RIP packet format
Network Engineering
routing
packet-analysis
rip
2021-07-08 19:26:38
3 answers
This is a RIPv1 packet. You are looking at the complete IP packet. RIP starts at 0x001c.
Given how simple RIP v1 is, this is easy to do by eye from Figure 1 in RFC 1058:
- The 5 longs from 45c0 are the IP header
- The 4 shorts from 0208 (the italic part) are the UDP header
- The rest, from 0201 (the bold part), is the RIP body
01:00:00.000000 IP 128.238.62.2.route > 255.255.255.255.route: RIPv1, Response, length: 44
0x0000: 45c0 0048 0000 0000 0211 f8f5 80ee 3e02 E..H.........>.
0x0010: ffff ffff 0208 0208 0034 b9a0 0201 0000 .........4......
0x0020: 0002 0000 80ee 3f00 0000 0000 0000 0000 ......?........
0x0030: 0000 0001 0002 0000 80ee 4000 0000 0000 ....@.....
0x0040: 0000 0000 0000 0002 ........
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| command (1)   | version (1)   |      must be zero (2)         |
+---------------+---------------+-------------------------------+
| address family identifier (2) |      must be zero (2)         |
+-------------------------------+-------------------------------+
|                         IP address (4)                        |
+---------------------------------------------------------------+
|                        must be zero (4)                       |
+---------------------------------------------------------------+
|                        must be zero (4)                       |
+---------------------------------------------------------------+
|                          metric (4)                           |
+---------------------------------------------------------------+
The portion of the datagram from address family identifier through
metric may appear up to 25 times.
We have:
command=02 version=01 mbz=0000
family=0002 mbz=0000 addr=80ee3f00 mbz=00000000 mbz=00000000 metric=00000001
family=0002 mbz=0000 addr=80ee4000 mbz=00000000 mbz=00000000 metric=00000002
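But if you have more complex packets...
One way to solve this kind of problem is to turn the data into a PCAP file (using a tool, or just a programming language such as Python) and then inspect it with standard tools.
Your packet, analysed with tshark, is: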
Internet Protocol Version 4, Src: 128.238.62.2, Dst: 255.255.255.255
    0100 .... = Version: 4
    .... 0101 = Header Length: 20 bytes (5)
    Differentiated Services Field: 0xc0 (DSCP: CS6, ECN: Not-ECT)
        1100 00.. = Differentiated Services Codepoint: Class Selector 6 (48)
        .... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)
    Total Length: 72
    Identification: 0x0000 (0)
    Flags: 0x0000
        0... .... .... .... = Reserved bit: Not set
        .0.. .... .... .... = Don't fragment: Not set
        ..0. .... .... .... = More fragments: Not set
    ...0 0000 0000 0000 = Fragment offset: 0
    Time to live: 2
        [Expert Info (Note/Sequence): "Time To Live" only 2]
            ["Time To Live" only 2]
            [Severity level: Note]
            [Group: Sequence]
    Protocol: UDP (17)
    Header checksum: 0xf8f5 [validation disabled]
    [Header checksum status: Unverified]
    Source: 128.238.62.2
    Destination: 255.255.255.255
User Datagram Protocol, Src Port: 520, Dst Port: 520
    Source Port: 520
    Destination Port: 520
    Length: 52
    Checksum: 0xb9a0 [unverified]
    [Checksum Status: Unverified]
    [Stream index: 0]
Routing Information Protocol
    Command: Response (2)
    Version: RIPv1 (1)
    IP Address: 128.238.63.0, Metric: 1
        Address Family: IP (2)
        IP Address: 128.238.63.0
        Metric: 1
    IP Address: 128.238.64.0, Metric: 2
        Address Family: IP (2)
        IP Address: 128.238.64.0
        Metric: 2
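This is a response header. Response means 'a message containing all or part of the sender's routing table. This message may be sent in response to a request or poll, or it may be an update message generated by the sender.'
Beyond that, you can also see the sender's IP address.
If you want to see more detail, you can use -vv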
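The by-hand decoding and the "make it a PCAP file" suggestion from the answers above, combined in one added example that is not part of any answer on this page. It is a Python decoder for the dumped packet that enforces the RFC 1058 must-be-zero fields and the 25-entry limit, plus a helper that wraps the bytes in a pcap file. The names `parse_rip_v1_response` and `to_pcap` and the output file `rip.pcap` are chosen for this example, and it assumes the classic pcap format with LINKTYPE_RAW (101).

```python
import ipaddress
import struct

# Packet bytes copied from the hex dump on this page (IPv4 header onward).
PACKET = bytes.fromhex(
    "45c0004800000000 0211f8f580ee3e02 ffffffff02080208 0034b9a002010000"
    "0002000080ee3f00 0000000000000000 0000000100020000 80ee400000000000"
    "0000000000000002"
)

def parse_rip_v1_response(packet):
    """Decode a RIPv1 response carried in IPv4/UDP; return [(address, metric), ...]."""
    if len(packet) < 20 or packet[0] >> 4 != 4 or packet[9] != 17:
        raise ValueError("not IPv4 carrying UDP")
    ihl = (packet[0] & 0x0F) * 4               # 5 longs = 20 bytes in this capture
    if ihl < 20 or len(packet) < ihl + 8:
        raise ValueError("bad IP header length or truncated UDP header")
    _sport, dport, udp_len, _csum = struct.unpack_from("!HHHH", packet, ihl)
    if dport != 520 or udp_len < 8 or ihl + udp_len > len(packet):
        raise ValueError("not RIP (UDP port 520) or truncated")
    rip = packet[ihl + 8 : ihl + udp_len]      # starts at 0x001c in this capture
    count, leftover = divmod(len(rip) - 4, 20)
    if leftover or not 1 <= count <= 25:
        raise ValueError("RIP body must hold 1 to 25 entries of 20 bytes")
    command, version, mbz = struct.unpack_from("!BBH", rip, 0)
    if (command, version, mbz) != (2, 1, 0):
        raise ValueError("not a RIPv1 response with a zeroed header field")
    routes = []
    for off in range(4, len(rip), 20):
        family, z1, addr, z2, z3, metric = struct.unpack_from("!HH4sIII", rip, off)
        if z1 or z2 or z3:                     # RFC 1058 "must be zero" fields
            raise ValueError(f"must-be-zero field set in entry at offset {off}")
        if family != 2 or not 1 <= metric <= 16:
            raise ValueError(f"unexpected family or metric at offset {off}")
        routes.append((str(ipaddress.IPv4Address(addr)), metric))
    return routes

def to_pcap(packet, linktype=101):
    """Wrap one raw IP packet in a classic pcap file (LINKTYPE_RAW = 101)."""
    file_header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    record_header = struct.pack("<IIII", 0, 0, len(packet), len(packet))
    return file_header + record_header + packet

if __name__ == "__main__":
    print(parse_rip_v1_response(PACKET))
    with open("rip.pcap", "wb") as fh:         # then: tshark -r rip.pcap -V
        fh.write(to_pcap(PACKET))
```
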