1、IP及IPSEC協(xié)議數(shù)據(jù)包的捕獲與分析為了掌握掌握IP和IPSEC協(xié)議的工作原理及數(shù)據(jù)傳輸格式，熟悉網(wǎng)絡(luò)層的協(xié)議。我進(jìn)行了以下實(shí)驗(yàn)：首先用兩臺(tái)PC互ping并查看其IP報(bào)文，之后在兩臺(tái)PC上設(shè)置IPSEC互ping并查看其報(bào)文。最終分析兩者的報(bào)文了解協(xié)議及工作原理。一、用兩臺(tái)PC組建對(duì)等網(wǎng)：將PC1與PC2連接并分別配置10.176.5.119和10.176.5.120的地址。如圖1-1所示。10.176.5.11910.176.5.120PCIPC2圖1-1二、兩PC互ping：IP數(shù)據(jù)報(bào)結(jié)構(gòu)如圖1-2所示。比特01234567比特Q4816192431優(yōu)先級(jí)DTRC未用首部數(shù)搖部分IP數(shù)據(jù)

2、報(bào)圖1-2我所抓獲的報(bào)文如圖1-3，圖1-4所示：Id-fl致伯曲：編號(hào):護(hù)數(shù)據(jù)包長(zhǎng)度：卜車捕義長(zhǎng)度：Lg時(shí)同戳：包帶以太網(wǎng)-:【EthernetTypeII:卜母？目標(biāo)地址DestinationAddress:源地址SourceAddress:；伸協(xié)議類型Protocol:EJ-T3IP一因特兩協(xié)議IP一InternetProtocol:版本Version:；“回頭部長(zhǎng)HeaderLength:區(qū)分服務(wù)宇段DifferentiatedServicesField:$.0不同的服務(wù)代碼DifferentiatedServicesCodepoint:：Q傳箍協(xié)議忽珞CEfeTransportPro

3、tocolwillignoretheCEbit:i；QCongestion:孝總長(zhǎng)宜TotalLength:掙1標(biāo)識(shí)Identification:(j-分段標(biāo)志FragmentFlagg:?O保Reserved:分Fragment:：“O更多分段MoreFragment:護(hù)分段倫移FragmentOffset:|生存時(shí)(ajTimeToLive:?.上層Protocol:卜車校驗(yàn)和6ecksum:包源店地址SourceIP:L.目標(biāo)IF地址DestinationIP:自年TCMP因特網(wǎng)擔(dān)制消息協(xié)議ICMP一InternetControlMessagesProtocol:j“類型Type:“代碼

4、Code:L掙校驗(yàn)和6ecksum:掙標(biāo)識(shí)Identifier:討存字列號(hào)Sequence:L圍回顯.數(shù)據(jù)EchoData:fi-T3FCS:】圍FCS:2378742016/04/1113:41:49.1103430/14FO:DE:F1:E3:93:CFD8:CB:8A:0E:33:2FOxOSOO(WistronInfoComm(Kunshan)Co)C/6(InternetIP(IPv4)12/2414/10 xF05(20宇節(jié))14/10 x0F0000000015/1OxFF000000.,.15/1OxFC(忽珞)15/10 x02(不擁塞)15/10 x0160(60宇節(jié))16

5、/20 x0953(2387)18/200020/10 xE020/10 x30（可能分段）20/10 x40（最后一個(gè)段）20/10 x20020/20X1FFF6422/1123/10 x0000（錯(cuò)誤，應(yīng)該是0 x5120）24/210.176.5.11926/410.176.5.12030/434/4014/2000 x4D3A0 x00010 x0021（回顯）34/135/1（正鈿36/238/240/242/3232宇節(jié)（計(jì)算出的）0 x65379CC9圖1-3請(qǐng)求包NH縮號(hào)：卜等數(shù)據(jù)包長(zhǎng)度：卜掙捕義長(zhǎng)宜：圉時(shí)間戳：3-T3以太網(wǎng)-IIEthemetTypeII：i觀目標(biāo)地址De

6、stinationAddress:IMP源地址SourceAddress:L護(hù)協(xié)議類型Protocol:丁育IP-因特網(wǎng)協(xié)議IP-InternetProtocol:“Version:i頭部長(zhǎng)宜HeaderLength:申.區(qū)分服務(wù)宇段DifferentiatedServicesField:不同的服務(wù)代碼DifferentiatedServicesCodepoint:“O傳輸協(xié)議忽珞CE&TransportProtocolwillignoretheCEbit:Q擁SCongestion:淨(jìng)總長(zhǎng)TotalLength:存Identification:分段標(biāo)FragmentFlags:iQ保WRes

7、erved:Q分段Fragment:Q更多分段MoreFragment:分段佝移FragmentOffset:|o生存時(shí)間TimeToLive:上層曲玫Protocol:亭狡驗(yàn)和6ecksum:9源IP迪址SourceIP:；目標(biāo)IP地址DestinationIP:耳祈ICMP一因特網(wǎng)揑制消息協(xié)議TCMP一InternetControlMessagesProtocol:|類型Type:|代碼Code:討洋狡驗(yàn)和Checksum:存標(biāo)識(shí)Identifier:j淨(jìng)序列號(hào)Sequence:L園回顯數(shù)據(jù)EchoData:3-FCS:L渝FCS:24742016/04/1113:41:49.111239

8、0/14De：CB:8A:0E:33:2FFO：DE：F1：E3：93：CF0 x080014/2040/60/6(WistronInfoComm(Kunshan)Co)(InternetIP(IPv4)12/214/10 xF0(20宇節(jié))14/10 x0F000015/1OxFF0015/1OxFC.0.（思珞）15/10（不擁塞）15/000000000 x0260(60寶節(jié))16.0 x0557(1367)18/200020/10 xE020/10 x80（可能分段）2（最后一個(gè)段）020/20 x1FFF6422/1123/10X551C（正確）24/210.176.5.12026/

9、410.176.5.11930/434/40034/1020/10 x200 x553A0 x00010 x002132宇節(jié)(回顯應(yīng)答)35/1(正確)36/238/240/242/320X0218CCED(計(jì)聳出的)6/60 x010 x40圖1-4回應(yīng)包分析抓獲的IP報(bào)文：版本：IPV4（2）首部長(zhǎng)度：20字節(jié)（3）服務(wù)：當(dāng)前無不同服務(wù)代碼，傳輸忽略CE位，當(dāng)前網(wǎng)絡(luò)不擁塞報(bào)文總長(zhǎng)度：60字節(jié)標(biāo)識(shí)該字段標(biāo)記當(dāng)前分片為第1367分片三段標(biāo)志分別指明該報(bào)文無保留、可以分段，當(dāng)前報(bào)文為最后一段片偏移：指當(dāng)前分片在原數(shù)據(jù)報(bào)(分片前的數(shù)據(jù)報(bào))中相對(duì)于用戶數(shù)據(jù)字段的偏移量，即在原數(shù)據(jù)報(bào)中的相對(duì)位置。生存

10、時(shí)間：表明當(dāng)前報(bào)文還能生存64上層協(xié)議：1代表ICMP首部校驗(yàn)和：用于檢驗(yàn)IP報(bào)文頭部在傳播的過程中是否出錯(cuò)報(bào)文發(fā)送方IP：10.176.5.120報(bào)文接收方IP：10.176.5.119之后為所攜帶的ICMP協(xié)議的信息：類型0指本報(bào)文為回復(fù)應(yīng)答，數(shù)據(jù)部分則指出該報(bào)文攜帶了32字節(jié)的數(shù)據(jù)信息，通過抓獲可看到內(nèi)容為：abcdefghijklmnopqrstuvwabcdefghi三、IPSec協(xié)議配置：1、新建一個(gè)本地安全策略。如圖1-5。圖1-52、添加IP安全規(guī)則。如圖1-6.圖1-63、添加IP篩選器。如圖1-7，圖1-8，圖1-91F需礙劃丸步JU1日左全證看9tti戶羞晤4Titgff

11、iW醫(yī)迦左全window,站陽網(wǎng)翹尿理瞬距，.二公鑰樂晤.Ki3.VlSK應(yīng)用屁曲削勰見JP古全隹略在不把計(jì)貫.JiESiswats養(yǎng)或F可叟All.：;下F.圖1-7圖1-14圖1-8圖1-94、設(shè)置篩選器操作，如圖1-10，圖1-11所示圖1-10圖1-115、設(shè)置身份驗(yàn)證方法，預(yù)共享密鑰：123456789，如圖1-12所示亙新ip去錄聒可性窯全覘則向與1?擊全阪：測(cè)覽血IK4S6789wrn畫f上七怎)T-oi身旳笙吐方法辭加多身悄鯊證方這、済在芫磁If專全躱口向?qū)В簍后s編疇全規(guī)為此圭全規(guī)則設(shè)舌初身忖雉證方法：ActinDirctorySt認(rèn)値OCrbarsVS協(xié)迫）如使用由碗書額發(fā)

12、機(jī)枸町顯的證申KJ:U證書請(qǐng)求中翳供冊(cè)Q啟用證書郢味怖映射期&使用上碌串I活屜葫立挨（菽址宜靜月JCS）IF口施圖1-126、將設(shè)置好的本地安全策略分配，如圖1-13所示爲(wèi)10勢(shì)屋J?X!國(guó)新IP除全策電否2016PFSStK)遐世E1日卄圖1-13四、兩PC配置IPSEC互ping，并抓獲報(bào)文分析:所抓取報(bào)文如下圖1-14所示編號(hào)絕對(duì)時(shí)間源目標(biāo)協(xié)議大小解碼學(xué)段概要815:31:45.28038010.176.5.11910.176.5.120ICMPEchoReq78回顯請(qǐng)求10.176.5.120915:31:45.28135710.176.5.119:50010.176.5.120:50

13、0ISAKMP274源55口=500;目標(biāo)86口=500：長(zhǎng)S=236;檢驗(yàn)?Q=0 x214C錯(cuò)1015:31:45.28486610.176.5.120:50010.176.5.119:500ISAKMP254源第口=500;目標(biāo)洪口=500;長(zhǎng)度=216;檢驗(yàn)和=0乂77卩1正確1115:31:45.28709110.176.5.119:50010.176.5.120:500ISAKMP306源離口=500;目標(biāo)鋳口=500;長(zhǎng)=268;檢驗(yàn)和=0 x216C錯(cuò)1215:31:45.32585710.176.5.120:50010.176.5.119:500ISAKMP306源55口=5

14、00;目標(biāo)86口=500：長(zhǎng)度=268：檢驗(yàn)和=0 x086E正確1315:31:45.32696510.176.5.119:50010.176.5.120:500ISAKMP114源第口=500;目標(biāo)洪口=500;長(zhǎng)度=76;檢驗(yàn)和=0 x20AC錯(cuò)誤1415:31:45.32300110.176.5.120:50010.176.5.119:500ISAKMP114源離口=500;目標(biāo)演口=500;長(zhǎng)度=76;檢驗(yàn)和=0 x6051正確1515:31:45.32919510.176.5.119:50010.176.5.120:500ISAKMP24255口=500;目186口=5OO：KS=

15、2O4;檢?Q=Ox212C1615:31:45.33369610.176.5.120:50010.176.5.119:500ISAKMP242源第口=500;目標(biāo)洪口=500;長(zhǎng)度=204;檢驗(yàn)和=0 x0BFl正1715:31:45.33412610.176.5.119:50010.176.5.120:500ISAKMP106=500;1口=500;feS=68;檢ffl=0 x20A41815:31:45.33586910.176.5.120:50010.176.5.119:500ISAKMP122癡5口=500;目?jī)?口=500：長(zhǎng)S=84：檢尉0=0 x5466正確1915:31:4

16、5.33619210.176.5.11910.176.5.120ESP114SPI:1051598720,SN:12015:31:45.33745410.176.5.12010.176.5.119ESP114SPI:3233094376,SN:12215:31:46.28209510.176.5.11910.176.5.120ESP114SPI:1051598720,SN:22315:31:46.28391110.176.5.12010.176.5.119ESP114SPI:3233094376,SN:22515:31:47.28415110.176.5.11910.176.5.120ESP1

17、14SPI:1051598720,SN:32615:31:47.28571810.176.5.12010.176.5.119ESP114SPI:3233094376.SN:32815:31:48.28715710.176.5.11910.176.5.120ESP114SPI:1051598720,SN:42915:31:48.28802310.176.5.12010.176.5.119ESP114SPI:3233094376,SN:4下圖1-15為協(xié)議協(xié)商部分報(bào)文：丿InternetSecurityAssociationandKeyManagementProtocolInitiatorSPI:

18、Icfela3b68487806ResponderSPI:0000000000000000Nextpayload:SecurityAssociation(1)lVersion:1.0Exchangetype:IdentityProtection(MainMode)(2)lFlags:0 x00MessageID:0 x00000000Length:228TypePayload:SecurityAssociation(1)Nextpayload:VendorID(13)Payloadlength:56Domainofinterpretation:IPSIEC(1)Situation:000000

19、01JTypePayload:Proposal(2)#1Nextpayload:NONE/NoNextPayload(0)Payloadlength:44Proposalnumber:1ProtocolID:ISAKMP(1)SPISize:0Proposaltiransforms:1鼻TypePayload:Transf(3)#1Nextpayload:NONE/NoNextPayload(0)Payloadlength:36Transformnumber:1TransformID:KIEY_IKIE(1)TransformIKIEibutEType(t=ljl=2)Encryption-A

20、lgorithm:3DES-CBCTransformIKEAttributeType(1=21=2)Hash-Algorithm:SHAlTransformIKIEAttributeType(t=4l=2)Group-Description:Alternate1024-bitMODPgroup0TransformIKIEAttributeType(t=3jl=2)Authentication-Method:PSK0TransformIKIEibutmType(t=llJl=2)Life-Type:SecondsTransformIKIEibutE分析：發(fā)起方的SPI為：lcfela3b6848

21、7806響應(yīng)方的SPI為：未知本報(bào)文作用為協(xié)商IKE策略交換模式為主模式有效載荷類型：策略協(xié)商載荷長(zhǎng)度：56解釋域?yàn)镮PSEC協(xié)議第二段有效載荷類型為建議部分第二段有效載荷類型為傳輸，內(nèi)容是IKE策略下圖1-16為KEY交換部分報(bào)文:JInternetSecurityAssociationmndKeyManagementProtocolInitiatorSPI:Icfela3b68487806ResponderSPI:6d37a230952c50eaNextpayload:KeyExchange(4)Version:1.0Exchangetype:IdentityProtection(Main

22、Mode)(2)Flags:0 x00MessageID:0 x00000000Length:260“TypePayload:KeyExchange(4)Nextpayload:Nonce(10)Payloadlength:132KeyExchangeData:C9361d05e59a6a62c75f77683f31f2a09cl8ca56c074f88f.TypePayload:Nonce(10)Nextpayload:NAT-D(RFC3947)(20)Payloadlength:52NonceDATA:fed265f33e2a232bfl858863953878aea99fcbea824

23、el319.TypePayload:NAT-D(RFC3947)(20)Nextpayload:NAT-D(RFC3947)(20)Payloadlength:24HASHofth己addressandport:2433b7565d26012d29fa024fffdad603G136fc68TypePayload:NAT-D(RFC3947)(20)Nextpayload:NONE/NoNextPayload(0)Payloadlength:24HASHofth己addressandport:e82dd9f49c008f828de54f6901aee4e363f93e92圖1-16分析：作用為

24、通過協(xié)商DH產(chǎn)生第一階段的密碼。本報(bào)文作用為密鑰交換交換模式為主模式說明了所用到的RFC及加密后的數(shù)據(jù)下圖1-17為認(rèn)證部分報(bào)文：tFrame24:110bytesonwire(880bits)f110bytescaptured(880bits)oninterface0tEthernetIIjSrc:Micro-St_0e:33:2f(d8:cb:8a:0e:33:2f)fDst:V/istronI_e3:93:cf(fB1:de:fl:e3:93:cf)0InternetProtocolVersion4,Src:10.176.5.119jDst:10.176.5.120tUserDatagr

25、amProtocolSrcPort:500(500)DstPort:500(500)，IntenmtSecuityAssociationandKeyManagementotocolInitiatorSPI:Icfela3b68487806ResponderSPI:6d37a230952c50eaNextpayload:Identification(5)0Version:1.0Exchangetype:IdentityProtection(MainMode)(2)Flags:0 x011=Encryption:Encrypted0.=Commit:Nocommit0=Authentication

26、:NoauthenticationMessageID:0 x00000000Length:68EncryptedData(40bytes)圖1-17分析：本報(bào)文作用為認(rèn)證交換模式為主模式標(biāo)志位說明：1當(dāng)前加密，0未提交狀態(tài)，0未完成認(rèn)證三部進(jìn)行完后發(fā)送方會(huì)把IPSEC策略發(fā)給對(duì)方，有對(duì)方選擇合適的策略，報(bào)文如下圖1-18所示：lFrame26:238bytesonwire(1904bits),238bytescaptured(1904bits)oninterface0EthernetIIjSrc:Micro-St_0e:33:2f(d8:cb:8a:0e:33:2f)3Dst:Wistronl

27、_e3:93:cf(fB:de:fl:e3:93:cf)tInternetProtocolVersion4,Src:10.176.5.119Dst:10.176.5.120tUserDatagramProtocoljSrcPort:500(500)DstPort:500(500)InternetSecurityAssociationandKeyManagementProtocolInitiato5PI:Icfela3b68487806ResponderSPI:6d37a230952c50eaNextpayload:Hash(8)Version:1.0Exchangetype:QuickMode

28、(32)丿Flags:0 x011=Encryption:Encrypted0=Commit:Nocommit0.=Authentication:NoauthenticationMessageID:0 x00000001Length:196EricyptEdData(168bytes)圖1-18分析：有效載荷類型為HASH載荷交換模式為快速模式表示當(dāng)前已經(jīng)是安全環(huán)境了完成IPSEC的交互后，后面的報(bào)文變?yōu)榱薊SP報(bào)文：如圖1-19所示Enchilada據(jù)段已驗(yàn)證已擁空新IP頭ESP頭原IP頭原IP數(shù)據(jù)報(bào)文ESP尾ESPMACSPISeq#値呑填充Next唄允長(zhǎng)度HeaderFrame30:11

29、0byteson(880bits)j110bytescaptured(880bits)oninterface0鼻EthernetIISrc:Micro-St_0e:33:2f(d8:cb:8a:Be:33:2f)fDst:Wistronl_e3:93:cf(f0:de:f1:e3:93:cf)0Destination:WistnonI_e3:93:cf(f0:de:fl:e3:93:cf)0Source:Micro-St_0e:33:2f(d8:cb:8a:0e:33:2f)Type:IPv4(0 x0800)JInternetProtocolVersion鐵Src:10.176.5.119D

30、st:10.176.5.1200100.=Version:4.0101=HeaderLength:20bytes-DifferentiatedServicesField:0 x00(DSCP:CS0,IECN:Not-IECT)000000=DifferentiaServicesCodepoint:Default(0)00=ExplicitCongestionNotification:NotECN-CapableTransport(0)TotalLength:96Identification:0 x775b(30555)Flags:0 x000=Reservedbit:Not.0=Dont-F

31、ragment:Not虧Et0=恂fragments:NotFragmentoffset:0Timetolive:64Protocol:EncapSecuityPayload(50)，Headerchecksum:0 xe2c2validationdisabledGood:FalseBad:FalseSource:10.176.5.119Destination:10.176.5.120SourceGeoIP:UnknownDestinationGeoIP:UnknownEncapsulatingSecurityPayloadESPSPI:0 x6ae74dca(1793543626)ESPSequence:1圖1-19分析：(1)所加ESP頭中的SPI和Sequence分別為1793543626和1(2)上層協(xié)議為ESP(50)說明其為一個(gè)IPSEC報(bào)文五、實(shí)驗(yàn)中的問題抓獲ISAKMP包時(shí)用科來網(wǎng)絡(luò)分析系統(tǒng)所抓獲的報(bào)文如下圖1-20所示。可以看出少了一段InternetSecurityAssociationandKeyManagementProtocol的解析，導(dǎo)致無法看到IPSEC的協(xié)商過程。最終改用wireshark抓包，順利的解決了這個(gè)問題，找到了該過程。曰“沖収誹也伯盡；卜護(hù)數(shù)據(jù)包長(zhǎng)度：卜岸捕獲長(zhǎng)度:；圉時(shí)冋戳：申T*以太兩-IIEthemetTypeII