Wireshark packet capture: message information

Use wires hark Grab the bag

• Color rules ：

black ： Message error （TCP Parse error 、 Retransmission 、 Disorder 、 Packet loss 、 Repeat response ）

TCP dup ack： Repeat the response 
TCP Retransmission：TCP Retransmission ,TCP There is a timeout retransmission mechanism 
TCP Otu-of-Order： Disorder , Network congestion leads to different packet arrival times , Time extension , Resulting in packet loss 

Reference resources ：https://my.oschina.net/hex2016/blog/833097

TCP Previous segment not captured： The previous paragraph did not capture , The loss of 
TCP Dup ACK：TCP Repeat the response ,# The front indicates the missing serial number , The following indicates the number of times lost 
TCP Retransmission：TCP Retransmission 
TCP ACKed unseen segment： The message is incomplete , This message is ACK message 
TCP ZeroWindow And TCP Window Full：
TCP ZeroWindow： Tell them , The size of my receiving window , That is, tell the other party not to send data when it appears 
TCP Window Full： When the data to be sent is 0, appear Full, It means that I can't send data anymore 

Reference resources ：https://www.cnblogs.com/nzbbody/p/8622497.html

HSRP State Change：HSRP（ Hot backup protocol ）, Indicates that the status is not active and standby
Spanning Tree Topology Change： The spanning tree protocol status is 0x80, Topology changes 
OSPF State Chang：OSPF Of msg The type is not hello
ICMP errors：ICMP Protocol error , agreement type Field value error 

Red ： All kinds of abnormalities

TCP RST：TCP Flow quilt RESET, Reasons for appearance ：1、 Port not open 2、 request timeout 3、 Close connection in advance 4、 In a closed socket Collect data . disconnect , When the remote server tries to open the link but there is no result , Will also be the first intention RST The signal , This is the case that the firewall blocks the connection , Every SYN All return to one RST

Reference resources ：
https://blog.csdn.net/pj1258/article/details/17009517?utm_source=app&app_version=4.14.0&code=app_1562916241&uLinkId=usr1mkqgl919blen

SCTP ABORT： Stream control protocol chunk_type by ABORT
TTL low or unexpected：TTL abnormal 
Checksum Errors： All kinds of conditions checksum abnormal , stay PC When capturing packets, some settings of the network card often make Wireskark Show this error 

other ： normal

SMB：Server Message Block Class protocol 
IPX： Internet Packet Exchange Protocol 
TCP SYN/FIN：TCP Start and close of connection 
TCP/ARP/ICMP/UDP/HTTP/Routing/Broadcast：TCP/ARP/ICMP/UDP/HTTP/ Routing protocol / Broadcast data 

adopt TCP Three handshakes ：SYN-SYN ACK-ACK, Establishing a connection
To grab 443 For example （ encryption , The port is not necessarily 443）：
First ：DNS request

DNS request ：

DNS response：

Client initiated TCP Three handshakes ：

for the first time ：SYN=1,ACK=0, port 61020–443

The second time ：SYN=1,ACK=0+1, port 443-61020, Confirm the serial number = Serial number +1

third time ：ACK=1, port 61020–443

Client send out hello package ：

Random： Randomly generated numbers , Used to generate the final key
Session ID： Session identifier
Cipher　Suites： Encryption suite ,
Compression　Merhods： Compression method
Server hello：

The server also generates a random number and sends it to the client , Both sides have two random numbers at the same time
Server returns Certificate , After the client receives it, it can distinguish the authenticity according to the certificate chain , There is a public key in the server , Used to encrypt the generated later Prenaster secret（ session key ）
Secure connection establishment , send data ：Application Data
TLS Transmission process ：

①-④： handshake phase
⑤： After shaking hands, both parties use the negotiated key to communicate
② There are multiple types in , Because it is a multi handshake message , Send multiple handshake protocol packets at one time
SNI：TLS An extension of , It is used to solve the problem that a server has multiple domain names
TLS The handshake information does not carry the target address that the client wants to access , If a server uses multiple virtual hosts , And the domain name is different , Using a different certificate ,TLS Use add host To identify which virtual host to access , In the first stage of handshake ClientHello Add
SNI Contained in the Server NAME, namely Host Content

WireShark Error analysis can refer to ：

https://blog.csdn.net/qq_43148894/article/details/125638706?spm=1001.2014.3001.5501