Contents
【TFTP】
1. Overview
2. TFTP communication process
3. TFTP protocol data frame analysis
3.1 Read and write request data frame
3.2 Data packet
3.3 Response signal
3.4 Error message
4. TFTP protocol message with options
[Packet capture tool Wireshark]
1. Wireshark filter rules
1.1 IP filtering
1.2 Protocol filtering
1.3 Port filtering
1.4 MAC address filtering
1.5 Logical relationship
2. Packet capture data analysis
2.1 Transport layer analysis
2.2 Network layer analysis
2.3 Link layer analysis
2.4 Application layer analysis
【TFTP】
1. Overview
TFTP (Trivial File Transfer Protocol) is a simple file transfer protocol that runs over UDP (RFC 1350). Two transfer modes are used in practice: octet (binary) mode and netascii (text) mode (RFC 1350 also defines a mail mode, which is obsolete). The mode is sent as a string in the request, so the distinction matters when the request packet is assembled. TFTP has no authentication and no encryption; whatever access control exists is entirely the server's configuration.
2. TFTP communication process
When a client talks to a TFTP server it first assembles a read or write request packet (RRQ/WRQ, for example with a pack function or with sprintf) and sends it to the server's port 69. It then receives the server's first packet. Because the server answers from a newly chosen ephemeral port (its transfer identifier, TID) rather than from port 69, the client must take the source port of that first reply (the address filled in by recvfrom) and send all further packets to it; TFTP is UDP, so there is no connection and no accept call. From each data packet the client takes the block number and the data, rewrites the two-byte opcode to 4 (ACK), truncates the packet to four bytes and sends it back as the acknowledgement, and so on until the last block has been received and acknowledged.
Summary of the TFTP communication process:
1. The server listens for read and write requests on UDP port 69 by default (the port can be changed).
2. If the server accepts the request, it answers from a freshly allocated ephemeral port (its TID), and the rest of the transfer runs between that port and the client's port; an implementation commonly handles this in a new thread or process.
3. The block number of each data packet is one higher than that of the previous block, starting at 1.
4. If a data packet is not acknowledged before the timeout, it is resent; after repeated timeouts the transfer is abandoned.
5. A full data packet is 516 bytes: the first two bytes are the opcode (3 = DATA), bytes 3 and 4 are the block number, and the remaining 512 bytes are data (a different block size applies if the blksize option was negotiated).
6. A data packet carrying less than 512 bytes (less than the block size) is the last one and ends the transfer; a file whose size is an exact multiple of 512 bytes ends with a data packet carrying 0 bytes.
3. TFTP protocol data frame analysis
3.1 Read and write request data frame
If the client wants to read from or write to the server, it constructs a request frame. The first two bytes are the opcode: 1 for a read request (RRQ), 2 for a write request (WRQ). Note that the opcode is in network byte order (big-endian), so the read opcode is the byte sequence 0x00 0x01, not 0x01 0x00. The opcode is followed by the file name, a 0 byte, the mode string ("octet" or "netascii") and another 0 byte. The 0 bytes terminate the two strings and separate the file name from the mode, because both are packed as C strings. A read request for a.txt in octet mode can be assembled with sprintf as below:
char data[516];
int len = sprintf(data, "%c%c%s%c%s%c", 0, 1, "a.txt", 0, "octet", 0); /* len == 14; keep it for sendto(), strlen(data) would stop at the first 0 byte */
3.2 Data packet
A data packet received from the server is up to 516 bytes (larger if the blksize option was negotiated): the first two bytes are the opcode (3), the third and fourth bytes are the block number, which tells the client which block it is receiving and lets it detect duplicates and retransmissions, and the remaining up to 512 bytes are file data.
3.3 Response signal
The response signal (ACK, opcode 4) is what the client sends to the server after receiving each data packet. It is four bytes long: a two-byte opcode (4) followed by the two-byte block number being acknowledged, which is exactly the header of the data packet with a different opcode. A simple implementation can therefore reuse the received data packet: overwrite the opcode with 4, truncate the packet to four bytes, and send it back. The server does not send block N+1 until it has received the ACK for block N.
3.4 Error message
If something goes wrong, for example the requested file does not exist, or a packet has been resent too many times, the side that detects the problem sends an error packet: opcode 5, a two-byte error code, and a NUL-terminated error message. An error packet is not acknowledged and terminates the transfer.
The number in front is the error code:
0 Not defined, see error message (if any).
1 File not found.
2 Access violation.
3 Disk full or allocation exceeded.
4 Illegal TFTP operation.
5 Unknown transfer ID.
6 File already exists.
7 No such user.
8 Unsupported option(s) requested (defined by the options extension, RFC 2347; sent to refuse negotiated options).
4. TFTP protocol message with options
If the read or write request carries options (RFC 2347), a server that understands them replies with an OACK packet (opcode 6) listing the options and values it accepts, in place of the first data packet (for a read) or ACK 0 (for a write). The client accepts the OACK by sending an ACK with block number 0 for a read, or by sending data block 1 for a write; if it cannot accept the negotiated values it sends an error with code 8. A server that does not support options ignores them and answers as if they were not there, so the client must be prepared for both replies.
The commonly used options are:
tsize option (RFC 2349): in a read request the client sends tsize with the value "0" and the server returns the size of the file in bytes in the OACK; in a write request the client sends the size of the file to be written and the server echoes it.
blksize option (RFC 2348): sets the data block size in bytes used for the transfer (valid range 8 to 65464); the server may answer with a smaller value than requested. The end of the transfer is then a data packet shorter than the negotiated block size, not shorter than 512.
timeout option (RFC 2349): sets the retransmission timeout in seconds (valid range 1 to 255).
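The following is an added example, not code from the original article: C functions that build and parse the frames described in sections 2 to 4 (request with options, OACK, DATA, ACK and ERROR) and walk through the client side of a read in which the server negotiates blksize 1024 and the transfer ends after a single short block. The "server" packets are constructed inline rather than captured from a real server, the file name a.txt, the option values and the error text are assumptions for the demonstration, and no sockets are involved, so the code runs offline.

```c
/* Added example, not from the original article: byte-level builders and parsers for
 * the TFTP frames of sections 2-4 (RFC 1350; options per RFC 2347/2348/2349).
 * No sockets: the "server" packets below are constructed here, not captured. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
enum { RRQ = 1, WRQ = 2, DATA = 3, ACK = 4, ERROR = 5, OACK = 6 };

/* 16-bit fields are network byte order (big-endian): opcode 1 is the bytes 0x00 0x01. */
static void put16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }
static uint16_t get16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
/* Copy a string with its terminating 0 byte; returns the new write offset. */
static size_t put_str(uint8_t *o, size_t n, const char *s) { size_t l = strlen(s) + 1; memcpy(o + n, s, l); return n + l; }

/* RRQ/WRQ: opcode | filename 0 | mode 0 | (optname 0 optvalue 0)*   (opts = name,value,...)
 * Returns the packet length, or 0 on error. Keep that length: strlen() on the
 * buffer would stop at the first embedded 0 byte. */
static size_t tftp_build_request(uint8_t *out, size_t cap, uint16_t opcode, const char *file,
                                 const char *mode, const char *const *opts, size_t nopts)
{
    size_t need = 2 + strlen(file) + 1 + strlen(mode) + 1, i, n;
    for (i = 0; i < nopts; i++) need += strlen(opts[i]) + 1;
    if ((opcode != RRQ && opcode != WRQ) || (nopts % 2) || need > cap) return 0;
    put16(out, opcode);
    n = put_str(out, put_str(out, 2, file), mode);
    for (i = 0; i < nopts; i++) n = put_str(out, n, opts[i]);
    return n;
}

/* DATA: opcode 3 | block | up to blksize bytes. Returns the payload length, or -1.
 * A payload shorter than blksize (512 unless negotiated) marks the last block. */
static int tftp_parse_data(const uint8_t *pkt, size_t len, uint16_t want_block,
                           size_t blksize, const uint8_t **payload, int *last)
{
    if (len < 4 || len > 4 + blksize || get16(pkt) != DATA) return -1;
    if (get16(pkt + 2) != want_block) return -1;      /* duplicate or out of order */
    *payload = pkt + 4;
    *last = (len - 4) < blksize;
    return (int)(len - 4);
}
/* ACK is exactly 4 bytes: opcode 4 | block. ACK 0 accepts an OACK on a read. */
static size_t tftp_build_ack(uint8_t *out, uint16_t block) { put16(out, ACK); put16(out + 2, block); return 4; }
/* ERROR: opcode 5 | error code | message 0. Returns the code, or -1 if the message
 * is not 0-terminated inside the packet (never treat it as a C string otherwise). */
static int tftp_parse_error(const uint8_t *pkt, size_t len, const char **msg)
{
    if (len < 5 || get16(pkt) != ERROR || pkt[len - 1] != 0) return -1;
    if (msg) *msg = (const char *)pkt + 4;
    return get16(pkt + 2);
}

/* OACK: opcode 6 | (optname 0 optvalue 0)*. Returns the numeric value of the named
 * option, -1 if the server did not echo it, -2 if the packet is malformed. */
static long tftp_oack_option(const uint8_t *pkt, size_t len, const char *name)
{
    const uint8_t *end = pkt + len, *p = pkt + 2;
    if (len < 2 || get16(pkt) != OACK) return -2;
    while (p < end) {
        const uint8_t *kz = memchr(p, 0, (size_t)(end - p));
        if (!kz || kz + 1 >= end) return -2;          /* name unterminated, or no value */
        const uint8_t *vz = memchr(kz + 1, 0, (size_t)(end - (kz + 1)));
        if (!vz) return -2;                           /* value unterminated */
        if (strcmp((const char *)p, name) == 0) return strtol((const char *)kz + 1, NULL, 10);
        p = vz + 1;
    }
    return -1;
}
/* Constructed server replies; SAMPLE_LEN drops the string literal's own trailing 0. */
static const uint8_t SAMPLE_OACK[] = "\x00\x06" "blksize\0" "1024\0" "tsize\0" "6\0";
static const uint8_t SAMPLE_DATA[] = "\x00\x03\x00\x01" "hello\n";
static const uint8_t SAMPLE_ERR[]  = "\x00\x05\x00\x01" "File not found.\0";
#define SAMPLE_LEN(a) (sizeof(a) - 1)

/* Client side of a read with options: RRQ -> OACK -> ACK 0 -> DATA 1 -> ACK 1.
 * Returns the number of file bytes received, or -1 on any protocol error. */
static int tftp_demo_read(void)
{
    static const uint8_t want_rrq[] = "\x00\x01" "a.txt\0" "octet\0" "blksize\0" "1024\0" "tsize\0" "0\0";
    const char *opts[] = { "blksize", "1024", "tsize", "0" };
    uint8_t req[64], ack[4];
    const uint8_t *payload; int last, n;
    size_t rlen = tftp_build_request(req, sizeof req, RRQ, "a.txt", "octet", opts, 4);
    if (rlen != SAMPLE_LEN(want_rrq) || memcmp(req, want_rrq, rlen) != 0) return -1;
    long blksize = tftp_oack_option(SAMPLE_OACK, SAMPLE_LEN(SAMPLE_OACK), "blksize");
    if (blksize < 8 || blksize > 65464) return -1;    /* RFC 2348 range check */
    tftp_build_ack(ack, 0);                           /* accept the OACK */
    n = tftp_parse_data(SAMPLE_DATA, SAMPLE_LEN(SAMPLE_DATA), 1, (size_t)blksize, &payload, &last);
    if (n < 0) return -1;
    tftp_build_ack(ack, 1);                           /* acknowledge block 1 */
    return last ? n : -1;                             /* 6 < 1024 bytes: transfer complete */
}

int main(void)
{
    const char *msg = "";
    printf("received %d bytes\n", tftp_demo_read());
    printf("error %d: %s\n", tftp_parse_error(SAMPLE_ERR, SAMPLE_LEN(SAMPLE_ERR), &msg), msg);
    return 0;
}
```

The length returned by tftp_build_request has to travel with the buffer, because the embedded 0 bytes defeat strlen; the same applies to the sprintf call in section 3.1. The end-of-transfer check in tftp_parse_data compares against the negotiated block size rather than a fixed 512, and the OACK and ERROR parsers refuse packets whose strings are not terminated inside the packet, which is the check a receiver needs before handing those bytes to strcmp, strtol or printf.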
[Packet capture tool Wireshark]
Wireshark is a very useful network packet capture tool, and its filter rules are simple to use. From the captured packets you can see exactly what data each packet carries at every layer.
1. Wireshark filter rules
1.1 IP filtering
ip.src == 1.2.3.4 only displays packets whose source IP is 1.2.3.4
ip.dst == 1.2.3.4 only displays packets whose destination IP is 1.2.3.4
ip.addr == 1.2.3.4 only displays packets whose source IP or destination IP is 1.2.3.4
1.2 Protocol filtering
Just enter the protocol name as the filter,
for example udp, tcp or tftp
1.3 Port filtering
udp.srcport == 8000 only displays UDP packets whose source port is 8000
udp.dstport == 8000 only displays UDP packets whose destination port is 8000
udp.port == 8000 only displays UDP packets whose source or destination port is 8000
tcp.srcport == 8000 only displays TCP packets whose source port is 8000
tcp.dstport == 8000 only displays TCP packets whose destination port is 8000
tcp.port == 8000 only displays TCP packets whose source or destination port is 8000
1.4 MAC address filtering
eth.src == aa:bb:cc:dd:ee:ff only displays packets whose source MAC is aa:bb:cc:dd:ee:ff
eth.dst == aa:bb:cc:dd:ee:ff only displays packets whose destination MAC is aa:bb:cc:dd:ee:ff
eth.addr == aa:bb:cc:dd:ee:ff only displays packets whose source MAC or destination MAC is aa:bb:cc:dd:ee:ff
1.5 Logical relationship
and is equivalent to &&: both conditions must be satisfied
or is equivalent to ||: only one of the conditions needs to be satisfied
not is equivalent to !: the condition must not be satisfied
2. Packet capture data analysis
The capture here takes sending data from one host to another as the example.
First narrow the displayed traffic down to the packets of interest with the display filter udp and ip.src == 192.168.x.xxx (the sending IP) and ip.dst == 192.168.0.100 and udp.srcport == 1145