first

Start with an interview question


Trivia: A simple application case


The process of saving Excel files


Tips you’re sure to love

<1>. Capture:

  • Capture only the packet headers

  • Capture only the packets you need

<2>. Personalized Settings:

  • Adjust time format

  • Different types of packets can be given custom colors

  • Edit->Preferences for more settings

  • The time zone can be set to the same as that of the server

<3>. Filter:

  • Filter by protocol name

  • IP address + port number

  • Use the mouse to help build filters

  • You can save the filtered packets to a new file. Small files are easier to work with

<4>. Let Wireshark analyze automatically

  1. Analyze->Expert Info Composite

  2. Statistics->Service Response Time

  3. Statistics->TCP Stream Graph

  4. Statistics->Summary

<5>. Ctrl + F


The story of Patrick

From then on, I fell in love with Wireshark, because it is really useful, just like a martial arts student getting a good sword.


The story of Wireshark

When you look at the network through it, instead of meaningless zeros and ones, you can read plain words. With its professional commentary, we can read almost everything happening on the network directly. Problems that were previously hard to detect are revealed by its intervention. It also provides authoritative analysis, such as retransmission statistics, response times and conversation lists, which frees overloaded network administrators to focus on other things.

Gerald named the software Ethereal, which is exactly what it does: reveal the truth of the Ethernet.

Ethereal [ɪˈθɪriəl] n. Elegant; light; ethereal; extraordinary. [Example] “…tiest, most ethereal romantic in the movies.” (She is the most beautiful and ethereal romantic heroine in the movies.)

Skilled and magical craftsmanship

NFS protocol parsing

In the early 1980s, an amazing company was born in Silicon Valley: Sun Microsystems. The name has nothing to do with the sun; it is derived from the initials of the Internet’s Garden of Eden, the Stanford University Network. In less than 30 years, SUN created countless enduring works; among them, Java, Solaris and SPARC-based servers are still well known today. One of the reasons for SUN’s decline turned out to be an excess of technology.

The Network File System (NFS) protocol was also designed by SUN. As the name implies, NFS is a file system on a network.

Portmap maintains a table of processes and port numbers, and its own port number 11 is well known

Rpcinfo command

Telnet command


Viewing network layering from the Wireshark

Transport Layer: Despite its name, the transport layer does not transfer network packets from one device to another, but merely controls the transfer behavior. It is the network layer and the data link layer that are responsible for the transmission between devices.

Division of labor (layering) brings many benefits, because everyone can focus on their own areas of expertise and better serve others.

The network has a limit on packet size. The maximum size is called MTU, or maximum transmission unit.

It is easy to know one’s own MTU, but how do you learn the other party’s MTU? When a TCP connection is established (the three-way handshake), both parties tell each other their Maximum Segment Size (MSS). Adding the lengths of the TCP and IP headers to the MSS gives the MTU.

If the MSS is 8960, the MTU is 8960 + 20 (TCP header) + 20 (IP header) = 9000.

If the MSS is 1460, the MTU is 1460 + 20 (TCP header) + 20 (IP header) = 1500.

The size of packets sent is determined by the party with the smaller MTU


TCP connection initiation

Nslookup command

Why use three packets to establish a connection rather than two? Two would work, but not reliably. To illustrate the problem, consider a network with multiple paths, where the client’s first connection request travels along a path so slow that it does not reach the server in time. The client can only assume the request was lost, so it sends it again. The second request takes the right path, the work is done quickly and the connection is closed. For the client, the matter is over. Unexpectedly, the first request, after its long journey, still reaches the server. The server does not know that this is an old, invalid request and responds as usual. If TCP required only two handshakes, an invalid connection would thus be established on the server. With a three-way handshake, when the client receives the server’s reply it knows that this is not the connection it wants, so it sends a rejection packet, and when the server receives that packet it abandons the connection too.
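The reasoning above can be replayed as a small simulation. The following Python is an added example, not from the book or these notes; it models the story told above (a delayed first SYN, a retry that completes and closes, then the stale SYN arriving) and lets you switch between a hypothetical two-message handshake and the real three-way one to see what the server ends up believing. The ISNs, state names and trace wording are constructed for the example.

```python
def replay_delayed_syn(three_way: bool) -> dict:
    """Toy model of the delayed-SYN story.

    The client's first SYN (isn=1) is delayed; the client gives up and retries
    with isn=2; that connection completes and is closed; only then does the stale
    SYN reach the server.  With three_way=True the protocol is the real
    three-way handshake.  With three_way=False the server treats a connection as
    established as soon as it has answered the SYN, and there is no third message
    with which the client could reject it.
    """
    client_waiting = set()      # ISNs the client still has a SYN outstanding for
    server_established = set()  # connections the server believes are live
    trace = []

    def server_receives_syn(isn):
        trace.append(f"server: SYN isn={isn} -> SYN-ACK ack={isn + 1}")
        if not three_way:
            server_established.add(isn)   # two-way: done as far as the server knows
        return isn + 1

    def client_receives_synack(ack):
        isn = ack - 1
        if isn in client_waiting:
            client_waiting.discard(isn)
            trace.append(f"client: SYN-ACK ack={ack} expected -> ACK")
            return "ACK"
        trace.append(f"client: SYN-ACK ack={ack} unexpected -> RST")
        return "RST"

    def server_receives_third(kind, ack):
        if not three_way:
            return                        # a two-way protocol has no third message
        isn = ack - 1
        if kind == "ACK":
            server_established.add(isn)
        else:
            server_established.discard(isn)
            trace.append(f"server: RST for isn={isn}, connection abandoned")

    # 1. SYN isn=1 leaves on a slow path; the client times out and forgets it.
    client_waiting.add(1)
    client_waiting.discard(1)             # timeout: the client assumes it was lost
    # 2. Retry with isn=2 on the good path: connect, do the work, close.
    client_waiting.add(2)
    ack = server_receives_syn(2)
    server_receives_third(client_receives_synack(ack), ack)
    server_established.discard(2)
    trace.append("connection isn=2 finished and closed")
    # 3. The stale SYN isn=1 finally arrives at the server.
    ack = server_receives_syn(1)
    reply = client_receives_synack(ack)
    server_receives_third(reply, ack)
    return {"client_reply_to_stale": reply,
            "server_half_open": sorted(server_established),
            "trace": trace}


if __name__ == "__main__":
    for mode in (False, True):
        result = replay_delayed_syn(three_way=mode)
        print("three-way" if mode else "two-way", result["server_half_open"])
        print("\n".join(result["trace"]), "\n")
```

In the two-way run the server is left holding a connection for isn=1 that the client never wanted; in the three-way run the client's RST clears it, which is the point the paragraph makes.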

Disconnecting with four waves of the hand is not entirely reliable, but there is no 100% reliable communication mechanism.

The question of two armies and the question of Byzantine generals


The delivery man’s work strategy----TCP window

TCP obviously does not deliver packets by electric scooter, but it does have the same need for “round trips.” After sending a packet, we do not know whether the other side received it, so we have to wait until the packet arrives, which takes one round-trip time. If we stop and wait for confirmation after every packet, only one packet can be sent per round trip, which is inefficient. The quickest way would be to send all the packets in one go and have them confirmed together. But there are practical limits: the receiver’s cache (the receive window) may not be able to hold that much data at once, and the network bandwidth may not be large enough, so sending too many packets at a time may cause packet loss. Therefore the sender needs to know which of the two constraints, the receive window or the network, is the stricter one, and then send as many packets as possible within that limit. The amount of data that can be sent at one time is known as the TCP send window.

How much does the send window affect performance? In the figure, within the same round-trip time, twice as much data is transferred on the right as on the left. In the real world, the send window can often reach tens of MSS.

<1>. (As shown) The TCP layer of each packet contains a “Window Size:” field (i.e. Win=). Does this value represent the size of the send window?

Many people mistake the receive window for the send window. Window Size is not the send window; it is how each side declares its own receive window.

The sliding window mechanism describes the relationship between these two windows.

<2>. How do I see the size of the send window in the package?

Unfortunately, there is no easy way, and sometimes no way at all.

<3>. What is the relationship between the send window and MSS?

<4>. If the sender sends n packets in one window, does it receive n acknowledgement packets?

<5>. I often hear about the concept of “TCP Window Scale”. What does it have to do with the receive window?
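Two of the questions in this chapter, what the peer's MSS tells you about its MTU (from the MTU section earlier) and how Window Scale changes the meaning of Win=, come down to two TCP options carried in the SYN and SYN-ACK. The following Python is an added example, not code from the book or these notes: it parses the option list of a raw TCP header, applies the book's MTU = MSS + 20 + 20 rule to each side, picks the smaller MSS, and shows how a later Win= value is scaled. The two headers it parses are constructed inside the block (the ports, sequence numbers and option values are assumptions), not taken from a capture.

```python
import struct

IP_HEADER_LEN = 20   # IPv4 header without options
TCP_HEADER_LEN = 20  # TCP header without options


def parse_tcp_options(tcp_header: bytes) -> dict:
    """Return the options carried in a TCP header as a dict.

    Decodes MSS (kind 2), Window Scale (kind 3) and SACK-permitted (kind 4);
    NOP (kind 1) is skipped, End-of-Options (kind 0) stops the walk, and any
    other option is kept raw under its kind number.
    """
    data_offset = (tcp_header[12] >> 4) * 4        # header length in bytes
    options = tcp_header[TCP_HEADER_LEN:data_offset]
    parsed = {}
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:
            break
        if kind == 1:
            i += 1
            continue
        length = options[i + 1]
        if length < 2 or i + length > len(options):
            raise ValueError("malformed TCP option")
        body = options[i + 2:i + length]
        if kind == 2:
            parsed["mss"] = struct.unpack("!H", body)[0]
        elif kind == 3:
            parsed["wscale"] = body[0]
        elif kind == 4:
            parsed["sack_ok"] = True
        else:
            parsed[kind] = body
        i += length
    return parsed


def mtu_from_mss(mss: int) -> int:
    """The book's rule: MTU = MSS + TCP header + IP header."""
    return mss + TCP_HEADER_LEN + IP_HEADER_LEN


def effective_window(win_field: int, shift: int) -> int:
    """Real receive window = the 16-bit Win= value shifted by the scale factor."""
    return win_field << shift


def negotiate(client_syn: bytes, server_synack: bytes) -> dict:
    """What both sides learn from the handshake: each side's MTU, the MSS the
    connection will actually use (the smaller one), and each side's shift."""
    c = parse_tcp_options(client_syn)
    s = parse_tcp_options(server_synack)
    return {
        "client_mtu": mtu_from_mss(c["mss"]),
        "server_mtu": mtu_from_mss(s["mss"]),
        "effective_mss": min(c["mss"], s["mss"]),
        "client_wscale": c.get("wscale", 0),
        "server_wscale": s.get("wscale", 0),
    }


def build_handshake_header(src_port, dst_port, seq, window, mss, wscale, flags=0x02):
    """Constructed test input: a TCP header carrying MSS and Window Scale
    options (assumed values, not taken from any capture)."""
    options = struct.pack("!BBH", 2, 4, mss)       # MSS option, 4 bytes
    options += struct.pack("!BBB", 3, 3, wscale)   # Window Scale option, 3 bytes
    options += b"\x01"                              # NOP to pad to a 4-byte boundary
    data_offset = (TCP_HEADER_LEN + len(options)) // 4
    fixed = struct.pack("!HHIIBBHHH", src_port, dst_port, seq, 0,
                        data_offset << 4, flags, window, 0, 0)
    return fixed + options


# Constructed sample: a client on a 1500-byte link talking to a jumbo-frame server.
CLIENT_SYN = build_handshake_header(52000, 445, 1000, 64240, 1460, 7)
SERVER_SYNACK = build_handshake_header(445, 52000, 5000, 65535, 8960, 8, flags=0x12)

if __name__ == "__main__":
    result = negotiate(CLIENT_SYN, SERVER_SYNACK)
    print(result)
    # A later server segment showing a raw window field of 501 really advertises:
    print(effective_window(501, result["server_wscale"]))
```

Each side's Window Scale option applies to the windows that side sends, which is why the server's shift is used for the server's later Win= values. Wireshark shows the raw field as "Window size value" and the shifted result as "Calculated window size"; if the capture missed the SYNs it cannot know the shift and shows the raw value.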


Pay attention to retransmission

As mentioned above, the sender’s send window is constrained by both the receiver’s receive window and the network, and whichever is more restrictive is decisive. The receive window’s effect is simple: the receiver announces it with “Win=” in each packet. The network’s influence, however, is far more complicated, and this article is dedicated to it.

The amount of data that triggers network congestion is called the congestion point

Slow start process

Congestion avoidance

Timeout retransmission

RTO

Duplicate confirmation (Dup Ack)

The fast retransmission

Fast recovery

NewReno

“This article is a bit informative and you may need some time to digest it. It doesn’t matter if you don’t understand some of the parts immediately, but remembering just a few of the conclusions from this article can be useful in your work:”

  • When there is no congestion, the larger the send window, the better the performance. Therefore, if bandwidth is not limited, the receiving window should be enlarged as much as possible, such as enabling Scale Option (refer to KB224829 on Windows).

  • If congestion occurs frequently, limiting the send window can actually improve performance, since even 1 retransmission in 10,000 packets can have a significant impact on performance. On many operating systems, you can reduce the send window by limiting the receive window. On Windows, you can also refer to KB224829.

  • Timeout retransmission has the greatest performance impact, because no data is transferred for a period of time (the RTO) and the congestion window is reset to 1 MSS, so try to avoid timeout retransmission.

  • Fast retransmission has less of a performance impact because it has no wait time and the congestion window does not shrink as much.

  • SACK and NewReno improve retransmission efficiency and transmission performance.

  • Packet loss affects very small files much more severely than large files. Because the number of packets needed to read or write a small file is very small, fewer than three Dup Acks are usually generated when a packet is lost, and the sender has to wait for a timeout retransmission. Large files are more likely to trigger fast retransmission. The following experiment shows the different effects of the same packet loss rate: Test in Figure 11 is a directory containing many small files, while HI in Figure 12 is a large file. When packet loss occurs, the time for the small files increases more than seven times, while the time for the large file increases less than four times.
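To see how the Dup ACK count decides between a fast retransmission and a timeout retransmission, here is an added Python example, not from the book: a simplified version of the labelling that Wireshark's expert info does, run over two constructed packet lists, one for a large file (three Dup ACKs, then a fast retransmission) and one for a small file (a single Dup ACK, so only the RTO rescues it). The addresses, sequence numbers and segment sizes are made up for the example, and the heuristic is a simplification of Wireshark's.

```python
def seg(src, dst, seq, length, ack):
    """One TCP segment in capture order (constructed, not from a real trace)."""
    return {"src": src, "dst": dst, "seq": seq, "len": length, "ack": ack}


def classify(packets):
    """Label each segment roughly the way Wireshark's expert info would.

    A pure ACK repeating the previous ACK number on its flow is 'Dup ACK #n'.
    Data whose sequence number lies below the highest byte already seen on its
    flow is a retransmission; it is a 'Fast Retransmission' when the peer has
    just sent three or more Dup ACKs asking for exactly that byte, otherwise a
    plain 'Retransmission' (the timeout case in the book's small-file test).
    """
    next_seq = {}   # flow -> highest seq + len seen on that flow
    last_ack = {}   # flow -> last ACK number seen on that flow
    dup_count = {}  # flow -> consecutive duplicate ACKs on that flow
    labels = []
    for p in packets:
        flow, reverse = (p["src"], p["dst"]), (p["dst"], p["src"])
        label = ""
        if p["len"] > 0:
            if p["seq"] < next_seq.get(flow, 0):
                asked_for = last_ack.get(reverse) == p["seq"]
                if dup_count.get(reverse, 0) >= 3 and asked_for:
                    label = "Fast Retransmission"
                else:
                    label = "Retransmission"
            next_seq[flow] = max(next_seq.get(flow, 0), p["seq"] + p["len"])
        else:
            if last_ack.get(flow) == p["ack"]:
                dup_count[flow] = dup_count.get(flow, 0) + 1
                label = f"Dup ACK #{dup_count[flow]}"
            else:
                dup_count[flow] = 0
            last_ack[flow] = p["ack"]
        labels.append(label)
    return labels


C, S = "10.32.106.47", "10.32.106.73"   # constructed client and server addresses

# Large file: the segment at seq=1461 is lost, three later segments each draw a
# Dup ACK for 1461, and the sender retransmits without waiting for the RTO.
LARGE_FILE = [
    seg(C, S, 1, 1460, 1), seg(S, C, 0, 0, 1461),
    seg(C, S, 2921, 1460, 1), seg(S, C, 0, 0, 1461),
    seg(C, S, 4381, 1460, 1), seg(S, C, 0, 0, 1461),
    seg(C, S, 5841, 1460, 1), seg(S, C, 0, 0, 1461),
    seg(C, S, 1461, 1460, 1), seg(S, C, 0, 0, 7301),
]

# Small file: only one segment follows the lost one, so a single Dup ACK arrives
# and the sender can only recover after the retransmission timer expires.
SMALL_FILE = [
    seg(C, S, 1, 500, 1), seg(S, C, 0, 0, 501),
    seg(C, S, 1001, 500, 1), seg(S, C, 0, 0, 501),
    seg(C, S, 501, 500, 1), seg(S, C, 0, 0, 1501),
]

if __name__ == "__main__":
    for name, trace in (("large file", LARGE_FILE), ("small file", SMALL_FILE)):
        print(name)
        for p, label in zip(trace, classify(trace)):
            print(f"  {p['src']} -> {p['dst']} seq={p['seq']} len={p['len']} ack={p['ack']} {label}")
```

The small-file trace never reaches three Dup ACKs, so the retransmission there is the expensive kind the third bullet warns about; the large-file trace does, which is why the book says large files "are more likely to trigger fast retransmission".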


Delayed ACK and the Nagle algorithm

This approach is inefficient, because a packet’s TCP and IP headers are at least 40 bytes long while it carries only one character of data. It is as wasteful as a delivery man driving a big van to deliver a tiny package.

Delayed ACK does not directly improve performance; it just reduces the number of acknowledgement packets and lightens the network load.

Like delayed ACK, Nagle does not directly improve performance; it simply improves transmission efficiency and reduces the network load.
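The Nagle algorithm, and how delayed ACK stretches it, is easiest to see in a small simulation. The following Python is an added example, not from the book: a sender that replays ten one-byte writes with and without Nagle's rule, counts the segments and header bytes put on the wire, and lets you add the receiver's ACK delay. Times are in milliseconds, and the workload, the RTT and the 40-byte header figure are assumptions for the example.

```python
HEADER_BYTES = 40   # TCP + IP headers with no options, as the text states


def simulate_sender(writes, mss=1460, rtt_ms=50, nagle=True, ack_delay_ms=0):
    """Replay application writes through a sender that optionally follows
    Nagle's rule: while a segment is unacknowledged, small writes are buffered
    and sent as one segment when the ACK arrives (or as soon as a full MSS has
    accumulated).  writes: list of (time_ms, nbytes).
    Returns the segments sent as (time_ms, nbytes)."""
    segments = []
    buffered = 0
    ack_due = None   # time the ACK for the segment in flight will arrive

    def send(t, n):
        nonlocal ack_due
        segments.append((t, n))
        ack_due = t + rtt_ms + ack_delay_ms   # the receiver may hold the ACK back

    for t, n in sorted(writes):
        # ACKs that arrived before this write free the line; flush what was waiting.
        while ack_due is not None and ack_due <= t:
            t_ack, ack_due = ack_due, None
            if buffered:
                send(t_ack, buffered)
                buffered = 0
        if not nagle or ack_due is None:
            send(t, n)                 # line idle (or Nagle off): send immediately
        else:
            buffered += n
            if buffered >= mss:        # a full segment never waits for the ACK
                send(t, buffered)
                buffered = 0
    while buffered:                    # drain whatever is still waiting for an ACK
        t_ack, ack_due = ack_due, None
        send(t_ack, buffered)
        buffered = 0
    return segments


def wire_bytes(segments):
    """Bytes actually put on the network, headers included."""
    return sum(n + HEADER_BYTES for _, n in segments)


# Constructed workload: an interactive session typing ten characters, one per millisecond.
TYPING = [(ms, 1) for ms in range(10)]

if __name__ == "__main__":
    for label, kwargs in (("no Nagle", {"nagle": False}),
                          ("Nagle", {}),
                          ("Nagle + 200 ms delayed ACK", {"ack_delay_ms": 200})):
        segs = simulate_sender(TYPING, **kwargs)
        print(f"{label}: {len(segs)} segments, {wire_bytes(segs)} bytes on the wire, last sent at {segs[-1][0]} ms")
```

Without Nagle the ten keystrokes cost ten 41-byte packets; with Nagle they cost two, which is the efficiency gain the text describes. The third run shows the cost: when the receiver also delays its ACK, the nine buffered bytes wait for that delay on top of the RTT, so Nagle lowers load but can add latency.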


Schools of thought contend

Slow start algorithm

Congestion avoidance algorithm

Westwood: Westwood is best used in environments where non-congested packet loss occurs frequently, such as wireless networks

Vegas: a unique way to adjust packet sending speed by monitoring network status, so as to realize the real “congestion avoidance”

Compared with other algorithms, Vegas looks like a sensitive, stable and modest gentleman. We can imagine that when all the senders in an environment use Vegas, overall transmission is more stable and efficient, because almost no packet loss occurs. However, when Vegas coexists with other algorithms, the sender using Vegas may have the worst performance, because it is the first to detect that the network is busy and then actively reduces its sending speed. Its concession relieves pressure on the network, which lets the other senders avoid packet loss. This is a bit like driving: if every driver on the road is courteous and obeys the rules, overall traffic flows well; but a good driver among a crowd of bad drivers may be cut off so often that he ends up being the slowest.


The price of simplicity---- UDP

<1>. Unlike TCP, UDP does not care about the MTUs on either side. After it takes the data from the application layer, it simply prepends a UDP header and passes the datagram down to the next layer. What happens when the MTU is exceeded? In that case the sender’s network layer is responsible for fragmentation, and the receiver collects the fragments and reassembles them, a process that consumes resources and degrades performance. A 32 KB write operation may be divided into 23 fragments according to the sender’s MTU.

<2>. UDP has no retransmission mechanism, so packet loss must be handled by the application layer. For example, suppose a write operation takes 6 packets to complete. When one packet of a UDP-based write is lost, the client has to retransmit the entire write operation (all six packets). A TCP-based write does much better: only the lost packet needs to be retransmitted.

<3>. The fragmentation mechanism has a weakness that hackers can target. The receiver knows when to reassemble because each packet carries a “More fragments” flag: 1 means more fragments follow, and 0 means this is the last fragment and reassembly can begin. If a hacker keeps sending UDP fragments with the flag set to 1 at a rapid rate, the receiver can never reassemble them and may run out of memory.
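The three points above can be checked in code. This Python is an added example, not from the book: it computes how many fragments a UDP write produces for a given MTU (reproducing the 23 fragments for a 32 KB write at MTU 1500), splits a payload into fragments with the More Fragments flag set on all but the last, and reassembles them while capping the number of incomplete datagrams held, the kind of bound a receiver needs against the never-ending MF=1 fragments described in point 3. Offsets are kept in bytes rather than the header's 8-byte units, and all inputs are constructed.

```python
from collections import OrderedDict

IP_HEADER_LEN = 20
UDP_HEADER_LEN = 8


def fragments_needed(udp_payload: int, mtu: int = 1500) -> int:
    """How many IP fragments a UDP write of udp_payload bytes becomes.
    Each fragment carries a multiple of 8 bytes, so the usable size per fragment
    is (MTU - IP header) rounded down to a multiple of 8."""
    datagram = udp_payload + UDP_HEADER_LEN
    per_fragment = (mtu - IP_HEADER_LEN) // 8 * 8
    return -(-datagram // per_fragment)          # ceiling division


def fragment(ident: int, data: bytes, mtu: int = 1500):
    """Split an IP payload into (ident, byte_offset, more_fragments, chunk) tuples.
    Real headers store the offset in 8-byte units; this model keeps it in bytes."""
    per_fragment = (mtu - IP_HEADER_LEN) // 8 * 8
    frags = []
    for offset in range(0, len(data), per_fragment):
        chunk = data[offset:offset + per_fragment]
        more = offset + per_fragment < len(data)   # MF=1 on every fragment but the last
        frags.append((ident, offset, more, chunk))
    return frags


class Reassembler:
    """Reassemble fragments while bounding how many incomplete datagrams are held.
    A peer that only ever sends MF=1 fragments could otherwise grow this table
    without limit; here the oldest incomplete datagram is evicted instead."""

    def __init__(self, max_pending: int = 64):
        self.pending = OrderedDict()   # ident -> {"chunks": {offset: bytes}, "total": int|None}
        self.max_pending = max_pending
        self.evicted = 0

    def feed(self, ident, offset, more_fragments, chunk):
        """Store one fragment; return the whole datagram once it is complete."""
        if ident not in self.pending:
            if len(self.pending) >= self.max_pending:
                self.pending.popitem(last=False)   # evict the oldest incomplete datagram
                self.evicted += 1
            self.pending[ident] = {"chunks": {}, "total": None}
        entry = self.pending[ident]
        entry["chunks"][offset] = chunk
        if not more_fragments:
            entry["total"] = offset + len(chunk)   # MF=0 tells us the full length
        received = sum(len(c) for c in entry["chunks"].values())
        if entry["total"] is not None and received == entry["total"]:
            data = b"".join(entry["chunks"][o] for o in sorted(entry["chunks"]))
            del self.pending[ident]
            return data
        return None


if __name__ == "__main__":
    print("32 KB UDP write at MTU 1500 ->", fragments_needed(32 * 1024), "fragments")
    r = Reassembler(max_pending=4)
    for f in fragment(7, b"A" * 3000):
        print("fragment offset", f[1], "MF", int(f[2]), "->", "complete" if r.feed(*f) else "waiting")
    flood = Reassembler(max_pending=4)
    for ident in range(100):            # constructed MF=1-only stream, 100 different ids
        flood.feed(ident, 0, True, b"x" * 8)
    print("pending after flood:", len(flood.pending), "evicted:", flood.evicted)
```

The model ignores overlapping fragments and has no timer; a real stack expires incomplete datagrams after a timeout as well as capping their number, and both limits are what keep the MF=1 stream in point 3 from exhausting memory.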


Analyzing the CIFS Protocol

“You’ve seen a file sharing protocol, NFS, designed by Sun. In theory, NFS can be used on any operating system, but in reality it is only popular on Linux/UNIX for historical reasons. What sharing protocol is used on Windows? It is the Microsoft-maintained SMB protocol, also known as the Common Internet File System (CIFS). CIFS comes in three versions, SMB, SMB2 and SMB3, and SMB and SMB2 are more common today.”


The network jianghu

Sharing protocols on Linux and Windows

NFS vs CIFS


DNS small science

  • A (Address) Record: From domain name resolution to IP Address.

  • PTR record: the reverse of an A record; it resolves an IP address to a domain name. What is the PTR for? For example, the IT department noticed that traffic between the company machine 10.32.106.47 and YouTube had recently been very heavy, and by looking up the PTR record with nslookup, IT learned that it was Ah Man who was watching videos during working hours.

  • SRV records: domain administrators on Windows pay particular attention to SRV records because they point to resources in the domain. For example, if I want to know which DCs exist in our company’s domain nas.com, I only need to query the SRV record _ldap._tcp.dc._MSdcs.nas.com from any computer. If you want to check your own company’s DCs, replace nas.com with the correct domain name.

  • CNAME record: also known as an Alias record. For example, my server 10.32.106.73 provides web (www), mail (mail) and map (map) services at the same time. Could I point mail and map directly at 10.32.106.73? Of course, but if the IP address ever changes you would have to change the www, mail and map records on the DNS server. With aliases, only the IP address of the www entry changes; mail and map need no change. Aliases save administration time, and administrators should appreciate this feature.

  • Recursive query

  • Iterative query

Disadvantages of DNS:

  • Just as Diao-brand washing powder gets imitated by the look-alike “Zhou Jia” brand, DNS has copycat domain names. For example, the domain name of China Merchants Bank is www.cmbchina.com, but www.cmbchina.com.cn and www.cmbchina.cn do not necessarily belong to China Merchants Bank. If those two domains were pointed at phishing sites that looked like CMB’s, some users could be fooled into giving up their bank accounts and passwords.

  • It is also dangerous if the DNS server itself is maliciously modified. For example, even though the correct domain name www.cmbchina.com is used when logging in to the China Merchants Bank website, if the DNS server is controlled by hackers it may well resolve to the IP address of a phishing website.

  • Even a regular DNS server can be fooled. A legitimate DNS server, for example, becomes untrustworthy once its cache has been poisoned.

  • Besides deception, DNS can also be used as an assault weapon. The famous DNS amplification attack is a headache: using this amplification effect, hackers can bring down a large website while controlling only a few computers.
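Two of the DNS points above are easy to get wrong in code: what name a PTR lookup actually asks for, and whether a hostname really belongs to a domain (the copycat domains in the first disadvantage). The following Python is an added example, not from the book: it builds the in-addr.arpa name for the address used in the PTR example, and compares the naive substring check people write first against a label-wise check, over the three domain names the text mentions.

```python
import ipaddress


def ptr_name(ip: str) -> str:
    """The name a PTR lookup for an IPv4 address actually queries: the octets
    reversed under in-addr.arpa (nslookup builds this for you)."""
    return ipaddress.ip_address(ip).reverse_pointer


def is_under(hostname: str, registered_domain: str) -> bool:
    """True only when hostname is registered_domain itself or a subdomain of it,
    compared label by label from the right, so extra trailing labels
    (.com.cn) or a different TLD (.cn) do not match."""
    host = hostname.lower().rstrip(".").split(".")
    base = registered_domain.lower().rstrip(".").split(".")
    return len(host) >= len(base) and host[-len(base):] == base


def naive_is_under(hostname: str, registered_domain: str) -> bool:
    """The check people write first: a plain substring match. It accepts copycats."""
    return registered_domain.lower() in hostname.lower()


def audit(candidates, registered_domain):
    """Run both checks over a list of names; returns {name: (naive, strict)}."""
    return {h: (naive_is_under(h, registered_domain), is_under(h, registered_domain))
            for h in candidates}


# The names from the text: the genuine one and two that merely contain it.
CANDIDATES = ["www.cmbchina.com", "www.cmbchina.com.cn", "www.cmbchina.cn"]

if __name__ == "__main__":
    print("PTR query name for 10.32.106.47:", ptr_name("10.32.106.47"))
    for name, (naive, strict) in audit(CANDIDATES, "cmbchina.com").items():
        print(f"{name:24} naive={naive!s:5} strict={strict}")
```

The substring check passes www.cmbchina.com.cn because the genuine domain is literally inside it; the label-wise check rejects it, which is the comparison a mail filter or an allow-list should be making.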


An old agreement---- FTP

FTP is transmitted in plain text. If you have high security requirements, you cannot use this method

Active versus passive modes


Learning of Internet access – HTTP

This is for everyone

From Alan Turing, who laid the foundations of modern computing, to Donald Davies, who invented packet switching, to Tim Berners-Lee, the father of the World Wide Web, there were British people at every major stage.

HTTP, which Tim implemented, is the protocol we use to browse the web today. The website he set up is still reachable at http://info.cern.ch; although that page has since been updated, the original HTML can still be seen at http://www.w3.org/History/19921103-hypertext/hypertext/WWW/News/9201.html.

Decrypt HTTPS packages:

Edit->Preferences->Protocols->SSL->RSA keys list.

The key used for decryption can only be exported on the server side


Watertight Kerberos

‘In ancient Greek mythology, the gates of the underworld were guarded by a fierce dog with three heads. He keeps watch by the river Styx, and no soul can escape while he is awake. This fierce dog is the symbol of Kerberos, the security guard. The ancient Greeks buried honey cakes to please it. Modern games also feature it, such as the hell hound enemy in “Heroes of Might and Magic”.

The authentication protocol in this article is also called Kerberos, and it has a wide range of applications, such as authentication in Windows domain environments. We log in with a domain account and, without realizing it, we have completed a Kerberos authentication process.

The Kerberos authentication result is bidirectional: when account A accesses resource B, not only does B need to ensure that A is not an impostor, A also needs to verify that B is not a fake. We usually only know the former, such as the CIFS server mentioned earlier verifying visitors in Session Setup. The latter is rarely mentioned, because people generally do not suspect that the resource they are accessing is fake. Yet the latter is necessary. For example, if your boss sets up a fake network printer and you cannot verify its authenticity, you might end up sending your cover letter to his or her office, and then you really will have to apply for a job. In fact, there are scenes requiring mutual authentication in Journey to the West too: the Buddha Tathagata needs to identify the fake visitor, the six-eared macaque, and Tang Sanzang and his disciples need to identify the fake “resource”, the Little Leiyin Temple.

There is more than one way to do two-way authentication. The simplest is to exchange passwords. The process is like using a code phrase in a movie: A says, “The scenery is good south of the Yangtze River.” B says, “Red flowers bloom everywhere.” If both check out, they shake hands excitedly: “Comrade, I found you!” If one of them gives the wrong signal, the connection fails. This method has many disadvantages, the biggest being that it is inconvenient to manage. For example, in an environment where hundreds of employees share hundreds of machines, when a new employee joins, the account information has to be updated on hundreds of machines. I believe no administrator can tolerate such an environment.’
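The password-exchange method in the passage above can be made less naive without yet becoming Kerberos: each side challenges the other with a fresh nonce and checks the answer against the shared secret, so the secret itself never crosses the wire and a recorded exchange cannot be replayed. The following Python is an added illustration of that two-way check; it is not from the book and it is not Kerberos. The keys are constructed, and the fake-printer case is the second run in the usage. What it does not solve is the management problem the passage ends on: every client and every resource still need a shared secret, which is the gap a central authentication server such as Kerberos’s KDC fills.

```python
import hashlib
import hmac
import secrets


def prove(key: bytes, role: bytes, challenge: bytes) -> bytes:
    """Answer a challenge without revealing the key: an HMAC over who is
    answering and what was asked.  The role label stops one side's answer
    being reflected back at it as the other side's proof."""
    return hmac.new(key, role + challenge, hashlib.sha256).digest()


def mutual_auth(client_key: bytes, server_key: bytes) -> dict:
    """One round of two-way challenge-response between a client and a server
    that are supposed to share a secret.  Returns what each side concluded."""
    client_nonce = secrets.token_bytes(16)   # client -> server: "prove yourself on this"
    server_nonce = secrets.token_bytes(16)   # server -> client: "and you on this"

    # The server answers the client's challenge; the client checks it with its own key.
    server_answer = prove(server_key, b"server", client_nonce)
    client_trusts_server = hmac.compare_digest(
        server_answer, prove(client_key, b"server", client_nonce))

    # The client answers the server's challenge; the server checks it with its own key.
    client_answer = prove(client_key, b"client", server_nonce)
    server_trusts_client = hmac.compare_digest(
        client_answer, prove(server_key, b"client", server_nonce))

    return {"client_trusts_server": client_trusts_server,
            "server_trusts_client": server_trusts_client}


# Constructed keys: the genuine printer shares the key, the fake one does not.
SHARED_KEY = b"constructed-shared-secret-for-this-example"
IMPOSTOR_KEY = b"constructed-key-the-impostor-made-up"

if __name__ == "__main__":
    print("genuine resource:", mutual_auth(SHARED_KEY, SHARED_KEY))
    print("fake resource:   ", mutual_auth(SHARED_KEY, IMPOSTOR_KEY))
```

In the second run the client detects the fake before sending anything sensitive, which is the check the passage says people rarely think about; `hmac.compare_digest` is used so the comparison time does not depend on how many bytes match.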


The story of the TCP/IP

Initially the two protocols were not layered, but combined

The TCP/IP design was very successful. Over the past 30 years, the bandwidth, latency and media at the bottom have changed dramatically, and there are many more applications at the top, but TCP/IP has remained unchanged. It not only beat the OSI seven-layer model of the International Organization for Standardization, it is also unlikely to be replaced by any other scheme at present. The first generation of engineers who worked on TCP/IP are still working in a sunrise industry as they reach retirement age.

Inexplicably, college courses still introduce the OSI seven-layer model. Because the OSI model has so many layers, many students simply cannot understand it, or even remember the order. So the teachers used “All People Seem To Need Data Processing” To help them remember, because the first letters of those seven words were the same as the first letters of each layer of the OSI model. The exam-oriented education of the university can be seen from this.

‘To this day, the OSI model is almost dead, and its influence is limited to textbooks that haven’t been updated yet.’

Probably the only non-technical RFC:

RFC 2468 - I REMEMBER IANA


The ease with which

“I’ll get back to you within the hour.”

NAT(Network Address Translation)

Life is tough,but Wireshark makes it easy.


Midnight bell

Out-of-order arrival causes retransmission, which affects performance

It’s really like investigating a crime…


Deep knowledge and fame

Generally, storage devices read faster than write

Generally, the bandwidth of the storage device is high and that of the client is low. When a file is read, data flows from a large bandwidth to a small bandwidth, just as a large river flows into a small stream, which may overflow (congestion on the network) and cause performance problems. The file is written in the opposite direction, so the probability of congestion is low and the performance is better


Diamond cut diamond

NFS Network Lock Manager (NLM)


Live and learn

➜ ~ tshark -h
TShark (Wireshark) 2.4.3 (v2.4.3-0-g368ba1e)
Dump and analyze network traffic.
See https://www.wireshark.org for more information.

Usage: tshark [options] ...

Capture interface:
  -i <interface>           name or idx of interface (def: first non-loopback)
  -f <capture filter>      packet filter in libpcap filter syntax
  -s <snaplen>             packet snapshot length (def: appropriate maximum)
  -p                       don't capture in promiscuous mode
  -I                       capture in monitor mode, if available
  -B <buffer size>         size of kernel buffer (def: 2MB)
  -y <link type>           link layer type (def: first appropriate)
  -D                       print list of interfaces and exit
  -L                       print list of link-layer types of iface and exit
Capture stop conditions:
  -c <packet count>        stop after n packets (def: infinite)
  -a <autostop cond.> ...  duration:NUM - stop after NUM seconds
                           filesize:NUM - stop this file after NUM KB
                              files:NUM - stop after NUM files
Capture output:
  -b <ringbuffer opt.> ... duration:NUM - switch to next file after NUM secs
                           filesize:NUM - switch to next file after NUM KB
                              files:NUM - ringbuffer: replace after NUM files
Input file:
  -r <infile>              set the filename to read from (- to read from stdin)

Processing:
  -2                       perform a two-pass analysis
  -M <packet count>        perform session auto reset
  -R <read filter>         packet Read filter in Wireshark display filter syntax
                           (requires -2)
  -Y <display filter>      packet displaY filter in Wireshark display filter
                           syntax
  -n                       disable all name resolutions (def: all enabled)
  -N <name resolve flags>  enable specific name resolution(s): "mnNtCd"
  -d <layer_type>==<selector>,<decode_as_protocol> ...
                           "Decode As", see the man page for details
                           Example: tcp.port==8888,http
  -H <hosts file>          read a list of entries from a hosts file, which will
                           then be written to a capture file. (Implies -W n)
  --enable-protocol <proto_name>
                           enable dissection of proto_name
  --disable-protocol <proto_name>
                           disable dissection of proto_name
  --enable-heuristic <short_name>
                           enable dissection of heuristic protocol
  --disable-heuristic <short_name>
                           disable dissection of heuristic protocol
Output:
  -w <outfile|->           write packets to a pcap-format file named "outfile"
                           (or to the standard output for "-")
  -C <config profile>      start with specified configuration profile
  -F <output file type>    set the output file type, default is pcapng
                           an empty "-F" option will list the file types
  -V                       add output of packet tree        (Packet Details)
  -O <protocols>           Only show packet details of these protocols, comma
                           separated
  -P                       print packet summary even when writing to a file
  -S <separator>           the line separator to print between packets
  -x                       add output of hex and ASCII dump (Packet Bytes)
  -T pdml|ps|psml|json|jsonraw|ek|tabs|text|fields|?
                           format of text output (def: text)
  -j <protocolfilter>      protocols layers filter if -T ek|pdml|json selected
                           (e.g. "ip ip.flags text", filter does not expand child
                           nodes, unless child is specified also in the filter)
  -J <protocolfilter>      top level protocol filter if -T ek|pdml|json selected
                           (e.g. "http tcp", filter which expands all child nodes)
  -e <field>               field to print if -Tfields selected (e.g. tcp.port,
                           _ws.col.Info)
                           this option can be repeated to print multiple fields
  -E<fieldsoption>=<value> set options for output when -Tfields selected:
     bom=y|n               print a UTF-8 BOM
     header=y|n            switch headers on and off
     separator=/t|/s|<char> select tab, space, printable character as separator
     occurrence=f|l|a      print first, last or all occurrences of each field
     aggregator=,|/s|<char> select comma, space, printable character as aggregator
     quote=d|s|n           select double, single, no quotes for values
  -t a|ad|d|dd|e|r|u|ud|?  output format of time stamps (def: r: rel. to first)
  -u s|hms                 output format of seconds (def: s: seconds)
  -l                       flush standard output after each packet
  -q                       be more quiet on stdout (e.g. when using statistics)
  -Q                       only log true errors to stderr (quieter than -q)
  -g                       enable group read access on the output file(s)
  -W n                     Save extra information in the file, if supported.
                           n = write network address resolution information
  -X <key>:<value>         eXtension options, see the man page for details
  -U tap_name              PDUs export mode, see the man page for details
  -z <statistics>          various statistics, see the man page for details
  --capture-comment <comment>
                           add a capture comment to the newly created
                           output file (only for pcapng)
  --export-objects <protocol>,<destdir> save exported objects for a protocol to
                           a directory named "destdir"

Miscellaneous:
  -h                       display this help and exit
  -v                       display version info and exit
  -o <name>:<value> ...    override preference setting
  -K <keytab>              keytab file to use for kerberos decryption
  -G [report]              dump one of several available reports and exit
                           default report="fields"
                           use "-G help" for more help

Confessions of a tech guy

As for technology, the current hot topic is the “Full Stack Engineer”. My understanding is a generalist who understands everything from the front end to the back end, from software to hardware. In fact, long before the concept of the full stack, the discussion about the breadth and depth of technology never stopped. Given limited time, should you broaden your horizons and cover all kinds of technologies, or focus all your energy on one? Personally, I prefer the latter, because when you learn one technology to a deeper level, your vision changes, and you can easily reach a similar level in other technologies. If a person is not proficient in even one technology, the learning of other skills will be superficial. The relationship between depth and breadth of technology is like the height and the view in mountain climbing: if you stop halfway up the mountain and look, you can only see half of it; but if you climb to the top, the scenery is boundless.