
PPP Packet Capture Analysis

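2017-08-23 01:31
# The PPP frame structure is similar to HDLC, with a few modifications
# There are 3 classes of LCP packets:
#  1. Link configuration packets, used to establish and configure a link (Configure-Request, Configure-Ack, Configure-Nak and Configure-Reject).
#  2. Link termination packets, used to terminate a link (Terminate-Request and Terminate-Ack).
#  3. Link maintenance packets, used to manage and debug a link (Code-Reject, Protocol-Reject, Echo-Request, Echo-Reply and Discard-Request).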
  
# LCP (Link Control Protocol)
R2#username r2 password 0 r2
R2#interface Serial2/2
R2#ip address 202.100.23.2 255.255.255.0
R2#encapsulation ppp
R2#ppp authentication pap

# When encapsulation ppp is configured, a Configure-Request is sent
Frame 49: 14 bytes on wire (112 bits), 14 bytes captured (112 bits) on interface 0
Point-to-Point Protocol
Address: 0xff                                # 0xFF, the standard broadcast address, indicating that the packet is accepted
Control: 0x03
Protocol: Link Control Protocol (0xc021)     # Protocol field: 0xC021 for LCP, 0x80xy for various NCPs, 0x0021 for IP
PPP Link Control Protocol
Code: Configuration Request (1)              # LCP link establishment request: Configure-Request
Identifier: 1 (0x01)
Length: 10
Options: (6 bytes), Magic Number             # The Magic Number is used for loop detection: the receiver checks whether it equals its own Magic Number
Magic Number: 0xbc0f842c
Type: Magic Number (5)               # Magic Number
Length: 6
Magic Number: 0xbc0f842c
R3#interface Serial3/3
R3#ip address 202.100.23.3 255.255.255.0
R3#encapsulation ppp

# When a Configure-Request is received but one of its parameters cannot be accepted (PAP is not configured), the reply is a Configuration Nak
Frame 50: 13 bytes on wire (104 bits), 13 bytes captured (104 bits) on interface 0
Point-to-Point Protocol
Address: 0xff
Control: 0x03
Protocol: Link Control Protocol (0xc021)
PPP Link Control Protocol
Code: Configuration Nak (3)
Identifier: 1 (0x01)
Length: 9
Options: (5 bytes), Authentication Protocol
Authentication Protocol: Challenge Handshake Authentication Protocol (0xc223)
Type: Authentication Protocol (3)
Length: 5
Authentication Protocol: Challenge Handshake Authentication Protocol (0xc223)
Algorithm: CHAP with MD5 (5)
R3#interface Serial3/3
R3#ip address 202.100.23.3 255.255.255.0
R3#encapsulation ppp
R3#ppp pap sent-username r2 password r2

# If every configuration option received in a Configure-Request, and all of its values, are acceptable, the implementation must send a Configure-Ack
Frame 51: 14 bytes on wire (112 bits), 14 bytes captured (112 bits) on interface 0
Point-to-Point Protocol
Address: 0xff
Control: 0x03
Protocol: Link Control Protocol (0xc021)
PPP Link Control Protocol
Code: Configuration Ack (2)               # LCP link establishment acknowledgement: Configuration Ack
Identifier: 1 (0x01)                      # Sent when every LCP option value in the most recently received Configure-Request is recognized and acceptable.
Length: 10                                # LCP negotiation is complete once the PPP peers have both sent and received Configure-Acks
Options: (6 bytes), Magic Number
Magic Number: 0xbc0f842c
Type: Magic Number (5)
Length: 6
Magic Number: 0xbc0f842c
R3#interface Serial3/3
R3#ip address 202.100.23.3 255.255.255.0
R3#encapsulation ppp

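# If some configuration options received in a Configure-Request are unrecognizable or not acceptable for negotiation (as configured by the network administrator), the implementation must send a Configure-Reject
# Provides user authentication -- PAP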
Frame 61: 12 bytes on wire (96 bits), 12 bytes captured (96 bits) on interface 0
Point-to-Point Protocol
Address: 0xff
Control: 0x03
Protocol: Link Control Protocol (0xc021)
PPP Link Control Protocol
Code: Configuration Reject (4)
Identifier: 6 (0x06)
Length: 8
Options: (4 bytes), Authentication Protocol
Authentication Protocol: Password Authentication Protocol (0xc023)
Type: Authentication Protocol (3)
Length: 4
Authentication Protocol: Password Authentication Protocol (0xc023)
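# Added example (not part of the original post): a small decoder for the LCP Configure-* packets dissected above that reports which authentication protocol an Authentication-Protocol option (type 3) names. The frame bytes are rebuilt by hand from the field values of frames 49, 50 and 61; the function names are illustrative.

```python
import struct

# Protocol and option numbers as shown in the dissections above.
PPP_LCP = 0xC021
CODES = {1: "Configure-Request", 2: "Configure-Ack", 3: "Configure-Nak", 4: "Configure-Reject"}
AUTH = {0xC023: "PAP (cleartext password)", 0xC223: "CHAP"}

def parse_lcp(frame: bytes) -> dict:
    """Decode one PPP frame carrying an LCP Configure-* packet."""
    if len(frame) < 8 or frame[0:2] != b"\xff\x03":
        raise ValueError("not an uncompressed PPP frame")
    proto, code, ident, length = struct.unpack("!HBBH", frame[2:8])
    if proto != PPP_LCP or code not in CODES:
        raise ValueError("not an LCP Configure-* packet")
    if length < 4 or 4 + length > len(frame):
        raise ValueError("LCP length field exceeds captured data")
    opts, body = [], frame[8:4 + length]
    while body:
        # Each option is Type, Length, Data; Length covers the whole option.
        if len(body) < 2 or body[1] < 2 or body[1] > len(body):
            raise ValueError("malformed option")
        opts.append((body[0], body[2:body[1]]))
        body = body[body[1]:]
    return {"code": CODES[code], "id": ident, "options": opts}

def auth_offer(pkt: dict):
    """Return the authentication protocol named in option 3, if present."""
    for otype, data in pkt["options"]:
        if otype == 3 and len(data) >= 2:
            proto = struct.unpack("!H", data[:2])[0]
            return AUTH.get(proto, hex(proto))
    return None

# Bytes rebuilt by hand from the field values of frames 49, 50 and 61 above.
FRAME_49 = bytes.fromhex("ff03c0210101000a0506bc0f842c")
FRAME_50 = bytes.fromhex("ff03c021030100090305c22305")
FRAME_61 = bytes.fromhex("ff03c021040600080304c023")

if __name__ == "__main__":
    for f in (FRAME_49, FRAME_50, FRAME_61):
        p = parse_lcp(f)
        print(p["code"], p["id"], auth_offer(p))
```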
# After user authentication fails (wrong password), the link is terminated
328 84.473122 N/A N/A PPP PAP 14 Authenticate-Request (Peer-ID='r2', Password='r1')  # sent in cleartext
329 84.477776 N/A N/A PPP PAP 30 Authenticate-Nak (Message='Authentication failed')
330 84.478314 N/A N/A PPP LCP 8 Termination Request
331 84.479937 N/A N/A PPP LCP 8 Termination Ack
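# Added example (not part of the original post): a detection helper that recognises a PAP Authenticate-Request on the wire and reports it as a cleartext-credential finding without echoing the password. The sample frame is constructed to match packet 328 above; its identifier value (1) and all function names are assumptions.

```python
import struct

PPP_PAP = 0xC023  # Password Authentication Protocol

def pap_cleartext_finding(frame: bytes):
    """Return a redacted finding for a PAP Authenticate-Request, else None."""
    if len(frame) < 8 or frame[0:2] != b"\xff\x03":
        return None
    proto, code, ident, length = struct.unpack("!HBBH", frame[2:8])
    if proto != PPP_PAP or code != 1:      # 1 = Authenticate-Request
        return None
    body = frame[8:4 + length]
    # Peer-ID and Password are each prefixed by a one-byte length.
    if not body or 1 + body[0] >= len(body):
        raise ValueError("truncated Peer-ID")
    peer = body[1:1 + body[0]]
    rest = body[1 + body[0]:]
    if 1 + rest[0] > len(rest):
        raise ValueError("truncated Password")
    return {
        "id": ident,
        "peer_id": peer.decode("ascii", "replace"),
        "password_len": rest[0],           # report the length, never the value
        "finding": "PAP credentials sent in cleartext",
    }

def build_pap_request(ident: int, peer: bytes, password: bytes) -> bytes:
    """Construct a sample frame (test input only)."""
    body = bytes([len(peer)]) + peer + bytes([len(password)]) + password
    return b"\xff\x03" + struct.pack("!HBBH", PPP_PAP, 1, ident, 4 + len(body)) + body

# Constructed sample modelled on packet 328 above (Peer-ID 'r2', 2-byte password).
# The identifier 1 is an assumption; the summary line does not show it.
SAMPLE = build_pap_request(1, b"r2", b"r1")

if __name__ == "__main__":
    print(pap_cleartext_finding(SAMPLE))
```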

# Echo-Request and Echo-Reply packets must only be sent in the LCP Opened state;
# Echo-Request and Echo-Reply packets received in any other state should be silently discarded.
# Provides a keep-alive function
568 214.489492 N/A N/A PPP LCP 16 Echo Request
569 214.490944 N/A N/A PPP LCP 16 Echo Reply
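# IPCP has only 7 packet types, and they are a subset of the LCP packet types
# (only the seven packets with LCP code values 1 to 7: Config-Request, Config-Ack, Config-Nak, Config-Reject, Terminate-Request, Terminate-Ack and Code-Reject),
# and in practice the link termination packets are generally not used during the network-layer protocol phase.

# Once LCP is in the Opened state, NCP negotiation takes place; it is either static or dynamic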
25 71.185532 N/A N/A PPP LCP 14 Configuration Ack
26 71.187428 N/A N/A PPP LCP 14 Configuration Ack
27 71.198927 N/A N/A PPP IPCP 14 Configuration Request
29 71.219095 N/A N/A PPP IPCP 14 Configuration Request

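# Static negotiation means no negotiation at all. Both ends of the point-to-point link already have IP addresses configured before PPP negotiation,
# so there is no need to negotiate IP addresses in the network-layer protocol phase; all each side has to do is tell the peer its own IP address.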
Frame 27: 14 bytes on wire (112 bits), 14 bytes captured (112 bits) on interface 0
Point-to-Point Protocol
Address: 0xff
Control: 0x03
Protocol: Internet Protocol Control Protocol (0x8021)
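PPP IP Control Protocol                # IPCP: each side pushes its address to the other and a route is installed (the peers can communicate even when not in the same subnet)
Code: Configuration Request (1)    # Configuration Request
Identifier: 1 (0x01)
Length: 10
Options: (6 bytes), IP address
IP address: 202.100.23.2       # In static negotiation, when the IPCP Config-Request carries only the address option,
Type: IP address (3)       # both sender and receiver send a Config-Request at the same time, each carrying only its own IP address.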
Length: 6
IP Address: 202.100.23.2
Frame 27: 14 bytes on wire (112 bits), 14 bytes captured (112 bits) on interface 0
Point-to-Point Protocol
Address: 0xff
Control: 0x03
Protocol: Internet Protocol Control Protocol (0x8021)
PPP IP Control Protocol
Code: Configuration Request (1)
Identifier: 1 (0x01)
Length: 10
Options: (6 bytes), IP address
IP address: 202.100.23.2
Type: IP address (3)
Length: 6
IP Address: 202.100.23.2
Frame 31: 14 bytes on wire (112 bits), 14 bytes captured (112 bits) on interface 0
Point-to-Point Protocol
Address: 0xff
Control: 0x03
Protocol: Internet Protocol Control Protocol (0x8021)
PPP IP Control Protocol
Code: Configuration Ack (2)        # On receiving that packet the peer sends a Config-Ack, which tells the other side "I now know your IP address";
Identifier: 1 (0x01)               # a router then adds a host route to the peer's interface.
Length: 10
Options: (6 bytes), IP address
IP address: 202.100.23.2
Type: IP address (3)
Length: 6
IP Address: 202.100.23.2
Frame 32: 14 bytes on wire (112 bits), 14 bytes captured (112 bits) on interface 0
Point-to-Point Protocol
Address: 0xff
Control: 0x03
Protocol: Internet Protocol Control Protocol (0x8021)
PPP IP Control Protocol
Code: Configuration Ack (2)
Identifier: 1 (0x01)
Length: 10
Options: (6 bytes), IP address
IP address: 202.100.23.3
Type: IP address (3)
Length: 6
IP Address: 202.100.23.3

# The route is learned, giving a connected route even to a different subnet
R2#sh ip route  202.100.23.3
Routing entry for 202.100.23.3/32
Known via "connected", distance 0, metric 0 (connected, via interface)
Routing Descriptor Blocks:
* directly connected, via Serial2/2
Route metric is 0, traffic share count is 1
R2#sh ip route  202.100.33.3
Routing entry for 202.100.33.3/32
Known via "connected", distance 0, metric 0 (connected, via interface)
Routing Descriptor Blocks:
* directly connected, via Serial2/2
Route metric is 0, traffic share count is 1
R2#sh ip route 1.1.1.1
Routing entry for 1.1.1.1/32
Known via "connected", distance 0, metric 0 (connected, via interface)
Routing Descriptor Blocks:
* directly connected, via Serial2/2
Route metric is 0, traffic share count is 1
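# Dynamic negotiation: one end is configured to obtain its IP address dynamically; the other end has a manually configured IP address and is allowed to assign an address to the peer.
# In this case the sender sends two Config-Request packets in a row before its side of the negotiation completes,
# while the receiver still needs to send only one Config-Request to complete its own side.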

R3(config-if)#ip address negotiated

470 1059.708060 N/A N/A PPP IPCP 14 Configuration Request    # sender's first Config-Request
471 1059.708540 N/A N/A PPP IPCP 14 Configuration Request    # receiver's first Config-Request
472 1059.712205 N/A N/A PPP IPCP 14 Configuration Reject     # receiver rejects the sender's first Config-Request
473 1059.712677 N/A N/A PPP IPCP 14 Configuration Ack        # sender acknowledges the receiver's first Config-Request
474 1059.713186 N/A N/A PPP IPCP 8 Configuration Request     # sender's second Config-Request
475 1059.718640 N/A N/A PPP IPCP 8 Configuration Ack         # receiver acknowledges the second Config-Request

# Because the sender has no IP address configured (it obtains one dynamically), the IP address in the IP-Address option of its IPCP Config-Request is filled with all zeros (0.0.0.0).
Frame 470: 14 bytes on wire (112 bits), 14 bytes captured (112 bits) on interface 0
Point-to-Point Protocol
Address: 0xff
Control: 0x03
Protocol: Internet Protocol Control Protocol (0x8021)
PPP IP Control Protocol
Code: Configuration Request (1)    # IPCP Config-Request packet
Identifier: 1 (0x01)
Length: 10
Options: (6 bytes), IP address
IP address: 0.0.0.0            # IP address filled with all zeros
Type: IP address (3)
Length: 6
IP Address: 0.0.0.0

# A normal IPCP packet that specifies an IP address
Frame 471: 14 bytes on wire (112 bits), 14 bytes captured (112 bits) on interface 0
Point-to-Point Protocol
Address: 0xff
Control: 0x03
Protocol: Internet Protocol Control Protocol (0x8021)
PPP IP Control Protocol
Code: Configuration Request (1)
Identifier: 2 (0x02)
Length: 10
Options: (6 bytes), IP address
IP address: 202.100.23.2
Type: IP address (3)
Length: 6
IP Address: 202.100.23.2

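# When the receiver gets this Config-Request it checks the IP address; if the sender sent all zeros, the receiver considers that address not the value it wants,
# so it replies with a Config-Nak carrying the IP address it wants to assign to the peer.
# In the capture below, frame 472 is a Configuration Reject (4) that echoes 0.0.0.0 rather than a Config-Nak.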
Frame 472: 14 bytes on wire (112 bits), 14 bytes captured (112 bits) on interface 0
Point-to-Point Protocol
Address: 0xff
Control: 0x03
Protocol: Internet Protocol Control Protocol (0x8021)
PPP IP Control Protocol
Code: Configuration Reject (4)
Identifier: 1 (0x01)
Length: 10
Options: (6 bytes), IP address
IP address: 0.0.0.0
Type: IP address (3)
Length: 6
IP Address: 0.0.0.0

# A normal Ack packet that specifies an IP address
Frame 473: 14 bytes on wire (112 bits), 14 bytes captured (112 bits) on interface 0
Point-to-Point Protocol
Address: 0xff
Control: 0x03
Protocol: Internet Protocol Control Protocol (0x8021)
PPP IP Control Protocol
Code: Configuration Ack (2)
Identifier: 2 (0x02)
Length: 10
Options: (6 bytes), IP address
IP address: 202.100.23.2
Type: IP address (3)
Length: 6
IP Address: 202.100.23.2

# The side that receives the Config-Nak then sends a new Config-Request whose IP-Address option carries the address the peer offered in the Nak.
Frame 474: 8 bytes on wire (64 bits), 8 bytes captured (64 bits) on interface 0
Point-to-Point Protocol
Address: 0xff
Control: 0x03
Protocol: Internet Protocol Control Protocol (0x8021)
PPP IP Control Protocol
Code: Configuration Request (1)
Identifier: 2 (0x02)
Length: 4
Frame 475: 8 bytes on wire (64 bits), 8 bytes captured (64 bits) on interface 0
Point-to-Point Protocol
Address: 0xff
Control: 0x03
Protocol: Internet Protocol Control Protocol (0x8021)
PPP IP Control Protocol
Code: Configuration Ack (2)
Identifier: 2 (0x02)
Length: 4

# Shows that the IP address is obtained by negotiation; the route for the local subnet is present
R3(config-if)#do sh ip int s3/3
Serial3/3 is up, line protocol is up
Internet address will be negotiated using IPCP
Broadcast address is 255.255.255.255

R2(config-if)#do sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
a - application route
+ - replicated route, % - next hop override
Gateway of last resort is not set
192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.1.0/24 is directly connected, Ethernet1/1
L        192.168.1.2/32 is directly connected, Ethernet1/1
202.100.23.0/24 is variably subnetted, 2 subnets, 2 masks
C        202.100.23.0/24 is directly connected, Serial2/2
L        202.100.23.2/32 is directly connected, Serial2/2
R2(config-if)#
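# PPP authentication: unlike HDLC, PPP provides user authentication
# Challenge-Handshake Authentication Protocol (CHAP)
# CHAP periodically verifies the identity of the peer using a three-way handshake; this is done at initial link establishment and may be repeated at any time after the link is established.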

R2#interface Serial2/2
R2#ip address 202.100.23.2 255.255.255.0
R2#encapsulation ppp
R2#ppp authentication chap
R2#serial restart-delay 0

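# 1. After the link establishment phase completes, the authenticator sends a "challenge" message to the peer being authenticated
1 0.000000 N/A N/A PPP LCP 14 Configuration Request    # Once both sides have exchanged Configuration Request and Configuration Ack, LCP link establishment is complete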
2 0.021263 N/A N/A PPP LCP 19 Configuration Request
3 0.021402 N/A N/A PPP LCP 14 Configuration Ack
4 0.028010 N/A N/A PPP LCP 19 Configuration Ack
5 0.059900 N/A N/A PPP CHAP 27 Challenge (NAME='R2', VALUE=0xe8affa5379025f888c6d22ff52aff757) # After LCP link establishment completes, R2 proactively sends the Challenge
Frame 3317: 27 bytes on wire (216 bits), 27 bytes captured (216 bits) on interface 0
Point-to-Point Protocol
Address: 0xff
Control: 0x03
Protocol: Challenge Handshake Authentication Protocol (0xc223)
PPP Challenge Handshake Authentication Protocol
Code: Challenge (1)
Identifier: 1
Length: 23
Data
Value Size: 16
Value: e85aa3c02b52edb78c6d22ff000a1cfb
Name: R2

R3#interface Serial3/3
R3#ip address 202.100.23.3 255.255.255.0
R3#encapsulation ppp
R3#ppp chap hostname r2
R3#ppp chap password 0 r2        # Drawback: the secret is configured in cleartext
R3#serial restart-delay 0

# 2. The peer being authenticated computes a hash value as its response
Frame 3318: 27 bytes on wire (216 bits), 27 bytes captured (216 bits) on interface 0
Point-to-Point Protocol
Address: 0xff
Control: 0x03
Protocol: Challenge Handshake Authentication Protocol (0xc223)
PPP Challenge Handshake Authentication Protocol
Code: Response (2)
Identifier: 1
Length: 23
Data
Value Size: 16
Value: 2f9020d01b7b41ba6c754b014a8e6767     # hash value
Name: r2                                    # username

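# 3. The authenticator checks the response against its own calculation of the expected hash value; if the values match, authentication is acknowledged; otherwise the connection should be terminated.
# Authentication failed, connection terminated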
3317 1534.518709 N/A N/A PPP CHAP 27 Challenge (NAME='R2', VALUE=0xe85aa3c02b52edb78c6d22ff000a1cfb)
3318 1534.525085 N/A N/A PPP CHAP 27 Response (NAME='r2', VALUE=0x2f9020d01b7b41ba6c754b014a8e6767)
3319 1534.526536 N/A N/A PPP CHAP 29 Failure (MESSAGE='Authentication failed')
3320 1534.527368 N/A N/A PPP LCP 8 Termination Request
3321 1534.528521 N/A N/A PPP LCP 8 Termination Ack

# Authentication succeeded; NCP then exchanges addresses
3874 1669.630159 N/A N/A PPP CHAP 27 Challenge (NAME='R2', VALUE=0x3695e79508d494098c6d22fffd432110)
3875 1669.635094 N/A N/A PPP CHAP 27 Response (NAME='r2', VALUE=0x0695a3e64fb3a059987d1ff616e1a846)
3876 1669.643600 N/A N/A PPP CHAP 8 Success (MESSAGE='')
3877 1669.645975 N/A N/A PPP IPCP 14 Configuration Request
3878 1669.646095 N/A N/A PPP IPCP 14 Configuration Request
3880 1669.646844 N/A N/A PPP IPCP 14 Configuration Ack
3881 1669.647354 N/A N/A PPP IPCP 14 Configuration Ack
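# Added example (not part of the original post): the three CHAP steps above as runnable code, using the RFC 1994 definition of the MD5 response (hash of Identifier, secret, Challenge Value). The Authenticator class, the function names and the sample secrets are assumptions; it shows a mismatched secret ending in Failure, as in packets 3317-3319, and a recorded response failing against a fresh challenge.

```python
import hashlib
import hmac
import os

def chap_md5_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP with MD5 (RFC 1994): MD5(Identifier || secret || Challenge Value)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()

class Authenticator:
    """Authenticator side of the three-way handshake (hypothetical helper class)."""
    def __init__(self, secret: bytes):
        self.secret = secret
        self.ident = 0
        self.challenge = b""

    def new_challenge(self) -> tuple:
        # Step 1: a fresh identifier and an unpredictable 16-byte value per attempt.
        self.ident = (self.ident + 1) & 0xFF
        self.challenge = os.urandom(16)
        return self.ident, self.challenge

    def check(self, ident: int, response: bytes) -> str:
        # Step 3: recompute the expected hash and compare in constant time.
        expected = chap_md5_response(self.ident, self.secret, self.challenge)
        ok = ident == self.ident and hmac.compare_digest(expected, response)
        return "Success" if ok else "Failure"

def handshake(auth_secret: bytes, peer_secret: bytes) -> str:
    """Run challenge, response, verdict once and return the verdict."""
    auth = Authenticator(auth_secret)
    ident, challenge = auth.new_challenge()
    response = chap_md5_response(ident, peer_secret, challenge)   # step 2, peer side
    return auth.check(ident, response)

def replay_is_rejected(secret: bytes) -> bool:
    """A response recorded for one challenge must fail against the next one."""
    auth = Authenticator(secret)
    ident, challenge = auth.new_challenge()
    old = chap_md5_response(ident, secret, challenge)
    auth.new_challenge()
    return auth.check(ident, old) == "Failure"

if __name__ == "__main__":
    # Sample secrets, constructed for the example.
    print(handshake(b"r2", b"r2"), handshake(b"r2", b"r1"), replay_is_rejected(b"r2"))
```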
Other PPP notes
Loop detection: magic number (checks whether it equals the local magic number)
Multiple port-channel