Frame Relay packet capture analysis
2017-08-27 16:55
# Frame Relay
# Common topologies: hub-and-spoke and full mesh
# VC (virtual circuit): one physical line is divided into several logical lines, which greatly reduces cost
# The DLCI (data link connection identifier) identifies the individual circuits;
# it can be thought of as a layer-2 addressing scheme, used to reach the peer, and is locally significant
# The DLCI is 10 bits (0-1023), so up to 1024 virtual circuits are supported
#   0    - 15    reserved
#   16   - 1007  usable
#   1008 - 1023  reserved

9  35.550726  Inverse ARP  34  Who is 1861? Tell 0000    # computing the DLCI: 1861 corresponds to DLCI 102

Frame 9: 34 bytes on wire (272 bits), 34 bytes captured (272 bits) on interface 0
Frame Relay
    First address octet: 0x18
        0001 10.. = Upper DLCI: 0x06          # the upper 6 bits of the DLCI are 0001 10, taken from octet 0x18
        .... ..0. = CR: Response
        .... ...0 = EA: More Follows
    Second address octet: 0x61, EA            # the lower 4 bits of the DLCI are 0110, taken from octet 0x61; the DLCI field in hex is 0x1861
        0110 .... = Second DLCI: 0x6
        .... 0... = FECN: False
        .... .0.. = BECN: False
        .... ..0. = DE: False
        .... ...1 = EA: Last Octet
    DLCI: 102                                 # the full 10-bit DLCI is 0001 100110, which is 102 in decimal
    Control field: U, func=UI (0x03)
    Padding
    NLPID: SNAP (0x80)
    Organization Code: Encapsulated Ethernet (0x000000)
    Type: ARP (0x0806)
Address Resolution Protocol (inverse request)
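
# Frame Relay frame structure
# Start flag: marks the start of the frame; also called the first address of Frame Relay; one octet.
# LMI DLCI: the DLCI used by Frame Relay LMI signalling. Note that the LMI DLCI is not a DLCI used by a virtual circuit (VC).
#   The LMI DLCI depends on the signalling type: with the cisco LMI type the DLCI is 1023; with the ANSI or ITU (q933a) LMI types the DLCI is 0.
# C/R (Command/Response): this field is usually not used.
# EA: the extended address bit indicates whether the octet containing it is the last frame marker; a value of 1 means this is the last (end) marker.
#   Frame Relay has two frame markers, a start flag and an end flag, and EA appears in both of them,
#   so the EA bit in the start marker in Figure 9 is 0, and in the end marker it is 1.
# FECN: forward explicit congestion notification. When the Frame Relay network is congested,
#   the Frame Relay switch (DCE) sets this field to 1 and sends it to the destination access device (DTE) to signal congestion; a device that receives FECN applies appropriate flow control.
# BECN: backward explicit congestion notification. When the Frame Relay network is congested,
#   the Frame Relay switch (DCE) sets this field to 1 and sends it to the source access device (DTE) to signal congestion; a device that receives BECN reduces its sending rate by about 25%.
# DE: discard eligible. Frames with this field set to 1 are dropped when the network is congested.
#   Note that this bit is normally set by the Frame Relay access device (DTE), and frames marked DE are not dropped immediately; they are only dropped first when the network is congested.
# Data: the upper-layer data encapsulated in the frame.
# End flag: marks the end of the frame; also called the second address of Frame Relay; one octet.
# FCS: used to detect transmission errors.
#
Frame 689: 13 bytes on wire (104 bits), 13 bytes captured (104 bits) on interface 0
Frame Relay
    First address octet: 0x00
        0000 00.. = Upper DLCI: 0x00
        .... ..0. = CR: Response
        .... ...0 = EA: More Follows
    Second address octet: 0x01, EA
        0000 .... = Second DLCI: 0x0
        .... 0... = FECN: False
        .... .0.. = BECN: False
        .... ..0. = DE: False
        .... ...1 = EA: Last Octet
    DLCI: 0
    Control field: U, func=UI (0x03)
        000. 00.. = Command: Unnumbered Information (0x00)
        .... ..11 = Frame type: Unnumbered frame (0x3)

# LMI frame structure:
# Flags: the Frame Relay start and end flags, which mark the beginning and end of the frame.
# Unnumbered information indicator (UII): sets the poll/final bit to 0.
# Protocol identifier (NLPID): indicates that the frame is a Frame Relay LMI frame.
# Call reference (call ref): not currently used; the value is normally 0.
# Message type: one of two values, status enquiry (Enquiry) or status response (Status).
# Information elements: a given number of independent information elements, each with an IE identifier and IE length.
# FCS: frame check sequence, used to verify the data and protect the integrity of the transfer.
# LMI signalling that maintains Frame Relay consists of status enquiries (Enquiry) and status responses (Status), exchanged at a 10-second interval; the Frame Relay switch sends a Status response every 60 seconds.
# The three supported lmi-type values are cisco, ansi and q933a
R1(config-if)#frame-relay lmi-type ?
  cisco
  ansi
  q933a

# Using the ANSI type as an example
Frame 698: 14 bytes on wire (112 bits), 14 bytes captured (112 bits) on interface 0
Frame Relay
Q.933
    Protocol discriminator: Q.933
    Call reference value length: 0
    Message type: STATUS ENQUIRY (0x75)
    .... .101 = Locking shift to codeset: Information elements for national use (5)
    Report type (ANSI)
        Information element: Report type (ANSI)
        Length: 1
        Report type: Full Status (0)
    Keep Alive (ANSI)
        Information element: Keep Alive (ANSI)
        Length: 2
        TX Sequence: 1
        RX Sequence: 0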

# Analysis of the Frame Relay dynamic negotiation (how the DLCI is obtained)
# R1 interface configuration
R1(config-if)#do sh run int s3/1
Building configuration...
Current configuration : 121 bytes
!
interface Serial3/1
 ip address 202.100.123.1 255.255.255.0
 encapsulation frame-relay        # the layer-2 encapsulation is frame-relay
 frame-relay lmi-type ansi        # the LMI type; the default is ansi
end

R1(config-if)#do sh int s3/1
Serial3/1 is up, line protocol is up
  Hardware is M4T
  Internet address is 202.100.123.1/24
  MTU 1500 bytes, BW 1544 Kbit/sec, DLY 20000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation FRAME-RELAY, crc 16, loopback not set    # interface encapsulation: Encapsulation FRAME-RELAY
  Keepalive set (10 sec)
  LMI enq sent 462, LMI stat recvd 424, LMI upd recvd 0, DTE LMI up
  LMI enq recvd 0, LMI stat sent 0, LMI upd sent 0
  LMI DLCI 0 LMI type is ANSI Annex D frame relay DTE segmentation inactive    # interface LMI type: LMI type is ANSI
  FR SVC disabled, LAPF state down
  Broadcast queue 0/64, broadcasts sent/dropped 23/0, interface broadcasts 0
  Last input 00:00:02, output 00:00:02, output hang never
  Last clearing of "show interface" counters 01:17:03

# Once the port is configured for frame-relay, it actively sends three different layer-2 LMI status enquiry packets to the Frame Relay switch to negotiate
# If negotiation succeeds, the Frame Relay switch responds with STATUS
# If negotiation fails, the Frame Relay switch does not respond and the port's line protocol goes down
# After LMI negotiation succeeds, the switch responds with STATUS
262  1393.007120  Q.933  14  STATUS ENQUIRY    # ansi STATUS ENQUIRY
263  1393.007292  Q.933  13  STATUS ENQUIRY    # q933a STATUS ENQUIRY
264  1393.007323  LMI    13  Status Enquiry    # cisco Status Enquiry
265  1393.007605  Q.933  19  STATUS            # the Frame Relay switch responds with type ansi

# The sender sends an ANSI-type STATUS ENQUIRY
Frame 262: 14 bytes on wire (112 bits), 14 bytes captured (112 bits) on interface 0
Frame Relay
    First address octet: 0x00
    Second address octet: 0x01, EA
    DLCI: 0                                   # with the ANSI or ITU (q933a) LMI types, the LMI DLCI is 0
    Control field: U, func=UI (0x03)
Q.933
    Protocol discriminator: Q.933
    Call reference value length: 0
    Message type: STATUS ENQUIRY (0x75)
    .... .101 = Locking shift to codeset: Information elements for national use (5)
    Report type (ANSI)                        # the LMI type is ANSI
        Information element: Report type (ANSI)
        Length: 1
        Report type: Full Status (0)
    Keep Alive (ANSI)
        Information element: Keep Alive (ANSI)
        Length: 2
        TX Sequence: 1                        # the first packet sent for ANSI
        RX Sequence: 0

# The sender sends a q933a-type STATUS ENQUIRY
Frame 263: 13 bytes on wire (104 bits), 13 bytes captured (104 bits) on interface 0
Frame Relay
    First address octet: 0x00
    Second address octet: 0x01, EA
    DLCI: 0                                   # with the ANSI or ITU (q933a) LMI types, the LMI DLCI is 0
    Control field: U, func=UI (0x03)
Q.933
    Protocol discriminator: Q.933
    Call reference value length: 0
    Message type: STATUS ENQUIRY (0x75)
    Report type
        Information element: Report type
        Length: 1
        Report type: Full Status (0)
    Link integrity verification
        Information element: Link integrity verification
        Length: 2
        Data: 0100

# The sender sends a cisco-type Status Enquiry
Frame 264: 13 bytes on wire (104 bits), 13 bytes captured (104 bits) on interface 0
Frame Relay
    First address octet: 0xfc
    Second address octet: 0xf1, EA
    DLCI: 1023                                # with the cisco LMI type, the LMI DLCI is 1023
    Control field: U, func=UI (0x03)
    NLPID: LMI (0x09)
Local Management Interface
    Call reference: 0x00
    Message Type: Status Enquiry (0x75)
    Information Element: Report
        Type: Report (1)
        Length: 1
        Record Type: Full Status (0)
    Information Element: Keep Alive
        Type: Keep Alive (3)
        Length: 2
        Send Seq: 1                           # the first packet sent for cisco
        Recv Seq: 0

# The Frame Relay switch responds with an ANSI STATUS that specifies the VC type and DLCI of the connection, and carries the keep-alive mechanism
Frame 265: 19 bytes on wire (152 bits), 19 bytes captured (152 bits) on interface 0
Frame Relay
    First address octet: 0x00
    Second address octet: 0x01, EA
    DLCI: 0
    Control field: U, func=UI (0x03)
Q.933
    Protocol discriminator: Q.933
    Call reference value length: 0
    Message type: STATUS (0x7d)
    .... .101 = Locking shift to codeset: Information elements for national use (5)
    Report type (ANSI)
        Information element: Report type (ANSI)
        Length: 1
        Report type: Full Status (0)
    Keep Alive (ANSI)                         # the ANSI keep-alive mechanism
        Information element: Keep Alive (ANSI)
        Length: 2
        TX Sequence: 1
        RX Sequence: 1
    PVC Status (ANSI)                         # the switch reports the VC type as PVC and assigns link DLCI 301
        Information element: PVC Status (ANSI)
        Length: 3
        DLCI: 301                             # the DLCI is 301
        .... 0.1. = Status: Unknown (1)

# If LMI negotiation fails, the Frame Relay switch does not respond and the port's line protocol goes down
R3(config-if)#fram lmi-type cisco
*Aug 27 13:39:29.557: %LINK-5-CHANGED: Interface Serial3/3, changed state to administratively down
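
The negotiation above, followed in code: an added example (not from the original post) that classifies an LMI frame as cisco, ansi or q933a from its DLCI, the octet after the control field and the ANSI locking shift, then reads the DLCI the switch reports in PVC Status. The frames are constructed from the dissected field values; the function names are hypothetical, and the 0x08, 0x95 and IE identifier bytes and the PVC Status bit layout are assumptions taken from the LMI specifications, not shown on the page.

```python
# Added example. Frames are constructed from the dissected fields, not capture bytes.
PD_Q933, NLPID_CISCO_LMI, LOCKING_SHIFT_5 = 0x08, 0x09, 0x95
MESSAGES = {0x75: "STATUS ENQUIRY", 0x7D: "STATUS"}
PVC_STATUS_IE = {"ansi": 0x07, "q933a": 0x57}   # assumed from the specs; Cisco PVC IE not decoded

def dlci(addr: bytes) -> int:
    """10-bit DLCI: upper 6 bits of octet 1 plus upper 4 bits of octet 2."""
    return ((addr[0] >> 2) << 4) | (addr[1] >> 4)

def parse_lmi(frame: bytes):
    """Return (lmi_type, message, [(pvc_dlci, active)]) or None if not LMI."""
    if len(frame) < 6 or frame[2] != 0x03:           # control field must be UI
        return None
    channel, proto, pos = dlci(frame), frame[3], 6
    if channel == 1023 and proto == NLPID_CISCO_LMI:
        lmi_type = "cisco"
    elif channel == 0 and proto == PD_Q933:
        ansi = len(frame) > 6 and frame[6] == LOCKING_SHIFT_5
        lmi_type, pos = ("ansi", 7) if ansi else ("q933a", 6)
    else:
        return None
    pvcs = []
    while pos < len(frame):                          # walk the id/length/value elements
        if pos + 2 > len(frame) or pos + 2 + frame[pos + 1] > len(frame):
            raise ValueError("truncated information element")
        ie_id, value = frame[pos], frame[pos + 2:pos + 2 + frame[pos + 1]]
        if ie_id == PVC_STATUS_IE.get(lmi_type) and len(value) >= 3:
            pvc = ((value[0] & 0x3F) << 4) | ((value[1] & 0x78) >> 3)
            pvcs.append((pvc, bool(value[2] & 0x02)))    # 0x02 = active bit
        pos += 2 + len(value)
    return lmi_type, MESSAGES.get(frame[5], "unknown"), pvcs

# Constructed equivalents of frames 262-265 (14, 13, 13 and 19 bytes).
ANSI_ENQ = bytes.fromhex("0001030800759501010003020100")
Q933A_ENQ = bytes.fromhex("00010308007551010053020100")
CISCO_ENQ = bytes.fromhex("fcf10309007501010003020100")
ANSI_STATUS = bytes.fromhex("00010308007d9501010003020101070312e882")

if __name__ == "__main__":
    for f in (ANSI_ENQ, Q933A_ENQ, CISCO_ENQ, ANSI_STATUS):
        print(len(f), parse_lmi(f))
```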

# Frame Relay is an NBMA technology (non-broadcast multiple access)
# It does not support broadcast or multicast; multiple connections can be established without layer-3 technology
# Inverse ARP is used to look up the DLCI for an IP, dynamically mapping a layer-3 IP address to a layer-2 DLCI.
# Frame Relay Inverse ARP resolution is very similar to ARP in a LAN: LAN ARP knows the target IP address and resolves the target's MAC address,
# whereas with Frame Relay Inverse ARP the router takes a known layer-2 address (the local DLCI) and maps it to the layer-3 IP address of the remote device.
# Inverse ARP is an extension of the original ARP protocol.
# request frame structure
#   hrd - 0x000F the value assigned to Frame Relay
#   pro - protocol type for which you are searching
#         (i.e. IP = 0x0800)
#   hln - 2,3, or 4 byte addressing length
#   pln - byte length of protocol address for which you
#         are searching (for IP = 4)
#   op  - 8; InARP request
#   sha - Q.922 [6] address of requesting station
#   spa - protocol address of requesting station
#   tha - Q.922 address of newly announced virtual circuit
#   tpa - 0; This is what is being requested
# response frame structure
#   hrd - 0x000F the value assigned to Frame Relay
#   pro - protocol type for which you are searching
#         (i.e. IP = 0x0800)
#   hln - 2,3, or 4 byte addressing length
#   pln - byte length of protocol address for which you
#         are searching (for IP = 4)
#   op  - 9; InARP response
#   sha - Q.922 address of responding station
#   spa - protocol address requested
#   tha - Q.922 address of requesting station
#   tpa - protocol address of requesting station

# After LMI negotiation succeeds, an InARP request is sent every 60 seconds, with the target IP address filled with 0.0.0.0
Frame 1005: 34 bytes on wire (272 bits), 34 bytes captured (272 bits) on interface 0
Frame Relay
    First address octet: 0x48
        0100 10.. = Upper DLCI: 0x12
        .... ..0. = CR: Response
        .... ...0 = EA: More Follows
    Second address octet: 0xd1, EA
        1101 .... = Second DLCI: 0xd
        .... 0... = FECN: False
        .... .0.. = BECN: False
        .... ..0. = DE: False
        .... ...1 = EA: Last Octet
    DLCI: 301                                 # the sender's DLCI is 301
    Control field: U, func=UI (0x03)
        000. 00.. = Command: Unnumbered Information (0x00)
        .... ..11 = Frame type: Unnumbered frame (0x3)
    Padding
    NLPID: SNAP (0x80)
    Organization Code: Encapsulated Ethernet (0x000000)
    Type: ARP (0x0806)
Address Resolution Protocol (inverse request)
    Hardware type: Frame Relay DLCI (15)
    Protocol type: IPv4 (0x0800)
    Hardware size: 2
    Protocol size: 4
    Opcode: inverse request (8)
    Sender hardware address: 0000
    Sender IP address: 202.100.123.1          # the sender's IP is 202.100.123.1
    Target hardware address: 1871             # DLCI of the device asked to respond: 103 corresponds to 0x1871, 00011000 (first 6 bits) 01110001 (first 4 bits), i.e. binary 0001100111, which is DLCI 103
    Target IP address: 0.0.0.0                # the IP address of the device at DLCI 103 is being requested, shown as 0.0.0.0

# Inverse ARP negotiation
# InARP works in essentially the same way as ARP; the main difference is that InARP does not need to broadcast the request, because the target hardware address (DLCI) is already known
# The sender R1 sends an InARP request according to the target DLCI, including the sender's DLCI and IP
Frame 53: 34 bytes on wire (272 bits), 34 bytes captured (272 bits) on interface 0
Frame Relay
    First address octet: 0x18
    Second address octet: 0x71, EA
    DLCI: 103
    Control field: U, func=UI (0x03)
    Padding
    NLPID: SNAP (0x80)
    Organization Code: Encapsulated Ethernet (0x000000)
    Type: ARP (0x0806)
Address Resolution Protocol (inverse request)
    Hardware type: Frame Relay DLCI (15)
    Protocol type: IPv4 (0x0800)
    Hardware size: 2
    Protocol size: 4
    Opcode: inverse request (8)
    Sender hardware address: 0000
    Sender IP address: 202.100.123.3
    Target hardware address: 48d1
    Target IP address: 0.0.0.0

# The receiver R3 receives the InARP request and creates a map entry for the sender
Frame 57: 34 bytes on wire (272 bits), 34 bytes captured (272 bits) on interface 0
Frame Relay
    First address octet: 0x48
    Second address octet: 0xd1, EA
    DLCI: 301
    Control field: U, func=UI (0x03)
    Padding
    NLPID: SNAP (0x80)
    Organization Code: Encapsulated Ethernet (0x000000)
    Type: ARP (0x0806)
Address Resolution Protocol (inverse request)
    Hardware type: Frame Relay DLCI (15)
    Protocol type: IPv4 (0x0800)
    Hardware size: 2
    Protocol size: 4
    Opcode: inverse request (8)
    Sender hardware address: 0000
    Sender IP address: 202.100.123.3
    Target hardware address: 48d1
    Target IP address: 0.0.0.0

# The receiver R3 sends an InARP reply according to the target IP address, and encapsulates R1's IP address in it
Frame 58: 34 bytes on wire (272 bits), 34 bytes captured (272 bits) on interface 0
Frame Relay
    First address octet: 0x48
    Second address octet: 0xd1, EA
    DLCI: 301
    Control field: U, func=UI (0x03)
    Padding
    NLPID: SNAP (0x80)
    Organization Code: Encapsulated Ethernet (0x000000)
    Type: ARP (0x0806)
Address Resolution Protocol (inverse reply)
    Hardware type: Frame Relay DLCI (15)
    Protocol type: IPv4 (0x0800)
    Hardware size: 2
    Protocol size: 4
    Opcode: inverse reply (9)
    Sender hardware address: 0000
    Sender IP address: 202.100.123.1
    Target hardware address: 48d1
    Target IP address: 202.100.123.3

# The sender R1 receives the InARP reply and creates its map entry
Frame 54: 34 bytes on wire (272 bits), 34 bytes captured (272 bits) on interface 0
Frame Relay
    First address octet: 0x18
    Second address octet: 0x71, EA
    DLCI: 103
    Control field: U, func=UI (0x03)
    Padding
    NLPID: SNAP (0x80)
    Organization Code: Encapsulated Ethernet (0x000000)
    Type: ARP (0x0806)
Address Resolution Protocol (inverse reply)
    Hardware type: Frame Relay DLCI (15)
    Protocol type: IPv4 (0x0800)
    Hardware size: 2
    Protocol size: 4
    Opcode: inverse reply (9)
    Sender hardware address: 0000
    Sender IP address: 202.100.123.1
    Target hardware address: 48d1
    Target IP address: 202.100.123.3
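
The DLCI arithmetic and the InARP exchange above, as an added example that is not part of the original post: it decodes the two-octet Q.922 address, parses the InARP body using the field list given earlier, and records the DLCI-to-IP entry a receiver would add to its map table. The frames are constructed from the dissected field values of frames 1005 and 54 (30 bytes, without whatever trailing bytes the 34-byte captures carried); the function names, and the choice to key the map on the DLCI in the frame header, are assumptions of this example.

```python
# Added example. Frames are constructed from the dissected field values, not capture bytes.
import ipaddress
import struct

SNAP_ARP = bytes.fromhex("0300800000000806")   # UI, padding, NLPID SNAP, OUI 000000, type ARP

def q922_address(addr: bytes) -> dict:
    """Decode a two-octet Q.922 address: DLCI plus C/R, FECN, BECN, DE."""
    if len(addr) != 2 or addr[0] & 0x01 or not addr[1] & 0x01:
        raise ValueError("expected EA=0 in octet 1 and EA=1 in octet 2")
    return {"dlci": ((addr[0] >> 2) << 4) | (addr[1] >> 4),
            "cr": bool(addr[0] & 0x02), "fecn": bool(addr[1] & 0x08),
            "becn": bool(addr[1] & 0x04), "de": bool(addr[1] & 0x02)}

def parse_inarp(frame: bytes) -> dict:
    """Parse an IPv4 InARP request/reply carried in a Frame Relay SNAP frame."""
    if len(frame) < 30 or frame[2:10] != SNAP_ARP:
        raise ValueError("not a SNAP-encapsulated ARP frame")
    hrd, pro, hln, pln, op = struct.unpack("!HHBBH", frame[10:18])
    if (hrd, pro, hln, pln) != (0x000F, 0x0800, 2, 4) or op not in (8, 9):
        raise ValueError("not an IPv4 InARP message with 2-byte Q.922 addresses")
    _sha, spa, tha, tpa = struct.unpack("!2s4s2s4s", frame[18:30])
    return {"vc": q922_address(frame[:2])["dlci"],
            "op": "request" if op == 8 else "reply",
            "spa": str(ipaddress.IPv4Address(spa)),
            "tha_dlci": q922_address(tha)["dlci"],
            "tpa": str(ipaddress.IPv4Address(tpa))}

def learn(fr_map: dict, frame: bytes) -> dict:
    """Record header DLCI -> sender IP, the entry a receiver adds (assumed keying)."""
    msg = parse_inarp(frame)
    fr_map[msg["vc"]] = msg["spa"]
    return fr_map

REQUEST = bytes.fromhex("48d1" "0300800000000806" "000f080002040008"
                        "0000" "ca647b01" "1871" "00000000")   # fields of frame 1005
REPLY = bytes.fromhex("1871" "0300800000000806" "000f080002040009"
                      "0000" "ca647b01" "48d1" "ca647b03")     # fields of frame 54

if __name__ == "__main__":
    print(q922_address(bytes.fromhex("1861")))   # the "Who is 1861?" address from frame 9
    print(parse_inarp(REQUEST))
    print(learn({}, REPLY))
```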