|
广播报文在以太网中应用浅析 江西电信遂川分企业 袁良忠
目录
图表目录
摘要:本文通过实验抓捕报文的方式,模拟常见的网络应用,浅析在以太网通信过程中广播报文的作用、特性。从底层了解数据报文的交互过程及数据报的流动,从表面现象剖析内层的原理本质。从而清晰了解链路层的工作模式原理,为大家排障故障提供参考帮助。 关键字交换机原理 广播报文 广播域 Flood 广播风暴 PING PPPOE wireshark
前言 什么是广播报文,广播报文在大家的通信中究竟起到什么作用呢?什么时候会产生广播报文呢?广播给网络带来什么危害?有什么手段解决?带着这些问题,大家以常见网络用途和使用方式,以抓包的方式,向大家呈现一个底层数据报文的通信过程,来一一解答这些问题。 通过了解广播报文的特性与作用后,在日常设备维护过程中,充分发挥报文的作用,避免报文引发的故障,提升网络服务水平。
第1章 原理篇1.1 以太网交换机的工作原理·交换机根据收到数据帧中的源MAC地址建立该地址同交换机端口的映射,并将其写入MAC地址表中。 ·交换机将数据帧中的目的MAC地址同已建立的MAC地址表进行比较,以决定由哪个端口进行转发。 ·如数据帧中的目的MAC地址不在MAC地址表中,则向所有端口转发。这一过程称之为泛洪(flood)。 ·广播帧和组播帧向所有的端口转发。 1.2 什么是广播报文?什么是广播域?什么是广播报文? 广播报文简单地定义为当交换机收到某些特征报文时,交换机把这些报文转发给除发送端口外的其它所有端口,通常特征就是数据帧中目的MAC地址为全1的报文(思考:广播报文是不是目的MAC一定是全1呢?),就像老师(报文发送者)在教室中(交换机的区域中,即广播域)中大声说,”同学们,下课了”(广播报文),在座的所有同学都听的到了(这就是广播)。 广播域就是网络中能接收任何一设备发出的广播帧的所有设备的集合。例如PC1发出广播报文broadcast1,能够接收到broadcast1报文的设备集合就称为一个广播域,通常一个交换机的所有端口以及连在该交换机上的交换机的所有端口处在同一广播域中。
第2章 实验篇2.1 实验网络环境下面搭建一个的网络环境,三台PC电脑分别接到一台HUAWEIS2008交换机上(实验也可用普通二层交换机),在PC机上装上优秀的抓包工具wireshark 0.9905。通过它捕获PC机在通信时的所发送和接收到的报文。 图1:网络环境拓扑 图表 1网络环境拓扑 表格 1三台电脑的网络参数 2.2 实验一:两台PC之间Ping测试的广播报文当PC1在PING PC3时,PC1发出了什么报文?收到了什么报文?PC2又能收到什么报文?根据TCP/IP协议卷三,大家推测PC1在PINGPC3时,由于两个地址在同一个网段,PC1发送ARP广播报文,请求PC3IP 地址的MAC地址,同时PC2上能捕获到ARP广播报文。通过以下实验来验证一下。 在PC1和PC2上打开抓包工具wireshark,并在 PC1上运行PING命令: | 微软 Windows XP [版本 5.1.2600] (C) 版权所有 1985-2001 微软 Corp. C:\Documents and Settings\Administrator>cd\ C:\>ping 192.168.1.1 Pinging 192.168.1.1 with 32 bytes of data: Reply from 192.168.1.1: bytes=32 time<1ms TTL=64 Reply from 192.168.1.1: bytes=32 time<1ms TTL=64 Ping statistics for 192.168.1.1: Packets: Sent = 2, Received = 2, Lost = 0 (0% loss), Approximate round trip times in milli-seconds: Minimum = 0ms, Maximum = 0ms, Average = 0ms Control-C ^C C:\>
|
|
 表格 2 PC1 PING PC3在PC1抓到的报文: | No. | | | | | | | 1 | | | | | Who has 192.168.1.1? Tell 192.168.1.100 | | Frame 1 (42 bytes on wire, 42 bytes captured) Ethernet II, Src: 00:13:d4:1f:c1:38 (00:13:d4:1f:c1:38), Dst: ff:ff:ff:ff:ff:ff (ff:ff:ff:ff:ff:ff) Address Resolution Protocol (request) | | 注解:PC1发送了一个目的MAC为全1的ARP广播报文 | | No. | | | | | | | 2 | | | | | 192.168.1.1 is at 00:40:05:db:0f:72 | | Frame 2 (60 bytes on wire, 60 bytes captured) Ethernet II, Src: 00:40:05:db:0f:72 (00:40:05:db:0f:72), Dst: 00:13:d4:1f:c1:38 (00:13:d4:1f:c1:38) Address Resolution Protocol (reply) | | 注解:PC3 192.168.1.1 响应ARP | | No. | | | | | | | 3 | | | | | | | Frame 3 (74 bytes on wire, 74 bytes captured) Ethernet II, Src: 00:13:d4:1f:c1:38 (00:13:d4:1f:c1:38), Dst: 00:40:05:db:0f:72 (00:40:05:db:0f:72) Internet Protocol, Src: 192.168.1.100 (192.168.1.100), Dst: 192.168.1.1 (192.168.1.1) Internet Control Message Protocol | | 注解:PC1 192.168.1.100 向 PC3 192.168.1.1发送PING请求 | | No. | | | | | | | 4 | | | | | | | Frame 4 (74 bytes on wire, 74 bytes captured) Ethernet II, Src: 00:40:05:db:0f:72 (00:40:05:db:0f:72), Dst: 00:13:d4:1f:c1:38 (00:13:d4:1f:c1:38) Internet Protocol, Src: 192.168.1.1 (192.168.1.1), Dst: 192.168.1.100 (192.168.1.100) Internet Control Message Protocol | | 注解:PC3应答PC1的PING请求 | | No. | | | | | | | 5 | | | | | | | Frame 5 (74 bytes on wire, 74 bytes captured) Ethernet II, Src: 00:13:d4:1f:c1:38 (00:13:d4:1f:c1:38), Dst: 00:40:05:db:0f:72 (00:40:05:db:0f:72) Internet Protocol, Src: 192.168.1.100 (192.168.1.100), Dst: 192.168.1.1 (192.168.1.1) Internet Control Message Protocol | | 注解:PC1 192.168.1.100 向 PC3 192.168.1.1发送PING请求 | | No. | | | | | | | 6 | | | | | | | Frame 6 (74 bytes on wire, 74 bytes captured) Ethernet II, Src: 00:40:05:db:0f:72 (00:40:05:db:0f:72), Dst: 00:13:d4:1f:c1:38 (00:13:d4:1f:c1:38) Internet Protocol, Src: 192.168.1.1 (192.168.1.1), Dst: 192.168.1.100 (192.168.1.100) Internet Control Message Protocol | | 注解:PC3应答PC1的PING请求 |
在PC2上抓到的报文: 表格 3PC1 PING PC3时在PC2上抓到的报文: | No. | | | | | | | 1 | | | | | Who has 192.168.1.1? Tell 192.168.1.100 | | Frame 1 (60 bytes on wire, 60 bytes captured) Ethernet II, Src: AsustekC_1f:c1:38 (00:13:d4:1f:c1:38), Dst: Broadcast (ff:ff:ff:ff:ff:ff) Address Resolution Protocol (request) | | 注解:PC2 上收到PC1发出的ARP广播报文 |
通过以上实验,大家发现广播报文,并了解广播报文的特性,向除发送端口外的其它广播域中的端口广播,即广播域中的设备都能接收到广播Frame。完全证实大家的推论是正确的。 2.3 实验二:广播报文的另种形式,flood是不是广播报文目的MAC地址一定是全1呢?大家接着上面的实验再做个实验。 在PC1上PING下PC3,拨掉PC3接在交换机上的网上再马上拨上(目的是清掉交换机MAC地址表中学到的PC3的MAC地址),在PC1上再次PING PC3,同时打开PC1和PC2上的的抓包工具。 PC1上的PING命令过程如下: 表格 4在PC1上第二次PINGPC3时在PC1抓到的报文 | No. | | | | | | | 7 | | | | | | | Frame 7 (74 bytes on wire, 74 bytes captured) Ethernet II, Src: AsustekC_1f:c1:38 (00:13:d4:1f:c1:38), Dst: AniCommu_db:0f:72 (00:40:05:db:0f:72) Internet Protocol, Src: 192.168.1.100 (192.168.1.100), Dst: 192.168.1.1 (192.168.1.1) Internet Control Message Protocol | | 注解:由于PC1中第已PING过PC3,已经缓存了PC3的ARP,本次PING未发ARP请求,直接把目的MAC
封装进报文发送出去。 | | No. | | | | | | | 8 | | | | | | | Frame 8 (74 bytes on wire, 74 bytes captured) Ethernet II, Src: AniCommu_db:0f:72 (00:40:05:db:0f:72), Dst: AsustekC_1f:c1:38 (00:13:d4:1f:c1:38) Internet Protocol, Src: 192.168.1.1 (192.168.1.1), Dst: 192.168.1.100 (192.168.1.100) Internet Control Message Protocol | | 注解:PC1收到来自PC3的PING应答报文 |
在PC1抓包的同时, 在PC2上抓到的报文 表格 5 PC1 PING PC, 在PC2上抓到的Flood报文 | No. | | | | | | | 2 | | | | | | | Frame 2 (74 bytes on wire, 74 bytes captured) Ethernet II, Src: AsustekC_1f:c1:38 (00:13:d4:1f:c1:38), Dst: AniCommu_db:0f:72 (00:40:05:db:0f:72) Internet Protocol, Src: 192.168.1.100 (192.168.1.100), Dst: 192.168.1.1 (192.168.1.1) Internet Control Message Protocol | | 注解:在PC2上居然抓到了目的MAC是PC3的报文!!! |
PC1 PING PC3,正常应答,PC2上抓到了PC1发出的单播PING报文,为什么呢?按理这个目的MAC地址是明确的,交换机应该直接转发给PC3上的端口。 大家再回想下交换机的工作原理,交换机收到目的MAC明确的单播报文时,查询MAC地址表,找到则直接单独转发到对应的端口,如果未找到则广播。在PC1 第二次PING PC3前,拨插了PC3的网线,导致交换掉清掉了PC3的MAC记录,当交换机收到PC1的PING报文时,未能找到PC3的MAC,于是交换机就广播出该报文,这就是Flood,泛洪,广播报文的另种形式。 2.4 实验三:广播报文的危害,环路等因素引发广播风暴广播报文带来便捷的通信方式,如使用不当,会有什么问题吗?做个如下实验 在交换机上直接用网线将两个端口A和B连在一起,在PC1 上试着随便PING个地址,如192.168.1.2,同时打开抓包工具。 表格 6出现广播风暴时在PC1瞬间抓到大量的广播包 PC1瞬间抓到无数的广播包 | No.Time Source Destination Protocol Info 1 0.000000 00:74:04:e5:65:0c Broadcast ARP Who has 192.168.1.2? Tell 192.168.1.1 2 0.000013 00:74:04:e5:65:0c Broadcast ARP Who has 192.168.1.2? Tell 192.168.1.1 3 0.000023 00:74:04:e5:65:0c Broadcast ARP Who has 192.168.1.2? Tell 192.168.1.1 4 0.000967 00:74:04:e5:65:0c Broadcast ARP Who has 192.168.1.2? Tell 192.168.1.1 5 0.000972 00:74:04:e5:65:0c Broadcast ARP Who has 192.168.1.2? Tell 192.168.1.1 6 0.001377 00:74:04:e5:65:0c Broadcast ARP Who has 192.168.1.2? Tell 192.168.1.1 7 0.001381 00:74:04:e5:65:0c Broadcast ARP Who has 192.168.1.2? Tell 192.168.1.1 8 0.001957 00:74:04:e5:65:0c Broadcast ARP Who has 192.168.1.2? Tell 192.168.1.1 9 0.001962 00:74:04:e5:65:0c Broadcast ARP Who has 192.168.1.2? Tell 192.168.1.1 10 0.002314 00:74:04:e5:65:0c Broadcast ARP Who has 192.168.1.2? Tell 192.168.1.1 ……………………………. ……………………………. …………………………….. No. Time Source Destination Protocol Info 27938 4.559987 00:74:04:e5:65:0c Broadcast ARP Who has 192.168.1.2? Tell 192.168.1.1 27939 4.560092 00:74:04:e5:65:0c Broadcast ARP Who has 192.168.1.2? Tell 192.168.1.1 27940 4.560291 00:74:04:e5:65:0c Broadcast ARP Who has 192.168.1.2? Tell 192.168.1.1 27941 4.560364 00:74:04:e5:65:0c Broadcast ARP Who has 192.168.1.2? Tell 192.168.1.1 27942 4.560449 00:74:04:e5:65:0c Broadcast ARP Who has 192.168.1.2? Tell 192.168.1.1 27943 4.560523 00:74:04:e5:65:0c Broadcast ARP Who has 192.168.1.2? Tell 192.168.1.1 27944 4.560877 00:74:04:e5:65:0c Broadcast ARP Who has 192.168.1.2? Tell 192.168.1.1 27945 4.560961 00:74:04:e5:65:0c Broadcast ARP Who has 192.168.1.2? Tell 192.168.1.1 27946 4.561160 00:74:04:e5:65:0c Broadcast ARP Who has 192.168.1.2? Tell 192.168.1.1 27947 4.561244 00:74:04:e5:65:0c Broadcast ARP Who has 192.168.1.2? Tell 192.168.1.1 27948 4.561328 00:74:04:e5:65:0c Broadcast ARP Who has 192.168.1.2? Tell 192.168.1.1 27949 4.561434 00:74:04:e5:65:0c Broadcast ARP Who has 192.168.1.2? Tell 192.168.1.1 27948 4.561328 00:74:04:e5:65:0c Broadcast0c ARP Who has 192.168.1.2? Tell 192.168.1.1 27949 4.561434 00:74:04:e5:65:0c Broadcast0c ARP Who has 192.168.1.2? Tell 192.168.1.1
|
|
参考文献 <<TCP/IP协议卷三>> wireshark帮助说明 中兴8220操作手册
| 
发表于 2013-6-17 10:16:00
