Network Packet Traffic Analysis and Monitoring
– DHCP Server
DHCP ACK
• Broadcast or Unicast( )
DHCP Server
Discover / Offer / Request / ACK
DHCP Client Server IP
DHCP (3/3)
4 Telnet
Telnet (1/2)
Cisco Router 192.168.1.254
Port Port
3 Network Monitor
Ethernet frame layout (field widths): P 8B | DA 6B | SA 6B | T/L 2B | Data 46 – 1500B | FCS
– Microsoft
– SMS
• Snort
– Unix Microsoft
IDS
– Shareware
• Ethereal
– Unix Microsoft
– Shareware
• SnifferPro
• MRTG
– SNMP
• NetFlow
– Cisco
– session
– (IOS)
Juniper Enterasys Extreme …
• TCP/IP
– IP
– ICMP
• Echo Reply & Request (Type 0 & 8)
• Destination Unreachable (Type 3)
• Source Quench (Type 4)
• Redirect (Type 5)
– IGMP
– ARP
(Broadcast Domain)
– Port Address
– IP Address
– MAC Address
(Collision Domain) figure: Layer 1 or Layer 2 HUB with Printer, File Server and PC Workstations attached
• ARP cache IP MAC
Ping
– Host 2 ARP request
– Host 1 Host 2 IP MAC
ARP cache
– Host 1 Host 2
ARP reply
– Host 2 Host 1 IP MAC
ARP cache
– Host 2 ICMP echo
•
– Host 1
192.168.0.104
HTTPS or IP Sec
Telnet
ARP
TCP
Telnet
192.168.1.1
Telnet (2/2)
4 TFTP (UDP)
TFTP (1/2)
TFTP
Cisco Router 192.168.1.254 MAC:00-00-0c-42-42-73
ARP ( ) TFTP
(running-config)
TFTP 192.168.1.1 MAC:00-11-2f-df-ab-18
– TCP/IP
• (Encapsulation)
MAC address IP address
Port address
• TCP/IP
– TCP Port: 20+21, 23, 25, 80, 110, 119, 389, 443, 3389…
– UDP Port: 53, 69, 161, 162…
• HUB vs. Switch VLAN
• Proxy Server HSRP (Hot Standby Routing Protocol) MHSRP
(ICMP, Broadcast Storm)
1
• OSI 7 Layers
TFTP (2/2)
4 Web Mail (HTTP)
Web Mail (1/3)
Web Mail (2/3)
HTTPS
Web Mail (3/3)
Default Gateway 192.168.2.254
PC home 210.59.230.60
DNS HTTP Post Request
uid: loneliness pass: 524779
(Broadcast Domain) figure: Layer 2 or Layer 3 Switch (VLANs, Span Port) with Laptop, Printer, File Server and PC Workstations attached
ARP, ICMP(
C01-201
1
– 1970 TCP/IP
– 1980
– 1988 Novell 286
– SAP
• ARC Net Ethernet (10Mbps)
– 1996 Doom
TCP/IP
• TCP/IP
• TCP/IP
(IPv4)
(Port)
HTTP
4B
3 Network Monitor (1/2)
– Client to Server
(Proxy, Firewall) …
DHCP, DNS, DC…
– Server to Server
(MAC) (IP)
– (Broadcast Storm)
Host 2
MAC: 00-11-2F-DF-A9-C2
IP : 192.168.1.2 / 24
• Ping
– Host 2 Ping 192.168.1.1
Host 1
Ping (2/3)
• ICMP
– Host 2
Ping 192.168.1.1
– Host 2
ARP cache
– Bits Frame Packet Segment
Timeline (figure): ARPANET commissioned by DOD 1969; Telnet 1972; FTP 1973; TCP 1974; IP 1981; TCP/IP Protocol Suite 1982; DNS 1984
• (Addressing)
• (Payload)
•
– Message =
– Segment =
– Packet =
– Frame =
– Bits =
01
(Head)
P DA SA T/l IP TCP Data FCS
1
• (Win. vs. Unix like)
– (Collision Domain)
), DNS, HTTP, RIP…
2
• (Router Switch)
•
– Network Monitor
– SnifferPro
– Snort
– Ethereal
– MRTG
– NetFlow
•
– MRTG
– NetFlow
• Network Monitor
(NIC) vs. (Looping, NLB, Backup Cable) vs.
ICMP
4 Ping (ARP & ICMP)
Ping (1/3)
• Ping
Host 1
MAC: 00-11-2F-DF-A7-F6
IP : 192.168.1.1 / 24
ICMP reply
Ping (3/3)
4 DHCP (Broadcast)
DHCP (1/3)
Non-DHCP Client
IP Address 1
DHCP Client Server IP
IP Address 2
DHCP Client Server IP
DHCP Database: IP Address1, IP Address2, IP Address3 (DHCP Server)
DHCP (2/3)
• DHCP Client Server IP
– DHCP Client
DHCP Discover
• Broadcast
– DHCP Server
DHCP Offer
• Broadcast
– DHCP Client
DHCP Request
• Broadcast or Unicast( )