Exploration of DNS, HTTP, ICMP and shifen

Hello friends, in this section I will walk through the ICMP protocol and the protocols involved when curl accesses an HTTP website.

ARP protocol supplement

Let me first add some information about the ARP protocol mentioned above.

 80 35.374000 VMware_c0:00:08 VMware_5b:db:1a ARP 42 Who has 192.168.200.128? Tell 192.168.200.1
 81 35.374560 VMware_5b:db:1a VMware_c0:00:08 ARP 42 192.168.200.128 is at 00:0c:29:5b:db:1a

A MAC address is 6 bytes: the first three identify the manufacturer, and the last three are the serial number.

ICMP Protocol

Internet Control Message Protocol. Triggered when pinging.

Here, ping 192.168.2.187 (host address) directly on the virtual machine

 14 8.900476 192.168.200.128 192.168.2.187 ICMP 98 Echo (ping) request id=0x0904, seq=1/256, ttl=64 (reply in 15)
 15 8.900943 192.168.2.187 192.168.200.128 ICMP 98 Echo (ping) reply id=0x0904, seq=1/256, ttl=128 (request in 14)

It can be seen that when a ping request is made, the type of the message is 8, which means Echo (ping) request.

In the reply, the type is 0, which means Echo (ping) reply.
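The type 8 / type 0 pair can be reproduced in code. This is an added example, not part of the original post: it builds the two echo messages, verifies the RFC 1071 checksum, and pairs a reply with its request. The id and seq come from packets 14 and 15; the 56-byte payload is constructed.

```python
import struct

ICMP_ECHO_REPLY, ICMP_ECHO_REQUEST = 0, 8  # the two type values seen in the capture

def inet_checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum: one's-complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_echo(icmp_type: int, ident: int, seq: int, payload: bytes) -> bytes:
    """Build an ICMP echo message: type, code=0, checksum, id, seq, payload."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = inet_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload

def parse_echo(message: bytes) -> dict:
    """Decode an ICMP echo message and verify its checksum."""
    icmp_type, _code, _csum, ident, seq = struct.unpack("!BBHHH", message[:8])
    names = {ICMP_ECHO_REQUEST: "Echo (ping) request", ICMP_ECHO_REPLY: "Echo (ping) reply"}
    return {
        "type": icmp_type,
        "name": names.get(icmp_type, "other"),
        "id": ident,
        "seq": seq,
        "checksum_ok": inet_checksum(message) == 0,  # a valid message sums to zero
        "payload": message[8:],
    }

def matches(request: dict, reply: dict) -> bool:
    """A reply answers a request when id, seq and payload are all echoed back."""
    return (request["type"] == ICMP_ECHO_REQUEST and reply["type"] == ICMP_ECHO_REPLY
            and (request["id"], request["seq"], request["payload"])
            == (reply["id"], reply["seq"], reply["payload"]))

# Constructed sample: id and seq copied from packets 14/15, payload bytes are made up.
PAYLOAD = bytes(range(56))
REQUEST = build_echo(ICMP_ECHO_REQUEST, 0x0904, 1, PAYLOAD)
REPLY = build_echo(ICMP_ECHO_REPLY, 0x0904, 1, PAYLOAD)

if __name__ == "__main__":
    print(parse_echo(REQUEST)["name"], "/", parse_echo(REPLY)["name"])
```

The 64-byte ICMP message plus a 20-byte IPv4 header and a 14-byte Ethernet header gives the 98-byte frame length shown in the capture.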

DNS protocol

Domain Name System.

 curl www.baidu.com

When visiting Baidu, the first step is the domain name resolution.

The captured packets are as follows 👇

Looking at packet 21, we can see that DNS is based on UDP (User Datagram Protocol).

Its query type is A, which requests an IPv4 address.

Packet 22 has type AAAA, which requests the IPv6 address.

 21 14.648767 192.168.200.128 192.168.200.2 DNS 73 Standard query 0x7abe A www.baidu.com
 22 14.648817 192.168.200.128 192.168.200.2 DNS 73 Standard query 0xffc7 AAAA www.baidu.com

When I built a blog before, there was a domain name resolution step, and I also had to configure this A record (I only realized it later~)

Let’s take a look at the response data 👇

 24 14.683310 192.168.200.2 192.168.200.128 DNS 132 Standard query response 0x7abe A www.baidu.com CNAME www.a.shifen.com A (IPv4 address) A (IPv4 address)
 25 14.688004 192.168.200.2 192.168.200.128 DNS 156 Standard query response 0xffc7 AAAA www.baidu.com CNAME www.a.shifen.com AAAA (IPv6 address) AAAA (IPv6 address)

CNAME is a canonical name (alias) record.

Learn something new: Baidu's alias is www.a.shifen.com

Here we also successfully obtained the IPv4 address.
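To see what sits behind those query and response lines, here is an added example (not from the original post) that builds the A/AAAA queries and decodes a response carrying a CNAME followed by an A record, including DNS name compression pointers. The response bytes are constructed: the capture redacts the addresses, so 192.0.2.10 and the TTL of 60 are stand-ins.

```python
import struct

RTYPES = {1: "A", 5: "CNAME", 28: "AAAA"}  # record types seen in the capture

def encode_name(name: str) -> bytes:  # length-prefixed labels, zero terminator
    return b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"

def build_query(txid: int, name: str, rtype: int) -> bytes:
    """12-byte header (RD set, one question) + QNAME + QTYPE + QCLASS=IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", rtype, 1)

def read_name(msg: bytes, off: int, depth: int = 0):
    """Decode a possibly compressed name; return (name, offset after it)."""
    if depth > 10:
        raise ValueError("compression pointer loop")
    labels = []
    while msg[off]:
        if msg[off] & 0xC0 == 0xC0:  # two-byte pointer to an earlier name
            target = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            labels.append(read_name(msg, target, depth + 1)[0])
            return ".".join(labels), off + 2
        labels.append(msg[off + 1:off + 1 + msg[off]].decode())
        off += 1 + msg[off]
    return ".".join(labels), off + 1

def parse_answers(msg: bytes):
    """Return (txid, [(owner, type, value), ...]) from the answer section."""
    txid, _flags, qdcount, ancount = struct.unpack("!HHHH", msg[:8])
    off, answers = 12, []
    for _ in range(qdcount):  # skip the echoed question(s)
        off = read_name(msg, off)[1] + 4
    for _ in range(ancount):
        owner, off = read_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rdata = msg[off + 10:off + 10 + rdlen]
        value = (read_name(msg, off + 10)[0] if rtype == 5  # CNAME rdata is a name
                 else ".".join(map(str, rdata)) if rtype == 1 else rdata.hex())
        answers.append((owner, RTYPES.get(rtype, str(rtype)), value))
        off += 10 + rdlen
    return txid, answers

def rr(owner: bytes, rtype: int, rdata: bytes) -> bytes:  # class IN, TTL 60
    return owner + struct.pack("!HHIH", rtype, 1, 60, len(rdata)) + rdata
# Constructed response; the capture redacts the addresses, 192.0.2.10 is a stand-in.
RESPONSE = (struct.pack("!HHHHHH", 0x7ABE, 0x8180, 1, 2, 0, 0)
            + encode_name("www.baidu.com") + struct.pack("!HH", 1, 1)
            + rr(b"\xc0\x0c", 5, b"\x03www\x01a\x06shifen\xc0\x16")
            + rr(b"\xc0\x2b", 1, bytes([192, 0, 2, 10])))
```

The query built here is 31 bytes; adding the 8-byte UDP, 20-byte IPv4 and 14-byte Ethernet headers gives the 73-byte frames of packets 21 and 22. The depth limit in `read_name` keeps a message whose pointers refer to each other from hanging the parser.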

A bit of gossip

Oh wow, I accidentally discovered another meaning of the name of a big company👇

We are all shifen 👍

HTTP Protocol

Once DNS resolution succeeds, the IP address is known. The IPv4 address is the one used here to establish the TCP connection.

After the three-way handshake, the HTTP request is sent.

 29 14.714278 192.168.200.128 xxx.42 HTTP 131 GET / HTTP/1.1

The GET request is as follows. The User-Agent is curl (what you usually see here is a browser identifier).

The TCP segment length is 77, so Wireshark shows [Next Sequence Number: 78 (relative sequence number)].

Response 👇

Starting from packet 30, Ack=78 is exactly that next sequence number.

 30 14.714429 ipv4 192.168.200.128 TCP 54 80 → 44626 [ACK] Seq=1 Ack=78 Win=64240 Len=0
 31 14.733343 ipv4 192.168.200.128 TCP 1494 80 → 44626 [PSH, ACK] Seq=1 Ack=78 Win=64240 Len=1440 [TCP segment of a reassembled PDU]
 32 14.733714 192.168.200.128 ipv4 TCP 54 44626 → 80 [ACK] Seq=78 Ack=1441 Win=31680 Len=0
 33 14.733782 ipv4 192.168.200.128 HTTP 1395 HTTP/1.1 200 OK (text/html)

Focus on packets 31 and 33.

PSH + ACK: used to transmit data, and asks the receiving end to hand it over to the application layer immediately for processing.

The response here is longer than the MTU (Maximum Transmission Unit) of 1500 bytes, so it has to be split up.

That is why [TCP segment of a reassembled PDU] appears in 31: the packet is not the complete message, only one part of the PDU (Protocol Data Unit).

You can see the record of this reassembled TCP in 33 👇

[2 Reassembled TCP Segments (2781 bytes): #31(1440), #33(1341)]
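The sequence-number arithmetic behind Ack=78 and the 2781-byte reassembly can be checked with a short sketch. This is an added example, not from the original post; it uses relative sequence numbers as Wireshark displays them, and the payload bytes are constructed with the lengths from the capture.

```python
def next_seq(seq: int, length: int, syn: bool = False, fin: bool = False) -> int:
    """Sequence number that follows a segment; SYN and FIN each consume one."""
    return (seq + length + syn + fin) % 2**32

def reassemble(segments, start_seq: int = 1):
    """Rebuild a byte stream from (relative_seq, payload) pairs in any order.

    Returns (data, complete). A gap stops reassembly with complete=False.
    Bytes already covered by an earlier segment (retransmissions, overlaps)
    are dropped, so the lowest-sequence copy wins. Wraparound is ignored
    because relative sequence numbers start at 1, as Wireshark displays them.
    """
    stream, expected = bytearray(), start_seq
    for seq, payload in sorted(segments, key=lambda s: s[0]):
        if seq > expected:           # missing bytes before this segment
            return bytes(stream), False
        skip = expected - seq        # bytes of this segment we already hold
        if skip < len(payload):
            stream += payload[skip:]
            expected = seq + len(payload)
    return bytes(stream), True

# Constructed payloads with the lengths from the capture: #31 carries 1440
# bytes at Seq=1 and #33 carries 1341 bytes; the byte values are made up.
BODY = bytes(i % 251 for i in range(2781))
SEG_31 = (1, BODY[:1440])
SEG_33 = (next_seq(1, 1440), BODY[1440:])

if __name__ == "__main__":
    print(next_seq(1, 77))                       # client request: Seq=1, Len=77
    print(len(reassemble([SEG_33, SEG_31])[0]))  # arrival order does not matter
```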

Next is the HTTP content, which is similar to what you see on the browser, that is, the response line, header, and body. I won't go into details.

Next comes TCP's four-way wave, which closes the connection.

After curl finishes, immediately check the semi-connected queue, and you will find that the connection is still waiting to be closed.

After waiting for 2MSL (2MSL = 60s on Linux), it is closed.

 sysctl net.ipv4.tcp_fin_timeout

Finally, let's add the layer models and see which layer each of the protocols introduced so far belongs to 👇

OSI seven-layer model

   +-------------------------+
 7 |    Application Layer    |  DNS, HTTP, SSH, Telnet, FTP, etc.
   +-------------------------+
 6 |   Presentation Layer    |
   +-------------------------+
 5 |      Session Layer      |
   +-------------------------+
 4 |     Transport Layer     |  (segment) TCP, UDP
   +-------------------------+
 3 |      Network Layer      |  (packet) ICMP, IP
   +-------------------------+
 2 |     Data Link Layer     |  (frame) ARP
   +-------------------------+
 1 |     Physical Layer      |
   +-------------------------+

TCP/IP four-layer model

Compared with the OSI seven-layer model, the TCP/IP four-layer model merges the presentation layer and session layer into the application layer, and merges the data link layer and physical layer into the link layer.

   +-------------------------+
 4 |    Application Layer    |
   +-------------------------+
 3 |     Transport Layer     |
   +-------------------------+
 2 |     Internet Layer      |
   +-------------------------+
 1 |       Link Layer        |
   +-------------------------+
