Recently, for some requirements, I needed to capture packets on a device and analyze the information exchanged between the device and the server.
1. Packet capture commands used on the device side
adb root
adb shell
tcpdump -i wlan0 -v -s 0 -C 10000 -U -w /data/tcpdump.pcap &
exit
adb pull /data/tcpdump.pcap
After capturing on the device with tcpdump, pull the capture file off the device and decode it with Wireshark.
2. Tool used to decode the capture
Wireshark
3. Decoding and analyzing the captured packets
In Wireshark, filter for the HTTP protocol packets, then inspect Wireshark's decode of them.
For example:
Figure 1. Decode of an HTTP packet
Once you have found the packet you need, you can see the data for the five-layer structure of the protocol stack:
From top to bottom, the figure shows the overview information for the five layers:
- Physical layer: frame overview
- Data link layer: Ethernet frame header
- Network layer: packet header
- Transport layer: segment header
- Application layer: protocol header
Let's expand these five layers and look at each one.
3.1 Physical layer
// Frame number 50, 219 bytes on the wire, 219 bytes captured
> Frame 50: 219 bytes on wire (1752 bits), 219 bytes captured (1752 bits)
// Encapsulation type; determined by the link type of the capture Wireshark is reading
Encapsulation type: Ethernet (1)
// Timestamps recorded when the frame was captured
Arrival Time: Apr 22, 2022 15:30:45.674217000 CST
Time shift for this packet: 0.000000000 seconds
Epoch Time: 1650612645.674217000 seconds
// Time between this frame and the previously captured frame
Time delta from previous captured frame: 0.007596000 seconds
// Time between this frame and the previously displayed frame
Time delta from previous displayed frame: 0.305328000 seconds
// Time since the first (or reference) frame
Time since reference or first frame: 388308444.503361000 seconds
// Frame number: 50
Frame Number: 50
// Frame length: 219 bytes (1752 bits)
Frame Length: 219 bytes (1752 bits)
// Number of bytes actually captured
Capture Length: 219 bytes (1752 bits)
// Whether the frame has been marked
Frame is marked: False
// Whether the frame is ignored
Frame is ignored: False
// Protocol hierarchy encapsulated in the frame: eth (Ethernet frame) : ethertype (EtherType field selecting the next protocol) : ip (IP, network layer) : tcp (TCP, transport layer) : http (HTTP, application layer)
Protocols in frame: eth:ethertype:ip:tcp:http
// Name of the coloring rule that matched: HTTP
Coloring Rule Name: HTTP
// Filter string of the coloring rule: http, or TCP port 80, or http2
Coloring Rule String: http || tcp.port == 80 || http2
The physical layer is normally about the electrical and procedural characteristics of the hardware, yet the captured data is encapsulated in frames, which seems odd. (What Wireshark labels "Frame" is capture metadata recorded by libpcap, such as timestamps and lengths, not physical-layer signalling; the capture is taken at the link layer.)
3.2 Data link layer
// Ethernet II header recorded at the data link layer
>Ethernet II, Src:xx:xx:xx:xx:xx:xx (xx:xx:xx:xx:xx:xx), Dst: XIAOMIEl_20:87:41 (yy:yy:yy:yy:yy:yy)
// Destination MAC address
>Destination: XIAOMIEl_20:87:41 (yy:yy:yy:yy:yy:yy)
Address: XIAOMIEl_20:87:41 (yy:yy:yy:yy:yy:yy)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
// Source MAC address
>Source: xx:xx:xx:xx:xx:xx (xx:xx:xx:xx:xx:xx)
Address: xx:xx:xx:xx:xx:xx(xx:xx:xx:xx:xx:xx)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
// EtherType: the encapsulated protocol is IPv4
Type: IPv4 (0x0800)
The data link layer encapsulates the data into frames. In the captured packet you can see that the link-layer header records the source and destination MAC addresses.
3.3 Network layer
Common network layer protocols are the Internet Protocol (IP), the Internet Control Message Protocol (ICMP) and the Address Resolution Protocol (ARP). Here is the IP data from the capture:
// IPv4 header at the network layer: source address aaa.aaa.aa.aaa, destination address bbb.bbb.bb.bb, IP version 4, and so on
>Internet Protocol Version 4, Src: aaa.aaa.aa.aaa, Dst: bbb.bbb.bb.bb
// Network layer protocol version: IPv4
0100 .... = Version: 4
// Header length: 20 bytes
.... 0101 = Header Length: 20 bytes
// Differentiated Services field
>Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
0000 00.. = Differentiated Services Codepoint: Default (0)
.... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)
// Total length: 205 bytes
Total Length: 205
// Identification field (shared by all fragments of one datagram)
Identification: 0x8c9f (35999)
// Flags field
>Flags: 0x02 (Don't Fragment)
0... .... = Reserved bit: Not set
.1.. .... = Don't fragment: Set
..0. .... = More fragments: Not set
// Fragment offset: 0
Fragment offset: 0
// Time to live: 64
Time to live: 64
// Upper-layer protocol carried in this packet: TCP
Protocol: TCP (6)
// Header checksum (Wireshark is not validating it here)
>Header checksum: 0xbc4c [validation disabled]
Good: False
Bad: False
// Source IP address: aaa.aaa.aa.aaa
Source: aaa.aaa.aa.aaa
// Destination IP address: bbb.bbb.bb.bb
Destination: bbb.bbb.bb.bb
// Source GeoIP
Source GeoIP: Unknown
// Destination GeoIP
Destination GeoIP: Unknown
3.4 Transport layer
The two common transport layer protocols are the Transmission Control Protocol (TCP) and the User Datagram Protocol (UDP).
HTTP runs over TCP; a UDP packet is also shown here for comparison.
TCP:
// Transport layer header, here TCP: source port 46524, destination port 80, sequence number 1, ack 1, length 165
>Transmission Control Protocol, Src Port: 46524 (46524), Dst Port: 80 (80), Seq: 1, Ack: 1, Len: 165
// Source port: 46524
Source Port: 46524
// Destination port: 80
Destination Port: 80
// Stream index: 1
[Stream index: 1]
// TCP segment length: 165
[TCP Segment Len: 165]
// Sequence number
Sequence number: 1 (relative sequence number)
// Next sequence number
[Next sequence number: 166 (relative sequence number)]
// Acknowledgment number
Acknowledgment number: 1 (relative ack number)
// Header length
Header Length: 20 bytes
// TCP flags field
>Flags: 0x018 (PSH, ACK)
000. .... .... = Reserved: Not set
...0 .... .... = Nonce: Not set
.... 0... .... = Congestion Window Reduced (CWR): Not set
.... .0.. .... = ECN-Echo: Not set
.... ..0. .... = Urgent: Not set
.... ...1 .... = Acknowledgment: Set
.... .... 1... = Push: Set
.... .... .0.. = Reset: Not set
.... .... ..0. = Syn: Not set
.... .... ...0 = Fin: Not set
[TCP Flags: *******AP***]
// Window size value as carried in the header
Window size value: 1369
// Calculated window size: window size value multiplied by the scaling factor (1369 * 64 = 87616)
[Calculated window size: 87616]
// Window size scaling factor (negotiated in the SYN options)
[Window size scaling factor: 64]
// TCP segment checksum (Wireshark is not validating it here)
>Checksum: 0xf1fe [validation disabled]
[Good Checksum: False]
[Bad Checksum: False]
Urgent pointer: 0
// SEQ/ACK analysis
>SEQ/ACK analysis
[iRTT: 0.046096000 seconds]
[Bytes in flight: 165]
UDP:
// Transport layer header, here UDP: source port 53, destination port 46658
>User Datagram Protocol, Src Port: 53 (53), Dst Port: 46658 (46658)
// Source port
Source Port: 53
// Destination port
Destination Port: 46658
// Length of the UDP header plus payload
Length: 74
// Checksum over the header and data (Wireshark is not validating it here)
>Checksum: 0xaf61 [validation disabled]
[Good Checksum: False]
[Bad Checksum: False]
// Stream index
[Stream index: 11]
3.5 Application layer
Common application layer protocols include the Hypertext Transfer Protocol (HTTP), the Domain Name System (DNS), the File Transfer Protocol (FTP), Telnet, the Simple Mail Transfer Protocol (SMTP), the Post Office Protocol version 3 (POP3) and the Simple Network Management Protocol (SNMP).
The most common of these are HTTP and DNS.
HTTP:
// Application layer protocol fields, here HTTP
>Hypertext Transfer Protocol
// Overview of the HTTP GET request
>GET /px/tx?requestId=Gd0Foip9u3lLr8lFiafs HTTP/1.1\r\n
>[Expert Info (Chat/Sequence): GET /px/tx?requestId=Gd0Foip9u3lLr8lFiafs HTTP/1.1\r\n]
[GET /px/tx?requestId=Gd0Foip9u3lLr8lFiafs HTTP/1.1\r\n]
[Severity level: Chat]
[Group: Sequence]
// Request method: GET
Request Method: GET
// Request URI
Request URI: /px/tx?requestId=Gd0Foip9u3lLr8lFiafs
// HTTP protocol version
Request Version: HTTP/1.1
// Information about the device sending the request
User-Agent: MIXX/X10A/stable/2.3.9\r\n
// Host name being requested
Host: api2.xxxx.xx.com\r\n
// Connection option agreed between client and server (keep the connection alive)
Connection: Keep-Alive\r\n
// Content encodings the client can accept
Accept-Encoding: gzip\r\n
\r\n
// Full request URI
[Full request URI: http://api2.xxxx.xx.com/px/tx?requestId=Gd0Foip9u3lLr8lFiafs]
// HTTP request 1 of 1 in this stream
[HTTP request 1/1]
// Frame number of the response
[Response in frame: 52]
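To make the layering concrete, here is an added example (not code from the original post) that walks a single Ethernet II / IPv4 / TCP / HTTP frame the way the Wireshark tree above does, and also validates the IPv4 header checksum that Wireshark left at "validation disabled". The frame is constructed inline; the addresses, request ID and host name are made-up placeholders.

```python
import struct

TCP_FLAG_NAMES = ["FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECE", "CWR", "NS"]

def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum; over a valid header (checksum included) it returns 0."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:                           # fold the carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def parse_frame(frame: bytes) -> dict:
    """Walk Ethernet II -> IPv4 -> TCP -> HTTP request line, like the Wireshark tree."""
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    out = {"dst_mac": dst.hex(":"), "src_mac": src.hex(":"), "ethertype": ethertype}
    if ethertype != 0x0800:                      # only IPv4 is handled in this example
        return out
    ip = frame[14:]
    vi, tos, total_len, ident, frag, ttl, proto, _ = struct.unpack("!BBHHHBBH", ip[:12])
    ihl = (vi & 0x0F) * 4                        # IHL is in 32-bit words
    out.update(version=vi >> 4, header_length=ihl, dscp=tos >> 2, ecn=tos & 0x3,
               total_length=total_len, identification=ident,
               dont_fragment=bool(frag & 0x4000), more_fragments=bool(frag & 0x2000),
               fragment_offset=frag & 0x1FFF, ttl=ttl, protocol=proto,
               src_ip=".".join(map(str, ip[12:16])), dst_ip=".".join(map(str, ip[16:20])),
               checksum_ok=ipv4_checksum(ip[:ihl]) == 0)   # what "validation disabled" skips
    if proto != 6:                               # 6 = TCP
        return out
    tcp = ip[ihl:total_len]
    sport, dport, seq, ack, off_flags, window = struct.unpack("!HHIIHH", tcp[:16])
    data_off = (off_flags >> 12) * 4             # data offset is in 32-bit words
    flags = off_flags & 0x1FF                    # low 9 bits are FIN..NS
    payload = tcp[data_off:]
    out.update(src_port=sport, dst_port=dport, seq=seq, ack=ack, tcp_header_length=data_off,
               tcp_flags=[n for i, n in enumerate(TCP_FLAG_NAMES) if flags >> i & 1],
               window_size_value=window, segment_len=len(payload))
    if payload.startswith((b"GET ", b"POST ", b"HEAD ")):    # minimal HTTP request detection
        out["request_line"] = payload.split(b"\r\n", 1)[0].decode("ascii")
    return out

def build_sample() -> bytes:
    """Constructed frame (not from the capture): DF set, TTL 64, PSH/ACK to port 80, window 1369."""
    payload = b"GET /px/tx?requestId=EXAMPLE HTTP/1.1\r\nHost: api2.example.test\r\n\r\n"
    tcp = struct.pack("!HHIIHHHH", 46524, 80, 1, 1, (5 << 12) | 0x018, 1369, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x8C9F, 0x4000, 64, 6, 0,
                     bytes([10, 0, 0, 2]), bytes([192, 0, 2, 10]))
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]   # fill in the header checksum
    eth = bytes.fromhex("001122334455") + bytes.fromhex("0a0b0c0d0e0f") + b"\x08\x00"
    return eth + ip + tcp
```

Flipping any header byte of the sample makes checksum_ok go False, which is the check Wireshark performs when checksum validation is switched on in the IPv4 protocol preferences.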
DNS:
// DNS protocol (this message is a query)
>Domain Name System (query)
// The response is in frame 17
[Response In: 17]
// Transaction ID, used to match the response to the query
Transaction ID: 0xd300
// Flags
>Flags: 0x0100 Standard query
0... .... .... .... = Response: Message is a query
.000 0... .... .... = Opcode: Standard query (0)
.... ..0. .... .... = Truncated: Message is not truncated
.... ...1 .... .... = Recursion desired: Do query recursively
.... .... .0.. .... = Z: reserved (0)
.... .... ...0 .... = Non-authenticated data: Unacceptable
// Number of questions: 1
Questions: 1
// Answer RRs: 0
Answer RRs: 0
// Authority RRs: 0
Authority RRs: 0
// Additional RRs: 0
Additional RRs: 0
// Question section
>Queries
>captive.apple.com: type A, class IN
Name: captive.apple.com
Name Length: 17
Label Count: 3
Type: A (Host Address) (1)
Class: IN (0x0001)
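As an added example (not from the original post), the following parser reads a UDP datagram carrying a DNS query and decodes the header flags and question-section labels shown in the tree above, including the Name Length and Label Count values. The datagram is constructed inline with the same transaction ID, flags and question as the capture; the ports and the zero UDP checksum are assumptions.

```python
import struct

def encode_name(name: str) -> bytes:
    """Dotted name -> DNS wire labels (length byte + label), terminated by a zero byte."""
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in name.split(".")) + b"\x00"

def decode_name(msg: bytes, offset: int):
    """Read labels at offset; returns (dotted name, label count, offset after the terminator)."""
    labels = []
    while True:
        length = msg[offset]
        offset += 1
        if length == 0:
            return ".".join(labels), len(labels), offset
        if length & 0xC0:   # compression pointer: not used in a question section, so reject it
            raise ValueError("compressed name not supported in this example")
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length

def parse_udp_dns(datagram: bytes) -> dict:
    """UDP header (8 bytes) followed by a DNS message; flag bits follow the Wireshark tree."""
    sport, dport, udp_len, _ = struct.unpack("!HHHH", datagram[:8])
    dns = datagram[8:udp_len]
    tid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", dns[:12])
    out = {"src_port": sport, "dst_port": dport, "udp_length": udp_len,
           "transaction_id": tid,
           "is_response": bool(flags & 0x8000),                 # QR bit
           "opcode": (flags >> 11) & 0xF,
           "truncated": bool(flags & 0x0200),                   # TC bit
           "recursion_desired": bool(flags & 0x0100),           # RD bit
           "z": (flags >> 6) & 1,                               # reserved Z bit
           "non_authenticated_data_ok": bool(flags & 0x0010),   # CD bit, Wireshark's "Non-authenticated data"
           "questions": qd, "answer_rrs": an, "authority_rrs": ns, "additional_rrs": ar,
           "queries": []}
    offset = 12
    for _ in range(qd):
        name, label_count, offset = decode_name(dns, offset)
        qtype, qclass = struct.unpack("!HH", dns[offset:offset + 4])
        offset += 4
        out["queries"].append({"name": name, "name_length": len(name),
                               "label_count": label_count, "type": qtype, "class": qclass})
    return out

def build_sample() -> bytes:
    """Constructed query (not from the capture): ID 0xd300, standard query with RD, one A question."""
    dns = struct.pack("!HHHHHH", 0xD300, 0x0100, 1, 0, 0, 0)
    dns += encode_name("captive.apple.com") + struct.pack("!HH", 1, 1)   # type A, class IN
    return struct.pack("!HHHH", 46658, 53, 8 + len(dns), 0) + dns         # UDP checksum 0 = not computed
```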