Protocol Analysis of an FTP session from shirley.cis.temple.edu
The following is a log of an FTP session between shirley.cis.temple.edu
and cs.orst.edu. The characters I typed are in bold.
shirley> ftp cs.orst.edu
Connected to cs.orst.edu.
220 lynx FTP server (Version $Revision: 15.15 $
$Date: 89/08/31 10:33:40 $) ready.
Name (cs.orst.edu:stafford): anonymous
331 Guest login ok, send ident as password.
Password:
230 Guest login ok, access restrictions apply.
ftp> dir
200 PORT command okay.
150 Opening data connection for /bin/ls -l (129.32.1.64,2595) (0 bytes).
total 6
dr-xr-xr-x 2 root root 1024 Oct 15 1990 bin
dr-xr-xr-x 2 root root 1024 Jun 13 16:22 etc
drwxr-xr-x 24 root sys 1024 Sep 10 19:55 pub
226 Transfer complete.
186 bytes received in 0.05 seconds (3.74 Kbytes/s)
ftp> bye
221 Goodbye.
shirley>
The messages sent between my FTP client and the FTP server are as follows with the
messages sent from Shirley in bold:
220 lynx FTP server (Version $Revision: 15.15 $ $Date: 89/08/31 10:33:40 $) ready.
USER anonymous
331 Guest login ok, send ident as password.
PASS
230 Guest login ok, access restrictions apply.
PORT 129,32,1,64,10,31
200 PORT command okay.
LIST
150 Opening data connection for /bin/ls -l (129.32.1.64,2591) (0 bytes).
total 6
dr-xr-xr-x 2 root root 1024 Oct 15 1990 bin
dr-xr-xr-x 2 root root 1024 Jun 13 16:22 etc
drwxr-xr-x 24 root sys 1024 Sep 10 19:55 pub
226 Transfer complete.
QUIT
221 Goodbye.
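The PORT argument in the listing above is four address bytes followed by the port split into a high and a low byte, so "10,31" means 10*256 + 31 = 2591, the port the server names in its 150 reply. The Python below is an added example, not part of the original analysis; the function names decode_port and check_session are made up for illustration. It decodes the argument, checks that the server's reply names the same endpoint, and checks that the address is the client's own.

```python
import re

# Control-channel lines copied from the listing above; the directory lines,
# which travel on the data connection, are left out.
CONTROL = """\
220 lynx FTP server (Version $Revision: 15.15 $ $Date: 89/08/31 10:33:40 $) ready.
USER anonymous
331 Guest login ok, send ident as password.
PASS
230 Guest login ok, access restrictions apply.
PORT 129,32,1,64,10,31
200 PORT command okay.
LIST
150 Opening data connection for /bin/ls -l (129.32.1.64,2591) (0 bytes).
226 Transfer complete.
QUIT
221 Goodbye.
"""

def decode_port(arg):
    """PORT h1,h2,h3,h4,p1,p2 -> (dotted IP, p1*256 + p2)."""
    fields = arg.split(",")
    if len(fields) != 6 or not all(f.isdigit() and int(f) <= 255 for f in fields):
        raise ValueError("malformed PORT argument: %r" % arg)
    n = [int(f) for f in fields]
    return ".".join(str(x) for x in n[:4]), n[4] * 256 + n[5]

def check_session(text, client_ip):
    """Return (endpoint from PORT, endpoint in the 150 reply, list of problems)."""
    announced = opened = None
    problems = []
    for line in text.splitlines():
        if line.startswith("PORT "):
            announced = decode_port(line[5:].strip())
            if announced[0] != client_ip:
                problems.append("PORT names %s, not the client %s"
                                % (announced[0], client_ip))
        elif line.startswith("150 "):
            m = re.search(r"\((\d+\.\d+\.\d+\.\d+),(\d+)\)", line)
            if m:
                opened = (m.group(1), int(m.group(2)))
                if opened != announced:
                    problems.append("150 reply names %s:%d, PORT did not" % opened)
    return announced, opened, problems
```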
The following pages contain a copy of the 42 packets generated on Temple's
Ethernet by the session above. The packets were captured using LANWatch
network analyzer software from FTP Software. They were later converted to TCPDump
format and displayed using Ethereal software. The computers involved are:
Internet Name             IP Address     Ethernet Address    Function
shirley.ocis.temple.edu   129.32.1.64    00:00:0f:00:7e:d9   My Next
prepnet.temple.edu        129.32.16.1    00:00:93:e0:70:55   Temple router
charon.psc.edu            128.182.65.6                       Temple nameserver
cs.orst.edu               129.193.32.1                       Oregon CS computer
A total of 42 Ethernet packets were captured. The first 2 Ethernet packets
contain ARP packets that Shirley uses to find out the Ethernet address of
prepnet.temple.edu. The remaining 40 Ethernet packets contain IP packets.
Shirley knows that the Temple router, prepnet.temple.edu, has an IP address
of 129.32.16.1. However, Shirley does not know the router's Ethernet address
(00:00:93:e0:70:55). Packets 1 and 2 are "ARP" protocol packets that Shirley
uses to find out the Ethernet address.
1. Shirley to everyone - Will 129.32.16.1 send me their Ethernet address?
Frame 1 (60 bytes on wire, 60 bytes captured)
Time since reference or first frame: 0.000000000 seconds
Ethernet II, Src: 00:00:0f:00:7e:d9, Dst: ff:ff:ff:ff:ff:ff
Type: ARP (0x0806)
Address Resolution Protocol (request)
Hardware type: Ethernet (0x0001)
Protocol type: IP (0x0800)
Hardware size: 6
Protocol size: 4
Opcode: request (0x0001)
Sender MAC address: 00:00:0f:00:7e:d9
Sender IP address: 129.32.1.64
Target MAC address: ff:ff:ff:ff:ff:ff
Target IP address: 129.32.16.1
0000 ff ff ff ff ff ff 00 00 0f 00 7e d9 08 06 00 01 ..........~.....
0010 08 00 06 04 00 01 00 00 0f 00 7e d9 81 20 01 40 ..........~.. .@
0020 ff ff ff ff ff ff 81 20 10 01 02 01 00 00 00 02 ....... ........
0030 00 00 c0 05 92 00 00 00 00 00 00 00 ............
2. Prepnet to Shirley - My Ethernet address is 00:00:93:e0:70:55
Frame 2 (60 bytes on wire, 60 bytes captured)
Time since reference or first frame: 0.512969000 seconds
Ethernet II, Src: 00:00:93:e0:70:55, Dst: 00:00:0f:00:7e:d9
Type: ARP (0x0806)
Address Resolution Protocol (reply)
Hardware type: Ethernet (0x0001)
Protocol type: IP (0x0800)
Hardware size: 6
Protocol size: 4
Opcode: reply (0x0002)
Sender MAC address: 00:00:93:e0:70:55
Sender IP address: 129.32.16.1
Target MAC address: 00:00:0f:00:7e:d9
Target IP address: 129.32.1.64
0000 00 00 0f 00 7e d9 00 00 93 e0 70 55 08 06 00 01 ....~.....pU....
0010 08 00 06 04 00 02 00 00 93 e0 70 55 81 20 10 01 ..........pU. ..
0020 00 00 0f 00 7e d9 81 20 01 40 02 01 00 00 00 02 ....~.. .@......
0030 00 00 c0 05 92 00 00 00 00 00 00 00 ............
In order to send packets to cs.orst.edu, Shirley needs to know its IP address.
To answer such questions, Shirley uses Temple’s name servers (which at the time
were comvax.ocis.temple.edu at address 129.32.1.2 and charon.psc.edu at address
128.182.65.6). However, Comvax happened to be "down" at the time, so Shirley
used charon.psc.edu (which happened to be located in Pittsburgh). Shirley
first assumes that "cs.orst.edu" is a Temple computer and, in packet 3, asks
Charon about the name "cs.orst.edu.temple.edu". In packet 4, Shirley receives a
negative response from Charon. In packet 5, Shirley asks about the name
"cs.orst.edu" and receives the answer (and a lot of additional information) in
packet 6.
3. Shirley to Charon - What is the IP address of cs.orst.edu.temple.edu?
Frame 3 (82 bytes on wire, 82 bytes captured)
Time since reference or first frame: 1.025940000 seconds
Ethernet II, Src: 00:00:0f:00:7e:d9, Dst: 00:00:93:e0:70:55
Type: IP (0x0800)
Internet Protocol, Src Addr: 129.32.1.64, Dst Addr: 128.182.65.6
Version: 4 Header length: 20 bytes Total Length: 68
Identification: 0x1139 (4409) Flags: 0x00 Fragment offset: 0
Time to live: 30 Protocol: UDP (0x11) Header checksum: 0x4754 (correct)
User Datagram Protocol, Src Port: 4382, Dst Port: 53
Source port: 4382
Destination port: 53
Length: 48
Checksum: 0xcc98 (correct)
Domain Name System (query)
Transaction ID: 0x00a4
Flags: 0x0100 (Standard query)
0... .... .... .... = Response: Message is a query
.000 0... .... .... = Opcode: Standard query (0)
.... ..0. .... .... = Truncated: Message is not truncated
.... ...1 .... .... = Recursion desired: Do query recursively
.... .... .0.. .... = Z: reserved (0)
.... .... ...0 .... = Non-authenticated data OK: Unacceptable
Questions: 1 Answer RRs: 0 Authority RRs: 0 Additional RRs: 0
Queries
cs.orst.edu.temple.edu: type A, class inet
Name: cs.orst.edu.temple.edu
Type: Host address
Class: inet
0000 00 00 93 e0 70 55 00 00 0f 00 7e d9 08 00 45 00 ....pU....~...E.
0010 00 44 11 39 00 00 1e 11 47 54 81 20 01 40 80 b6 .D.9....GT. .@..
0020 41 06 11 1e 00 35 00 30 cc 98 00 a4 01 00 00 01 A....5.0........
0030 00 00 00 00 00 00 02 63 73 04 6f 72 73 74 03 65 .......cs.orst.e
0040 64 75 06 74 65 6d 70 6c 65 03 65 64 75 00 00 01 du.temple.edu...
0050 00 01 ..
4. Charon to Shirley - No such computer.
Frame 4 (165 bytes on wire, 165 bytes captured)
Time since reference or first frame: 1.539229000 seconds
Ethernet II, Src: 00:00:93:e0:70:55, Dst: 00:00:0f:00:7e:d9
Type: IP (0x0800)
Internet Protocol, Src Addr: 128.182.65.6, Dst Addr: 129.32.1.64
Version: 4 Header length: 20 bytes Total Length: 151
Identification: 0x2ed9 (11993) Flags: 0x00 Fragment offset: 0
Time to live: 23 Protocol: UDP (0x11) Header checksum: 0x3061 (correct)
User Datagram Protocol, Src Port: 53 (53), Dst Port: 4382 (4382)
Length: 131
Checksum: 0xd2ca (correct)
Domain Name System (response)
Transaction ID: 0x00a4
Flags: 0x8583 (Standard query response, No such name)
1... .... .... .... = Response: Message is a response
.000 0... .... .... = Opcode: Standard query (0)
.... .1.. .... .... = Authoritative: Server is an authority for domain
.... ..0. .... .... = Truncated: Message is not truncated
.... ...1 .... .... = Recursion desired: Do query recursively
.... .... 1... .... = Recursion available: Server can do recursive queries
.... .... .0.. .... = Z: reserved (0)
.... .... ..0. .... = Answer authenticated: Not authenticated by the server
.... .... .... 0011 = Reply code: No such name (3)
Questions: 1 Answer RRs: 0 Authority RRs: 1 Additional RRs: 0
Queries
cs.orst.edu.temple.edu: type A, class inet
Name: cs.orst.edu.temple.edu
Type: Host address
Class: inet
Authoritative nameservers
temple.EDU: type SOA, class inet, mname comvax.ocis.temple.edu
Name: temple.EDU
Type: Start of zone of authority
Class: inet
Time to live: 1 hour
Data length: 61
Primary name server: comvax.ocis.temple.edu
Responsible authority's mailbox: swazuk.fac.cis.temple.edu
Serial number: 13
Refresh interval: 1 hour
Retry interval: 5 minutes
Expiration limit: 8 days, 8 hours
Minimum TTL: 1 hour
0000 00 00 0f 00 7e d9 00 00 93 e0 70 55 08 00 45 00 ....~.....pU..E.
0010 00 97 2e d9 00 00 17 11 30 61 80 b6 41 06 81 20 ........0a..A.. 
0020 01 40 00 35 11 1e 00 83 d2 ca 00 a4 85 83 00 01 .@.5............
0030 00 00 00 01 00 00 02 63 73 04 6f 72 73 74 03 65 .......cs.orst.e
0040 64 75 06 74 65 6d 70 6c 65 03 65 64 75 00 00 01 du.temple.edu...
0050 00 01 06 74 65 6d 70 6c 65 03 45 44 55 00 00 06 ...temple.EDU...
0060 00 01 00 00 0e 10 00 3d 06 63 6f 6d 76 61 78 04 .......=.comvax.
0070 6f 63 69 73 06 74 65 6d 70 6c 65 03 65 64 75 00 ocis.temple.edu.
0080 06 73 77 61 7a 75 6b 03 66 61 63 03 63 69 73 c0 .swazuk.fac.cis.
0090 4a 00 00 00 0d 00 00 0e 10 00 00 01 2c 00 0a fc J...........,...
00a0 80 00 00 0e 10 .....
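Frame 4 can be checked by hand-decoding its DNS payload. The Python below is an added example, not part of the original analysis; the names read_name and parse_nxdomain are made up for illustration. It parses the 123 payload bytes from the dump above, including the compression pointer (c0 4a) that ends the mailbox name, and it bounds pointer following so that a malformed message cannot send the parser into a loop.

```python
import struct

# DNS payload of frame 4: dump bytes from offset 0x2a on, after the
# 14-byte Ethernet, 20-byte IP and 8-byte UDP headers.
FRAME4_DNS = bytes.fromhex(
    "00a485830001000000010000"                          # header
    "026373046f727374036564750674656d706c650365647500"  # question name
    "00010001"                                          # type A, class inet
    "0674656d706c650345445500" "00060001" "00000e10" "003d"  # SOA owner/type/class/TTL/len
    "06636f6d766178046f6369730674656d706c650365647500"  # primary name server
    "067377617a756b0366616303636973c04a"                # mailbox, ends in pointer 0x4a
    "0000000d" "00000e10" "0000012c" "000afc80" "00000e10")

def read_name(msg, off):
    """Decode the name at off; return (name, offset just past it)."""
    labels, resume, hops = [], None, 0
    while True:
        length = msg[off]              # IndexError if the name runs off the end
        if length & 0xC0 == 0xC0:      # pointer: 14-bit offset from message start
            if resume is None:
                resume = off + 2
            off = ((length & 0x3F) << 8) | msg[off + 1]
            hops += 1
            if hops > 16:              # a pointer loop must not hang the parser
                raise ValueError("compression pointer loop")
        elif length == 0:
            return ".".join(labels), (off + 1 if resume is None else resume)
        elif length > 63:
            raise ValueError("reserved label type")
        else:
            labels.append(msg[off + 1:off + 1 + length].decode("ascii"))
            off += 1 + length

def parse_nxdomain(msg):
    """Parse a response holding one question and one SOA authority record."""
    txid, flags, qd, an, ns, ar = struct.unpack_from("!6H", msg, 0)
    qname, off = read_name(msg, 12)
    owner, off = read_name(msg, off + 4)           # skip question type and class
    rtype, rclass, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
    mname, off = read_name(msg, off + 10)          # skip type, class, TTL, length
    rname, off = read_name(msg, off)
    serial, refresh, retry, expire, minimum = struct.unpack_from("!5I", msg, off)
    return {"txid": txid, "aa": bool(flags & 0x0400), "rcode": flags & 0xF,
            "counts": (qd, an, ns, ar), "qname": qname, "owner": owner,
            "rtype": rtype, "ttl": ttl, "mname": mname, "rname": rname,
            "serial": serial, "retry": retry, "expire": expire}

if __name__ == "__main__":
    print(parse_nxdomain(FRAME4_DNS))
```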
5. Shirley to Charon - What is the IP address of cs.orst.edu?
Frame 5 (71 bytes on wire, 71 bytes captured)
Time since reference or first frame: 2.052561000 seconds
Ethernet II, Src: 00:00:0f:00:7e:d9, Dst: 00:00:93:e0:70:55
Type: IP (0x0800)
Internet Protocol, Src Addr: 129.32.1.64, Dst Addr: 128.182.65.6
Version: 4 Header length: 20 bytes Total Length: 57
Identification: 0x113b (4411) Flags: 0x00 Fragment offset: 0
Time to live: 30 Protocol: UDP (0x11) Header checksum: 0x475d (correct)
User Datagram Protocol, Src Port: 4383 (4383), Dst Port: 53 (53)
Length: 37
Checksum: 0xe664 (correct)
Domain Name System (query)
Transaction ID: 0x00a5
Flags: 0x0100 (Standard query)
0... .... .... .... = Response: Message is a query
.000 0... .... .... = Opcode: Standard query (0)
.... ..0. .... .... = Truncated: Message is not truncated
.... ...1 .... .... = Recursion desired: Do query recursively
.... .... .0.. .... = Z: reserved (0)
.... .... ...0 .... = Non-authenticated data OK: Unacceptable
Questions: 1 Answer RRs: 0 Authority RRs: 0 Additional RRs: 0
Queries
cs.orst.edu: type A, class inet
Name: cs.orst.edu
Type: Host address
Class: inet
0000 00 00 93 e0 70 55 00 00 0f 00 7e d9 08 00 45 00 ....pU....~...E.
0010 00 39 11 3b 00 00 1e 11 47 5d 81 20 01 40 80 b6 .9.;....G]. .@..
0020 41 06 11 1f 00 35 00 25 e6 64 00 a5 01 00 00 01 A....5.%.d......
0030 00 00 00 00 00 00 02 63 73 04 6f 72 73 74 03 65 .......cs.orst.e
0040 64 75 00 00 01 00 01 du.....
6. Charon to Shirley - cs.orst.edu's IP address is 128.193.32.1.
Frame 6 (369 bytes on wire, 369 bytes captured)
Time since reference or first frame: 2.566228000 seconds
Ethernet II, Src: 00:00:93:e0:70:55, Dst: 00:00:0f:00:7e:d9
Type: IP (0x0800)
Internet Protocol, Src Addr: 128.182.65.6 (128.182.65.6), Dst Addr: 129.32.1.64
Version: 4 Header length: 20 bytes Total Length: 355
Identification: 0x2eda (11994) Flags: 0x00 Fragment offset: 0
Time to live: 23 Protocol: UDP (0x11) Header checksum: 0x2f94 (correct)
User Datagram Protocol, Src Port: 53 (53), Dst Port: 4383 (4383)
Source port: 53 (53)
Destination port: 4383 (4383)
Length: 335
Checksum: 0xef3d (correct)
Domain Name System (response)
Transaction ID: 0x00a5
Flags: 0x8180 (Standard query response, No error)
1... .... .... .... = Response: Message is a response
.000 0... .... .... = Opcode: Standard query (0)
.... .0.. .... .... = Authoritative: Server is not an authority for domain
.... ..0. .... .... = Truncated: Message is not truncated
.... ...1 .... .... = Recursion desired: Do query recursively
.... .... 1... .... = Recursion available: Server can do recursive queries
.... .... .0.. .... = Z: reserved (0)
.... .... ..0. .... = Answer authenticated: Not authenticated by the server
.... .... .... 0000 = Reply code: No error (0)
Questions: 1 Answer RRs: 1 Authority RRs: 7 Additional RRs: 8
Queries
cs.orst.edu: type A, class inet
Name: cs.orst.edu
Type: Host address
Class: inet
Answers
cs.orst.edu: type A, class inet, addr 128.193.32.1
Name: cs.orst.edu
Type: Host address
Class: inet
Time to live: 1 day, 23 hours, 18 minutes, 56 seconds
Data length: 4
Addr: 128.193.32.1
Authoritative nameservers
cs.orst.EDU: type NS, class inet, ns CS.ORST.EDU
Name: cs.orst.EDU
Type: Authoritative name server
Class: inet
Time to live: 2 hours, 39 minutes, 13 seconds
Data length: 10
Name server: CS.ORST.EDU
cs.orst.EDU: type NS, class inet, ns beasley.UCS.ORST.EDU
cs.orst.EDU: type NS, class inet, ns ECE.ORST.EDU ...
cs.orst.EDU: type NS, class inet, ns OCE.ORST.EDU ...
cs.orst.EDU: type NS, class inet, ns nnsc.NSF.NET ...
cs.orst.EDU: type NS, class inet, ns UCS.ORST.EDU ...
cs.orst.EDU: type NS, class inet, ns mist.CS.ORST.EDU ...
Additional records
CS.ORST.EDU: type A, class inet, addr 128.193.32.1
Name: CS.ORST.EDU
Type: Host address
Class: inet
Time to live: 1 day, 23 hours, 18 minutes, 56 seconds
Data length: 4
Addr: 128.193.32.1
beasley.UCS.ORST.EDU: type A, class inet, addr 128.193.128.3
ECE.ORST.EDU: type A, class inet, addr 128.193.48.1
OCE.ORST.EDU: type A, class inet, addr 128.193.64.1
nnsc.NSF.NET: type A, class inet, addr 192.31.103.6
nnsc.NSF.NET: type A, class inet, addr 128.89.1.178
UCS.ORST.EDU: type A, class inet, addr 128.193.128.3
mist.CS.ORST.EDU: type A, class inet, addr 128.193.32.2
0000 00 00 0f 00 7e d9 00 00 93 e0 70 55 08 00 45 00 ....~.....pU..E.
0010 01 63 2e da 00 00 17 11 2f 94 80 b6 41 06 81 20 .c....../...A.. 
0020 01 40 00 35 11 1f 01 4f ef 3d 00 a5 81 80 00 01 .@.5...O.=......
0030 00 01 00 07 00 08 02 63 73 04 6f 72 73 74 03 65 .......cs.orst.e
0040 64 75 00 00 01 00 01 c0 0c 00 01 00 01 00 02 99 du..............
0050 60 00 04 80 c1 20 01 02 63 73 04 6f 72 73 74 03 `.... ..cs.orst.
0060 45 44 55 00 00 02 00 01 00 00 25 51 00 0a 02 43 EDU.......%Q...C
0070 53 04 4f 52 53 54 c0 35 c0 2d 00 02 00 01 00 00 S.ORST.5.-......
0080 25 51 00 0e 07 62 65 61 73 6c 65 79 03 55 43 53 %Q...beasley.UCS
0090 c0 47 c0 2d 00 02 00 01 00 00 25 51 00 06 03 45 .G.-......%Q...E
00a0 43 45 c0 47 c0 2d 00 02 00 01 00 00 25 51 00 06 CE.G.-......%Q..
00b0 03 4f 43 45 c0 47 c0 2d 00 02 00 01 00 00 25 51 .OCE.G.-......%Q