receives frames on behalf of IP, ARP, and RARP. There must be some form of identification in the Ethernet header indicating which network layer protocol generated the data. To handle this there is a 16-bit frame type field in the Ethernet header.


Demultiplexing

When an Ethernet frame is received at the destination host it starts its way up the protocol stack and all the headers are removed by the appropriate protocol box. Each protocol box looks at certain identifiers in its header to determine which box in the next upper layer receives the data. This is called demultiplexing.

ICMP and IGMP are at the same layer as IP, because they really are adjuncts to IP. However, they are encapsulated in IP datagrams.

ARP and RARP are above the Ethernet device driver because they both have their own Ethernet frame types, like IP datagrams. But ARP is logically a part of the Ethernet device driver, beneath IP.
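The encapsulation and demultiplexing described above, as an added example that is not part of the original post: application data is wrapped in a UDP or TCP header, an IP header (with the protocol field and a real header checksum), and an Ethernet header (frame type 0x0800 for IP, data padded to the 46-byte minimum), then the receiving side walks the headers back up using exactly those identifiers. Addresses and MACs are constructed sample values.

```python
import socket
import struct

ETHERTYPE_IP = 0x0800                     # 16-bit Ethernet frame type for IP datagrams
IPPROTO = {1: "ICMP", 2: "IGMP", 6: "TCP", 17: "UDP"}  # 8-bit IP protocol field
MIN_ETH_DATA = 46                         # Ethernet data field must be 46..1500 bytes

def ip_checksum(hdr: bytes) -> int:
    """One's-complement sum of the header's 16-bit words (standard IP header checksum)."""
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def encapsulate(payload, proto, sport, dport, src_ip, dst_ip, src_mac, dst_mac):
    """Application data -> UDP datagram / TCP segment -> IP datagram -> Ethernet frame."""
    if proto == 17:    # UDP header is 8 bytes: ports, length, checksum (0 = not computed)
        seg = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    elif proto == 6:   # minimal 20-byte TCP header, no options: data offset 5, flags PSH|ACK
        seg = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0) + payload
    else:
        raise ValueError("only TCP (6) and UDP (17) are built here")
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(seg), 0, 0, 64, proto, 0,
                      socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]   # fill checksum field
    datagram = hdr + seg
    datagram += b"\x00" * max(0, MIN_ETH_DATA - len(datagram))        # pad short frames
    return dst_mac + src_mac + struct.pack("!H", ETHERTYPE_IP) + datagram

def demultiplex(frame):
    """Walk back up the stack: frame type -> protocol field -> port number."""
    frame_type, = struct.unpack("!H", frame[12:14])
    if frame_type != ETHERTYPE_IP:          # ARP/RARP have their own frame types; not handled here
        return {"layer": "link", "frame_type": frame_type}
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip_checksum(ip[:ihl]) != 0:          # a correct header sums to zero with its checksum included
        return {"layer": "network", "error": "bad IP header checksum"}
    total_len, = struct.unpack("!H", ip[2:4])
    proto = ip[9]
    seg = ip[ihl:total_len]                 # total length drops the Ethernet padding
    if proto not in (6, 17):                # ICMP/IGMP stay inside the IP box
        return {"layer": "network", "protocol": IPPROTO.get(proto, proto)}
    sport, dport = struct.unpack("!HH", seg[:4])
    hdr_len = 8 if proto == 17 else (seg[12] >> 4) * 4
    return {"layer": "transport", "protocol": IPPROTO[proto], "src": socket.inet_ntoa(ip[12:16]),
            "dst": socket.inet_ntoa(ip[16:20]), "src_port": sport, "dst_port": dport,
            "data": seg[hdr_len:]}
```

A receiver that skips the checksum step, or trusts the Ethernet length instead of the IP total length, would hand padding bytes or a corrupted header up the stack; both checks are what keeps the demultiplexing honest.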


Client-Server Model

Most networking applications are written assuming one side is the client and the other the server. The server provides some defined service for clients. We can categorize servers into two classes: iterative and concurrent.

An iterative server iterates through the following steps:

I1. Wait for a client request to arrive.

I2. Process the client request.

I3. Send the response back to the client that sent the request.

I4. Go back to step I1.


A concurrent server, on the other hand, performs the following steps:

C1. Wait for a client request to arrive.

C2. Start a new server to handle this client's request. This may involve creating a new process, task or thread, depending on what the underlying operating system supports. How this step is performed depends on the operating system.

C3. Go back to step C1.


As a general rule, TCP servers are concurrent, and UDP servers are iterative, but there are a few exceptions.


Port Numbers

Servers are normally known by their well-known port number. For example, every TCP/IP implementation that provides an FTP server provides that service on TCP port 21. Every Telnet server is on TCP port 23. Every implementation of TFTP (the Trivial File Transfer Protocol) is on UDP port 69. Those services that can be provided by any implementation of TCP/IP have well-known port numbers between 1 and 1023. The well-known ports are managed by the Internet Assigned Numbers Authority (IANA).

A client usually doesn't care what port number it uses on its end. All it needs to be certain of is that whatever port number it uses be unique on its host. Client port numbers are called ephemeral ports (i.e., short lived).

Most TCP/IP implementations allocate ephemeral port numbers between 1024 and 5000. The port numbers above 5000 are intended for other servers (those that aren't well known across the Internet).

The well-known port numbers are contained in the file /etc/services on most Unix systems.

Unix systems have the concept of reserved ports. Only a process with superuser privileges can assign itself a reserved port. These port numbers are in the range of 1 to 1023, and are used by some applications, as part of the authentication between the client and server.
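The iterative and concurrent server loops (steps I1-I4 and C1-C3 above) and the ephemeral client ports, as an added example that is not part of the original post: an iterative UDP echo server, a concurrent TCP echo server that starts a thread per connection, and clients on the loopback interface. The servers bind to port 0 so the kernel picks free ports, since the real echo port 7 is a reserved port that needs superuser privileges.

```python
import socket
import threading

def iterative_udp_echo(sock, requests):
    """Steps I1-I4: one request at a time, no new task per client."""
    for _ in range(requests):
        data, client = sock.recvfrom(2048)      # I1 wait for a request
        sock.sendto(data, client)               # I2 process (echo) and I3 reply, then I4 loop

def concurrent_tcp_echo(listener, clients):
    """Steps C1-C3: accept, hand the connection to a new thread, go straight back to accept()."""
    def serve(conn):
        with conn:
            while True:
                data = conn.recv(2048)
                if not data:
                    return
                conn.sendall(data)
    for _ in range(clients):
        conn, _ = listener.accept()                                          # C1
        threading.Thread(target=serve, args=(conn,), daemon=True).start()    # C2, then C3

def start_servers(udp_requests=2, tcp_clients=2):
    """Port 0 lets the kernel pick free ports; binding the real echo port 7 needs superuser."""
    udp = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    udp.bind(("127.0.0.1", 0))
    tcp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tcp.bind(("127.0.0.1", 0))
    tcp.listen(5)
    threading.Thread(target=iterative_udp_echo, args=(udp, udp_requests), daemon=True).start()
    threading.Thread(target=concurrent_tcp_echo, args=(tcp, tcp_clients), daemon=True).start()
    return udp.getsockname()[1], tcp.getsockname()[1]

def udp_client(port, msg):
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(2)
        s.sendto(msg, ("127.0.0.1", port))
        return s.recvfrom(2048)[0], s.getsockname()[1]   # reply, and the client's ephemeral port

def tcp_clients_overlapping(port):
    """Two TCP clients at once: the second is served while the first connection is still open."""
    first = socket.create_connection(("127.0.0.1", port), timeout=2)
    try:
        with socket.create_connection(("127.0.0.1", port), timeout=2) as second:
            second.sendall(b"second")
            second_reply = second.recv(2048)
        first.sendall(b"first")                  # only now does the first client talk
        return first.recv(2048), second_reply
    finally:
        first.close()
```

With an iterative TCP server in place of the concurrent one, the second client would block until the first connection closed, which is the behaviour the C2 step is there to avoid.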


Standardization Process

Four groups control the TCP/IP protocol suite, approve new standards, and the like: the Internet Society (ISOC), the Internet Architecture Board (IAB), the Internet Engineering Task Force (IETF), and the Internet Research Task Force (IRTF).


RFCs

All the official standards in the internet community are published as a Request for Comment, or RFC.

There are a few important RFCs.

1. The Assigned Numbers RFC specifies all the magic numbers and constants that are used in the Internet protocols.

2. The Internet Official Protocol Standards RFC specifies the state of standardization of the various Internet protocols.

3. The Host Requirements RFCs, 1122 and 1123. RFC 1122 handles the link layer, network layer, and transport layer, while RFC 1123 handles the application layer.

4. The Router Requirements RFC is similar to the Host Requirements RFCs, but specifies the unique requirements of routers.


Standard, Simple Services

There are a few standard, simple services that almost every implementation provides. 

Name     TCP port  UDP port  RFC  Description
echo     7         7         862  Server returns whatever the client sends.
discard  9         9         863  Server discards whatever the client sends.
daytime  13        13        867  Server returns the time and date in a human-readable format.
chargen  19        19        864  TCP server sends a continual stream of characters, until the connection is terminated by the client. UDP server sends a datagram containing a random number of characters each time the client sends a datagram.
time     37        37        868  Server returns the time as a 32-bit binary number. This number represents the number of seconds since midnight January 1, 1900, UTC.

The Internet

The word internet means different things depending on whether it's capitalized or not. The lowercase internet means multiple networks connected together, using a common protocol suite. The uppercase Internet refers to the collection of hosts (over one million) around the world that can communicate with each other using TCP/IP. While the Internet is an internet, the reverse is not true.

Implementations

The de facto standard for TCP/IP implementations is the one from the Computer Systems Research Group at the University of California at Berkeley. Historically this has been distributed with the 4.x BSD system (Berkeley Software Distribution), and with the "BSD Networking Releases." This source code has been the starting point for many other implementations.

Application Programming Interfaces

Two popular application programming interfaces (APIs) for applications using the TCP/IP protocols are called sockets and TLI (Transport Layer Interface). The former is sometimes called "Berkeley sockets," indicating where it was originally developed. The latter, originally developed by AT&T, is sometimes called XTI (X/Open Transport Interface), recognizing the work done by X/Open, an international group of computer vendors that produce their own set of standards. XTI is effectively a superset of TLI.
