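A Brief Packet-Capture Analysis of IP Fragmentation
IP Fragmentation
Sending 1472 bytes
- ICMP header 8 + IP header 20 + data 1472 = 1500 (the maximum MTU), so the IP packet is not fragmented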
# Send ping
[root@localhost ~]# ping -c 10 -s 1472 192.168.0.10
PING 192.168.0.10 (192.168.0.10) 1472(1500) bytes of data.
1480 bytes from 192.168.0.10: icmp_seq=1 ttl=64 time=0.133 ms
1480 bytes from 192.168.0.10: icmp_seq=2 ttl=64 time=0.060 ms
1480 bytes from 192.168.0.10: icmp_seq=3 ttl=64 time=0.074 ms
1480 bytes from 192.168.0.10: icmp_seq=4 ttl=64 time=0.045 ms
1480 bytes from 192.168.0.10: icmp_seq=5 ttl=64 time=0.056 ms
1480 bytes from 192.168.0.10: icmp_seq=6 ttl=64 time=0.069 ms
1480 bytes from 192.168.0.10: icmp_seq=7 ttl=64 time=0.068 ms
1480 bytes from 192.168.0.10: icmp_seq=8 ttl=64 time=0.160 ms
1480 bytes from 192.168.0.10: icmp_seq=9 ttl=64 time=0.064 ms
1480 bytes from 192.168.0.10: icmp_seq=10 ttl=64 time=0.064 ms
As shown, no fragmentation occurs in this case.
Sending 5000 bytes
# Send ping packets
[root@localhost ~]# ping -c 5 -s 5000 10.70.2.1
PING 10.70.2.1 (10.70.2.1) 5000(5028) bytes of data.
5008 bytes from 10.70.2.1: icmp_seq=1 ttl=128 time=6.47 ms
5008 bytes from 10.70.2.1: icmp_seq=2 ttl=128 time=2.14 ms
5008 bytes from 10.70.2.1: icmp_seq=3 ttl=128 time=2.35 ms
5008 bytes from 10.70.2.1: icmp_seq=4 ttl=128 time=9.83 ms
5008 bytes from 10.70.2.1: icmp_seq=5 ttl=128 time=2.97 ms
--- 10.70.2.1 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4007ms
rtt min/avg/max/mdev = 2.142/4.757/9.837/2.985 ms
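Notes:
- Fragments with the same Identification (10037) belong to the same IP packet
- offset=0 marks the first fragment. The last fragment has offset = 1480 (pure data) + 1480 (pure data) + 1480 (pure data) = 4440. This value means that 3*1480 bytes of data have already been sent and 560 bytes of data remain to be sent; when the last packet is then built, 560 + 8 (ICMP) + 20 (IP header) + 16 (MAC layer) = 604 is the total packet size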
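
The offset arithmetic from the notes above, as an added Python example that is not part of the original page. `fragment_plan` and `is_complete` are hypothetical helper names, and the code assumes a 1500-byte MTU and a 20-byte IPv4 header without options; `is_complete` is the contiguity check one would apply to a captured fragment set before trusting the reassembled packet.

```python
# Added example (not from the original page): plan the IPv4 fragments of one ping.
IP_HDR = 20    # IPv4 header without options, as counted on the page
ICMP_HDR = 8   # ICMP echo header, as counted on the page

def fragment_plan(icmp_data_len, mtu=1500):
    """Return one dict per fragment for `ping -s icmp_data_len` (hypothetical helper)."""
    total = ICMP_HDR + icmp_data_len           # IP payload that must be carried
    # Every fragment except the last carries a multiple of 8 bytes,
    # because the header stores the offset in 8-byte units.
    per_frag = (mtu - IP_HDR) // 8 * 8
    frags, offset = [], 0
    while offset < total:
        size = min(per_frag, total - offset)
        frags.append({
            "offset": offset,                   # byte offset, as in the notes above
            "offset_field": offset // 8,        # value stored in the 13-bit header field
            "payload": size,                    # IP payload bytes in this fragment
            "ip_total_len": size + IP_HDR,      # IP header + payload
            "mf": offset + size < total,        # More Fragments flag
        })
        offset += size
    return frags

def is_complete(frags):
    """True if fragments are contiguous from 0, do not overlap, and only the last clears MF."""
    if not frags:
        return False
    expected = 0
    ordered = sorted(frags, key=lambda f: f["offset"])
    for i, f in enumerate(ordered):
        last = i == len(ordered) - 1
        # A gap, an overlap, or a wrong MF flag all make the set unusable.
        if f["offset"] != expected or f["mf"] == last:
            return False
        expected += f["payload"]
    return True

if __name__ == "__main__":
    for n in (1472, 5000):                     # the two ping sizes used on the page
        print(f"ping -s {n}")
        for f in fragment_plan(n):
            print("  ", f)
```

For `-s 5000` the last fragment has an IP total length of 588 bytes; adding the 16 link-layer bytes counted on the page gives the 604-byte total.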