(Slides 30 to 35 of the deck, which continue the appendix's FTP reply-code table and contain the IRC command and numeric-reply tables, survive on the source page only as these truncated preview lines.)
229  Extended Passive Mode Entered.
230  User logged in, proceed.
250  Requested file action okay, completed.
257  "PA...
... reply as specified but it is not advised to wait forever for the reply; client to server and server to server communication...
TOPIC  Change or view the topic of a channel.
TRACE  Find the route to a server and information about its p...
212  RPL_STATSCOMMANDS  "<command> <count> <byte count> <remote count>"
219  RPL_ENDOFSTATS  "<stats letter> :En...
348  RPL_EXCEPTLIST  "<channel> <exceptionmask>"
349  RPL_ENDOFEXCEPTLIST  "<channel> :End...
415  ERR_BADMASK  "<mask> :Bad Server/host mask"
421  ERR_UNKNOWNCOMMAND  "<command> :Unknown co...
Uccn1003 -may10_-_lab_09_-_wireshark_analysis_live_capture

UCCN1003 Data Communications and Networks
Lab 09: Wireshark Analysis of Protocols - Live Capture

Instructions:
1. Read the “Introduction” section for the background.
2. Perform all the lab exercises, starting with Exercise 1.
3. Follow all the steps.
4. Record the results of all italic bold actions.
5. Paste your screen captures into a Word document and save it.
6. Answer all the questions in italic and in the blanks, based on your observation of the results.
7. Write your answers in the same Word document.
8. Please follow the sequence of the exercises, and don't skip any step.
9. Please try your best to understand the steps of this lab.
10. Please read the appendix of this lab for more information on the various protocols.

Introduction to Wireshark Live Capture and a Re-visit of Eagle Server

In this lab, you will learn how to perform a Wireshark live capture with a capture filter in order to examine the packet flow between your PC and Eagle Server. You have used Eagle Server in the earlier labs.

This lab consists of two parts: live capture and packet analysis. During the live capture part of the lab, you will access services on the Eagle Server while performing a live packet capture with Wireshark. After that, you will save the live capture information to a file.

During the packet analysis part, you will re-open the saved live capture files and answer various questions.

[Figure: lab network layout; labels “In E204A …”, “In E204D/E211B” and “In E204B …”]
Introduction to Capture Filters in Wireshark for Live Capture

Please take note that the capture filter syntax is different from the display filter syntax! A capture filter (tcpdump/BPF syntax, e.g. “host 192.168.1.1”) is applied while packets are being captured, and packets it rejects are never written to the capture file; a display filter (Wireshark syntax, e.g. “ip.addr == 192.168.1.1”) is applied afterwards to the packets already captured and can be changed at any time.

When capturing packets from a NIC, Wireshark's default behaviour is to capture all of the packets that reach the NIC. On a lightly loaded home network this is not a problem; however, on a busy network at a large enterprise, the deluge of packets would be too much to handle. Wireshark provides capture filters, which allow you to capture only the packets that you are interested in. Examples of Wireshark capture filter syntax:

To capture all IPv4 packets that have a source or destination address of 192.168.1.1:
    host 192.168.1.1
To capture only packets whose source IP address is 192.168.1.1 (“src host 192.168.1.1” is equivalent):
    src 192.168.1.1
To capture only packets whose destination IP address is 192.168.1.2:
    dst 192.168.1.2
To capture packets to or from any host on the 192.168.100.0/26 network:
    net 192.168.100.0/26
(“src net 192.168.100.0/26” matches only packets whose source address is in that network; the /26 mask covers 192.168.100.0 to 192.168.100.63.)
To find all frames sent to the broadcast MAC address:
    ether host ff:ff:ff:ff:ff:ff
To capture frames with a particular hardware address as source, or as destination:
    ether src 00:f9:06:aa:01:03
    ether dst 00:f9:06:aa:01:03
To capture traffic on port 80, which normally carries Hypertext Transfer Protocol (HTTP):
    port 80
(A capture filter matches port numbers, not the protocol actually carried: HTTP on another port is missed and non-HTTP traffic on port 80 is captured. Use “tcp port 80” to leave out UDP.)
To capture UDP packets destined for port 53:
    udp dst port 53
To capture everything except DNS lookups (more precisely, everything that does not use port 53):
    not port 53
To look at Telnet packets to or from the host 192.168.10.10:
    host 192.168.10.10 and port 23
If you want either Telnet packets or Secure Shell (SSH) packets coming from 192.168.10.5:
    src host 192.168.10.5 and (port telnet or port ssh)
To capture all ICMP packets:
    icmp

Expressions are combined with “not”, “and” and “or” (in that order of precedence); use parentheses to make the grouping explicit, as in the Telnet/SSH example. Service names such as telnet and ssh are looked up in the system's services file.
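The following is an added example, not part of the lab handout, that models what each capture-filter primitive listed above actually tests. It runs over constructed packet records rather than a live NIC so it works offline; the packets, the MAC addresses and the small service-name table are assumptions made for the example (libpcap resolves names such as telnet and ssh from the system services file).

```python
"""Capture-filter primitives modelled in Python (added example; constructed data)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

SERVICES = {"ssh": 22, "telnet": 23, "domain": 53, "http": 80}  # assumed subset of /etc/services


@dataclass(frozen=True)
class Packet:
    """Only the fields the filters below test (constructed, simplified)."""
    eth_src: str
    eth_dst: str
    ip_src: str
    ip_dst: str
    proto: str      # "tcp", "udp" or "icmp"
    sport: int = 0  # 0 means "no port" (ICMP)
    dport: int = 0


class Filter:
    """Predicate over a Packet. & is BPF 'and', | is 'or', ~ is 'not'."""

    def __init__(self, fn, text):
        self.fn, self.text = fn, text

    def __call__(self, pkt):
        return self.fn(pkt)

    def __and__(self, other):
        return Filter(lambda p: self(p) and other(p), f"({self.text} and {other.text})")

    def __or__(self, other):
        return Filter(lambda p: self(p) or other(p), f"({self.text} or {other.text})")

    def __invert__(self):
        return Filter(lambda p: not self(p), f"not {self.text}")


def _pick(direction, on_src, on_dst):
    """'src' tests the source only, 'dst' the destination only, None either side."""
    return {"src": on_src, "dst": on_dst}.get(direction, on_src or on_dst)


def _label(*parts):
    return " ".join(str(x) for x in parts if x)


def host(addr, direction=None):
    """host A / src host A / dst host A: exact IPv4 address match."""
    a = ip_address(addr)
    return Filter(lambda p: _pick(direction, ip_address(p.ip_src) == a, ip_address(p.ip_dst) == a),
                  _label(direction, "host", addr))


def net(cidr, direction=None):
    """net N/M: the address lies inside the prefix, i.e. (addr & mask) == network."""
    n = ip_network(cidr, strict=False)
    return Filter(lambda p: _pick(direction, ip_address(p.ip_src) in n, ip_address(p.ip_dst) in n),
                  _label(direction, "net", cidr))


def port(name_or_number, direction=None, proto=None):
    """port P / udp dst port P: TCP or UDP port match; ICMP never matches."""
    num = SERVICES[name_or_number] if isinstance(name_or_number, str) else int(name_or_number)

    def match(p):
        if p.proto not in ("tcp", "udp") or (proto and p.proto != proto):
            return False
        return _pick(direction, p.sport == num, p.dport == num)

    return Filter(match, _label(proto, direction, "port", name_or_number))


def ether_host(mac, direction=None):
    """ether host M / ether src M / ether dst M: link-layer address match."""
    m = mac.lower()
    return Filter(lambda p: _pick(direction, p.eth_src.lower() == m, p.eth_dst.lower() == m),
                  _label("ether", direction or "host", mac))


def icmp():
    return Filter(lambda p: p.proto == "icmp", "icmp")


def matches(filt, packets):
    """Indices of the packets a capture filter would let through."""
    return [i for i, p in enumerate(packets) if filt(p)]


# Constructed traffic (not a real capture): a web request and reply, DNS from
# two hosts, Telnet and SSH, a ping, and a DHCP Discover to the broadcast MAC.
PC, GW, BCAST = "00:f9:06:aa:01:03", "00:11:22:33:44:55", "ff:ff:ff:ff:ff:ff"
PACKETS = [
    Packet(PC, GW, "192.168.1.1", "192.168.1.2", "tcp", 40000, 80),      # 0 HTTP request
    Packet(GW, PC, "192.168.1.2", "192.168.1.1", "tcp", 80, 40000),      # 1 HTTP reply
    Packet(PC, GW, "192.168.100.70", "8.8.8.8", "udp", 5353, 53),        # 2 DNS, host outside .0/26
    Packet(PC, GW, "192.168.100.5", "8.8.8.8", "udp", 5000, 53),         # 3 DNS, host inside .0/26
    Packet(GW, PC, "8.8.8.8", "192.168.100.5", "udp", 53, 5000),         # 4 DNS reply
    Packet(PC, GW, "192.168.10.5", "192.168.10.10", "tcp", 50000, 23),   # 5 Telnet
    Packet(PC, GW, "192.168.10.5", "192.168.10.10", "tcp", 50001, 22),   # 6 SSH
    Packet(GW, PC, "192.168.10.10", "192.168.10.5", "tcp", 23, 50000),   # 7 Telnet reply
    Packet(PC, GW, "192.168.1.1", "192.168.1.2", "icmp"),                # 8 ping
    Packet(PC, BCAST, "0.0.0.0", "255.255.255.255", "udp", 68, 67),      # 9 DHCP Discover
]

# The handout's own filter lines, expressed with the primitives above.
EXAMPLES = {
    "host 192.168.1.1": host("192.168.1.1"),
    "src 192.168.1.1": host("192.168.1.1", "src"),
    "net 192.168.100.0/26": net("192.168.100.0/26"),
    "src net 192.168.100.0/26": net("192.168.100.0/26", "src"),
    "port 80": port(80),
    "udp dst port 53": port(53, "dst", "udp"),
    "not port 53": ~port(53),
    "host 192.168.10.10 and port 23": host("192.168.10.10") & port(23),
    "src host 192.168.10.5 and (port telnet or port ssh)":
        host("192.168.10.5", "src") & (port("telnet") | port("ssh")),
    "ether host ff:ff:ff:ff:ff:ff": ether_host(BCAST),
    "icmp": icmp(),
}

if __name__ == "__main__":
    for text, filt in EXAMPLES.items():
        print(f"{text:55s} -> packets {matches(filt, PACKETS)}")
```

Note that “host” and “port” match in either direction, so a reply is captured as well as the request, while “src” and “dst” keep one direction only; and “net 192.168.100.0/26” does not match 192.168.100.70 because that address is outside the first 64 addresses of the block.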
Exercise 1 (Live Capture): Ping to Eagle Server with “Free IP Tools”

1. When you first open Wireshark and see the following figure, click on “Capture Options” as highlighted in the figure.
2. The following dialog box should pop up. Make sure that you have selected the real NIC, as shown in the top right corner (e.g. Realtek 10/100/1000 Ethernet NIC for E204A/B). Please check your PC's IP address now. In the box next to “Capture filter”, type in “host your_IP_address” (e.g. host 172.16.20.130), and then click on the “Start” button to perform the live capture. (Note: see the “Introduction to Capture Filters” section above for more capture filter syntax. “host 172.16.20.130” captures only packets whose source IP or destination IP is 172.16.20.130.)
3. Open “Free IP Tools” as shown in the following figure. If you don't have it, please install it on your PC. Click on the “Ping” tab (at the left side of the figure). Please check the Eagle Server's IP and key it into the box below “Host or IP address” (e.g. 172.16.20.220), and then click on the “Start” button.
4. In Wireshark, the result should look like the following figure, in which the callout “Your IP address” marks your PC's address.
5. In the main toolbar, click the fourth button from the left (the “Stop the running live capture” button), as shown in the following figure, to stop the live capture.
6. Save the captured packets as “Lab09_Ex01_ICMP.pcap”.
Exercise 2 (Live Capture): Trace Route with “Free IP Tools”

1. Click on the second button (“Show the capture options…”). Repeat the steps described in Ex. 1 step 2. If another dialog box pops up, click on “Continue without Saving”, assuming that you have already saved the file in Ex. 1. Wireshark should go into “live capture” mode.
2. Click on the “TraceRoute” tab in “Free IP Tools”. Key in the value “10” for “End hop”. Key in www.google.com for “Host or IP address”, and then click on the “Start” button. Wait until the process stops (as shown in the following figure). Another indication is that after you have clicked the “Start” button, the “Start” button turns into “Stop”; after the process has stopped, “Stop” turns back into “Start”.
3. Stop the live capture in Wireshark and save the captured packets as “Lab09_Ex02_Tracert.pcap”.

Exercise 3 (Live Capture): Port Scanning Eagle Server with “Free IP Tools”

1. Click on the second button (“Show the capture options…”). Repeat the steps described in Ex. 1 step 2 to put Wireshark into “live capture” mode.
2. Click on the “PortScan” tab in “Free IP Tools”. Select “Conventional (full connect)” under “Scanning mode”. Key in the Eagle Server IP for “Host or IP address”, and then click on the “Start” button. Wait until the process stops (as shown in the following figure). (Note: a full-connect scan completes the TCP three-way handshake with every open port it probes, so the target can see and log it. Only scan hosts you are authorised to scan, such as the lab's Eagle Server.)
3. Stop the live capture in Wireshark and save the captured packets as “Lab09_Ex03_PortScan.pcap”.

Exercise 4 (Live Capture): NSLookUp with “Free IP Tools”

1. Click on the second button (“Show the capture options…”). Repeat the steps described in Ex. 1 step 2 to put Wireshark into “live capture” mode.
2. Click on the “NSLookUp” tab in “Free IP Tools”. Make sure that you have a valid DNS server IP. Key in “www.cnn.com” for “Query”. Select “Standard Resolve Function” for “Query Type”, and then click on the “Start” button.
3. Continue to explore all the other “Query Type” values for “www.cnn.com”, clicking on the “Start” button each time.
4. After the last one, “AAAA – IPv6 Address”, stop the live capture in Wireshark and save the captured packets as “Lab09_Ex04_NSLookUp.pcap”.

Exercise 5 (Live Capture): Networking Commands - DHCP

1. Click on the second button (“Show the capture options…”). Clear the capture filter and make sure that the capture filter box is empty. Then click the “Start” button to put Wireshark into “live capture” mode. (The “host your_IP_address” filter is not used here because, once the address has been released, the PC sends its DHCP Discover from 0.0.0.0 to the broadcast address 255.255.255.255, which that filter would not match. If the background traffic is too much, the capture filter “port 67 or port 68” keeps just the DHCP exchange.)
2. In a command prompt, type “ipconfig /release” and then type “ipconfig /renew”.
3. Make sure that you observe some captured DHCP packets before you stop the live capture in Wireshark; there will be quite a lot of unwanted background traffic. Save the captured packets as “Lab09_Ex05_DHCP.pcap”.

Exercise 6 (Live Capture): FTP with Browser

1. Click on the second button (“Show the capture options…”). Repeat the steps described in Ex. 1 step 2 with the capture filter box containing “host Your_IP_address”. Then click the “Start” button to put Wireshark into “live capture” mode.
2. Open a web browser and type ftp://eagle_server_IP. The following figure is what you should expect.
3. Click on “pub” => “eagle_labs” => “eagle1” => “chapter1” => “gaim-1.5.0.exe” and save the file.
4. Click on “Up to higher level directory” until you see “pub” again, then close the browser.
5. Stop the live capture in Wireshark and save the captured file as “Lab09_Ex06_FTP_Web.pcap”.

Exercise 7 (Live Capture): FTP with Commands

1. Open Notepad and type “How are you?”. Save it as C:\trying.txt.
2. Click on the second button (“Show the capture options…”). Repeat the steps described in Ex. 1 step 2 with the capture filter box containing “host Your_PC_IP”. Then click the “Start” button to put Wireshark into “live capture” mode.
3. Open your command prompt, go to the directory C:\ where “trying.txt” is located and type “ftp eagle_server_ip”.
4. Log in with the username “cisco” and the password “cisco”.
5. Type the following commands, in this order, to download a file from the Eagle Server and upload your own:
    ftp> help
    ftp> ls
    ftp> get tftp-eagle-server.pcap
    ftp> mkdir try
    ftp> cd try
    ftp> pwd
    ftp> put trying.txt
    ftp> ls
    ftp> delete trying.txt
    ftp> cd ..
    ftp> rmdir try
    ftp> bye
6. Stop the live capture in Wireshark. Save the captured file as “Lab09_Ex07_FTP_Command.pcap”.

Exercise 8 (Live Capture): Telnet with PuTTY

1. Click on the second button (“Show the capture options…”). Repeat the steps described in Ex. 1 step 2 with the capture filter box containing “host Your_IP_address”. Then click the “Start” button to put Wireshark into “live capture” mode.
2. Open PuTTY. Click on “Telnet” under “Connection type”. Key in the Eagle Server IP.
3. Login name: cisco and password: cisco for the telnet service. (Note: FTP and Telnet send the login name, the password and every command in clear text. You will see them verbatim in the captures from Ex. 7 and Ex. 8, which is why neither protocol should be used for anything sensitive outside an isolated lab network; SSH and SFTP/FTPS are the encrypted replacements.)
4. After you have successfully logged in to the telnet service, type the following commands:
    [cisco@Eagle-Server ~]$ ls -l
    [cisco@Eagle-Server ~]$ mkdir try
    [cisco@Eagle-Server ~]$ cd try
    [cisco@Eagle-Server ~]$ pwd
    [cisco@Eagle-Server ~]$ touch testing.txt
    [cisco@Eagle-Server ~]$ ls -l
    [cisco@Eagle-Server ~]$ rm testing.txt
    [cisco@Eagle-Server ~]$ cd ..
    [cisco@Eagle-Server ~]$ exit
5. Stop the live capture in Wireshark. Save the captured file as “Lab09_Ex08_Telnet.pcap”.

Exercise 9 (Live Capture): IRC with Gaim

1. Click on the second button (“Show the capture options…”). Repeat the steps described in Ex. 1 step 2 with the capture filter box containing “host Your_IP_address”. Then click the “Start” button to put Wireshark into “live capture” mode.
2. Perform the following tasks and steps.

Task 1: Adding an IRC Account

Step 1: Verify that there is an IRC client on the lab computer. If not, download and install gaim-1.5.0.exe (Windows executable) from the URL ftp://eagle-server.example.com/pub/eagle_labs/eagle1/chapter1. Accept the default settings during the installation. After verifying that the Gaim chat client is installed, use the following steps to configure Gaim:

Step 2: Open the Accounts window.
1. Open Gaim and, in the Login window, select the Accounts icon. The Accounts window is shown in the following figure (Figure 25).
2. In the Accounts window, click the “Add” button.

Step 3: Add a new account.
1. See the following figure. In the Add Account window, expand the “Show more options” option. Fill in the required information:
    Protocol: IRC
    Screen Name: (how others will know you)
    Server: eagle-server_IP_address
    Proxy Type: No Proxy
2. When finished, click Save.
3. Close the Accounts window.

Task 2: Connecting to the Chat Server

Step 1: Sign on. Return to the login window, where the new account for eagle-server should be visible. Click Sign-on. Two windows should open. One figure shows the IRC connection status window. Another figure shows the main Gaim IM client window, used for chatting or IM.
Step 2: Join the chat. When the IRC client connects to the IRC server, the status window closes and a Buddy List window is displayed. Click Chat, as shown in the following figure.
Note: To join a chat channel, the channel name must start with #. If the channel name is incorrect, you will be in the chat room alone (unless another student made a similar error).

Task 3: The Chat Session
The following figure shows a brief chat between the users Root and student2. Multiple students can join and interact with each other.
3. Stop the live capture in Wireshark. Save the captured file as “Lab09_Ex09_IRC.pcap”.

Exercise 10: Analysis of the Captured Trace Files

1. Open the file “Lab09_Ex01_ICMP.pcap”. Answer the following questions:
   a. What is the frame size (in bytes) of an ICMP reply?
      _________________________________________________
   b. How many ICMP requests have been issued?
      _________________________________________________
   c. What is the size (in bytes) of the ICMP data?
      _________________________________________________
   d. What is contained in the ICMP data, and does the data have any significance?
      _________________________________________________
   e. List the ICMP Sequence Numbers of both the ICMP requests and the ICMP replies.
      _________________________________________________
2. Open the file “Lab09_Ex02_Tracert.pcap”. Answer the following questions:
   a. Is there any ICMP reply in the captured trace file? (Yes/No)
      _________________________________________________
   b. What type of ICMP message has been sent back to you, and what are the values of the ICMP Type and Code?
      _________________________________________________
   c. In total, how many ICMP requests have been issued?
      _________________________________________________
   d. What is the TTL value in the IP header of the 5th ICMP request?
      _________________________________________________
   e. What is the RTT between the 1st ICMP request and the 1st ICMP return message?
      _________________________________________________
   f. What is the RTT between the 6th ICMP request and the 6th ICMP return message?
      _________________________________________________
   g. What is the time difference between the last ICMP request and the second last ICMP request?
      _________________________________________________
3. Open the file “Lab09_Ex03_PortScan.pcap”. Answer the following questions:
   a. Write a display filter that will enable you to view the packets with TCP SYN-ACK set.
      _________________________________________________
   b. List the service port numbers that have sent a SYN-ACK back to you.
      _________________________________________________
   c. Write a display filter that will enable you to view the packets with TCP SYN set which you have sent to the Eagle Server.
      _________________________________________________
   d. How many TCP SYN packets have you sent to the Eagle Server?
      _________________________________________________
   e. Write a display filter that will enable you to view the packets with TCP RST-ACK set which the Eagle Server has sent to you.
      _________________________________________________
   f. How many TCP RST-ACK packets has the Eagle Server sent to you?
      _________________________________________________
   g. Is the number of TCP SYN packets (you to server) equal to the number of TCP RST-ACK packets (server to you) plus the number of TCP SYN-ACK packets (server to you)? (Yes/No)
      _________________________________________________
4. Open the file “Lab09_Ex04_NSLookUp.pcap”. Answer the following questions with reference to the appendix:
   a. Is a DNS request an operation from client to server or from server to client?
      _________________________________________________
   b. If a packet contains QR = 1 in the DNS header, is this packet from client to server or from server to client?
      _________________________________________________
   c. Refer to the above figure: what is the hexadecimal value of Query Type “A”, and what does “A” really mean?
      _________________________________________________
   d. Refer to the above figure: what does “IN” really mean?
      _________________________________________________
   e. Refer to the above figure: how many answer resource records have been returned by the server? Please list the answers.
      _________________________________________________
   f. What is the hexadecimal value of the Query Type in “Standard query MAILB”?
      _________________________________________________
   g. How many answers are there for Query Type = “0x000b”?
      _________________________________________________
   h. List the answers for Query Type = “0x0002”.
      _________________________________________________
5. Open the file “Lab09_Ex05_DHCP.pcap”. Answer the following questions: (Note: in the Wireshark version used in the lab the display filter is “bootp”, not “dhcp”. Wireshark 3.0 renamed the dissector, so in 3.0 and later use “dhcp”.)
   a. Is a DHCP Release an operation from client to server or from server to client?
      _________________________________________________
   b. Is a DHCP ACK an operation from client to server or from server to client?
      _________________________________________________
   c. What is the frame size (in bytes) of a DHCP Discover?
      _________________________________________________
   d. What is the value of DHCP Message Type = “DHCP Release”? (Note: look for this value in the Options.)
      _________________________________________________
6. Open the file “Lab09_Ex06_FTP_Web.pcap”. Answer the following questions: (Suggested display filter: “ftp.request || ftp.response”)
   a. Has the FTP server asked you for a login name and password?
      _________________________________________________
   b. What login name and password are shown for the FTP session in the captured trace file?
      _________________________________________________
   c. What does the FTP response code 257 “/” really mean?
      _________________________________________________
   d. What is the display filter syntax for viewing just the FTP requests that change directory?
      _________________________________________________
   e. Which FTP request command signals the downloading of a file?
      _________________________________________________
   f. In the display filter, enter “ftp-data”. Examine the source and destination port numbers of all the displayed packets. Is there any packet showing port number 20?
      _________________________________________________
   g. Refer to the above figure: what does the FTP response “213 6967072” really mean?
      _________________________________________________
   h. Refer to the above figure: what does the FTP response “213 20070112043400” really mean? (Hint: refer to a figure in Ex. 6.)
      _________________________________________________
   i. What is the display filter syntax for viewing just the FTP responses with code 150?
      _________________________________________________
7. Open the file “Lab09_Ex07_FTP_Command.pcap”. Answer the following questions: (Suggested display filter: “ftp.request || ftp.response”)
   a. In Wireshark, which FTP request has the command “mkdir try” that you typed at the ftp prompt been converted to?
      _________________________________________________
   b. In Wireshark, which FTP request has the command “rmdir try” that you typed at the ftp prompt been converted to?
      _________________________________________________
   c. Which hand-typed ftp command is converted to “STOR trying.txt” in Wireshark?
      _________________________________________________
   d. In the display filter, enter “ftp-data”. Examine the source and destination port numbers of all the displayed packets. Is there any packet showing port number 20?
      _________________________________________________
   e. Looking at “ftp-data”, what is the difference between FTP through the web browser and FTP through the command-line client?
      _________________________________________________
   f. Both of the hand-typed ftp commands “ls” and “ls -l” display the file list of the current directory on the FTP server. Which hand-typed ftp command corresponds to the FTP request LIST?
      _________________________________________________
   g. Examine the data contained in the FTP-DATA packets immediately after the FTP request LIST. What do you observe?
      _________________________________________________
8. Open the file “Lab09_Ex08_Telnet.pcap”. In the display filter, enter “telnet”. In the Packet Details pane, click on the ‘+’ next to “Telnet” so that it becomes ‘-’. Examine all the telnet data in order to cross-check the telnet commands you typed and the server responses in Ex. 8.
9. Open the file “Lab09_Ex09_IRC.pcap”. In the display filter, enter “irc”. In the Packet Details pane, click on the ‘+’ next to “Internet Relay Chat” so that it becomes ‘-’. Examine all the IRC data in order to review your IRC communication from Ex. 9. Refer to the appendix for more protocol information on IRC. Recommended display filters for IRC are “irc.request” and “irc.response”. Important IRC request commands to look for are “PASS”, “NICK”, “PRIVMSG” and “JOIN”.
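The following is an added example, not part of the lab handout, for question 3: it constructs a small full-connect scan (scanner 172.16.20.130 against 172.16.20.220, the addresses the handout uses as examples, with an assumed set of open and closed ports) as raw IPv4/TCP bytes, parses the headers back, and applies the same flag tests that the Wireshark display filters asked for in 3a, 3c and 3e would apply. IP and TCP checksums are left at zero because nothing here is transmitted.

```python
"""Classifying the packets of a full-connect port scan from raw IPv4/TCP bytes
(added example; the scan below is constructed, not a real capture)."""
import struct
from ipaddress import IPv4Address

FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10   # TCP flag bits

# Wireshark display-filter equivalents of the three classes counted below.
DISPLAY_FILTERS = {
    "syn": "ip.src == {scanner} && tcp.flags.syn == 1 && tcp.flags.ack == 0",
    "syn_ack": "ip.src == {target} && tcp.flags.syn == 1 && tcp.flags.ack == 1",
    "rst_ack": "ip.src == {target} && tcp.flags.reset == 1 && tcp.flags.ack == 1",
}


def build_tcp(src, dst, sport, dport, flags, seq=0, ack=0):
    """Minimal IPv4 + TCP packet (20 + 20 bytes, no options, checksums zero)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     IPv4Address(src).packed, IPv4Address(dst).packed)
    return ip + tcp


def parse_ipv4_tcp(data):
    """Return the fields the scan analysis needs, or None if not IPv4/TCP."""
    if len(data) < 20 or data[0] >> 4 != 4:
        return None
    ihl = (data[0] & 0x0F) * 4
    if data[9] != 6 or len(data) < ihl + 20:          # IP protocol 6 = TCP
        return None
    sport, dport = struct.unpack("!HH", data[ihl:ihl + 4])
    flags = data[ihl + 13]                            # flags byte of the TCP header
    return {
        "src": str(IPv4Address(data[12:16])), "dst": str(IPv4Address(data[16:20])),
        "sport": sport, "dport": dport,
        "syn": bool(flags & SYN), "ack": bool(flags & ACK), "rst": bool(flags & RST),
    }


def scan_summary(packets, scanner, target):
    """Count SYN (scanner->target), SYN-ACK and RST-ACK (target->scanner) and
    list the open and closed ports, the way question 3 asks."""
    counts = {"syn": 0, "syn_ack": 0, "rst_ack": 0}
    open_ports, closed_ports = set(), set()
    for raw in packets:
        p = parse_ipv4_tcp(raw)
        if p is None:
            continue
        outbound = p["src"] == scanner and p["dst"] == target
        inbound = p["src"] == target and p["dst"] == scanner
        if outbound and p["syn"] and not p["ack"]:
            counts["syn"] += 1
        elif inbound and p["syn"] and p["ack"]:
            counts["syn_ack"] += 1
            open_ports.add(p["sport"])
        elif inbound and p["rst"] and p["ack"]:
            counts["rst_ack"] += 1
            closed_ports.add(p["sport"])
    return {**counts, "open": sorted(open_ports), "closed": sorted(closed_ports),
            "balanced": counts["syn"] == counts["syn_ack"] + counts["rst_ack"]}


def constructed_scan(scanner="172.16.20.130", target="172.16.20.220",
                     open_ports=(21, 23, 80), closed_ports=(22, 25, 443)):
    """A full-connect scan as it would appear on the wire (constructed)."""
    packets, sport = [], 49152
    for dport in sorted(open_ports + closed_ports):
        packets.append(build_tcp(scanner, target, sport, dport, SYN, seq=100))
        if dport in open_ports:   # handshake completes, then the scanner tears it down
            packets.append(build_tcp(target, scanner, dport, sport, SYN | ACK, seq=500, ack=101))
            packets.append(build_tcp(scanner, target, sport, dport, ACK, seq=101, ack=501))
            packets.append(build_tcp(scanner, target, sport, dport, RST | ACK, seq=101, ack=501))
        else:                     # closed port: the server refuses with RST-ACK
            packets.append(build_tcp(target, scanner, dport, sport, RST | ACK, seq=0, ack=101))
        sport += 1
    return packets


if __name__ == "__main__":
    print(scan_summary(constructed_scan(), "172.16.20.130", "172.16.20.220"))
```

The equality in question 3g holds only when every probe is answered exactly once: a retransmitted SYN, or a port behind a firewall that silently drops the probe (neither SYN-ACK nor RST-ACK comes back), breaks it, so in a real capture check those two cases before concluding anything from the counts.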
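The following is an added example, not part of the lab handout, for question 4 and the DNS header described in the appendix. It builds a constructed response for the www.cnn.com type A lookup, with addresses taken from the documentation range 192.0.2.0/24 so that no real answer is implied, then decodes the header flags in the appendix's bit order, the question and the answer records, following name-compression pointers (RFC 1035 section 4.1.4) and refusing pointer loops.

```python
"""Decoding a DNS message (added example; the messages are constructed)."""
import struct
from ipaddress import IPv4Address

TYPE_NAMES = {1: "A", 2: "NS", 5: "CNAME", 6: "SOA", 11: "WKS", 12: "PTR", 15: "MX",
              16: "TXT", 28: "AAAA", 253: "MAILB", 255: "*"}
CLASS_NAMES = {1: "IN", 3: "CH", 4: "HS"}
RCODE_NAMES = {0: "No error", 1: "Format error", 2: "Server failure",
               3: "Name Error", 4: "Not Implemented", 5: "Refused"}


def parse_header(msg):
    """The 12-byte header: ID, the 16 flag bits in the appendix's order, four counts."""
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    return {"id": ident, "qr": flags >> 15 & 1, "opcode": flags >> 11 & 0xF,
            "aa": flags >> 10 & 1, "tc": flags >> 9 & 1, "rd": flags >> 8 & 1,
            "ra": flags >> 7 & 1, "z": flags >> 6 & 1, "ad": flags >> 5 & 1,
            "cd": flags >> 4 & 1, "rcode": flags & 0xF,
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}


def decode_name(msg, off):
    """Return (name, offset just past the name). A length byte whose top two
    bits are 11 is a pointer to an earlier name; hops are capped so a crafted
    message with a pointer loop cannot hang the parser."""
    labels, end, jumped, hops = [], None, False, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:
            if not jumped:
                end = off + 2
            jumped, hops = True, hops + 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            return ".".join(labels), (end if jumped else off)
        labels.append(msg[off:off + length].decode("ascii"))
        off += length


def parse_message(msg):
    """Header plus the question and answer sections (authority/additional skipped)."""
    h, off = parse_header(msg), 12
    questions, answers = [], []
    for _ in range(h["qdcount"]):
        name, off = decode_name(msg, off)
        qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append({"name": name, "type": qtype, "type_hex": f"0x{qtype:04x}",
                          "type_name": TYPE_NAMES.get(qtype, "?"),
                          "class_name": CLASS_NAMES.get(qclass, "?")})
    for _ in range(h["ancount"]):
        name, off = decode_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, rd_off = msg[off:off + rdlen], off
        off += rdlen
        if rtype == 1 and rdlen == 4:
            value = str(IPv4Address(rdata))
        elif rtype in (2, 5, 12):              # NS, CNAME, PTR carry a (compressible) name
            value, _ = decode_name(msg, rd_off)
        else:
            value = rdata.hex()
        answers.append({"name": name, "type_name": TYPE_NAMES.get(rtype, "?"),
                        "ttl": ttl, "value": value})
    return {"header": h, "rcode_name": RCODE_NAMES.get(h["rcode"], "?"),
            "questions": questions, "answers": answers}


def encode_name(name):
    """Length-prefixed labels terminated by a zero byte."""
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"


def build_response(ident, qname, addresses, rcode=0):
    """Constructed standard-query response: QR=1, RD=1, RA=1; each A record names
    its owner with a pointer (0xC00C) back to the question name at offset 12."""
    flags = 1 << 15 | 1 << 8 | 1 << 7 | rcode
    msg = struct.pack("!6H", ident, flags, 1, len(addresses), 0, 0)
    msg += encode_name(qname) + struct.pack("!HH", 1, 1)
    for addr in addresses:
        msg += struct.pack("!HHHIH", 0xC00C, 1, 1, 300, 4) + IPv4Address(addr).packed
    return msg


if __name__ == "__main__":
    reply = build_response(0x1234, "www.cnn.com", ["192.0.2.10", "192.0.2.11"])
    print(parse_message(reply))
    print(parse_message(build_response(0x1235, "nosuchname.example", [], rcode=3)))
```

The parsed header shows what Wireshark's “Flags” line summarises: QR = 1 marks the packet as a response, Opcode 0 a standard query, Rcode 0 success (3 would be Name Error), and the question's type value is printed in the same 0x0001 form the lab questions use.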
  20. 20. AppendixDNS (Domain Name System) HeaderThe Domain Name System (DNS) is a distributed hierarchical naming system for computers,services, or any resource connected to the Internet or a private network. It associates variousinformation with domain names assigned to each of the participants. Most importantly, ittranslates domain names meaningful to humans into the numerical (binary) identifiers associatedwith networking equipment for the purpose of locating and addressing these devices worldwide.The DNS implements a distributed, hierarchical, and redundant database for informationassociated with Internet domain names and addresses. In these domain servers, different recordtypes are used for different purposes.DNS header:00 01 02 03 04 05 06 07 08 09 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 Identification QR Opcode AA TC RD RA Z AD CD Rcode Total Questions Total Answer RRs Total Authority RRs Total Additional RRs Questions [] ::: Answer RRs [] ::: Authority RRs [] ::: Additional RRs [] :::Identification. 16 bits.Used to match request/reply packets.DNS flags. 16 bits.DNS flags = QR + Opcode + AA + TC + RD + RA + Z + AD + CD + RcodeQR, Query/Response. 1 bit.QR Description 0 Query. 1 Response.Opcode. 4 bits. 20
  21. 21. Opcode Description 0 QUERY, Standard query. 1 IQUERY, Inverse query. 2 STATUS, Server status request. 3 reserved. 4 Notify. 5 Update. 6 - reserved. 15AA, Authoritative Answer. 1 bit.Specifies that the responding name server is an authority for the domain name in question section.Note that the contents of the answer section may have multiple owner names because of aliases.This bit corresponds to the name which matches the query name, or the first owner name in theanswer section.AA Description 0 Not authoritative. 1 Is authoritative.TC, Truncated. 1 bit.Indicates that only the first 512 bytes of the reply was returned.TC Description 0 Not truncated. 1 Message truncated.RD, Recursion Desired. 1 bit.May be set in a query and is copied into the response. If set, the name server is directed to pursuethe query recursively. Recursive query support is optional.RD Description 0 Recursion not desired. 1 Recursion desired.RA, Recursion Available. 1 bit.Indicates if recursive query support is available in the name server.RA Description 0 Recursive query support not available. 21
  22. 22. 1 Recursive query support available.Z. 1 bit.AD, Authenticated data. 1 bit.Indicates in a response that all data included in the answer and authority sections of the responsehave been authenticated by the server according to the policies of that server. It should be setonly if all data in the response has been cryptographically verified or otherwise meets the serverslocal security policy.CD, Checking Disabled. 1 bit.Rcode, Return code. 4 bits.Rcode Description 0 No error. The request completed successfully. 1 Format error. The name server was unable to interpret the query. Server failure. The name server was unable to process this query due to a problem with 2 the name server. Name Error. Meaningful only for responses from an authoritative name server, this code 3 signifies that the domain name referenced in the query does not exist. 4 Not Implemented. The name server does not support the requested kind of query. Refused. The name server refuses to perform the specified operation for policy reasons. For example, a name server may not wish to provide the information to the particular 5 requester, or a name server may not wish to perform a particular operation (e.g., zone transfer) for particular data. 6 YXDomain. Name Exists when it should not. 7 YXRRSet. RR Set Exists when it should not. 8 NXRRSet. RR Set that should exist does not. 9 NotAuth. Server Not Authoritative for zone. 10 NotZone. Name not contained in zone. 11 - reserved. 15 BADVERS.Bad OPT Version. 16 BADSIG.TSIG Signature Failure. 17 BADKEY. Key not recognized. 18 BADTIME. Signature out of time window. 19 BADMODE. Bad TKEY Mode. 20 BADNAME. Duplicate key name. 21 BADALG. Algorithm not supported. 22 BADTRUNC. Bad truncation. 22
  23. 23. 23 -38403841 - Private use.40954096 -65535Total Questions. 16 bits, unsigned.Number of entries in the question list that were returned.Total Answer RRs. 16 bits, unsigned.Number of entries in the answer resource record list that were returned.Total Authority RRs. 16 bits, unsigned.Number of entries in the authority resource record list that were returned.Total Additional RRs. 16 bits, unsigned.Number of entries in the additional resource record list that were returned.Questions[]. Variable length.A list of zero or more Query structures.Answer RRs[]. Variable length.A list of zero or more Answer Resource Record structures.Authority RRs[]. Variable length.A list of zero or more Authority Resource Record structures.Additional RRs[]. Variable length.A list of zero or more Additional Resource Record structures.Query. Variable length.00 01 02 03 04 05 06 07 08 09 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 Query Name ::: Type ClassResource Record. Variable length.00 01 02 03 04 05 06 07 08 09 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 Name ::: 23
Resource record fields: Type, Class, TTL, Rdata Length, Rdata.

Type. 16 bits, unsigned.

Type         Description
0
1            A, IPv4 address.
2            NS, Authoritative name server.
3            MD, Mail destination. Obsolete, use MX instead.
4            MF, Mail forwarder. Obsolete, use MX instead.
5            CNAME, Canonical name for an alias.
6            SOA, Marks the start of a zone of authority.
7            MB, Mailbox domain name.
8            MG, Mail group member.
9            MR, Mail rename domain name.
10           NULL, Null resource record.
11           WKS, Well known service description.
12           PTR, Domain name pointer.
13           HINFO, Host information.
14           MINFO, Mailbox or mail list information.
15           MX, Mail exchange.
16           TXT, Text strings.
17           RP, Responsible Person.
18           AFSDB, AFS Data Base location.
19           X25, X.25 PSDN address.
20           ISDN, ISDN address.
21           RT, Route Through.
22           NSAP, NSAP address. NSAP style A record.
23           NSAP-PTR.
24           SIG, Security signature.
25           KEY, Security key.
26           PX, X.400 mail mapping information.
27           GPOS, Geographical Position.
28           AAAA, IPv6 Address.
29           LOC, Location Information.
30           NXT, Next Domain (obsolete).
31           EID, Endpoint Identifier.
32           NIMLOC, Nimrod Locator. NB, NetBIOS general Name Service.
33           SRV, Server Selection. NBSTAT, NetBIOS NODE STATUS.
34           ATMA, ATM Address.
35           NAPTR, Naming Authority Pointer.
36           KX, Key Exchanger.
37           CERT.
38           A6.
39           DNAME.
40           SINK.
41           OPT.
42           APL.
43           DS, Delegation Signer.
44           SSHFP, SSH Key Fingerprint.
45           IPSECKEY.
46           RRSIG.
47           NSEC, NextSECure.
48           DNSKEY.
49           DHCID, DHCP identifier.
50           NSEC3.
51           NSEC3PARAM.
52-54
55           HIP, Host Identity Protocol.
56           NINFO.
57           RKEY.
58-98
99           SPF, Sender Policy Framework.
100          UINFO.
101          UID.
102          GID.
103          UNSPEC.
104-248
249          TKEY.
250          TSIG, Transaction Signature.
251          IXFR, Incremental transfer.
252          AXFR, A request for a transfer of an entire zone.
253          MAILB, A request for mailbox-related records (MB, MG or MR).
254          MAILA, A request for mail agent RRs. Obsolete.
255          *, A request for all records.
256-32767
32768        DNSSEC Trust Authorities.
32769        DNSSEC Lookaside Validation.

Class. 16 bits, unsigned.

Class        Description
0            Reserved.
1            IN, Internet.
2
3            CH, Chaos.
4            HS, Hesiod.
5-253
254          None.
255          Any (QCLASS only).
256-65279
65280-65534  Private use.
65535

FTP (File Transfer Protocol) Header

The FTP specification says that by default, all data transfers should be over a single connection. An active open is done by the server, from its port 20 to the same port on the client machine as was used for the control connection. The client does a passive open. For better or worse, most current FTP clients do not behave that way. A new connection is used for each transfer; to avoid running afoul of TCP's TIMEWAIT state, the client picks a new port number each time and sends a PORT command announcing that to the server.

FTP message format:

FTP commands are Telnet strings terminated by the Telnet end of line code. The command codes themselves are alphabetic character strings terminated by the character <Space> if parameters follow and <CRLF> otherwise.

FTP Commands:

Command  Description
ABOR     Abort.
ACCT     Account.
ADAT     Authentication/Security Data.
ALLO     Allocate.
APPE     Append.
AUTH     Authentication/Security Mechanism.
CCC      Clear Command Channel.
CDUP     Change to parent directory.
CONF     Confidentiality Protected Command.
CWD      Change working directory.
DELE     Delete.
ENC      Privacy Protected Command.
EPRT     Extended Data port.
EPSV     Extended Passive.
FEAT     Feature.
HELP     Help.
LANG     Language negotiation.
LIST     List.
LPRT     Long data port.
LPSV     Long passive.
MDTM     File modification time.
MIC      Integrity Protected Command.
MKD      Make directory.
MLSD
MLST
MODE     Transfer mode.
NLST     Name list.
NOOP     No operation.
OPTS     Options.
PASS     Password.
PASV     Passive mode.
PBSZ     Protection Buffer Size.
PORT     Data port.
PROT     Data Channel Protection Level.
PWD      Print working directory.
QUIT     Logout.
REIN     Reinitialize.
REST     Restart of interrupted transfer.
RETR     Retrieve.
RMD      Remove directory.
RNFR     Rename from.
RNTO     Rename to.
SITE     Site parameters.
SIZE     File size.
SMNT     Structure mount.
STAT     Status.
STOR     Store.
STOU     Store unique.
STRU     File structure.
SYST     System.
TYPE     Representation type.
USER     User name.
XCUP     Change to the parent of the current working directory.
XMKD     Make a directory.
XPWD     Print the current working directory.
XRCP
XRMD     Remove the directory.
XRSQ
XSEM     Send, Mail if cannot.
XSEN     Send to terminal.
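The control-channel exchange behind the FTP command list above and the reply-code tables that follow it, as an added Python example (not code from the lab sheet, from Wireshark or from "Free IP Tools"): it classifies each server reply by its first and second digit (1yz to 5yz, x0z to x5z), decodes the h1,h2,h3,h4,p1,p2 field carried by the PORT command and by the 227 Passive Mode reply into an address and port, notes that USER/PASS travel in the clear, and turns each announced data channel into a Wireshark display filter. The transcript, addresses and ports are constructed placeholders, not a real capture.

```python
"""Walk an FTP control-channel transcript and pull out what a capture
analyst wants: reply categories, login outcome and the data-channel
endpoints announced by PORT and by the 227 PASV reply.
Added example, not part of the lab sheet; the transcript is constructed."""
from __future__ import annotations
import re
from dataclasses import dataclass, field

# First digit of a reply code (1yz .. 5yz), as in the reply code format table.
FIRST_DIGIT = {
    "1": "Positive Preliminary",
    "2": "Positive Completion",
    "3": "Positive Intermediate",
    "4": "Transient Negative Completion",
    "5": "Permanent Negative Completion",
}
# Second digit (x0z .. x5z).
SECOND_DIGIT = {
    "0": "Syntax",
    "1": "Information",
    "2": "Connections",
    "3": "Authentication and accounting",
    "4": "Unspecified",
    "5": "File system",
}
# h1,h2,h3,h4,p1,p2 as carried by the PORT command and by the 227 reply.
HOSTPORT_RE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def classify_reply(code: str) -> tuple[str, str]:
    """Return (first-digit category, second-digit group) for a 3-digit reply code."""
    if not re.fullmatch(r"[1-5][0-5]\d", code):
        raise ValueError(f"not a valid FTP reply code: {code!r}")
    return FIRST_DIGIT[code[0]], SECOND_DIGIT[code[1]]


def decode_hostport(text: str) -> tuple[str, int]:
    """Decode h1,h2,h3,h4,p1,p2 into ("h1.h2.h3.h4", p1 * 256 + p2)."""
    m = HOSTPORT_RE.search(text)
    if m is None:
        raise ValueError(f"no h1,h2,h3,h4,p1,p2 field in {text!r}")
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        raise ValueError(f"octet out of range in {text!r}")
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


@dataclass
class FtpSession:
    user: str | None = None
    logged_in: bool = False
    cleartext_password_seen: bool = False
    data_channels: list[tuple[str, str, int]] = field(default_factory=list)  # (mode, host, port)
    replies: list[tuple[str, str, str]] = field(default_factory=list)        # (code, category, group)

    def display_filters(self) -> list[str]:
        """Wireshark display filters that isolate each announced data channel."""
        return [f"ip.addr == {host} && tcp.port == {port}" for _, host, port in self.data_channels]


def analyze_session(lines: list[str]) -> FtpSession:
    """Lines are client commands ("C: ...") and server replies ("S: ...")."""
    s = FtpSession()
    for line in lines:
        side, _, text = line.partition(": ")
        if side == "C":
            verb, _, arg = text.partition(" ")
            verb = verb.upper()
            if verb == "USER":
                s.user = arg
            elif verb == "PASS":
                s.cleartext_password_seen = True   # FTP sends the password unprotected
            elif verb == "PORT":
                s.data_channels.append(("active", *decode_hostport(arg)))
        elif side == "S":
            code = text[:3]
            category, group = classify_reply(code)
            s.replies.append((code, category, group))
            if code == "230":
                s.logged_in = True
            elif code == "227":
                s.data_channels.append(("passive", *decode_hostport(text)))
    return s


# Constructed transcript with placeholder addresses (192.0.2.0/24 is documentation space).
SAMPLE_SESSION = [
    "S: 220 Service ready for new user.",
    "C: USER student",
    "S: 331 User name okay, need password.",
    "C: PASS lab-password",
    "S: 230 User logged in, proceed.",
    "C: PORT 192,0,2,10,4,1",
    "S: 200 Command okay.",
    "C: LIST",
    "S: 150 File status okay; about to open data connection.",
    "S: 226 Closing data connection.",
    "C: PASV",
    "S: 227 Entering Passive Mode (192,0,2,20,195,80).",
    "C: RETR example.txt",
    "S: 550 Requested action not taken.",
    "C: QUIT",
    "S: 221 Service closing control connection.",
]

if __name__ == "__main__":
    sess = analyze_session(SAMPLE_SESSION)
    for code, cat, grp in sess.replies:
        print(f"{code}: {cat} / {grp}")
    print("data channels:", sess.data_channels)
    print("filters:", sess.display_filters())
```

The port arithmetic is the part worth remembering when reading a capture: 4,1 is port 1025 and 195,80 is port 50000, so the data transfer for the LIST is on a different TCP conversation from the control channel on port 21, which is why Wireshark shows the directory listing in a separate stream.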
FTP reply code format:

Code  Description
1yz   Positive Preliminary reply.
2yz   Positive Completion reply.
3yz   Positive Intermediate reply.
4yz   Transient Negative Completion reply.
5yz   Permanent Negative Completion reply.
x0z   Syntax. These replies refer to syntax errors, syntactically correct commands that don't fit any functional category, unimplemented or superfluous commands.
x1z   Information. These are replies to requests for information, such as status or help.
x2z   Connections. Replies referring to the control and data connections.
x3z   Authentication and accounting. Replies for the login process and accounting procedures.
x4z   Unspecified as of RFC 959.
x5z   File system. These replies indicate the status of the Server file system vis-a-vis the requested transfer or other file system action.

FTP reply codes:

Code  Description
110   Restart marker reply.
120   Service ready in nnn minutes.
125   Data connection already open; transfer starting.
150   File status okay; about to open data connection.
200   Command okay.
202   Command not implemented, superfluous at this site.
211   System status, or system help reply.
212   Directory status.
213   File status.
214   Help message.
215   NAME system type.
220   Service ready for new user.
221   Service closing control connection.
225   Data connection open; no transfer in progress.
226   Closing data connection.
227   Entering Passive Mode <h1,h2,h3,h4,p1,p2>.
228   Entering Long Passive Mode.
229   Extended Passive Mode Entered.
230   User logged in, proceed.
250   Requested file action okay, completed.
257   "PATHNAME" created.
331   User name okay, need password.
332   Need account for login.
350   Requested file action pending further information.
421   Service not available, closing control connection.
425   Can't open data connection.
426   Connection closed; transfer aborted.
450   Requested file action not taken.
451   Requested action aborted. Local error in processing.
452   Requested action not taken.
500   Syntax error, command unrecognized.
501   Syntax error in parameters or arguments.
502   Command not implemented.
503   Bad sequence of commands.
504   Command not implemented for that parameter.
521   Supported address families are <af1, .., afn>.
522   Protocol not supported.
530   Not logged in.
532   Need account for storing files.
550   Requested action not taken.
551   Requested action aborted. Page type unknown.
552   Requested file action aborted.
553   Requested action not taken.
554   Requested action not taken: invalid REST parameter.
555   Requested action not taken: type or stru mismatch.

IRC (Internet Relay Chat Protocol) Header

IRC was developed as a means for users on a BBS to chat amongst themselves. IRC has been designed over a number of years for use with text based conferencing. The IRC protocol has been developed on systems using the TCP/IP network protocol, although there is no requirement that this remain the only sphere in which it operates.

Servers and clients send each other messages which may or may not generate a reply. If the message contains a valid command, as described in later sections, the client should expect a
reply as specified but it is not advised to wait forever for the reply; client to server and server to server communication is essentially asynchronous in nature.

Request Commands:

Command   Description
ADMIN     Get information about the administrator of a server.
AWAY      Set an automatic reply string for any PRIVMSG commands.
CONNECT   Request a new connection to another server immediately.
DIE       Shutdown the server.
ERROR     Report a serious or fatal error to a peer.
INFO      Get information describing a server.
INVITE    Invite a user to a channel.
ISON      Determine if a nickname is currently on IRC.
JOIN      Join a channel.
KICK      Request the forced removal of a user from a channel.
KILL      Close a client-server connection by the server which has the actual connection.
LINKS     List all server names which are known by the server answering the query.
LIST      List channels and their topics.
LUSERS    Get statistics about the size of the IRC network.
MODE      User mode.
MOTD      Get the Message of the Day.
NAMES     List all visible nicknames.
NICK      Define a nickname.
NJOIN     Exchange the list of channel members for each channel between servers.
NOTICE
OPER      Obtain operator privileges.
PART      Leave a channel.
PASS      Set a connection password.
PING      Test for the presence of an active client or server.
PONG      Reply to a PING message.
PRIVMSG   Send private messages between users, as well as to send messages to channels.
QUIT      Terminate the client session.
REHASH    Force the server to re-read and process its configuration file.
RESTART   Force the server to restart itself.
SERVER    Register a new server.
SERVICE   Register a new service.
SERVLIST  List services currently connected to the network.
SQUERY
SQUIRT    Disconnect a server link.
SQUIT     Break a local or remote server link.
STATS     Get server statistics.
SUMMON    Ask a user to join IRC.
TIME      Get the local time from the specified server.
TOPIC     Change or view the topic of a channel.
TRACE     Find the route to a server and information about its peers.
USER      Specify the username, hostname and realname of a new user.
USERHOST  Get a list of information about up to 5 nicknames.
USERS     Get a list of users logged into the server.
VERSION   Get the version of the server program.
WALLOPS   Send a message to all currently connected users who have set the 'w' user mode.
WHO       List a set of users.
WHOIS     Get information about a specific user.
WHOWAS    Get information about a nickname which no longer exists.

Reply codes:

Replies in the range from 001 to 099 are used for client-server connections only and should never travel between servers.

Code  Reply                  Format
1     RPL_WELCOME            "Welcome to the Internet Relay Network <nick>!<user>@<host>"
2     RPL_YOURHOST           "Your host is <servername>, running version <ver>"
3     RPL_CREATED            "This server was created <date>"
4     RPL_MYINFO             "<servername> <version> <available user modes> <available channel modes>"
5     RPL_BOUNCE             "Try server <server name>, port <port number>"

Replies generated in the response to commands are found in the range from 200 to 399.

Code  Reply                  Format
200   RPL_TRACELINK          "Link <version & debug level> <destination> <next server> V<protocol version> <link uptime in seconds> <backstream sendq> <upstream sendq>"
201   RPL_TRACECONNECTING    "Try. <class> <server>"
202   RPL_TRACEHANDSHAKE     "H.S. <class> <server>"
203   RPL_TRACEUNKNOWN       "???? <class> [<client IP address in dot form>]"
204   RPL_TRACEOPERATOR      "Oper <class> <nick>"
205   RPL_TRACEUSER          "User <class> <nick>"
206   RPL_TRACESERVER        "Serv <class> <int>S <int>C <server> <nick!user|*!*>@<host|server> V<protocol version>"
207   RPL_TRACESERVICE       "Service <class> <name> <type> <active type>"
208   RPL_TRACENEWTYPE       "<newtype> 0 <client name>"
209   RPL_TRACECLASS         "Class <class> <count>"
210   RPL_TRACERECONNECT     Unused.
211   RPL_STATSLINKINFO      "<linkname> <sendq> <sent messages> <sent Kbytes> <received messages> <received Kbytes> <time open>"
212   RPL_STATSCOMMANDS      "<command> <count> <byte count> <remote count>"
219   RPL_ENDOFSTATS         "<stats letter> :End of STATS report"
221   RPL_UMODEIS            "<user mode string>"
234   RPL_SERVLIST           "<name> <server> <mask> <type> <hopcount> <info>"
235   RPL_SERVLISTEND        "<mask> <type> :End of service listing"
242   RPL_STATSUPTIME        ":Server Up %d days %d:%02d:%02d"
243   RPL_STATSOLINE         "O <hostmask> * <name>"
251   RPL_LUSERCLIENT        ":There are <integer> users and <integer> services on <integer> servers"
252   RPL_LUSEROP            "<integer> :operator(s) online"
253   RPL_LUSERUNKNOWN       "<integer> :unknown connection(s)"
254   RPL_LUSERCHANNELS      "<integer> :channels formed"
255   RPL_LUSERME            ":I have <integer> clients and <integer> servers"
256   RPL_ADMINME            "<server> :Administrative info"
257   RPL_ADMINLOC1          ":<admin info>"
258   RPL_ADMINLOC2          ":<admin info>"
259   RPL_ADMINEMAIL         ":<admin info>"
261   RPL_TRACELOG           "File <logfile> <debug level>"
262   RPL_TRACEEND           "<server name> <version & debug level> :End of TRACE"
263   RPL_TRYAGAIN           "<command> :Please wait a while and try again."
301   RPL_AWAY               "<nick> :<away message>"
302   RPL_USERHOST           ":*1<reply> *( " " <reply> )"
303   RPL_ISON               ":*1<nick> *( " " <nick> )"
305   RPL_UNAWAY             ":You are no longer marked as being away"
306   RPL_NOWAWAY            ":You have been marked as being away"
311   RPL_WHOISUSER          "<nick> <user> <host> * :<real name>"
312   RPL_WHOISSERVER        "<nick> <server> :<server info>"
313   RPL_WHOISOPERATOR      "<nick> :is an IRC operator"
314   RPL_WHOWASUSER         "<nick> <user> <host> * :<real name>"
315   RPL_ENDOFWHO           "<name> :End of WHO list"
317   RPL_WHOISIDLE          "<nick> <integer> :seconds idle"
318   RPL_ENDOFWHOIS         "<nick> :End of WHOIS list"
319   RPL_WHOISCHANNELS      "<nick> :*( ( "@" / "+" ) <channel> " " )"
321   RPL_LISTSTART          Obsolete.
322   RPL_LIST               "<channel> <# visible> :<topic>"
323   RPL_LISTEND            ":End of LIST"
324   RPL_CHANNELMODEIS      "<channel> <mode> <mode params>"
325   RPL_UNIQOPIS           "<channel> <nickname>"
331   RPL_NOTOPIC            "<channel> :No topic is set"
332   RPL_TOPIC              "<channel> :<topic>"
341   RPL_INVITING           "<channel> <nick>"
342   RPL_SUMMONING          "<user> :Summoning user to IRC"
346   RPL_INVITELIST         "<channel> <invitemask>"
347   RPL_ENDOFINVITELIST    "<channel> :End of channel invite list"
348   RPL_EXCEPTLIST         "<channel> <exceptionmask>"
349   RPL_ENDOFEXCEPTLIST    "<channel> :End of channel exception list"
351   RPL_VERSION            "<version>.<debuglevel> <server> :<comments>"
352   RPL_WHOREPLY           "<channel> <user> <host> <server> <nick> ( "H" / "G" > ["*"] [ ( "@" / "+" ) ] :<hopcount> <real name>"
353   RPL_NAMREPLY           "( "=" / "*" / "@" ) <channel> :[ "@" / "+" ] <nick> *( " " [ "@" / "+" ] <nick> )"
364   RPL_LINKS              "<mask> <server> :<hopcount> <server info>"
365   RPL_ENDOFLINKS         "<mask> :End of LINKS list"
366   RPL_ENDOFNAMES         "<channel> :End of NAMES list"
367   RPL_BANLIST            "<channel> <banmask>"
368   RPL_ENDOFBANLIST       "<channel> :End of channel ban list"
369   RPL_ENDOFWHOWAS        "<nick> :End of WHOWAS"
371   RPL_INFO               ":<string>"
372   RPL_MOTD               ":- <text>"
374   RPL_ENDOFINFO          ":End of INFO list"
375   RPL_MOTDSTART          ":- <server> Message of the day - "
376   RPL_ENDOFMOTD          ":End of MOTD command"
381   RPL_YOUREOPER          ":You are now an IRC operator"
382   RPL_REHASHING          "<config file> :Rehashing"
383   RPL_YOURESERVICE       "You are service <servicename>"
391   RPL_TIME               "<server> :<string showing server's local time>"
392   RPL_USERSSTART         ":UserID Terminal Host"
393   RPL_USERS              ":<username> <ttyline> <hostname>"
394   RPL_ENDOFUSERS         ":End of users"
395   RPL_NOUSERS            ":Nobody logged in"

Error replies are found in the range from 400 to 599.

Code  Reply                  Format
401   ERR_NOSUCHNICK         "<nickname> :No such nick/channel"
402   ERR_NOSUCHSERVER       "<server name> :No such server"
403   ERR_NOSUCHCHANNEL      "<channel name> :No such channel"
404   ERR_CANNOTSENDTOCHAN   "<channel name> :Cannot send to channel"
405   ERR_TOOMANYCHANNELS    "<channel name> :You have joined too many channels"
406   ERR_WASNOSUCHNICK      "<nickname> :There was no such nickname"
407   ERR_TOOMANYTARGETS     "<target> :<error code> recipients. <abort message>"
408   ERR_NOSUCHSERVICE      "<service name> :No such service"
409   ERR_NOORIGIN           ":No origin specified"
411   ERR_NORECIPIENT        ":No recipient given (<command>)"
412   ERR_NOTEXTTOSEND       ":No text to send"
413   ERR_NOTOPLEVEL         "<mask> :No toplevel domain specified"
414   ERR_WILDTOPLEVEL       "<mask> :Wildcard in toplevel domain"
415   ERR_BADMASK            "<mask> :Bad Server/host mask"
421   ERR_UNKNOWNCOMMAND     "<command> :Unknown command"
422   ERR_NOMOTD             ":MOTD File is missing"
423   ERR_NOADMININFO        "<server> :No administrative info available"
424   ERR_FILEERROR          ":File error doing <file op> on <file>"
431   ERR_NONICKNAMEGIVEN    ":No nickname given"
432   ERR_ERRONEUSNICKNAME   "<nick> :Erroneous nickname"
433   ERR_NICKNAMEINUSE      "<nick> :Nickname is already in use"
436   ERR_NICKCOLLISION      "<nick> :Nickname collision KILL from <user>@<host>"
437   ERR_UNAVAILRESOURCE    "<nick/channel> :Nick/channel is temporarily unavailable"
441   ERR_USERNOTINCHANNEL   "<nick> <channel> :They aren't on that channel"
442   ERR_NOTONCHANNEL       "<channel> :You're not on that channel"
443   ERR_USERONCHANNEL      "<user> <channel> :is already on channel"
444   ERR_NOLOGIN            "<user> :User not logged in"
445   ERR_SUMMONDISABLED     ":SUMMON has been disabled"
446   ERR_USERSDISABLED      ":USERS has been disabled"
451   ERR_NOTREGISTERED      ":You have not registered"
461   ERR_NEEDMOREPARAMS     "<command> :Not enough parameters"
462   ERR_ALREADYREGISTRED   ":Unauthorized command (already registered)"
463   ERR_NOPERMFORHOST      ":Your host isn't among the privileged"
464   ERR_PASSWDMISMATCH     ":Password incorrect"
465   ERR_YOUREBANNEDCREEP   ":You are banned from this server"
466   ERR_YOUWILLBEBANNED
467   ERR_KEYSET             "<channel> :Channel key already set"
471   ERR_CHANNELISFULL      "<channel> :Cannot join channel (+l)"
472   ERR_UNKNOWNMODE        "<char> :is unknown mode char to me for <channel>"
473   ERR_INVITEONLYCHAN     "<channel> :Cannot join channel (+i)"
474   ERR_BANNEDFROMCHAN     "<channel> :Cannot join channel (+b)"
475   ERR_BADCHANNELKEY      "<channel> :Cannot join channel (+k)"
476   ERR_BADCHANMASK        "<channel> :Bad Channel Mask"
477   ERR_NOCHANMODES        "<channel> :Channel doesn't support modes"
478   ERR_BANLISTFULL        "<channel> <char> :Channel list is full"
481   ERR_NOPRIVILEGES       ":Permission Denied- You're not an IRC operator"
482   ERR_CHANOPRIVSNEEDED   "<channel> :You're not channel operator"
483   ERR_CANTKILLSERVER     ":You can't kill a server!"
484   ERR_RESTRICTED         ":Your connection is restricted!"
485   ERR_UNIQOPPRIVSNEEDED  ":You're not the original channel operator"
491   ERR_NOOPERHOST         ":No O-lines for your host"
501   ERR_UMODEUNKNOWNFLAG   ":Unknown MODE flag"
502   ERR_USERSDONTMATCH     ":Cannot change mode for other users"
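The message format that the IRC command and reply tables above describe, as an added Python example (not code from the lab sheet or from any IRC client or server): it splits a wire message into its optional prefix, its command or 3-digit numeric, its middle parameters and its trailing parameter, maps numerics to the RPL_/ERR_ names and ranges listed above (001 to 099 connection replies, 200 to 399 command replies, 400 to 599 error replies), and tallies what one server sent one client. Only a subset of the numeric table is loaded; unknown numerics fall back to their range. The sample lines, nicknames and server names are constructed placeholders, not a real capture.

```python
"""Parse IRC protocol messages as seen on the wire and map numeric replies
to the RPL_/ERR_ names and ranges in the tables above.
Added example, not part of the lab sheet; the sample lines are constructed."""
from __future__ import annotations
from collections import Counter
from dataclasses import dataclass

# Subset of the numeric reply table above; unknown numerics fall back to their range.
NUMERIC_NAMES = {
    1: "RPL_WELCOME", 2: "RPL_YOURHOST", 3: "RPL_CREATED", 4: "RPL_MYINFO",
    332: "RPL_TOPIC", 353: "RPL_NAMREPLY", 366: "RPL_ENDOFNAMES", 372: "RPL_MOTD",
    375: "RPL_MOTDSTART", 376: "RPL_ENDOFMOTD",
    433: "ERR_NICKNAMEINUSE", 464: "ERR_PASSWDMISMATCH", 474: "ERR_BANNEDFROMCHAN",
    475: "ERR_BADCHANNELKEY", 481: "ERR_NOPRIVILEGES",
}


@dataclass
class IrcMessage:
    prefix: str | None   # sender (server name or nick!user@host), if given
    command: str         # verb such as PRIVMSG, or a 3-digit numeric
    params: list[str]    # middle parameters, then the trailing parameter if any

    @property
    def numeric(self) -> int | None:
        return int(self.command) if self.command.isdigit() and len(self.command) == 3 else None


def parse_message(raw: str) -> IrcMessage:
    """Split ':prefix COMMAND p1 p2 :trailing text' into its parts."""
    line = raw.rstrip("\r\n")
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    # The trailing parameter starts at the first " :" and may itself contain spaces.
    head, sep, trailing = line.partition(" :")
    parts = head.split()
    if not parts:
        raise ValueError(f"message has no command: {raw!r}")
    params = parts[1:] + ([trailing] if sep else [])
    return IrcMessage(prefix, parts[0].upper(), params)


def classify_numeric(n: int) -> str:
    """Range classification from the reply-code tables above."""
    if 1 <= n <= 99:
        return "client-server connection reply"
    if 200 <= n <= 399:
        return "command reply"
    if 400 <= n <= 599:
        return "error reply"
    return "unlisted"


def numeric_name(n: int) -> str:
    return NUMERIC_NAMES.get(n, f"{classify_numeric(n)} {n:03d}")


def summarize_server_traffic(lines: list[str]) -> dict:
    """Tally what a server sent one client: reply classes, named errors, channels seen."""
    classes: Counter[str] = Counter()
    errors: list[tuple[int, str, str]] = []   # (numeric, name, trailing text)
    channels: set[str] = set()
    for raw in lines:
        msg = parse_message(raw)
        n = msg.numeric
        if n is None:
            classes[msg.command] += 1
            if msg.command == "JOIN" and msg.params:
                channels.add(msg.params[0])
            continue
        classes[classify_numeric(n)] += 1
        if 400 <= n <= 599:
            errors.append((n, numeric_name(n), msg.params[-1] if msg.params else ""))
        if n == 353 and len(msg.params) >= 3:   # RPL_NAMREPLY: <target> ( = / * / @ ) <channel> :<nicks>
            channels.add(msg.params[2])
    return {"classes": dict(classes), "errors": errors, "channels": sorted(channels)}


# Constructed server-to-client lines; irc.example.test and 192.0.2.x are placeholders.
SAMPLE_SERVER_LINES = [
    ":irc.example.test 001 student :Welcome to the Internet Relay Network student!student@192.0.2.10",
    ":irc.example.test 375 student :- irc.example.test Message of the day - ",
    ":irc.example.test 376 student :End of MOTD command",
    ":student!student@192.0.2.10 JOIN #lab",
    ":irc.example.test 353 student = #lab :@root student2 student",
    ":irc.example.test 366 student #lab :End of NAMES list",
    ":root!root@192.0.2.1 PRIVMSG #lab :hello class",
    ":irc.example.test 474 student #private :Cannot join channel (+b)",
    ":irc.example.test 464 student :Password incorrect",
    ":irc.example.test 999 student :not in the tables",
]

if __name__ == "__main__":
    for key, value in summarize_server_traffic(SAMPLE_SERVER_LINES).items():
        print(f"{key}: {value}")
```

The one parsing rule that trips people up is the trailing parameter: everything after the first " :" is a single parameter even though it contains spaces, which is why RPL_NAMREPLY's nick list and a PRIVMSG body arrive as one string. Like FTP, plain IRC carries PASS, nicknames and message bodies unencrypted, so every one of these fields is readable directly in the capture.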