TCP是我们实际工作中最常用到的传输层协议,同时TCP协议的配置选项比较多,配置选项勾选的差异,会直接导致我们看到wireshark数据包的显示的效果,本文章意在详细解释一下TCP协议的配置选项的每个参数的含义和作用。
1,TCP配置首选项
- 编辑>>配置首选项>>protocols或者ctrl+shift+P>>protocols,找到tcp协议配置部分
2,tcp协议配置参数
上面截图实际和下面配置文件参数名一 一对应。
# Whether the TCP summary line should be shown in the protocol tree
# TRUE or FALSE (case-insensitive)
#tcp.summary_in_tree: TRUE
#tcp概要信息行是否显示在协议树种,这个配置选项通常勾选。
# Whether to validate the TCP checksum or not. (Invalid checksums will cause reassembly, if enabled, to fail.)
# TRUE or FALSE (case-insensitive)
#tcp.check_checksum: FALSE
#tcp层是否做checksum校验
# Whether subdissector can request TCP streams to be reassembled
# TRUE or FALSE (case-insensitive)
#tcp.desegment_tcp_streams: TRUE
#控制tcp流中分片的数据包wireshark的子解析器是否进行重组,如果配置成开启,
wireshark会尝试对分片的tcp流进行重新组装,这样可以看到完整的信息。如果不勾选可能
会看到wireshark的提示报错信息“[BoundError Unreassembled Packet: HTTP2]”
# Whether out-of-order segments should be buffered and reordered before passing it to a subdissector. To use this option you must also enable "Allow subdissector to reassemble TCP streams".
# TRUE or FALSE (case-insensitive)
tcp.reassemble_out_of_order: TRUE
#对于乱序的分片,在wireshark 子解析器中是否进行缓存并进行重新排序,该选项与tcp.desegment_tcp_streams参数
配合使用,如果不开启这个参数,对于乱序的tcp分片将无法进行重组。
# Make the TCP dissector analyze TCP sequence numbers to find and flag segment retransmissions, missing segments and RTT
# TRUE or FALSE (case-insensitive)
tcp.analyze_sequence_numbers: FALSE
#是否让wireshark tcp解析器去分析tcp序列号,找出并标记重传分片,丢失分片以及RTT时间。tcp序列号是tcp协议最重
要的机制,也是tcp协议最复杂的机制,其他好多参数功能都依托tcp序列号的分析。开启后可能看到数据包以下子变成
了一片红,所以如果不分析重传,丢包等技术问题,可以选择关闭。关闭后与之相关的参数功能也相当于关闭。
相关参数功能:
tcp.relative_sequence_numbers
tcp.track_bytes_in_flight
实际对tcp.desegment_tcp_streams参数也有一定影响,后面举例3中可以看到具体的影响。
# Make the TCP dissector use relative sequence numbers instead of absolute ones. To use this option you must also enable "Analyze TCP sequence numbers".
# TRUE or FALSE (case-insensitive)
#tcp.relative_sequence_numbers: TRUE
#开启此参数,tcp解析器用tcp相对序列号代替绝对序列号,绝对序列号是真是的序列号,比较大。相对序列号,从1开始,详细影响看举例4.记得这个参数依托于tcp序号分析,如果不开tcp序号分析,这个参数开启也没有实际意义。
# Make the TCP dissector use this scaling factor for streams where the signalled scaling factor is not visible in the capture
# One of: Not known, 0 (no scaling), 1 (multiply by 2), 2 (multiply by 4), 3 (multiply by 8), 4 (multiply by 16), 5 (multiply by 32), 6 (multiply by 64), 7 (multiply by 128), 8 (multiply by 256), 9 (multiply by 512), 10 (multiply by 1024), 11 (multiply by 2048), 12 (multiply by 4096), 13 (multiply by 8192), 14 (multiply by 16384)
# (case-insensitive).
tcp.default_window_scaling: 14 (multiply by 16384)
#如果抓包滑动窗口不可见,使用默认的滑动窗口,该配置一般不进行更改,保持勾选即可。
# Make the TCP dissector track the number on un-ACKed bytes of data are in flight per packet. To use this option you must also enable "Analyze TCP sequence numbers". This takes a lot of memory but allows you to track how much data are in flight at a time and graphing it in io-graphs
# TRUE or FALSE (case-insensitive)
#tcp.track_bytes_in_flight: TRUE
#tcp解析器是否track未确认数据bytes的数量,该参数也依托于tcp序号分析,该参数也不常用,一般保持默认。
# Evaluate BiF on actual sequence numbers or use the historical method based on payloads (default). This option has no effect if not used with "Track number of bytes in flight".
# TRUE or FALSE (case-insensitive)
#tcp.bif_seq_based: FALSE
#和上面tcp.track_bytes_in_flight配合使用
# Calculate timestamps relative to the first frame and the previous frame in the tcp conversation
# TRUE or FALSE (case-insensitive)
#tcp.calculate_timestamps: TRUE
#是否计算数据帧相对第一个和前一个数据帧的时间间隔,对分析时延可能有意义。
# Try to decode a packet using an heuristic sub-dissector before using a sub-dissector registered to a specific port
# TRUE or FALSE (case-insensitive)
tcp.try_heuristic_first: TRUE
#使用heuristic子解析器解码数据包在使用使用子解析器注册特定端口之前,暂时没了解此配置的实际意义。
# Do not place the TCP Timestamps in the summary line
# TRUE or FALSE (case-insensitive)
#tcp.ignore_tcp_timestamps: FALSE
#在summary中忽略 Timestamps行,暂时没发现实际使用意义。
# When interpreting ambiguous packets, give precedence to Fast Retransmission or OOO
# TRUE or FALSE (case-insensitive)
#tcp.fastrt_supersedes_ooo: TRUE
#解析不明确的数据包时,优先使用快速重传或者乱序重传。
# Do not call any subdissectors for Retransmitted or OutOfOrder segments
# TRUE or FALSE (case-insensitive)
#tcp.no_subdissector_on_error: TRUE
#不调用任何子解析器for 重传和乱序分片
# Assume TCP Experimental Options (253, 254) have a Magic Number and use it for dissection
# TRUE or FALSE (case-insensitive)
#tcp.dissect_experimental_options_with_magic: TRUE
# Collect and store process information retrieved from IPFIX dissector
# TRUE or FALSE (case-insensitive)
#tcp.display_process_info_from_ipfix: FALSE
3,tcp协议参数配置选项影响举例
1,分片重组举例
tcp.desegment_tcp_streams true+tcp.reassemble_out_of_order ture
分片即使存在乱序,分片依然可以被重组。
tcp.desegment_tcp_streams true+tcp.reassemble_out_of_order false
分片存在乱序,分片无法被重组。
2,tcp序列号分析举例
analyze_sequence_numbers: FALSE
false时不会显示乱序,重传,丢包等信息
analyze_sequence_numbers: true
true时会看到一片红,不过如果需要分析乱序,丢包和重传时还是需要打开的。
3,tcp序号分析对分片重组影响举例
tcp.desegment_tcp_streams true+tcp.reassemble_out_of_order ture+analyze_sequence_numbers: true
重组比较完全,将全部接收的20个包含乱序分片进行了重组。
tcp.desegment_tcp_streams true+tcp.reassemble_out_of_order ture+analyze_sequence_numbers: false
进行了2次不完全重组,实际无法看到完整的全局分片内容,如果要查看分片重组内容时,可以尝试将tcp序号分析打开,否则即使开启了分片重组相关的2个参数,也无法获取到完整的重组内容。
4,相对和绝对序列号参数举例
tcp.relative_sequence_numbers: false
tcp序列号比较大,不利于做数据包乱序,丢包,重传的分析。
tcp.relative_sequence_numbers: TRUE+analyze_sequence_numbers: true
序列号从1开始,分析乱序,重传,丢包看着较为友好。
