Software download for analysis: Wireshark-win32-1.10.2.exe
1. Analysis of the TCP protocol used by an application, and TCP connection management
2. Analysis of the UDP protocol used by an application
Analysis requirements
(1) TCP part:
- Learn the configuration and use of the 3CDaemon FTP server
- Design an application for obtaining TCP messages
- Analyze the format and content of TCP messages (analyze at least 5 messages and understand the relationship between them)
- Analyze the "three-way handshake" by which the TCP connection is established and find the corresponding messages
(2) UDP part:
- Learn the configuration and use of Cisco TFTP Server
- Design an application for obtaining UDP messages
- Analyze the format and content of UDP messages (analyze at least 5 messages and understand the relationship between them)
- What is the difference between analyzing a UDP message and a TCP message? Understand the difference between the UDP and TCP protocols
Analysis content
(1) TCP part:
- Learn the configuration and use of the 3CDaemon FTP server
Download and install the 3CDaemon software and configure its FTP server component
- Design an application for obtaining TCP messages
Log in to the FTP server with the anonymous account "anonymous" built into 3CDaemon to obtain TCP messages
- Analyze the format and content of TCP messages (analyze at least 5 messages and understand the relationship between them)
See the "Analysis results and summary" section below
- Analyze the "three-way handshake" by which the TCP connection is established and find the corresponding messages
(2) UDP part:
- Learn the configuration and use of Cisco TFTP Server
Configure Cisco TFTP Server
- Design an application for obtaining UDP messages
Use the TFTP client command in the Windows command line to connect to the TFTP server and download the file F1.txt:
tftp -i 172.18.3.188 GET F1.txt
Upload the file F2.txt:
tftp -i 172.18.3.188 PUT F2.txt
Capture packets at the same time to obtain the UDP messages
- Analyze the format and content of UDP messages (analyze at least 5 messages and understand the relationship between them)
See the "Analysis results and summary" section below
- What is the difference between analyzing a UDP message and a TCP message? Understand the difference between the UDP and TCP protocols
Analysis results and summary
1. Acquiring and analyzing TCP messages
(1) Logging in to FTP server 172.18.3.154, connection establishment: the SYN message (client -> server). TCP header bytes:
07a200151ea58e8f000000008002ffff5ad20000020405b40103030301010402
Source port: 07 a2 = abr-api (1954)
Destination port: 00 15 = ftp (21)
Sequence number: 1e a5 8e 8f = 0 (relative sequence number)
Header length: 8 = 32 bytes
Flags: 02 = 0x002 (SYN)
Window: ff ff = 65535 (calculated window size: 65535)
Checksum: 5a d2 = 0x5ad2 [validation disabled]
Options (12 bytes): 02 04 05 b4 01 03 03 03 01 01 04 02 = maximum segment size, NOP, window scale, NOP, NOP, SACK permitted
(2) Logging in to FTP server 172.18.3.154, connection establishment: the SYN+ACK message (server -> client). Full frame bytes (Ethernet and IP headers precede the TCP header):
00e04c512b4e00e04c500ff9080045000034287040004006b2fcac12039aac120399001507a263bcdaf71ea58e908012ffff1c0d0000020405b40103030301010402
Source port: 00 15 = ftp (21)
Destination port: 07 a2 = abr-api (1954)
Sequence number: 63 bc da f7 = 0 (relative sequence number)
Acknowledgment number: 1e a5 8e 90 = 1 (relative ACK number)
Header length: 8 = 32 bytes
Flags: 12 = 0x012 (SYN, ACK)
Window: ff ff = 65535 (calculated window size: 65535)
Checksum: 1c 0d = 0x1c0d [validation disabled]
Options (12 bytes): 02 04 05 b4 01 03 03 03 01 01 04 02 = maximum segment size, NOP, window scale, NOP, NOP, SACK permitted
(3) Logging in to FTP server 172.18.3.154, connection establishment: the final ACK message (client -> server). TCP header bytes:
07a200151ea58e9063bcdaf85010b5c9a7110000
Source port: 07 a2 = abr-api (1954)
Destination port: 00 15 = ftp (21)
Sequence number: 1e a5 8e 90 = 1 (relative sequence number)
Acknowledgment number: 63 bc da f8 = 1 (relative ACK number)
Header length: 5 = 20 bytes
Flags: 10 = 0x010 (ACK)
Window: b5 c9 = 46537 (calculated window size: 372296, window size scaling factor: 8)
Checksum: a7 11 = 0xa711 [validation disabled]
(4) Closing the TCP connection to FTP server 172.18.3.154: the FIN+ACK message (seq = x) from the server. Full frame bytes (Ethernet and IP headers precede the TCP header):
00e04c512b4e00e04c500ff908004500002854fb40004006867dac12039aac12039900150966cb76f9c531de53865011b5b846a70000000000000000
Source port: 00 15 = ftp (21)
Destination port: 09 66 = jediserver (2406)
Sequence number: cb 76 f9 c5 = 437 (relative sequence number)
Acknowledgment number: 31 de 53 86 = 135 (relative ACK number)
Header length: 5 = 20 bytes
Flags: 11 = 0x011 (FIN, ACK)
Window: b5 b8 = 46520 (calculated window size: 372160, window size scaling factor: 8)
Checksum: 46 a7 = 0x46a7 [validation disabled]
(5) Closing the TCP connection to FTP server 172.18.3.154: the ACK message (ack = x+1) from the client. TCP header bytes:
0966001531de5386cb76f9c65010b59346cc0000
Source port: 09 66 = jediserver (2406)
Destination port: 00 15 = ftp (21)
Sequence number: 31 de 53 86 = 135 (relative sequence number)
Acknowledgment number: cb 76 f9 c6 = 438 (relative ACK number)
Header length: 5 = 20 bytes
Flags: 10 = 0x010 (ACK)
Window: b5 93 = 46483 (calculated window size: 371864, window size scaling factor: 8)
Checksum: 46 cc = 0x46cc [validation disabled]
(6) Closing the TCP connection to FTP server 172.18.3.154: the FIN+ACK message (seq = y, ack = x+1) from the client. TCP header bytes:
0966001531de5386cb76f9c65011b59346cb0000
Source port: 09 66 = jediserver (2406)
Destination port: 00 15 = ftp (21)
Sequence number: 31 de 53 86 = 135 (relative sequence number)
Acknowledgment number: cb 76 f9 c6 = 438 (relative ACK number)
Header length: 5 = 20 bytes
Flags: 11 = 0x011 (FIN, ACK)
Window: b5 93 = 46483 (calculated window size: 371864, window size scaling factor: 8)
Checksum: 46 cb = 0x46cb [validation disabled]
(7) Closing the TCP connection to FTP server 172.18.3.154: the ACK message (ack = y+1) from the server. Full frame bytes (Ethernet and IP headers precede the TCP header):
00e04c512b4e00e04c500ff908004500002854fc40004006867cac12039aac12039900150966cb76f9c631de53875010b5b846a60000000000000000
Source port: 00 15 = ftp (21)
Destination port: 09 66 = jediserver (2406)
Sequence number: cb 76 f9 c6 = 438 (relative sequence number)
Acknowledgment number: 31 de 53 87 = 136 (relative ACK number)
Header length: 5 = 20 bytes
Flags: 10 = 0x010 (ACK)
Window: b5 b8 = 46520 (calculated window size: 372160, window size scaling factor: 8)
Checksum: 46 a6 = 0x46a6 [validation disabled]
TCP connection establishment:
The client sends a SYN message with sequence number x. The server receives it and replies with a SYN message whose sequence number is y and whose acknowledgment number is x+1. The client receives that and sends an ACK message with acknowledgment number y+1. TCP establishes the connection with these three exchanges, in this order (the three-way handshake).
Graceful shutdown of the TCP connection:
Endpoint 1 sends a FIN message with sequence number x. Endpoint 2 receives it and sends back an ACK message with acknowledgment number x+1. Endpoint 2 then sends a FIN message with sequence number y and acknowledgment number x+1. Endpoint 1 receives it and sends an ACK message with acknowledgment number y+1. When endpoint 2 receives that message, the connection is closed normally. This is a modified form of the three-way handshake.
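As an added example (not part of the original report), the following Python code parses the three handshake segments dumped above, strips the Ethernet and IPv4 headers from the one dump that is a full frame, decodes the TCP options the capture uses, and checks that the sequence and acknowledgment numbers of the three messages fit the handshake described. The frame-detection heuristic and the field names in the returned dictionary are my own choices.

```python
import struct

# Handshake segments captured in the report above: bare TCP headers for (1) and (3),
# and a full Ethernet/IPv4/TCP frame for (2).
SYN = "07a200151ea58e8f000000008002ffff5ad20000020405b40103030301010402"
SYN_ACK = ("00e04c512b4e00e04c500ff9080045000034287040004006b2fcac12039aac120399"
           "001507a263bcdaf71ea58e908012ffff1c0d0000020405b40103030301010402")
ACK = "07a200151ea58e9063bcdaf85010b5c9a7110000"
FLAG_NAMES = ["FIN", "SYN", "RST", "PSH", "ACK", "URG"]  # bit 0 .. bit 5 of the flags field

def tcp_header(raw):
    """Strip Ethernet (14 bytes) and IPv4 (IHL*4 bytes) headers when the dump is a full frame.
    Heuristic suited to this report's dumps: EtherType 0x0800 at offset 12 marks a frame."""
    if len(raw) > 40 and raw[12:14] == b"\x08\x00":
        return raw[14 + (raw[14] & 0x0F) * 4:]
    return raw

def parse_options(opts):
    """Decode the option kinds this capture uses: MSS (2), NOP (1), window scale (3), SACK permitted (4)."""
    out, i = {}, 0
    while i < len(opts) and opts[i] != 0:        # kind 0 ends the option list
        kind = opts[i]
        if kind == 1:                             # NOP is a single byte without a length field
            i += 1
            continue
        length, body = opts[i + 1], opts[i + 2:i + opts[i + 1]]
        if kind == 2:
            out["mss"] = struct.unpack("!H", body)[0]
        elif kind == 3:
            out["wscale"] = 1 << body[0]          # shift count -> multiplier, as Wireshark displays it
        elif kind == 4:
            out["sack_permitted"] = True
        i += length
    return out

def parse_tcp(hexdump):
    raw = tcp_header(bytes.fromhex(hexdump))
    src, dst, seq, ack, off_flags, win, csum, _urg = struct.unpack("!HHIIHHHH", raw[:20])
    hlen = (off_flags >> 12) * 4                  # data offset is counted in 32-bit words
    flags = off_flags & 0x1FF
    return {"src": src, "dst": dst, "seq": seq, "ack": ack, "hlen": hlen, "window": win,
            "checksum": csum, "options": parse_options(raw[20:hlen]),
            "flags": [n for i, n in enumerate(FLAG_NAMES) if flags & (1 << i)]}

def handshake_ok(syn, synack, ack):
    """Three-way handshake check: flags in order, and each ACK equals the peer's ISN + 1."""
    s1, s2, s3 = parse_tcp(syn), parse_tcp(synack), parse_tcp(ack)
    return (s1["flags"] == ["SYN"] and s2["flags"] == ["SYN", "ACK"] and s3["flags"] == ["ACK"]
            and s2["ack"] == s1["seq"] + 1 and s3["ack"] == s2["seq"] + 1
            and s3["seq"] == s1["seq"] + 1)
```

Multiplying the window of message (3) by the window scale announced in the client's SYN reproduces Wireshark's "calculated window size" of 372296.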
2. Acquiring and analyzing UDP messages
(1) First UDP message of tftp -i 172.18.3.188 GET F1.txt. UDP header bytes:
0c3e00450017bd5c
Source port: 0c 3e = 3134
Destination port: 00 45 = 69 (tftp)
Length: 00 17 = 23
Checksum: bd 5c = 0xbd5c [validation disabled]
Data: TFTP message
(2) Second UDP message of tftp -i 172.18.3.188 GET F1.txt. UDP header bytes:
09f30c3e001b8124
Source port: 09 f3 = 2547
Destination port: 0c 3e = 3134
Length: 00 1b = 27
Checksum: 81 24 = 0x8124 [validation disabled]
Data: TFTP message
(3) Third UDP message of tftp -i 172.18.3.188 GET F1.txt. UDP header bytes:
0c3e09f3000c8a32
Source port: 0c 3e = 3134
Destination port: 09 f3 = 2547
Length: 00 0c = 12
Checksum: 8a 32 = 0x8a32 [validation disabled]
Data: TFTP message
(4) First UDP message of tftp -i 172.18.3.188 PUT F2.txt. UDP header bytes:
0d1d00450017bc7b
Source port: 0d 1d = 3357
Destination port: 00 45 = 69 (tftp)
Length: 00 17 = 23
Checksum: bc 7b = 0xbc7b [validation disabled]
Data: TFTP message
(5) Second UDP message of tftp -i 172.18.3.188 PUT F2.txt. UDP header bytes:
0b410d1d000c8806
Source port: 0b 41 = 2881
Destination port: 0d 1d = 3357
Length: 00 0c = 12
Checksum: 88 06 = 0x8806 [validation disabled]
Data: TFTP message
(6) Third UDP message of tftp -i 172.18.3.188 PUT F2.txt. UDP header bytes:
0d1d0b4100138b61
Source port: 0d 1d = 3357
Destination port: 0b 41 = 2881
Length: 00 13 = 19
Checksum: 8b 61 = 0x8b61 [validation disabled]
Data: TFTP message
(7) Fourth UDP message of tftp -i 172.18.3.188 PUT F2.txt. UDP header bytes:
0b410d1d000c8805
Source port: 0b 41 = 2881
Destination port: 0d 1d = 3357
Length: 00 0c = 12
Checksum: 88 05 = 0x8805 [validation disabled]
Data: TFTP message
The difference between a UDP message and a TCP message:
UDP messages are shorter than TCP messages and no connection is established. TCP is a reliable transport protocol, UDP is an unreliable one. UDP is faster than TCP and is suited to a number of high-speed, precision-demanding connections.
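As an added example (not part of the original report), the following Python code parses the seven UDP headers captured above and reconstructs the relationship between the datagrams of each transfer: the request goes to port 69, the server answers from a freshly chosen port (its TFTP transfer ID), and all later datagrams stay on that port pair. It also rebuilds the RRQ/WRQ payload for the file names used, which explains why both requests have a UDP length of 23. Since the report does not reproduce the payloads, message types are inferred from the UDP length alone, as the comments note.

```python
import struct

# UDP headers (8 bytes each) copied from the report's captures; the payloads were not reproduced.
GET_F1 = ["0c3e00450017bd5c", "09f30c3e001b8124", "0c3e09f3000c8a32"]                 # GET F1.txt
PUT_F2 = ["0d1d00450017bc7b", "0b410d1d000c8806", "0d1d0b4100138b61", "0b410d1d000c8805"]  # PUT F2.txt

TFTP_PORT = 69
RRQ, WRQ = 1, 2   # TFTP opcodes for read and write requests

def parse_udp(hexdump):
    """The whole UDP header: ports, length (header + payload) and checksum."""
    src, dst, length, csum = struct.unpack("!HHHH", bytes.fromhex(hexdump)[:8])
    return {"src": src, "dst": dst, "length": length, "checksum": csum, "payload_len": length - 8}

def tftp_request(opcode, filename, mode="octet"):
    """RRQ/WRQ payload as RFC 1350 lays it out: opcode, filename, NUL, mode, NUL."""
    return struct.pack("!H", opcode) + filename.encode("ascii") + b"\0" + mode.encode("ascii") + b"\0"

def udp_length_of(payload):
    return 8 + len(payload)

def tftp_conversation(headers):
    """Reconstruct the exchange from the headers alone. TFTP rules visible in the capture: the
    request goes to port 69, the server answers from a fresh ephemeral port (its transfer ID),
    and every later datagram uses exactly that port pair. A 4-byte payload is treated as an ACK
    (opcode + block number); an empty final DATA block would look the same, so this is a heuristic."""
    first = parse_udp(headers[0])
    if first["dst"] != TFTP_PORT:
        raise ValueError("first datagram is not a TFTP request")
    client_tid, server_tid = first["src"], None
    out = [(first["src"], first["dst"], "request")]
    for h in headers[1:]:
        p = parse_udp(h)
        if server_tid is None:
            server_tid = p["src"]
        if {p["src"], p["dst"]} != {client_tid, server_tid}:
            raise ValueError("datagram outside the negotiated TID pair: %r" % (p,))
        label = "ACK" if p["payload_len"] == 4 else "DATA (%d bytes)" % (p["payload_len"] - 4)
        out.append((p["src"], p["dst"], label))
    return server_tid, out
```

For the GET the server's first datagram already carries the 15 bytes of F1.txt; for the PUT the server first acknowledges block 0 and the client then sends the 7 bytes of F2.txt.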
Transport layer protocol TCP and UDP analysis