Page 1: Uccn1003  -may10_-_lab_09_-_wireshark_analysis_live_capture


UCCN1003 Data Communications and Networks

Lab 09: Wireshark Analysis of Protocols - Live Capture

Instructions:

1. Read the “Introduction” section for the background.
2. Perform all the lab exercises, starting with Exercise 1.
3. Follow all the steps.
4. Record the results of all actions shown in bold italics.
5. Paste your screen captures into a Word document and save it.
6. Answer all the questions shown in italics and fill in the blanks based on your observation of the results.
7. Write your answers in the same Word document.
8. Please follow the sequence of the exercises, and do not skip any step.
9. Please try your best to understand the steps of this lab.
10. Please read the appendix of this lab for more information on the various protocols.

Introduction to Wireshark Live Capture and A Re-visit of Eagle Server

In this lab, you will learn how to perform a Wireshark live capture with a capture filter in order to examine the packet flow between your PC and the Eagle Server. You have already used the Eagle Server in the earlier labs.

This lab consists of two parts: live capture and packet analysis. During the live capture part of the lab, you will access services on the Eagle Server while Wireshark performs a live capture of the packets. After that, you will save the live capture data to a file.

During the packet analysis part, you will re-open the saved live capture files and answer various questions.

[Three figures, captioned “In E204A”, “In E204B” and “In E204D/E211B”]


Introduction to Capture Filter of Wireshark for Live Capture

Please take note that the capture filter syntax is different from the display filter syntax!

When capturing packets from a NIC, Wireshark’s default behaviour is to capture all of the packets that reach the NIC. On a lightly loaded home network this is not a problem; however, on a busy network at a large enterprise, the deluge of packets would be too much to handle. Wireshark therefore provides capture filters, which let you capture only the packets you are interested in. Examples of Wireshark capture filter syntax:

To capture all IPv4 packets that have a source or destination address of 192.168.1.1: host 192.168.1.1
To capture only packets with a source IP address of 192.168.1.1: src 192.168.1.1
To capture only packets with a destination IP address of 192.168.1.2: dst 192.168.1.2
To capture packets sent by any host on the 192.168.100.0/26 network: src net 192.168.100.0/26
To find all broadcast MAC packets: ether host ff:ff:ff:ff:ff:ff
To capture packets with a particular hardware address as the source, or as the destination: ether src 00:f9:06:aa:01:03 (source) or ether dst 00:f9:06:aa:01:03 (destination)
To capture only Hypertext Transfer Protocol (HTTP) packets: port 80
To capture UDP packets destined for port 53: udp dst port 53
To capture everything except DNS lookups: not port 53
To look at Telnet packets to or from the host 192.168.10.10: host 192.168.10.10 and port 23
To capture either Telnet packets or Secure Shell (SSH) packets coming from 192.168.10.5: src host 192.168.10.5 and (port telnet or port ssh)
To capture all ICMP packets: icmp


Exercise 1 (Live Capture): Ping to Eagle Server with “Free IP Tools”

1. When you first open Wireshark and see the following figure, click on “Capture Options” as highlighted in the figure.

2. The following dialog box should pop up. Make sure that you have selected the real NIC as shown in the top right corner (e.g. Realtek 10/100/1000 Ethernet NIC for E204A/B). Please check your PC’s IP address now. In the box next to “Capture filter”, type in “host your_IP_address” (e.g. host 172.16.20.130), and then click on the “Start” button to perform the live capture. (Note: please check the appendix for more capture filter syntax. “host 172.16.20.130” will only capture packets whose source IP or destination IP is 172.16.20.130.)


3. Open “Free IP Tools” as shown in the following figure. If you do not have it, please install it on your PC. Click on the “Ping” tab (at the left side of the figure). Please check the Eagle Server’s IP and key it into the box below “Host or IP address” (e.g. 172.16.20.220), and then click on the “Start” button.

4. In Wireshark, the result should look like the following figure.

5. In the “main toolbar”, click the fourth button from the left (the “Stop the running live capture” button), as shown in the following figure, to stop the live capture.

6. Save the captured packets as “Lab09_Ex01_ICMP.pcap”.

[Figure: screenshot with the callout “Your IP address”]


Exercise 2 (Live Capture): Trace Route with “Free IP Tools”

1. Click on the second button (“Show the capture options…”). Repeat the steps as described in Ex1.2. If another dialog box pops up, click on “Continue without Saving”, assuming that you have already saved the file in Ex.1. Wireshark should go into “live capture” mode.

2. Click on the “TraceRoute” tab in “Free IP Tools”. Key in the value “10” for “End hop”. Key in www.google.com for “Host or IP address”, and then click on the “Start” button. Wait until the process stops (as shown in the following figure). Another indication is that after you have clicked the “Start” button, “Start” turns into “Stop”. After the process has stopped, “Stop” turns back into “Start”.

3. Stop the “Live Capture” in Wireshark and save the captured packets as “Lab09_Ex02_Tracert.pcap”.

Exercise 3 (Live Capture): Port Scanning Eagle Server with “Free IP Tools”

1. Click on the second button (“Show the capture options…”). Repeat the steps as described in Ex1.2 to put Wireshark into “live capture” mode.


2. Click on the “PortScan” tab in “Free IP Tools”. Select “Conventional (full connect)” under “Scanning mode”. Key in Eagle_Server_IP for “Host or IP address”, and then click on the “Start” button. Wait until the process stops (as shown in the following figure).

3. Stop the “Live Capture” in Wireshark and save the captured packets as “Lab09_Ex03_PortScan.pcap”.

Exercise 4 (Live Capture): NSLookUp with “Free IP Tools”

1. Click on the second button (“Show the capture options…”). Repeat the steps as described in Ex1.2 to put Wireshark into “live capture” mode.

2. Click on the “NSLookUp” tab in “Free IP Tools”. Make sure that you have a valid DNS server IP. Key in “www.cnn.com” for “Query”. Select “Standard Resolve Function” for “Query Type”, and then click on the “Start” button.

3. Continue to explore all the other “Query Type” values for “www.cnn.com”, clicking on the “Start” button for each.


4. After the last one, “AAAA – IPv6 Address”, stop the “Live Capture” in Wireshark and save the captured packets as “Lab09_Ex04_NSLookUp.pcap”.

Exercise 5 (Live Capture): Networking Commands DHCP

1. Click on the second button (“Show the capture options…”). Clear the capture filter and make sure that the capture filter box is empty. Then click the “Start” button to put Wireshark into “live capture” mode.

2. Type “ipconfig /release” and then type “ipconfig /renew”.

3. Make sure that you observe some captured DHCP packets before you stop the “Live Capture” in Wireshark; there will be quite a lot of unwanted background traffic. Save the captured packets as “Lab09_Ex05_DHCP.pcap”.

Exercise 6 (Live Capture): FTP with Browser

1. Click on the second button (“Show the capture options…”). Repeat the steps as described in Ex1.2 with “host Your_IP_address” in the capture filter box. Then click the “Start” button to put Wireshark into “live capture” mode.

2. Open a web browser and type ftp://eagle_server_IP. The following figure is what you should expect.


3. Click on “pub” => “eagle_labs” => “eagle1” => “chapter1” => “gaim-1.5.0.exe” and save the file.

4. Click on “Up to higher level directory” until you see “pub” again, then close the browser.

5. Stop the “Live Capture” in Wireshark and save the captured file as “Lab09_Ex06_FTP_Web.pcap”.

Exercise 7 (Live Capture): FTP with Commands

1. Open Notepad and type “How are you?”. Save it as c:\trying.txt.

2. Click on the second button (“Show the capture options…”). Repeat the steps as described in Ex1.2 with “host Your_PC_IP” in the capture filter box. Then click the “Start” button to put Wireshark into “live capture” mode.

3. Open your command prompt, go to the directory “c:\” where “trying.txt” is located and type “ftp eagle_server_ip”.

4. Log in with the login name “cisco” and the password “cisco”.

5. Type the following commands in the given order to download the file from the Eagle Server.

ftp> help
ftp> ls
ftp> get tftp-eagle-server.pcap
ftp> mkdir try
ftp> cd try
ftp> pwd
ftp> put trying.txt
ftp> ls
ftp> delete trying.txt
ftp> cd ..
ftp> rmdir try
ftp> bye

6. Stop the “Live Capture” in Wireshark. Save the captured file as “Lab09_Ex07_FTP_Command.pcap”.

Exercise 8 (Live Capture): Telnet with PuTTY

1. Click on the second button (“Show the capture options…”). Repeat the steps as described in Ex1.2 with “host Your_IP_address” in the capture filter box. Then click the “Start” button to put Wireshark into “live capture” mode.

2. Open PuTTY. Click on “Telnet” under “Connection type”. Key in Eagle_Server_IP.

3. Log in to the telnet service with login name: cisco and password: cisco.

4. After you have successfully logged in to the telnet service, type the following commands:


[cisco@Eagle-Server ~]$ ls -l
[cisco@Eagle-Server ~]$ mkdir try
[cisco@Eagle-Server ~]$ cd try
[cisco@Eagle-Server ~]$ pwd
[cisco@Eagle-Server ~]$ touch testing.txt
[cisco@Eagle-Server ~]$ ls -l
[cisco@Eagle-Server ~]$ rm testing.txt
[cisco@Eagle-Server ~]$ cd ..
[cisco@Eagle-Server ~]$ exit

5. Stop the “Live Capture” in Wireshark. Save the captured file as “Lab09_Ex08_Telnet.pcap”.

Exercise 9 (Live Capture): IRC with Gaim

1. Click on the second button (“Show the capture options…”). Repeat the steps as described in Ex1.2 with “host Your_IP_address” in the capture filter box. Then click the “Start” button to put Wireshark into “live capture” mode.

2. Perform the following tasks and steps.

Task 1: Adding an IRC Account

Step 1: Verify that there is an IRC client on the lab computer.

If not, download and install gaim-1.5.0.exe (Windows executable) from the URL ftp://eagle-server.example.com/pub/eagle_labs/eagle1/chapter1. Accept the default settings during the installation. After verifying that the Gaim chat client is installed, use the following steps to configure Gaim:

Step 2: Open the Accounts window.

1. Open Gaim and, in the Login window, select the Accounts icon. The Accounts window is shown in the following figure.

Figure 25


2. On the Accounts window, click the “Add” button.

Step 3: Add a new account.

1. See the following figure. On the Add Account window, expand the “Show more options” option. Fill in the required information:

Protocol: IRC
Screen Name: (how others will know you)
Server: eagle-server_IP_address
Proxy Type: No Proxy

2. When finished, click Save.

3. Close the Accounts window.

Task 2: Connecting to the Chat Server

Step 1: Sign on.

Return to the login window, where the new account on eagle-server should be visible. Click Sign-on. Two windows should open. One figure shows the IRC connection status window. Another figure shows the main Gaim IM client window, used for chatting or IM.


Step 2: Join the Chat.

When the IRC client connects to the IRC server, the status window closes and a Buddy List window is displayed. Click Chat, as shown in the following figure.

Note: To join a chat channel, the channel name must start with #. If the channel name is incorrect, you will be in the chat room alone (unless another student made a similar error).

Task 3: The Chat session


The following figure shows a brief chat between the users Root and student2. Multiple students can join and interact with each other.

3. Stop the “Live Capture” in Wireshark. Save the captured file as “Lab09_Ex09_IRC.pcap”.

Exercise 10: Analysis of Captured Trace File

1. Open the file “Lab09_Ex01_ICMP.pcap”. Answer the following questions:

a. What is the frame size (in bytes) of an ICMP reply?
_________________________________________________

b. How many ICMP requests have been issued?
_________________________________________________

c. What is the size (in bytes) of the ICMP data?
_________________________________________________

d. What is contained in the ICMP data, and does the data have any significance?
_________________________________________________

e. List the ICMP sequence numbers of both the ICMP requests and the ICMP replies.
_________________________________________________


2. Open the file “Lab09_Ex02_Tracert.pcap”. Answer the following questions:

a. Is there any ICMP reply in the captured trace file? (Yes/No)
_________________________________________________

b. What type of ICMP message has been sent back to you, and what are the values of the ICMP Type and Code?
_________________________________________________

c. In total, how many ICMP requests have been issued?
_________________________________________________

d. What is the TTL value in the IP header of the 5th ICMP request?
_________________________________________________

e. What is the RTT between the 1st ICMP request and the 1st ICMP return message?
_________________________________________________

f. What is the RTT between the 6th ICMP request and the 6th ICMP return message?
_________________________________________________

g. What is the time difference between the last ICMP request and the second-last ICMP request?
_________________________________________________

3. Open the file “Lab09_Ex03_PortScan.pcap”. Answer the following questions:

a. Write a display filter that will enable you to view the packets with a TCP SYN-ACK.
_________________________________________________

b. List the service port numbers that have issued a SYN-ACK back to you.
_________________________________________________


c. Write a display filter that will enable you to view the packets with a TCP SYN which have been sent by you to the Eagle Server.
_________________________________________________

d. How many TCP SYN packets have been sent by you to the Eagle Server?
_________________________________________________

e. Write a display filter that will enable you to view the packets with a TCP RST-ACK which have been sent to you by the Eagle Server.
_________________________________________________

f. How many TCP RST-ACK packets have been sent to you by the Eagle Server?
_________________________________________________

g. Does the number of TCP SYN packets (you to server) = the number of TCP RST-ACK packets (server to you) + the number of TCP SYN-ACK packets (server to you)? (Yes/No)
_________________________________________________

4. Open the file “Lab09_Ex04_NSLookUp.pcap”. Answer the following questions with reference to the appendix:

a. Is a DNS request an operation from client-to-server or server-to-client?
_________________________________________________

b. If a packet contains QR = 1 in the DNS header, is this packet from client-to-server or server-to-client?
_________________________________________________

c. Referring to the above figure, what is the hexadecimal value of Query Type “A”, and what does the “A” really mean?
_________________________________________________

d. Referring to the above figure, what does the “IN” really mean?


_________________________________________________

e. Referring to the above figure, how many answer resource records have been returned by the server? Please list the answers.
_________________________________________________

f. What is the hexadecimal value of Query Type “Standard query MAILB”?
_________________________________________________

g. How many answers are there for Query Type = “0x000b”?
_________________________________________________

h. List the answers for Query Type = “0x0002”.
_________________________________________________

5. Open the file “Lab09_Ex05_DHCP.pcap”. Answer the following questions: (Note: use the display filter “bootp” instead of “dhcp”.)

a. Is a DHCP Release an operation from client-to-server or server-to-client?
_________________________________________________

b. Is a DHCP ACK an operation from client-to-server or server-to-client?
_________________________________________________

c. What is the frame size (in bytes) of a DHCP Discover?
_________________________________________________

d. What is the value of DHCP Message Type = “DHCP Release”? (Note: please look for this value in the Options.)
_________________________________________________

6. Open the file “Lab09_Ex06_FTP_Web.pcap”. Answer the following questions: (Suggested display filter: “ftp.request || ftp.response”)


a. Has the FTP server asked you for any login name and password?
_________________________________________________

b. What is the login name and password of the FTP session shown in the captured trace file?
_________________________________________________

c. What does the FTP response code 257 “/” really mean?
_________________________________________________

d. What is the display filter for viewing just the FTP requests for changing directories?
_________________________________________________

e. What is the FTP request command that signals the downloading of a file?
_________________________________________________

f. In the display filter, enter “ftp-data”. Examine the source port number and destination port number of all the displayed packets. Is there any packet showing port number = 20?
_________________________________________________

g. Referring to the above figure, what does the FTP Response “213 6967072” really mean?
_________________________________________________

h. Referring to the above figure, what does the FTP Response “213 20070112043400” really mean? (Hint: refer to a figure in Ex.6)
_________________________________________________

i. What is the display filter for viewing just the FTP response code 150?
_________________________________________________

7. Open the file “Lab09_Ex07_FTP_Command.pcap”. Answer the following questions: (Suggested display filter: “ftp.request || ftp.response”)


a. In Wireshark, what FTP request has the command “mkdir try” that you typed at the ftp prompt been converted to?
_________________________________________________

b. In Wireshark, what FTP request has the command “rmdir try” that you typed at the ftp prompt been converted to?
_________________________________________________

c. Which hand-typed FTP command is converted to “STOR trying.txt” in Wireshark?
_________________________________________________

d. In the display filter, enter “ftp-data”. Examine the source port number and destination port number of all the displayed packets. Is there any packet showing port number = 20?
_________________________________________________

e. In “ftp-data”, what is the difference between FTP using the web browser and FTP using the command line?
_________________________________________________

f. Both the hand-typed FTP commands “ls” and “ls -l” display the file list of the current directory of the FTP server. Which hand-typed FTP command corresponds to FTP Request: LIST?
_________________________________________________

g. Examine the data contained inside the FTP-DATA packets immediately after the FTP request LIST. What do you observe?
_________________________________________________


8. Open the file “Lab09_Ex08_Telnet.pcap”. In the display filter, enter “telnet”. In the Packet Details pane, click on the ‘+’ next to “Telnet” so that it becomes ‘-’. Examine all the telnet data in order to cross-check your hand-typed telnet commands and the server responses from Ex.8.

9. Open the file “Lab09_Ex09_IRC.pcap”. In the display filter, enter “irc”. In the Packet Details pane, click on the ‘+’ next to “Internet Relay Chat” so that it becomes ‘-’. Examine all the IRC data in order to examine your IRC communication from Ex.9.

Refer to the appendix for more protocol information on IRC. Recommended display filters for IRC are “irc.request” and “irc.response”. Important IRC request commands to look for are: “PASS”, “NICK”, “PRIVMSG”, and “JOIN”.
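As an added illustration of the check in item 3 above (it is not part of the lab handout), the following Python script classifies constructed tshark-style records of a full-connect scan into client SYN, server SYN-ACK and server RST-ACK, lists which ports answered, and tests the SYN = SYN-ACK + RST-ACK identity. The addresses (172.16.20.130 for your PC, 172.16.20.220 for the Eagle Server), port numbers and timings are constructed placeholders in the style of the handout.

```python
"""Classify a full-connect port scan capture (added example, not from the handout).
Input lines mimic tab-separated `tshark -T fields` output with the fields
frame.time_relative, ip.src, ip.dst, tcp.srcport, tcp.dstport, tcp.flags."""
from collections import Counter

# TCP flag bits as carried in the tcp.flags field
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10

CLIENT = "172.16.20.130"   # your PC (placeholder address from the handout)
SERVER = "172.16.20.220"   # Eagle Server (placeholder address from the handout)

# Wireshark display filters selecting the same three packet classes
DISPLAY_FILTERS = {
    "syn":     f"tcp.flags.syn == 1 && tcp.flags.ack == 0 && ip.src == {CLIENT}",
    "syn_ack": f"tcp.flags.syn == 1 && tcp.flags.ack == 1 && ip.src == {SERVER}",
    "rst_ack": f"tcp.flags.reset == 1 && tcp.flags.ack == 1 && ip.src == {SERVER}",
}

# Constructed sample: four ports probed. 21 and 80 answer SYN-ACK (the client then
# ACKs and tears the connection down with its own RST-ACK); 22 and 443 answer RST-ACK.
SAMPLE_RECORDS = """\
0.000000\t172.16.20.130\t172.16.20.220\t49152\t21\t0x0002
0.000312\t172.16.20.220\t172.16.20.130\t21\t49152\t0x0012
0.000401\t172.16.20.130\t172.16.20.220\t49152\t21\t0x0010
0.000520\t172.16.20.130\t172.16.20.220\t49152\t21\t0x0014
0.001000\t172.16.20.130\t172.16.20.220\t49153\t22\t0x0002
0.001280\t172.16.20.220\t172.16.20.130\t22\t49153\t0x0014
0.002000\t172.16.20.130\t172.16.20.220\t49154\t80\t0x0002
0.002290\t172.16.20.220\t172.16.20.130\t80\t49154\t0x0012
0.002350\t172.16.20.130\t172.16.20.220\t49154\t80\t0x0010
0.002500\t172.16.20.130\t172.16.20.220\t49154\t80\t0x0014
0.003000\t172.16.20.130\t172.16.20.220\t49155\t443\t0x0002
0.003260\t172.16.20.220\t172.16.20.130\t443\t49155\t0x0014
"""


def parse_records(text):
    """Turn the tab-separated lines into dicts with typed fields."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        t, src, dst, sport, dport, flags = line.split("\t")
        records.append({"time": float(t), "src": src, "dst": dst,
                        "sport": int(sport), "dport": int(dport),
                        "flags": int(flags, 16)})
    return records


def classify(rec, client=CLIENT, server=SERVER):
    """Return 'syn', 'syn_ack', 'rst_ack' or None for one TCP segment, taking
    direction into account so the client's own RST-ACK is not counted."""
    f = rec["flags"]
    if rec["src"] == client and rec["dst"] == server:
        if f & SYN and not f & ACK:
            return "syn"
    elif rec["src"] == server and rec["dst"] == client:
        if f & SYN and f & ACK:
            return "syn_ack"
        if f & RST and f & ACK:
            return "rst_ack"
    return None


def analyze_scan(text, client=CLIENT, server=SERVER):
    """Summarise the scan the way Exercise 10, item 3 asks for it."""
    counts = Counter()
    probed, open_ports, closed_ports = set(), set(), set()
    for rec in parse_records(text):
        kind = classify(rec, client, server)
        if kind is None:
            continue
        counts[kind] += 1
        if kind == "syn":
            probed.add(rec["dport"])
        elif kind == "syn_ack":
            open_ports.add(rec["sport"])
        else:
            closed_ports.add(rec["sport"])
    # A filtered port answers nothing at all; that is the one case in which
    # SYN != SYN-ACK + RST-ACK, so such ports are reported separately.
    unanswered = probed - open_ports - closed_ports
    return {"syn": counts["syn"], "syn_ack": counts["syn_ack"],
            "rst_ack": counts["rst_ack"],
            "open_ports": sorted(open_ports), "closed_ports": sorted(closed_ports),
            "unanswered_ports": sorted(unanswered),
            "balanced": counts["syn"] == counts["syn_ack"] + counts["rst_ack"]}


if __name__ == "__main__":
    for name, expr in DISPLAY_FILTERS.items():
        print(f"{name:8s} display filter: {expr}")
    print(analyze_scan(SAMPLE_RECORDS))
```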


Appendix

DNS (Domain Name System) Header

The Domain Name System (DNS) is a distributed hierarchical naming system for computers, services, or any resource connected to the Internet or a private network. It associates various information with domain names assigned to each of the participants. Most importantly, it translates domain names meaningful to humans into the numerical (binary) identifiers associated with networking equipment for the purpose of locating and addressing these devices worldwide.

The DNS implements a distributed, hierarchical, and redundant database for information associated with Internet domain names and addresses. In these domain servers, different record types are used for different purposes.

DNS header (bit positions 0-31, two 16-bit words per row):

Bits 0-15                 | Bits 16-31
--------------------------|--------------------------------------------------
Identification            | QR | Opcode | AA | TC | RD | RA | Z | AD | CD | Rcode
Total Questions           | Total Answer RRs
Total Authority RRs       | Total Additional RRs
Questions [] :::
Answer RRs [] :::
Authority RRs [] :::
Additional RRs [] :::

Identification. 16 bits.
Used to match request/reply packets.

DNS flags. 16 bits.
DNS flags = QR + Opcode + AA + TC + RD + RA + Z + AD + CD + Rcode

QR, Query/Response. 1 bit.
QR  Description
0   Query.
1   Response.

Opcode. 4 bits.


Opcode  Description
0       QUERY, Standard query.
1       IQUERY, Inverse query.
2       STATUS, Server status request.
3       Reserved.
4       Notify.
5       Update.
6-15    Reserved.

AA, Authoritative Answer. 1 bit.
Specifies that the responding name server is an authority for the domain name in the question section. Note that the contents of the answer section may have multiple owner names because of aliases. This bit corresponds to the name which matches the query name, or the first owner name in the answer section.

AA  Description
0   Not authoritative.
1   Is authoritative.

TC, Truncated. 1 bit.
Indicates that only the first 512 bytes of the reply were returned.

TC  Description
0   Not truncated.
1   Message truncated.

RD, Recursion Desired. 1 bit.
May be set in a query and is copied into the response. If set, the name server is directed to pursue the query recursively. Recursive query support is optional.

RD  Description
0   Recursion not desired.
1   Recursion desired.

RA, Recursion Available. 1 bit.
Indicates whether recursive query support is available in the name server.

RA  Description
0   Recursive query support not available.
1   Recursive query support available.

Z. 1 bit.

AD, Authenticated Data. 1 bit.
Indicates in a response that all data included in the answer and authority sections of the response has been authenticated by the server according to the policies of that server. It should be set only if all data in the response has been cryptographically verified or otherwise meets the server's local security policy.

CD, Checking Disabled. 1 bit.

Rcode, Return code. 4 bits.

Rcode       Description
0           No error. The request completed successfully.
1           Format error. The name server was unable to interpret the query.
2           Server failure. The name server was unable to process this query due to a problem with the name server.
3           Name Error. Meaningful only for responses from an authoritative name server, this code signifies that the domain name referenced in the query does not exist.
4           Not Implemented. The name server does not support the requested kind of query.
5           Refused. The name server refuses to perform the specified operation for policy reasons. For example, a name server may not wish to provide the information to the particular requester, or a name server may not wish to perform a particular operation (e.g., zone transfer) for particular data.
6           YXDomain. Name exists when it should not.
7           YXRRSet. RR set exists when it should not.
8           NXRRSet. RR set that should exist does not.
9           NotAuth. Server not authoritative for zone.
10          NotZone. Name not contained in zone.
11-15       Reserved.
16          BADVERS. Bad OPT version. / BADSIG. TSIG signature failure.
17          BADKEY. Key not recognized.
18          BADTIME. Signature out of time window.
19          BADMODE. Bad TKEY mode.
20          BADNAME. Duplicate key name.
21          BADALG. Algorithm not supported.
22          BADTRUNC. Bad truncation.
23-3840
3841-4095   Private use.
4096-65535

Total Questions. 16 bits, unsigned.
Number of entries in the question list that were returned.

Total Answer RRs. 16 bits, unsigned.
Number of entries in the answer resource record list that were returned.

Total Authority RRs. 16 bits, unsigned.
Number of entries in the authority resource record list that were returned.

Total Additional RRs. 16 bits, unsigned.
Number of entries in the additional resource record list that were returned.

Questions[]. Variable length.
A list of zero or more Query structures.

Answer RRs[]. Variable length.
A list of zero or more Answer Resource Record structures.

Authority RRs[]. Variable length.
A list of zero or more Authority Resource Record structures.

Additional RRs[]. Variable length.
A list of zero or more Additional Resource Record structures.

Query. Variable length (bit positions 0-31, two 16-bit words per row):

Bits 0-15                 | Bits 16-31
--------------------------|--------------------------
Query Name :::
Type                      | Class

Resource Record. Variable length (bit positions 0-31, two 16-bit words per row):

Bits 0-15                 | Bits 16-31
--------------------------|--------------------------
Name :::
Type                      | Class
TTL
Rdata Length              | Rdata :::

Type. 16 bits, unsigned.

Type         Description
0
1            A, IPv4 address.
2            NS, Authoritative name server.
3            MD, Mail destination. Obsolete, use MX instead.
4            MF, Mail forwarder. Obsolete, use MX instead.
5            CNAME, Canonical name for an alias.
6            SOA, Marks the start of a zone of authority.
7            MB, Mailbox domain name.
8            MG, Mail group member.
9            MR, Mail rename domain name.
10           NULL, Null resource record.
11           WKS, Well known service description.
12           PTR, Domain name pointer.
13           HINFO, Host information.
14           MINFO, Mailbox or mail list information.
15           MX, Mail exchange.
16           TXT, Text strings.
17           RP, Responsible Person.
18           AFSDB, AFS Data Base location.
19           X25, X.25 PSDN address.
20           ISDN, ISDN address.
21           RT, Route Through.
22           NSAP, NSAP address. NSAP style A record.
23           NSAP-PTR.
24           SIG, Security signature.
25           KEY, Security key.
26           PX, X.400 mail mapping information.
27           GPOS, Geographical Position.
28           AAAA, IPv6 Address.
29           LOC, Location Information.
30           NXT, Next Domain (obsolete).
31           EID, Endpoint Identifier.
32           NIMLOC, Nimrod Locator. / NB, NetBIOS general Name Service.
33           SRV, Server Selection. / NBSTAT, NetBIOS NODE STATUS.
34           ATMA, ATM Address.
35           NAPTR, Naming Authority Pointer.
36           KX, Key Exchanger.
37           CERT.
38           A6.
39           DNAME.
40           SINK.
41           OPT.
42           APL.
43           DS, Delegation Signer.
44           SSHFP, SSH Key Fingerprint.
45           IPSECKEY.
46           RRSIG.
47           NSEC, NextSECure.
48           DNSKEY.
49           DHCID, DHCP identifier.
50           NSEC3.
51           NSEC3PARAM.
52
53
54
55           HIP, Host Identity Protocol.
56           NINFO.
57           RKEY.
58-98
99           SPF, Sender Policy Framework.
100          UINFO.
101          UID.
102          GID.
103          UNSPEC.
104-248
249          TKEY.
250          TSIG, Transaction Signature.
251          IXFR, Incremental transfer.
252          AXFR, A request for a transfer of an entire zone.
253          MAILB, A request for mailbox-related records (MB, MG or MR).
254          MAILA, A request for mail agent RRs. Obsolete.
255          *, A request for all records.
256-32767
32768        DNSSEC Trust Authorities.
32769        DNSSEC Lookaside Validation.

Class. 16 bits, unsigned.

Class        Description
0            Reserved.
1            IN, Internet.
2
3            CH, Chaos.
4            HS, Hesiod.
5-253
254          None.
255          Any (QCLASS only).
256-65279
65280-65534  Private use.
65535
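The following Python parser, added here as an illustration and not part of the handout, decodes the header, question and answer sections described above from constructed wire bytes of a www.cnn.com A query and its response (the answer addresses 192.0.2.10/11, the TTL and the ID 0x1234 are made up), so that QR, Opcode, RD/RA, the type and class codes and the answer RRs can be read off the same way Wireshark shows them in Exercise 10, item 4.

```python
"""Parse the DNS header, question and answer sections described in the appendix
(added example, not part of the handout; the wire bytes below are constructed)."""
import struct

# Subset of the Type and Class tables above
TYPE_NAMES = {1: "A", 2: "NS", 5: "CNAME", 6: "SOA", 11: "WKS", 12: "PTR", 15: "MX",
              16: "TXT", 28: "AAAA", 253: "MAILB", 255: "*"}
CLASS_NAMES = {1: "IN", 3: "CH", 4: "HS", 255: "ANY"}


def parse_header(data):
    """Split the 12-byte header into the fields listed in the appendix."""
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    return {"id": ident,
            "qr": (flags >> 15) & 1,         # 0 = query, 1 = response
            "opcode": (flags >> 11) & 0xF,   # 0 = QUERY, 1 = IQUERY, 2 = STATUS
            "aa": (flags >> 10) & 1, "tc": (flags >> 9) & 1,
            "rd": (flags >> 8) & 1, "ra": (flags >> 7) & 1,
            "z": (flags >> 6) & 1, "ad": (flags >> 5) & 1, "cd": (flags >> 4) & 1,
            "rcode": flags & 0xF,            # 0 = no error, 3 = name error, ...
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}


def parse_name(data, offset):
    """Decode a label sequence, following 0xC0xx compression pointers.
    Returns (name, offset just past the name as it appears in the message)."""
    labels, end, jumped, hops = [], offset, False, 0
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:
            if not jumped:
                end = offset + 2
            offset = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            jumped, hops = True, hops + 1
            if hops > 16:                     # refuse pointer loops
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if jumped else offset)


def parse_message(data):
    hdr = parse_header(data)
    offset, questions, answers = 12, [], []
    for _ in range(hdr["qdcount"]):
        name, offset = parse_name(data, offset)
        qtype, qclass = struct.unpack("!HH", data[offset:offset + 4])
        offset += 4
        questions.append({"name": name, "type": TYPE_NAMES.get(qtype, qtype),
                          "type_hex": f"0x{qtype:04x}",
                          "class": CLASS_NAMES.get(qclass, qclass)})
    for _ in range(hdr["ancount"]):
        name, offset = parse_name(data, offset)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlen]
        if rtype == 1 and rdlen == 4:            # A record: dotted IPv4
            value = ".".join(str(b) for b in rdata)
        elif rtype in (2, 5, 12):                # NS, CNAME, PTR carry a name
            value = parse_name(data, offset)[0]
        else:
            value = rdata.hex()
        offset += rdlen
        answers.append({"name": name, "type": TYPE_NAMES.get(rtype, rtype),
                        "class": CLASS_NAMES.get(rclass, rclass),
                        "ttl": ttl, "rdata": value})
    return {"header": hdr, "questions": questions, "answers": answers}


def direction(msg):
    """Exercise 10, item 4(b): the QR bit tells you who sent the packet."""
    return "server-to-client" if msg["header"]["qr"] else "client-to-server"


def encode_name(name):
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"


# Constructed messages: a standard A query for www.cnn.com with RD set, and the
# matching response (QR, RD, RA set) carrying two A answers with made-up addresses.
QUESTION = encode_name("www.cnn.com") + struct.pack("!HH", 1, 1)
QUERY = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + QUESTION
RESPONSE = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 2, 0, 0) + QUESTION
            + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 10])
            + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 11]))

if __name__ == "__main__":
    for msg in (parse_message(QUERY), parse_message(RESPONSE)):
        print(direction(msg), msg)
```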

FTP (File Transfer Protocol) Header

The FTP specification says that by default, all data transfers should be over a single connection. An active open is done by the server, from its port 20 to the same port on the client machine as was used for the control connection. The client does a passive open. For better or worse, most current FTP clients do not behave that way. A new connection is used for each transfer; to avoid running afoul of TCP's TIME_WAIT state, the client picks a new port number each time and sends a PORT command announcing that to the server.

FTP message format:

FTP commands are Telnet strings terminated by the Telnet end-of-line code. The command codes themselves are alphabetic character strings terminated by the character <Space> if parameters follow and <CRLF> otherwise.

FTP Commands:

Command Description

ABOR Abort.

ACCT Account.

ADAT Authentication/Security Data.

ALLO Allocate.

APPE Append.

AUTH Authentication/Security Mechanism.

CCC Clear Command Channel.

CDUP Change to parent directory.

CONF Confidentiality Protected Command.

CWD Change working directory.

DELE Delete.

ENC Privacy Protected Command.

EPRT Extended Data port.

EPSV Extended Passive.

FEAT Feature.

HELP Help.

LANG Language negotiation.

LIST List.

LPRT Long data port.

LPSV Long passive.

MDTM File modification time.

MIC Integrity Protected Command.

MKD Make directory.

MLSD

MLST

MODE Transfer mode.

NLST Name list.

NOOP No operation.

OPTS Options.

PASS Password.

PASV Passive mode.

PBSZ Protection Buffer Size.

PORT Data port.

PROT Data Channel Protection Level.

PWD Print working directory.

QUIT Logout.

REIN Reinitialize.

REST Restart of interrupted transfer.

RETR Retrieve.

RMD Remove directory.

RNFR Rename from.

RNTO Rename to.

SITE Site parameters.

SIZE File size.

SMNT Structure mount.

STAT Status.

STOR Store.

STOU Store unique.

STRU File structure.

SYST System.

TYPE Representation type.

USER User name.

XCUP Change to the parent of the current working directory.

XMKD Make a directory.

XPWD Print the current working directory.

XRCP

XRMD Remove the directory.

XRSQ

XSEM Send, Mail if cannot.

XSEN Send to terminal.

FTP reply code format:

Code Description

1yz Positive Preliminary reply.

2yz Positive Completion reply.

3yz Positive Intermediate reply.

4yz Transient Negative Completion reply.

5yz Permanent Negative Completion reply.

x0z Syntax. These replies refer to syntax errors, syntactically correct commands that don't fit any functional category, unimplemented or superfluous commands.

x1z Information. These are replies to requests for information, such as status or help.

x2z Connections. Replies referring to the control and data connections.

x3z Authentication and accounting. Replies for the login process and accounting procedures.

x4z Unspecified as of RFC 959

x5z File system. These replies indicate the status of the Server file system vis-a-vis the requested transfer or other file system action.

FTP reply codes:

Code Description

110 Restart marker reply.

120 Service ready in nnn minutes.

125 Data connection already open; transfer starting.

150 File status okay; about to open data connection.

200 Command okay.

202 Command not implemented, superfluous at this site.

211 System status, or system help reply.

212 Directory status.

213 File status.

214 Help message.

215 NAME system type.

220 Service ready for new user.

221 Service closing control connection.

225 Data connection open; no transfer in progress.

226 Closing data connection.

227 Entering Passive Mode <h1,h2,h3,h4,p1,p2>.

228 Entering Long Passive Mode.

229 Extended Passive Mode Entered.

230 User logged in, proceed.

250 Requested file action okay, completed.

257 "PATHNAME" created.

331 User name okay, need password.

332 Need account for login.

350 Requested file action pending further information.

421 Service not available, closing control connection.

425 Can't open data connection.

426 Connection closed; transfer aborted.

450 Requested file action not taken.

451 Requested action aborted. Local error in processing.

452 Requested action not taken.

500 Syntax error, command unrecognized.

501 Syntax error in parameters or arguments.

502 Command not implemented.

503 Bad sequence of commands.

504 Command not implemented for that parameter.

521 Supported address families are <af1, .., afn>

522 Protocol not supported.

530 Not logged in.

532 Need account for storing files.

550 Requested action not taken.

551 Requested action aborted. Page type unknown.

552 Requested file action aborted.

553 Requested action not taken.

554 Requested action not taken: invalid REST parameter.

555 Requested action not taken: type or stru mismatch.

IRC (Internet Relay Chat Protocol) Header

IRC was developed as a means for users on a BBS to chat amongst themselves. IRC has been designed over a number of years for use with text based conferencing.

The IRC protocol has been developed on systems using the TCP/IP network protocol, although there is no requirement that this remain the only sphere in which it operates.

Servers and clients send each other messages which may or may not generate a reply. If the message contains a valid command, as described in later sections, the client should expect a reply as specified but it is not advised to wait forever for the reply; client to server and server to server communication is essentially asynchronous in nature.

Request Commands:

Command Description

ADMIN Get information about the administrator of a server.

AWAY Set an automatic reply string for any PRIVMSG commands.

CONNECT Request a new connection to another server immediately.

DIE Shutdown the server.

ERROR Report a serious or fatal error to a peer.

INFO Get information describing a server.

INVITE Invite a user to a channel.

ISON Determine if a nickname is currently on IRC.

JOIN Join a channel.

KICK Request the forced removal of a user from a channel.

KILL Close a client-server connection by the server which has the actual connection.

LINKS List all servernames which are known by the server answering the query.

LIST List channels and their topics.

LUSERS Get statistics about the size of the IRC network.

MODE User mode.

MOTD Get the Message of the Day.

NAMES List all visible nicknames.

NICK Define a nickname.

NJOIN Exchange the list of channel members for each channel between servers.

NOTICE

OPER Obtain operator privileges.

PART Leave a channel.

PASS Set a connection password.

PING Test for the presence of an active client or server.

PONG Reply to a PING message.

PRIVMSG Send private messages between users, as well as to send messages to channels.

QUIT Terminate the client session.

REHASH Force the server to re-read and process its configuration file.

RESTART Force the server to restart itself.

SERVER Register a new server.

SERVICE Register a new service.

SERVLIST List services currently connected to the network.

SQUERY

SQUIRT Disconnect a server link.

SQUIT Break a local or remote server link.

STATS Get server statistics.

SUMMON Ask a user to join IRC.

TIME Get the local time from the specified server.

TOPIC Change or view the topic of a channel.

TRACE Find the route to a server and information about its peers.

USER Specify the username, hostname and realname of a new user.

USERHOST Get a list of information about up to 5 nicknames.

USERS Get a list of users logged into the server.

VERSION Get the version of the server program.

WALLOPS Send a message to all currently connected users who have set the 'w' user mode.

WHO List a set of users.

WHOIS Get information about a specific user.

WHOWAS Get information about a nickname which no longer exists.

Reply codes:

Replies in the range from 001 to 099 are used for client-server connections only and should never travel between servers.

Code Reply Format

1 RPL_WELCOME "Welcome to the Internet Relay Network <nick>!<user>@<host>"

2 RPL_YOURHOST "Your host is <servername>, running version <ver>"

3 RPL_CREATED "This server was created <date>"

4 RPL_MYINFO "<servername> <version> <available user modes> <available channel modes>"

5 RPL_BOUNCE "Try server <server name>, port <port number>"

Replies generated in the response to commands are found in the range from 200 to 399.

Code Reply Format

200 RPL_TRACELINK "Link <version & debug level> <destination> <next server> V<protocol version> <link uptime in seconds> <backstream sendq> <upstream sendq>"

201 RPL_TRACECONNECTING "Try. <class> <server>"

202 RPL_TRACEHANDSHAKE "H.S. <class> <server>"

203 RPL_TRACEUNKNOWN "???? <class> [<client IP address in dot form>]"

204 RPL_TRACEOPERATOR "Oper <class> <nick>"

205 RPL_TRACEUSER "User <class> <nick>"

206 RPL_TRACESERVER "Serv <class> <int>S <int>C <server> <nick!user|*!*>@<host|server> V<protocol version>"

207 RPL_TRACESERVICE "Service <class> <name> <type> <active type>"

208 RPL_TRACENEWTYPE "<newtype> 0 <client name>"

209 RPL_TRACECLASS "Class <class> <count>"

210 RPL_TRACERECONNECT Unused.

211 RPL_STATSLINKINFO "<linkname> <sendq> <sent messages> <sent Kbytes> <received messages> <received Kbytes> <time open>"

212 RPL_STATSCOMMANDS "<command> <count> <byte count> <remote count>"

219 RPL_ENDOFSTATS "<stats letter> :End of STATS report"

221 RPL_UMODEIS "<user mode string>"

234 RPL_SERVLIST "<name> <server> <mask> <type> <hopcount> <info>"

235 RPL_SERVLISTEND "<mask> <type> :End of service listing"

242 RPL_STATSUPTIME ":Server Up %d days %d:%02d:%02d"

243 RPL_STATSOLINE "O <hostmask> * <name>"

251 RPL_LUSERCLIENT ":There are <integer> users and <integer> services on <integer> servers"

252 RPL_LUSEROP "<integer> :operator(s) online"

253 RPL_LUSERUNKNOWN "<integer> :unknown connection(s)"

254 RPL_LUSERCHANNELS "<integer> :channels formed"

255 RPL_LUSERME ":I have <integer> clients and <integer> servers"

256 RPL_ADMINME "<server> :Administrative info"

257 RPL_ADMINLOC1 ":<admin info>"

258 RPL_ADMINLOC2 ":<admin info>"

259 RPL_ADMINEMAIL ":<admin info>"

261 RPL_TRACELOG "File <logfile> <debug level>"

262 RPL_TRACEEND "<server name> <version & debug level> :End of TRACE"

263 RPL_TRYAGAIN "<command> :Please wait a while and try again."

301 RPL_AWAY "<nick> :<away message>"

302 RPL_USERHOST ":*1<reply> *( " " <reply> )"

303 RPL_ISON ":*1<nick> *( " " <nick> )"

305 RPL_UNAWAY ":You are no longer marked as being away"

306 RPL_NOWAWAY ":You have been marked as being away"

311 RPL_WHOISUSER "<nick> <user> <host> * :<real name>"

312 RPL_WHOISSERVER "<nick> <server> :<server info>"

313 RPL_WHOISOPERATOR "<nick> :is an IRC operator"

314 RPL_WHOWASUSER "<nick> <user> <host> * :<real name>"

315 RPL_ENDOFWHO "<name> :End of WHO list"

317 RPL_WHOISIDLE "<nick> <integer> :seconds idle"

318 RPL_ENDOFWHOIS "<nick> :End of WHOIS list"

319 RPL_WHOISCHANNELS "<nick> :*( ( "@" / "+" ) <channel> " " )"

321 RPL_LISTSTART Obsolete.

322 RPL_LIST "<channel> <# visible> :<topic>"

323 RPL_LISTEND ":End of LIST"

324 RPL_CHANNELMODEIS "<channel> <mode> <mode params>"

325 RPL_UNIQOPIS "<channel> <nickname>"

331 RPL_NOTOPIC "<channel> :No topic is set"

332 RPL_TOPIC "<channel> :<topic>"

341 RPL_INVITING "<channel> <nick>"

342 RPL_SUMMONING "<user> :Summoning user to IRC"

346 RPL_INVITELIST "<channel> <invitemask>"

347 RPL_ENDOFINVITELIST "<channel> :End of channel invite list"

348 RPL_EXCEPTLIST "<channel> <exceptionmask>"

349 RPL_ENDOFEXCEPTLIST "<channel> :End of channel exception list"

351 RPL_VERSION "<version>.<debuglevel> <server> :<comments>"

352 RPL_WHOREPLY "<channel> <user> <host> <server> <nick> ( "H" / "G" ) ["*"] [ ( "@" / "+" ) ] :<hopcount> <real name>"

353 RPL_NAMREPLY "( "=" / "*" / "@" ) <channel> :[ "@" / "+" ] <nick> *( " " [ "@" / "+" ] <nick> )"

364 RPL_LINKS "<mask> <server> :<hopcount> <server info>"

365 RPL_ENDOFLINKS "<mask> :End of LINKS list"

366 RPL_ENDOFNAMES "<channel> :End of NAMES list"

367 RPL_BANLIST "<channel> <banmask>"

368 RPL_ENDOFBANLIST "<channel> :End of channel ban list"

369 RPL_ENDOFWHOWAS "<nick> :End of WHOWAS"

371 RPL_INFO ":<string>"

372 RPL_MOTD ":- <text>"

374 RPL_ENDOFINFO ":End of INFO list"

375 RPL_MOTDSTART ":- <server> Message of the day - "

376 RPL_ENDOFMOTD ":End of MOTD command"

381 RPL_YOUREOPER ":You are now an IRC operator"

382 RPL_REHASHING "<config file> :Rehashing"

383 RPL_YOURESERVICE "You are service <servicename>"

391 RPL_TIME "<server> :<string showing server's local time>"

392 RPL_USERSSTART ":UserID Terminal Host"

393 RPL_USERS ":<username> <ttyline> <hostname>"

394 RPL_ENDOFUSERS ":End of users"

395 RPL_NOUSERS ":Nobody logged in"

Error replies are found in the range from 400 to 599.

Code Reply Format

401 ERR_NOSUCHNICK "<nickname> :No such nick/channel"

402 ERR_NOSUCHSERVER "<server name> :No such server"

403 ERR_NOSUCHCHANNEL "<channel name> :No such channel"

404 ERR_CANNOTSENDTOCHAN "<channel name> :Cannot send to channel"

405 ERR_TOOMANYCHANNELS "<channel name> :You have joined too many channels"

406 ERR_WASNOSUCHNICK "<nickname> :There was no such nickname"

407 ERR_TOOMANYTARGETS "<target> :<error code> recipients. <abort message>"

408 ERR_NOSUCHSERVICE "<service name> :No such service"

409 ERR_NOORIGIN ":No origin specified"

411 ERR_NORECIPIENT ":No recipient given (<command>)"

412 ERR_NOTEXTTOSEND ":No text to send"

413 ERR_NOTOPLEVEL "<mask> :No toplevel domain specified"

414 ERR_WILDTOPLEVEL "<mask> :Wildcard in toplevel domain"

415 ERR_BADMASK "<mask> :Bad Server/host mask"

421 ERR_UNKNOWNCOMMAND "<command> :Unknown command"

422 ERR_NOMOTD ":MOTD File is missing"

423 ERR_NOADMININFO "<server> :No administrative info available"

424 ERR_FILEERROR ":File error doing <file op> on <file>"

431 ERR_NONICKNAMEGIVEN ":No nickname given"

432 ERR_ERRONEUSNICKNAME "<nick> :Erroneous nickname"

433 ERR_NICKNAMEINUSE "<nick> :Nickname is already in use"

436 ERR_NICKCOLLISION "<nick> :Nickname collision KILL from <user>@<host>"

437 ERR_UNAVAILRESOURCE "<nick/channel> :Nick/channel is temporarily unavailable"

441 ERR_USERNOTINCHANNEL "<nick> <channel> :They aren't on that channel"

442 ERR_NOTONCHANNEL "<channel> :You're not on that channel"

443 ERR_USERONCHANNEL "<user> <channel> :is already on channel"

444 ERR_NOLOGIN "<user> :User not logged in"

445 ERR_SUMMONDISABLED ":SUMMON has been disabled"

446 ERR_USERSDISABLED ":USERS has been disabled"

451 ERR_NOTREGISTERED ":You have not registered"

461 ERR_NEEDMOREPARAMS "<command> :Not enough parameters"

462 ERR_ALREADYREGISTRED ":Unauthorized command (already registered)"

463 ERR_NOPERMFORHOST ":Your host isn't among the privileged"

464 ERR_PASSWDMISMATCH ":Password incorrect"

465 ERR_YOUREBANNEDCREEP ":You are banned from this server"

466 ERR_YOUWILLBEBANNED

467 ERR_KEYSET "<channel> :Channel key already set"

471 ERR_CHANNELISFULL "<channel> :Cannot join channel (+l)"

472 ERR_UNKNOWNMODE "<char> :is unknown mode char to me for <channel>"

473 ERR_INVITEONLYCHAN "<channel> :Cannot join channel (+i)"

474 ERR_BANNEDFROMCHAN "<channel> :Cannot join channel (+b)"

475 ERR_BADCHANNELKEY "<channel> :Cannot join channel (+k)"

476 ERR_BADCHANMASK "<channel> :Bad Channel Mask"

477 ERR_NOCHANMODES "<channel> :Channel doesn't support modes"

478 ERR_BANLISTFULL "<channel> <char> :Channel list is full"

481 ERR_NOPRIVILEGES ":Permission Denied- You're not an IRC operator"

482 ERR_CHANOPRIVSNEEDED "<channel> :You're not channel operator"

483 ERR_CANTKILLSERVER ":You can't kill a server!"

484 ERR_RESTRICTED ":Your connection is restricted!"

485 ERR_UNIQOPPRIVSNEEDED ":You're not the original channel operator"

491 ERR_NOOPERHOST ":No O-lines for your host"

501 ERR_UMODEUNKNOWNFLAG ":Unknown MODE flag"

502 ERR_USERSDONTMATCH ":Cannot change mode for other users"
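An added Python example (not part of the lab handout) that splits IRC lines into the prefix, command and parameters used by the reply tables above and sorts numeric replies into the 001-099 (connection), 200-399 (command reply) and 400-599 (error) ranges, collecting the error replies with their parameters for review. The sample lines, server name, nicks and channel are constructed.

```python
import re
from collections import Counter

# Constructed server-to-client IRC lines (not from a real capture); formats follow the reply tables.
SAMPLE_LINES = [
    ":irc.example.net 001 alice :Welcome to the Internet Relay Network alice!alice@10.0.0.7",
    ":irc.example.net 004 irc.example.net ircd-1.0 aoOirw biklmnopstv",
    ":irc.example.net 433 * bob :Nickname is already in use",
    ":irc.example.net 375 alice :- irc.example.net Message of the day - ",
    ":alice!alice@10.0.0.7 JOIN #lab",
    ":irc.example.net 322 alice #lab 3 :UCCN1003 lab channel",
    "PING :irc.example.net",
]

# <message> = [":" <prefix> " "] <command> *(" " <middle>) [" :" <trailing>]
MESSAGE_RE = re.compile(r"^(?::(\S+) )?(\S+)((?: [^:\s]\S*)*)(?: :(.*))?$")

def parse_message(line):
    """Split one IRC line into (prefix, command, params); the trailing param may contain spaces."""
    m = MESSAGE_RE.match(line)
    if not m:
        raise ValueError(f"malformed IRC line: {line!r}")
    prefix, command, middle, trailing = m.groups()
    params = middle.split()
    if trailing is not None:
        params.append(trailing)
    return prefix, command, params

def numeric_class(command):
    """Map a three-digit numeric onto the ranges used above; None for textual commands."""
    if not (len(command) == 3 and command.isdigit()):
        return None
    code = int(command)
    if 1 <= code <= 99:
        return "connection"          # client-server only, never server-server
    if 200 <= code <= 399:
        return "command reply"
    if 400 <= code <= 599:
        return "error"
    return "reserved"

def summarize(lines):
    """Count numerics by range and collect the error replies with their parameters."""
    counts, errors = Counter(), []
    for line in lines:
        prefix, command, params = parse_message(line)
        cls = numeric_class(command)
        counts[cls or "textual command"] += 1
        if cls == "error":
            errors.append((int(command), prefix, params))
    return dict(counts), errors
```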