I am trying to generate a sequence of packets to simulate the TCP 3-way handshake. My first step was to capture the packets of a real connection and try to resend the same packets from the same machine, but it didn't work at first.
In the end I found that the packets I captured with tcpdump were not the ones actually sent out by my computer: the TCP checksum field had been changed, which made me think I could establish a TCP connection even with an incorrect TCP checksum.
So my question is: how is the checksum field calculated? Is it modified by tcpdump or by the hardware? Why was it changed? Is this a tcpdump bug, or is the calculation simply omitted?
Below are screenshots I captured on the host and on the virtual machine; you can see that the same packets captured on different machines are identical except for the TCP checksum.
The small window is my virtual machine; I generated these packets from the host with the command "ssh 10.82.25.138".
Best answer
What you are seeing is probably the result of checksum offloading. Quoting the Wireshark wiki (http://wiki.wireshark.org/CaptureSetup/Offloading):
Most modern operating systems support some form of network offloading, where some network processing happens on the NIC instead of the CPU. Normally this is a great thing. It can free up resources on the rest of the system and let it handle more connections. If you're trying to capture traffic it can result in false errors and strange or even missing traffic.
On systems that support checksum offloading, IP, TCP, and UDP checksums are calculated on the NIC just before they're transmitted on the wire. In Wireshark these show up as outgoing packets marked black with red Text and the note [incorrect, should be xxxx (maybe caused by "TCP checksum offload"?)].
Wireshark captures packets before they are sent to the network adapter. It won't see the correct checksum because it has not been calculated yet. Even worse, most OSes don't bother to initialize this data so you're probably seeing little chunks of memory that you shouldn't.
Although this is written for Wireshark, the same principle applies. On your host you saw an incorrect checksum because it had not yet been filled in. It looks correct on the guest because it was filled in before it went out over the "wire". Try disabling checksum offloading on the interface that handles this traffic, e.g.:
ethtool -K eth0 rx off tx off
if the interface is eth0.
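To see concretely what the NIC fills in and why the host-side capture looks wrong, here is an added example (not code from the original question or answer) that computes the IPv4 TCP checksum the way RFC 793/1071 define it: a one's-complement sum over the pseudo-header (source, destination, zero, protocol 6, TCP length) plus the TCP header and payload, with the checksum field itself zeroed. The sample SYN, the source address 10.82.25.1 and the source port are constructed for the example; only the guest address 10.82.25.138 comes from the question. `check_segment` gives the same verdict Wireshark prints, so the same logic can be used to validate a capture or to repair the checksum of a segment before replaying it.

```python
import socket
import struct


def internet_checksum_sum(data: bytes) -> int:
    """RFC 1071 one's-complement sum of 16-bit big-endian words, carries folded back in."""
    if len(data) % 2:
        data += b"\x00"  # an odd trailing byte is padded with zero for the sum only
    total = 0
    for i in range(0, len(data), 2):
        total += (data[i] << 8) | data[i + 1]
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def tcp_checksum(src_ip: str, dst_ip: str, segment: bytes) -> int:
    """Value the kernel or NIC must put in bytes 16..17 of an IPv4 TCP segment.

    Covers the 12-byte pseudo-header (src, dst, zero, protocol 6, TCP length)
    plus the TCP header and payload, with the checksum field taken as zero.
    """
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, socket.IPPROTO_TCP, len(segment)))
    zeroed = segment[:16] + b"\x00\x00" + segment[18:]
    return (~internet_checksum_sum(pseudo + zeroed)) & 0xFFFF


def fill_checksum(src_ip: str, dst_ip: str, segment: bytes) -> bytes:
    """What the NIC does on transmit with offload enabled (and what a replay tool must do)."""
    return segment[:16] + struct.pack("!H", tcp_checksum(src_ip, dst_ip, segment)) + segment[18:]


def check_segment(src_ip: str, dst_ip: str, segment: bytes) -> str:
    """Reproduce Wireshark's verdict on a captured segment."""
    stored = struct.unpack("!H", segment[16:18])[0]
    expected = tcp_checksum(src_ip, dst_ip, segment)
    if stored == expected:
        return "correct"
    return f"incorrect, should be 0x{expected:04x} (maybe caused by TCP checksum offload?)"


def build_syn(src_port: int, dst_port: int, seq: int, window: int, checksum: int = 0) -> bytes:
    """20-byte TCP header: data offset 5, SYN flag only, no options."""
    return struct.pack("!HHIIBBHHH", src_port, dst_port, seq, 0, 5 << 4, 0x02, window, checksum, 0)


# Constructed sample: a SYN to the ssh port as it appears in the host's tcpdump
# capture before the NIC has computed the checksum (field still 0x0000 here).
SRC_IP, DST_IP = "10.82.25.1", "10.82.25.138"  # 10.82.25.1 is an assumed host address
HOST_CAPTURE = build_syn(40000, 22, 0, 65535)
WIRE_SEGMENT = fill_checksum(SRC_IP, DST_IP, HOST_CAPTURE)

if __name__ == "__main__":
    print("host capture:", check_segment(SRC_IP, DST_IP, HOST_CAPTURE))
    print("on the wire :", check_segment(SRC_IP, DST_IP, WIRE_SEGMENT))
```

The host capture is reported as incorrect because the offloaded field is still a placeholder, while the guest-side copy of the same segment, which passed through the NIC, verifies as correct; with `ethtool -K ... tx off` the kernel computes the field itself and the host capture verifies too.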
Regarding "linux - how is the TCP checksum calculated when packets captured with tcpdump are sent out", we found a similar question on Stack Overflow: https://stackoverflow.com/questions/15538786/