DOCSLIB.ORG

Frame 1 (60 Bytes on Wire, 60 Bytes Captured)

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Frame 1 (60 Bytes on Wire, 60 Bytes Captured)

Protocol Analysis of an FTP session from shirley.cis.temple.edu

The following is a log of an FTP session between shirley.cis.temple.edu and cs.orst.edu. The characters I typed are in bold.

shirley> ftp cs.orst.edu Connected to cs.orst.edu. 220 lynx FTP server (Version $Revision: 15.15 $ $Date: 89/08/31 10:33:40 $) ready. Name (cs.orst.edu:stafford): anonymous 331 Guest login ok, send ident as password. Password: [email protected] 230 Guest login ok, access restrictions apply. ftp> dir 200 PORT command okay. 150 Opening data connection for /bin/ls -l (129.32.1.64,2595) (0 bytes). total 6 dr-xr-xr-x 2 root root 1024 Oct 15 1990 bin dr-xr-xr-x 2 root root 1024 Jun 13 16:22 etc drwxr-xr-x 24 root sys 1024 Sep 10 19:55 pub 226 Transfer complete. 186 bytes received in 0.05 seconds (3.74 Kbytes/s) ftp> bye 221 Goodbye. shirley>

The messages sent between my FTP client and the FTP server are as follows with the messages sent from Shirley in bold:

220 lynx FTP server (Version $Revision: 15.15 $ $Date: 89/08/31 10:33:40 $) ready. USER anonymous 331 Guest login ok, send ident as password. PASS [email protected] 230 Guest login ok, access restrictions apply. PORT 129,32,1,64,10,31 200 PORT command okay. LIST 150 Opening data connection for /bin/ls -l (129.32.1.64,2591) (0 bytes). total 6 dr-xr-xr-x 2 root root 1024 Oct 15 1990 bin dr-xr-xr-x 2 root root 1024 Jun 13 16:22 etc drwxr-xr-x 24 root sys 1024 Sep 10 19:55 pub 226 Transfer complete. QUIT 221 Goodbye.

The following pages contain a copy of the 42 packets generated on Temple's Ethernet by the session above. The packets were captured using LANWatch network analyzer software from FTP software. It was later converted to TCPDump format and displayed using Ethereal software. The computers involved are:

Internet Name IP Address Ethernet Address Function shirley.ocis.temple.edu 129.32.1.64 00:00:0f:00:7e:d9 My Next prepnet.temple.edu 129.32.16.1 00:00:93:e0:70:55 Temple router charon.psc.edu 128.182.65.6 Temple nameserver cs.orst.edu 129.193.32.1 Oregon CS computer

A total of 42 Ethernet packets were captured. The first 2 Ethernet packets contain ARP packets that Shirley uses to find out the Ethernet address of prepnet.temple.edu. The remaining 40 Ethernet packets contain IP packets.

page 1 Shirley knows that the Temple router, prepnet.temple.edu, has an IP address of 129.32.16.1. However, Shirley does not know the routers Ethernet address (00:00:93:e0:70:55). Packets 1 and 2 are "ARP" protocol packets that Shirley uses to find out the Ethernet address.

1. Shirley to everyone - Will 129.32.16.1 send me their Ethernet address

Frame 1 (60 bytes on wire, 60 bytes captured) Time since reference or first frame: 0.000000000 seconds Ethernet II, Src: 00:00:0f:00:7e:d9, Dst: ff:ff:ff:ff:ff:ff Type: ARP (0x0806) Address Resolution Protocol (request) Hardware type: Ethernet (0x0001) Protocol type: IP (0x0800) Hardware size: 6 Protocol size: 4 Opcode: request (0x0001) Sender MAC address: 00:00:0f:00:7e:d9 Sender IP address: 129.32.1.64 Target MAC address: ff:ff:ff:ff:ff:ff Target IP address: 129.32.16.1

0000 ff ff ff ff ff ff 00 00 0f 00 7e d9 08 06 00 01 ...... ~..... 0010 08 00 06 04 00 01 00 00 0f 00 7e d9 81 20 01 40 ...... ~.. .@ 0020 ff ff ff ff ff ff 81 20 10 01 02 01 00 00 00 02 ...... 0030 00 00 c0 05 92 00 00 00 00 00 00 00 ......

2. Prepnet to Shirley - My Ethernet address is 00:00:93:e0:70:55

Frame 2 (60 bytes on wire, 60 bytes captured) Time since reference or first frame: 0.512969000 seconds Ethernet II, Src: 00:00:93:e0:70:55, Dst: 00:00:0f:00:7e:d9 Type: ARP (0x0806) Address Resolution Protocol (reply) Hardware type: Ethernet (0x0001) Protocol type: IP (0x0800) Hardware size: 6 Protocol size: 4 Opcode: reply (0x0002) Sender MAC address: 00:00:93:e0:70:55 Sender IP address: 129.32.16.1 Target MAC address: 00:00:0f:00:7e:d9 Target IP address: 129.32.1.64

0000 00 00 0f 00 7e d9 00 00 93 e0 70 55 08 06 00 01 ....~.....pU.... 0010 08 00 06 04 00 02 00 00 93 e0 70 55 81 20 10 01 ...... pU. .. 0020 00 00 0f 00 7e d9 81 20 01 40 02 01 00 00 00 02 ....~.. .@...... 0030 00 00 c0 05 92 00 00 00 00 00 00 00 ......

In order to send packets to cs.orst.edu, Shirley needs to know its IP address. To answer such questions, Shirley uses Temple’s name servers (which at the time were comvax.ocis.temple.edu at address 129.32.1.2 and charon.psc.edu at address 128.182.65.6). However, Comvax happened to be "down" at the time, so Shirley used charon.psc.edu (which happened to be located in Pittsburgh}. Shirley first assumes that "cs.orst.edu" is a Temple computer and, in packet 3, asks Charon about the name "cs.orst.edu.temple.edu". In packet 4, Shirley receives a negative response from Charon. In packet 5. Shirley asks about the name "cs.orst.edu" and receives the answer (and a lot of additional information) in packet 6.

page 2 3. Shirley to Charon - What is the IP address of cs.orst.edu.temple.edu?

Frame 3 (82 bytes on wire, 82 bytes captured) Time since reference or first frame: 1.025940000 seconds Ethernet II, Src: 00:00:0f:00:7e:d9, Dst: 00:00:93:e0:70:55 Type: IP (0x0800) Internet Protocol, Src Addr: 129.32.1.64, Dst Addr: 128.182.65.6 Version: 4 Header length: 20 bytes Total Length: 68 Identification: 0x1139 (4409) Flags: 0x00 Fragment offset: 0 Time to live: 30 Protocol: UDP (0x11) Header checksum: 0x4754 (correct) User Datagram Protocol, Src Port: 4382, Dst Port: 53 Source port: 4382 Destination port: 53 Length: 48 Checksum: 0xcc98 (correct) Domain Name System (query) Transaction ID: 0x00a4 Flags: 0x0100 (Standard query) 0...... = Response: Message is a query .000 0...... = Opcode: Standard query (0) ...... 0...... = Truncated: Message is not truncated ...... 1 ...... = Recursion desired: Do query recursively ...... 0...... = Z: reserved (0) ...... 0 .... = Non-authenticated data OK: Unacceptable Questions: 1 Answer RRs: 0 Authority RRs: 0 Additional RRs: 0 Queries cs.orst.edu.temple.edu: type A, class inet Name: cs.orst.edu.temple.edu Type: Host address Class: inet

0000 00 00 93 e0 70 55 00 00 0f 00 7e d9 08 00 45 00 ....pU....~...E. 0010 00 44 11 39 00 00 1e 11 47 54 81 20 01 40 80 b6 .D.9....GT. .@.. 0020 41 06 11 1e 00 35 00 30 cc 98 00 a4 01 00 00 01 A....5.0...... 0030 00 00 00 00 00 00 02 63 73 04 6f 72 73 74 03 65 ...... cs.orst.e 0040 64 75 06 74 65 6d 70 6c 65 03 65 64 75 00 00 01 du.temple.edu... 0050 00 01 ..

page 3 4. Charon to Shirley - No such computer.

Frame 4 (165 bytes on wire, 165 bytes captured) Time since reference or first frame: 1.539229000 seconds Ethernet II, Src: 00:00:93:e0:70:55, Dst: 00:00:0f:00:7e:d9 Type: IP (0x0800) Internet Protocol, Src Addr: 128.182.65.6, Dst Addr: 129.32.1.64 Version: 4 Header length: 20 bytes Total Length: 151 Identification: 0x2ed9 (11993) Flags: 0x00 Fragment offset: 0 Time to live: 23 Protocol: UDP (0x11) Header checksum: 0x3061 (correct) User Datagram Protocol, Src Port: 53 (53), Dst Port: 4382 (4382) Length: 131 Checksum: 0xd2ca (correct) Domain Name System (response) Transaction ID: 0x00a4 Flags: 0x8583 (Standard query response, No such name) 1...... = Response: Message is a response .000 0...... = Opcode: Standard query (0) .... .1...... = Authoritative: Server is an authority for domain ...... 0...... = Truncated: Message is not truncated ...... 1 ...... = Recursion desired: Do query recursively ...... 1...... = Recursion available: Server can do recursive queries ...... 0...... = Z: reserved (0) ...... 0. .... = Answer authenticated: Not authenticated by the server ...... 0011 = Reply code: No such name (3) Questions: 1 Answer RRs: 0 Authority RRs: 1 Additional RRs: 0 Queries cs.orst.edu.temple.edu: type A, class inet Name: cs.orst.edu.temple.edu Type: Host address Class: inet Authoritative nameservers temple.EDU: type SOA, class inet, mname comvax.ocis.temple.edu Name: temple.EDU Type: Start of zone of authority Class: inet Time to live: 1 hour Data length: 61 Primary name server: comvax.ocis.temple.edu Responsible authority's mailbox: swazuk.fac.cis.temple.edu Serial number: 13 Refresh interval: 1 hour Retry interval: 5 minutes Expiration limit: 8 days, 8 hours Minimum TTL: 1 hour

0000 00 00 0f 00 7e d9 00 00 93 e0 70 55 08 00 45 00 ....~.....pU..E. 0010 00 97 2e d9 00 00 17 11 30 61 80 b6 41 06 81 20 ...... 0a..A.. 0020 01 40 00 35 11 1e 00 83 d2 ca 00 a4 85 83 00 01 [email protected]...... 0030 00 00 00 01 00 00 02 63 73 04 6f 72 73 74 03 65 ...... cs.orst.e 0040 64 75 06 74 65 6d 70 6c 65 03 65 64 75 00 00 01 du.temple.edu... 0050 00 01 06 74 65 6d 70 6c 65 03 45 44 55 00 00 06 ...temple.EDU... 0060 00 01 00 00 0e 10 00 3d 06 63 6f 6d 76 61 78 04 ...... =.comvax. 0070 6f 63 69 73 06 74 65 6d 70 6c 65 03 65 64 75 00 ocis.temple.edu. 0080 06 73 77 61 7a 75 6b 03 66 61 63 03 63 69 73 c0 .swazuk.fac.cis. 0090 4a 00 00 00 0d 00 00 0e 10 00 00 01 2c 00 0a fc J...... ,... 00a0 80 00 00 0e 10 .....

page 4 5. Shirley to Charon - What is the IP address of cs.orst.edu?

Frame 5 (71 bytes on wire, 71 bytes captured) Time since reference or first frame: 2.052561000 seconds Ethernet II, Src: 00:00:0f:00:7e:d9, Dst: 00:00:93:e0:70:55 Type: IP (0x0800) Internet Protocol, Src Addr: 129.32.1.64, Dst Addr: 128.182.65.6 Version: 4 Header length: 20 bytes Total Length: 57 Identification: 0x113b (4411) Flags: 0x00 Fragment offset: 0 Time to live: 30 Protocol: UDP (0x11) Header checksum: 0x475d (correct) User Datagram Protocol, Src Port: 4383 (4383), Dst Port: 53 (53) Length: 37 Checksum: 0xe664 (correct) Domain Name System (query) Transaction ID: 0x00a5 Flags: 0x0100 (Standard query) 0...... = Response: Message is a query .000 0...... = Opcode: Standard query (0) ...... 0...... = Truncated: Message is not truncated ...... 1 ...... = Recursion desired: Do query recursively ...... 0...... = Z: reserved (0) ...... 0 .... = Non-authenticated data OK: Unacceptable Questions: 1 Answer RRs: 0 Authority RRs: 0 Additional RRs: 0 Queries cs.orst.edu: type A, class inet Name: cs.orst.edu Type: Host address Class: inet

0000 00 00 93 e0 70 55 00 00 0f 00 7e d9 08 00 45 00 ....pU....~...E. 0010 00 39 11 3b 00 00 1e 11 47 5d 81 20 01 40 80 b6 .9.;....G]. .@.. 0020 41 06 11 1f 00 35 00 25 e6 64 00 a5 01 00 00 01 A....5.%.d...... 0030 00 00 00 00 00 00 02 63 73 04 6f 72 73 74 03 65 ...... cs.orst.e 0040 64 75 00 00 01 00 01 du.....

page 5 6. Charon to Shirley - cs.orst.edu's IP address is 128.193.32.1.

Frame 6 (369 bytes on wire, 369 bytes captured) Time since reference or first frame: 2.566228000 seconds Ethernet II, Src: 00:00:93:e0:70:55, Dst: 00:00:0f:00:7e:d9 Type: IP (0x0800) Internet Protocol, Src Addr: 128.182.65.6 (128.182.65.6), Dst Addr: 129.32.1.64 Version: 4 Header length: 20 bytes Total Length: 355 Identification: 0x2eda (11994) Flags: 0x00 Fragment offset: 0 Time to live: 23 Protocol: UDP (0x11) Header checksum: 0x2f94 (correct) User Datagram Protocol, Src Port: 53 (53), Dst Port: 4383 (4383) Source port: 53 (53) Destination port: 4383 (4383) Length: 335 Checksum: 0xef3d (correct) Domain Name System (response) Transaction ID: 0x00a5 Flags: 0x8180 (Standard query response, No error) 1...... = Response: Message is a response .000 0...... = Opcode: Standard query (0) .... .0...... = Authoritative: Server is not an authority for domain ...... 0...... = Truncated: Message is not truncated ...... 1 ...... = Recursion desired: Do query recursively ...... 1...... = Recursion available: Server can do recursive queries ...... 0...... = Z: reserved (0) ...... 0. .... = Answer authenticated: Not authenticated by the server ...... 0000 = Reply code: No error (0) Questions: 1 Answer RRs: 1 Authority RRs: 7 Additional RRs: 8 Queries cs.orst.edu: type A, class inet Name: cs.orst.edu Type: Host address Class: inet Answers cs.orst.edu: type A, class inet, addr 128.193.32.1 Name: cs.orst.edu Type: Host address Class: inet Time to live: 1 day, 23 hours, 18 minutes, 56 seconds Data length: 4 Addr: 128.193.32.1 Authoritative nameservers cs.orst.EDU: type NS, class inet, ns CS.ORST.EDU Name: cs.orst.EDU Type: Authoritative name server Class: inet Time to live: 2 hours, 39 minutes, 13 seconds Data length: 10 Name server: CS.ORST.EDU cs.orst.EDU: type NS, class inet, ns beasley.UCS.ORST.EDU cs.orst.EDU: type NS, class inet, ns ECE.ORST.EDU ... cs.orst.EDU: type NS, class inet, ns OCE.ORST.EDU ... cs.orst.EDU: type NS, class inet, ns nnsc.NSF.NET ... cs.orst.EDU: type NS, class inet, ns UCS.ORST.EDU ... cs.orst.EDU: type NS, class inet, ns mist.CS.ORST.EDU ...

page 6 Additional records CS.ORST.EDU: type A, class inet, addr 128.193.32.1 Name: CS.ORST.EDU Type: Host address Class: inet Time to live: 1 day, 23 hours, 18 minutes, 56 seconds Data length: 4 Addr: 128.193.32.1 beasley.UCS.ORST.EDU: type A, class inet, addr 128.193.128.3 ECE.ORST.EDU: type A, class inet, addr 128.193.48.1 OCE.ORST.EDU: type A, class inet, addr 128.193.64.1 nnsc.NSF.NET: type A, class inet, addr 192.31.103.6 nnsc.NSF.NET: type A, class inet, addr 128.89.1.178 UCS.ORST.EDU: type A, class inet, addr 128.193.128.3 mist.CS.ORST.EDU: type A, class inet, addr 128.193.32.2

0000 00 00 0f 00 7e d9 00 00 93 e0 70 55 08 00 45 00 ....~.....pU..E. 0010 01 63 2e da 00 00 17 11 2f 94 80 b6 41 06 81 20 .c...... /...A.. 0020 01 40 00 35 11 1f 01 4f ef 3d 00 a5 81 80 00 01 [email protected].=...... 0030 00 01 00 07 00 08 02 63 73 04 6f 72 73 74 03 65 ...... cs.orst.e 0040 64 75 00 00 01 00 01 c0 0c 00 01 00 01 00 02 99 du...... 0050 60 00 04 80 c1 20 01 02 63 73 04 6f 72 73 74 03 `...... cs.orst. 0060 45 44 55 00 00 02 00 01 00 00 25 51 00 0a 02 43 EDU...... %Q...C 0070 53 04 4f 52 53 54 c0 35 c0 2d 00 02 00 01 00 00 S.ORST.5.-...... 0080 25 51 00 0e 07 62 65 61 73 6c 65 79 03 55 43 53 %Q...beasley.UCS 0090 c0 47 c0 2d 00 02 00 01 00 00 25 51 00 06 03 45 .G.-...... %Q...E 00a0 43 45 c0 47 c0 2d 00 02 00 01 00 00 25 51 00 06 CE.G.-...... %Q.. 00b0 03 4f 43 45 c0 47 c0 2d 00 02 00 01 00 00 25 51 .OCE.G.-...... %Q 00c0 00 0e 04 6e 6e 73 63 03 4e 53 46 03 4e 45 54 00 ...nnsc.NSF.NET. 00d0 c0 2d 00 02 00 01 00 00 25 51 00 02 c0 62 c0 2d .-...... %Q...b.- 00e0 00 02 00 01 00 00 25 51 00 07 04 6d 69 73 74 c0 ...... %Q...mist. 00f0 44 c0 44 00 01 00 01 00 02 99 60 00 04 80 c1 20 D.D...... `.... 0100 01 c0 5a 00 01 00 01 00 00 91 1e 00 04 80 c1 80 ..Z...... 0110 03 c0 74 00 01 00 01 00 02 99 60 00 04 80 c1 30 ..t...... `....0 0120 01 c0 86 00 01 00 01 00 02 99 60 00 04 80 c1 40 ...... `....@ 0130 01 c0 98 00 01 00 01 00 02 a0 ec 00 04 c0 1f 67 ...... g 0140 06 c0 98 00 01 00 01 00 02 a0 ec 00 04 80 59 01 ...... Y. 0150 b2 c0 62 00 01 00 01 00 02 99 60 00 04 80 c1 80 ..b...... `..... 0160 03 c0 c0 00 01 00 01 00 00 83 59 00 04 80 c1 20 ...... Y.... 0170 02 .

Shirley now initiates a TCP session with cs.orst.edu. The IP protocol only provides connectionless datagram service which means that packets may be lost, duplicated, or arrive out of order. (Think of a sequence of post cards using an unreliable PostOffice.) Building on IP, TCP provides "virtual circuit" service which guarantees delivery of a stream of bytes in the correct order without loss or duplication.(Think of a sequence of registered letters.) A TCP session begins with a "three-way handshake". In packet 7, Shirley sends the sequence number it will use for counting bytes (SYN and a2a4c201). In packet 8, cs.orst.edu "ACKs" the packet and sends its own sequence number (ACK, SYN, and 02916e00). In packet 9, Shirley ACKs packet 8 (ACK).

page 7 7. Shirley to CS - I am counting my bytes beginning at a2a4c201 (so my first data byte will be byte a2a4c202).

Frame 7 (60 bytes on wire, 60 bytes captured) Time since reference or first frame: 3.079918000 seconds Ethernet II, Src: 00:00:0f:00:7e:d9, Dst: 00:00:93:e0:70:55 Type: IP (0x0800) Internet Protocol, Src Addr: 129.32.1.64, Dst Addr: 128.193.32.1 Version: 4 Header length: 20 bytes Total Length: 40 Identification: 0x113d (4413) Flags: 0x00 Fragment offset: 0 Time to live: 30 Protocol: TCP (0x06) Header checksum: 0x6871 (correct) Transmission Control Protocol, Src Port: 2590 (2590), Dst Port: 21 (21) Sequence number: 0 (relative sequence number. actual is a2 a4 c2 01) Acknowledgement number: null (relative ack number)

Header length: 20 bytes Flags: 0x0002 (SYN) Window size: 4096 Checksum: 0x0de7 (correct)

0000 00 00 93 e0 70 55 00 00 0f 00 7e d9 08 00 45 00 ....pU....~...E. 0010 00 28 11 3d 00 00 1e 06 68 71 81 20 01 40 80 c1 .(.=....hq. .@.. 0020 20 01 0a 1e 00 15 a2 a4 c2 01 00 00 00 00 50 02 ...... P. 0030 10 00 0d e7 00 00 02 63 73 04 6f 72 ...... cs.or

0020 20 01 0a 1e 00 15 a2 a4 c2 01 00 00 00 00 50 02 ...... P. 0030 10 00 0d e7 00 00 02 63 73 04 6f 72 ...... cs.or

8. CS to Shirley - OK, and my first byte will be byte number 02916e01

Frame 8 (60 bytes on wire, 60 bytes captured) Time since reference or first frame: 3.595819000 seconds Ethernet II, Src: 00:00:93:e0:70:55, Dst: 00:00:0f:00:7e:d9 Type: IP (0x0800) Internet Protocol, Src Addr: 128.193.32.1, Dst Addr: 129.32.1.64 Version: 4 Header length: 20 bytes Total Length: 40 Identification: 0x8adc (35548) Flags: 0x00 Fragment offset: 0 Time to live: 13 Protocol: TCP (0x06) Header checksum: 0xffd1 (correct) Transmission Control Protocol, Src Port: 21 (21), Dst Port: 2590 (2590), Source port: 21 (21) Destination port: 2590 (2590) Sequence number: 0 (relative sequence number, actual is 02 91 6e 00) Acknowledgement number: 1 (relative ack number, actual is a2 a4 c2 02) Header length: 20 bytes Flags: 0x0012 (SYN, ACK) Window size: 0 Checksum: 0xad44 (correct) SEQ/ACK analysis This is an ACK to the segment in frame: 7 The RTT to ACK the segment was: 0.515901000 seconds TCP Analysis Flags This is a ZeroWindow segment

0000 00 00 0f 00 7e d9 00 00 93 e0 70 55 08 00 45 00 ....~.....pU..E. 0010 00 28 8a dc 00 00 0d 06 ff d1 80 c1 20 01 81 20 .(...... 0020 01 40 00 15 0a 1e 02 91 6e 00 a2 a4 c2 02 50 12 .@...... n.....P. 0030 00 00 ad 44 00 00 40 60 00 00 00 00 ...D..@`....

page 8 9. Shirley to CS - OK (I received your starting sequence number).

Frame 9 (60 bytes on wire, 60 bytes captured) Time since reference or first frame: 4.111725000 seconds Ethernet II, Src: 00:00:0f:00:7e:d9, Dst: 00:00:93:e0:70:55 Type: IP (0x0800) Internet Protocol, Src Addr: 129.32.1.64, Dst Addr: 128.193.32.1 Version: 4 Header length: 20 bytes Total Length: 40 Identification: 0x113e (4414) Flags: 0x00 Fragment offset: 0 Time to live: 30 Protocol: TCP (0x06) Header checksum: 0x6870 (correct) Transmission Control Protocol, Src Port: 2590 (2590), Dst Port: 21 (21) Source port: 2590 (2590) Destination port: 21 (21) Sequence number: 1 (relative sequence number, actual is a2 a4 c2 02) Acknowledgement number: 1 (relative ack number, actual is 02 91 6e 01) Header length: 20 bytes Flags: 0x0010 (ACK) Window size: 4096 Checksum: 0x9d45 (correct) SEQ/ACK analysis This is an ACK to the segment in frame: 8 The RTT to ACK the segment was: 0.515906000 seconds

0000 00 00 93 e0 70 55 00 00 0f 00 7e d9 08 00 45 00 ....pU....~...E. 0010 00 28 11 3e 00 00 1e 06 68 70 81 20 01 40 80 c1 .(.>....hp. .@.. 0020 20 01 0a 1e 00 15 a2 a4 c2 02 02 91 6e 01 50 10 ...... n.P. 0030 10 00 9d 45 00 00 40 60 00 00 00 00 ...E..@`....

10. CS to Shirley - OK, you can now send me up to 4096 bytes of data.

Frame 10 (60 bytes on wire, 60 bytes captured) Time since reference or first frame: 4.629187000 seconds Ethernet II, Src: 00:00:93:e0:70:55, Dst: 00:00:0f:00:7e:d9 Type: IP (0x0800) Internet Protocol, Src Addr: 128.193.32.1, Dst Addr: 129.32.1.64 Version: 4 Header length: 20 bytes Total Length: 40 Identification: 0x8ae1 (35553) Flags: 0x00 Fragment offset: 0 Time to live: 13 Protocol: TCP (0x06) Header checksum: 0xffcc (correct) Transmission Control Protocol, Src Port: 21 (21), Dst Port: 2590 (2590) Source port: 21 (21) Destination port: 2590 (2590) Sequence number: 1 (relative sequence number) Acknowledgement number: 1 (relative ack number) Header length: 20 bytes Flags: 0x0010 (ACK) Window size: 4096 Checksum: 0x9d45 (correct) SEQ/ACK analysis TCP Analysis Flags This is a tcp window update

0000 00 00 0f 00 7e d9 00 00 93 e0 70 55 08 00 45 00 ....~.....pU..E. 0010 00 28 8a e1 00 00 0d 06 ff cc 80 c1 20 01 81 20 .(...... 0020 01 40 00 15 0a 1e 02 91 6e 01 a2 a4 c2 02 50 10 .@...... n.....P. 0030 10 00 9d 45 00 00 40 60 00 00 00 00 ...E..@`....

Shirley has initiated its TCP session with port 21 on cs.orst.edu. By convention, the FTP server software listens for incoming connections on port 21. The FTP server initiates the FTP session by sending a "220" welcome message.

page 9 11. CS to Shirley - "220 lynx FTP server ..."

Frame 11 (138 bytes on wire, 138 bytes captured) Time since reference or first frame: 5.147770000 seconds Ethernet II, Src: 00:00:93:e0:70:55, Dst: 00:00:0f:00:7e:d9 Type: IP (0x0800) Internet Protocol, Src Addr: 128.193.32.1, Dst Addr: 129.32.1.64 Version: 4 Header length: 20 bytes Total Length: 124 Identification: 0x8ae8 (35560) Flags: 0x00 Fragment offset: 0 Time to live: 13 Protocol: TCP (0x06) Header checksum: 0xff71 (correct) Transmission Control Protocol, Src Port: 21 (21), Dst Port: 2590 (2590) Sequence number: 1 (relative sequence number, actual is 02 91 6e 01) Next sequence number: 85 (relative sequence number, actual 02 91 6e 55) Acknowledgement number: 1 (relative ack number) Header length: 20 bytes Flags: 0x0018 (PSH, ACK) Window size: 4096 Checksum: 0x0277 (correct) File Transfer Protocol (FTP) 220 lynx FTP server (Version $Revision: 15.15 $ $Date: 89/08/31 10:33:40 $) ready.\r\n Response code: Service ready for new user (220)

0000 00 00 0f 00 7e d9 00 00 93 e0 70 55 08 00 45 00 ....~.....pU..E. 0010 00 7c 8a e8 00 00 0d 06 ff 71 80 c1 20 01 81 20 .|...... q.. .. 0020 01 40 00 15 0a 1e 02 91 6e 01 a2 a4 c2 02 50 18 .@...... n.....P. 0030 10 00 02 77 00 00 32 32 30 20 6c 79 6e 78 20 46 ...w..220 lynx F 0040 54 50 20 73 65 72 76 65 72 20 28 56 65 72 73 69 TP server (Versi 0050 6f 6e 20 24 52 65 76 69 73 69 6f 6e 3a 20 31 35 on $Revision: 15 0060 2e 31 35 20 24 20 24 44 61 74 65 3a 20 38 39 2f .15 $ $Date: 89/ 0070 30 38 2f 33 31 20 31 30 3a 33 33 3a 34 30 20 24 08/31 10:33:40 $ 0080 29 20 72 65 61 64 79 2e 0d 0a ) ready...

12. Shirley to CS - OK (I received 84 data bytes)

Frame 12 (60 bytes on wire, 60 bytes captured) Time since reference or first frame: 5.667254000 seconds Ethernet II, Src: 00:00:0f:00:7e:d9, Dst: 00:00:93:e0:70:55 Type: IP (0x0800) Internet Protocol, Src Addr: 129.32.1.64, Dst Addr: 128.193.32.1 Version: 4 Header length: 20 bytes Total Length: 40 Identification: 0x1141 (4417) Flags: 0x00 Fragment offset: 0 Time to live: 30 Protocol: TCP (0x06) Header checksum: 0x686d (correct) Transmission Control Protocol, Src Port: 2590 (2590), Dst Port: 21 (21) Sequence number: 1 (relative sequence number) Acknowledgement number: 85 (relative ack number, actual is 02 91 6e 55) Header length: 20 bytes Flags: 0x0010 (ACK) Window size: 4096 Checksum: 0x9cf1 (correct) SEQ/ACK analysis This is an ACK to the segment in frame: 11 The RTT to ACK the segment was: 0.519484000 seconds

0000 00 00 93 e0 70 55 00 00 0f 00 7e d9 08 00 45 00 ....pU....~...E. 0010 00 28 11 41 00 00 1e 06 68 6d 81 20 01 40 80 c1 .(.A....hm. .@.. 0020 20 01 0a 1e 00 15 a2 a4 c2 02 02 91 6e 55 50 10 ...... nUP. 0030 10 00 9c f1 00 00 32 32 30 20 6c 79 ...... 220 ly

page 10 13. Shirley to CS - "USER anonymous"

Frame 13 (70 bytes on wire, 70 bytes captured) Time since reference or first frame: 6.219490000 seconds Ethernet II, Src: 00:00:0f:00:7e:d9, Dst: 00:00:93:e0:70:55 Type: IP (0x0800) Internet Protocol, Src Addr: 129.32.1.64, Dst Addr: 128.193.32.1 Version: 4 Header length: 20 bytes Total Length: 56 Identification: 0x1143 (4419) Flags: 0x00 Fragment offset: 0 Time to live: 30 Protocol: TCP (0x06) Header checksum: 0x685b (correct) Transmission Control Protocol, Src Port: 2590 (2590), Dst Port: 21 (21), Len: 16 Sequence number: 1 (relative sequence number) Next sequence number: 17 (relative sequence number) Acknowledgement number: 85 (relative ack number) Header length: 20 bytes Flags: 0x0018 (PSH, ACK) Window size: 4096 Checksum: 0x14fd (correct) File Transfer Protocol (FTP) USER anonymous\r\n Request command: USER Request arg: anonymous

0000 00 00 93 e0 70 55 00 00 0f 00 7e d9 08 00 45 00 ....pU....~...E. 0010 00 38 11 43 00 00 1e 06 68 5b 81 20 01 40 80 c1 .8.C....h[. .@.. 0020 20 01 0a 1e 00 15 a2 a4 c2 02 02 91 6e 55 50 18 ...... nUP. 0030 10 00 14 fd 00 00 55 53 45 52 20 61 6e 6f 6e 79 ...... USER anony 0040 6d 6f 75 73 0d 0a mous..

14. CS to Shirley - "331 Guest login ok, ..."

Frame 14 (99 bytes on wire, 99 bytes captured) Time since reference or first frame: 6.773634000 seconds Ethernet II, Src: 00:00:93:e0:70:55, Dst: 00:00:0f:00:7e:d9 Type: IP (0x0800) Internet Protocol, Src Addr: 128.193.32.1, Dst Addr: 129.32.1.64 Version: 4 Header length: 20 bytes Total Length: 85 Identification: 0x8b46 (35654) Flags: 0x00 Fragment offset: 0 Time to live: 13 Protocol: TCP (0x06) Header checksum: 0xff3a (correct) Transmission Control Protocol, Src Port: 21 (21), Dst Port: 2590 (2590), Len: 45 Sequence number: 85 (relative sequence number) Next sequence number: 130 (relative sequence number) Acknowledgement number: 17 (relative ack number) Header length: 20 bytes Flags: 0x0018 (PSH, ACK) Window size: 4096 Checksum: 0xcb86 (correct) SEQ/ACK analysis This is an ACK to the segment in frame: 13 The RTT to ACK the segment was: 0.554144000 seconds File Transfer Protocol (FTP) 331 Guest login ok, send ident as password.\r\n Response code: User name okay, need password (331)

0000 00 00 0f 00 7e d9 00 00 93 e0 70 55 08 00 45 00 ....~.....pU..E. 0010 00 55 8b 46 00 00 0d 06 ff 3a 80 c1 20 01 81 20 .U.F.....:.. .. 0020 01 40 00 15 0a 1e 02 91 6e 55 a2 a4 c2 12 50 18 .@...... nU....P. 0030 10 00 cb 86 00 00 33 33 31 20 47 75 65 73 74 20 ...... 331 Guest 0040 6c 6f 67 69 6e 20 6f 6b 2c 20 73 65 6e 64 20 69 login ok, send i 0050 64 65 6e 74 20 61 73 20 70 61 73 73 77 6f 72 64 dent as password 0060 2e 0d 0a ...

page 11 15. Shirley to CS - OK

Frame 15 (60 bytes on wire, 60 bytes captured) Time since reference or first frame: 7.328435000 seconds Ethernet II, Src: 00:00:0f:00:7e:d9, Dst: 00:00:93:e0:70:55 Type: IP (0x0800) Internet Protocol, Src Addr: 129.32.1.64, Dst Addr: 128.193.32.1 Version: 4 Header length: 20 bytes Total Length: 40 Identification: 0x1144 (4420) Flags: 0x00 Fragment offset: 0 Time to live: 30 Protocol: TCP (0x06) Header checksum: 0x686a (correct) Transmission Control Protocol, Src Port: 2590 (2590), Dst Port: 21 (21) Sequence number: 17 (relative sequence number) Acknowledgement number: 130 (relative ack number) Header length: 20 bytes Flags: 0x0010 (ACK) Window size: 4096 Checksum: 0x9cb4 (correct) SEQ/ACK analysis This is an ACK to the segment in frame: 14 The RTT to ACK the segment was: 0.554801000 seconds

0000 00 00 93 e0 70 55 00 00 0f 00 7e d9 08 00 45 00 ....pU....~...E. 0010 00 28 11 44 00 00 1e 06 68 6a 81 20 01 40 80 c1 .(.D....hj. .@.. 0020 20 01 0a 1e 00 15 a2 a4 c2 12 02 91 6e 82 50 10 ...... n.P. 0030 10 00 9c b4 00 00 33 33 31 20 47 75 ...... 331 Gu

16. Shirley to CS - "PASS [email protected]"

Frame 16 (88 bytes on wire, 88 bytes captured) Time since reference or first frame: 7.935616000 seconds Ethernet II, Src: 00:00:0f:00:7e:d9, Dst: 00:00:93:e0:70:55 Type: IP (0x0800) Internet Protocol, Src Addr: 129.32.1.64, Dst Addr: 128.193.32.1 Version: 4 Header length: 20 bytes Total Length: 74 Identification: 0x1147 (4423) Flags: 0x00 Fragment offset: 0 Time to live: 30 Protocol: TCP (0x06) Header checksum: 0x6845 (correct) Transmission Control Protocol, Src Port: 2590 (2590), Dst Port: 21 (21), Len: 34 Sequence number: 17 (relative sequence number) Next sequence number: 51 (relative sequence number) Acknowledgement number: 130 (relative ack number) Header length: 20 bytes Flags: 0x0018 (PSH, ACK) Window size: 4096 Checksum: 0x7979 (correct) File Transfer Protocol (FTP) PASS [email protected]\r\n Request command: PASS Request arg: [email protected]

0000 00 00 93 e0 70 55 00 00 0f 00 7e d9 08 00 45 00 ....pU....~...E. 0010 00 4a 11 47 00 00 1e 06 68 45 81 20 01 40 80 c1 .J.G....hE. .@.. 0020 20 01 0a 1e 00 15 a2 a4 c2 12 02 91 6e 82 50 18 ...... n.P. 0030 10 00 79 79 00 00 50 41 53 53 20 73 74 61 66 66 ..yy..PASS staff 0040 6f 72 64 40 73 68 69 72 6c 65 79 2e 74 65 6d 70 [email protected] 0050 6c 65 2e 65 64 75 0d 0a le.edu..

page 12 17. CS to Shirley - OK

Frame 17 (60 bytes on wire, 60 bytes captured) Time since reference or first frame: 8.544460000 seconds Ethernet II, Src: 00:00:93:e0:70:55, Dst: 00:00:0f:00:7e:d9 Type: IP (0x0800) Internet Protocol, Src Addr: 128.193.32.1, Dst Addr: 129.32.1.64 Version: 4 Header length: 20 bytes Total Length: 40 Identification: 0x8b72 (35698) Flags: 0x00 Fragment offset: 0 Time to live: 13 Protocol: TCP (0x06) Header checksum: 0xff3b (correct) Transmission Control Protocol, Src Port: 21 (21), Dst Port: 2590 (2590) Sequence number: 130 (relative sequence number) Acknowledgement number: 51 (relative ack number) Header length: 20 bytes Flags: 0x0010 (ACK) Window size: 4096 Checksum: 0x9c92 (correct) SEQ/ACK analysis This is an ACK to the segment in frame: 16 The RTT to ACK the segment was: 0.608844000 seconds

0000 00 00 0f 00 7e d9 00 00 93 e0 70 55 08 00 45 00 ....~.....pU..E. 0010 00 28 8b 72 00 00 0d 06 ff 3b 80 c1 20 01 81 20 .(.r.....;.. .. 0020 01 40 00 15 0a 1e 02 91 6e 82 a2 a4 c2 34 50 10 .@...... n....4P. 0030 10 00 9c 92 00 00 40 60 1c 1d 1e 1f ...... @`....

18. CS to Shirley - "230 Guest login ok, ..."

Frame 18 (102 bytes on wire, 102 bytes captured) Time since reference or first frame: 9.153324000 seconds Ethernet II, Src: 00:00:93:e0:70:55, Dst: 00:00:0f:00:7e:d9 Type: IP (0x0800) Internet Protocol, Src Addr: 128.193.32.1, Dst Addr: 129.32.1.64 Version: 4 Header length: 20 bytes Total Length: 88 Identification: 0x8b73 (35699) Flags: 0x00 Fragment offset: 0 Time to live: 13 Protocol: TCP (0x06) Header checksum: 0xff0a (correct) Transmission Control Protocol, Src Port: 21 (21), Dst Port: 2590 (2590), Len: 48 Sequence number: 130 (relative sequence number) Next sequence number: 178 (relative sequence number) Acknowledgement number: 51 (relative ack number) Header length: 20 bytes Flags: 0x0018 (PSH, ACK) Window size: 4096 Checksum: 0xf073 (correct) File Transfer Protocol (FTP) 230 Guest login ok, access restrictions apply.\r\n Response code: User logged in, proceed (230) Response arg: Guest login ok, access restrictions apply.

0000 00 00 0f 00 7e d9 00 00 93 e0 70 55 08 00 45 00 ....~.....pU..E. 0010 00 58 8b 73 00 00 0d 06 ff 0a 80 c1 20 01 81 20 .X.s...... 0020 01 40 00 15 0a 1e 02 91 6e 82 a2 a4 c2 34 50 18 .@...... n....4P. 0030 10 00 f0 73 00 00 32 33 30 20 47 75 65 73 74 20 ...s..230 Guest 0040 6c 6f 67 69 6e 20 6f 6b 2c 20 61 63 63 65 73 73 login ok, access 0050 20 72 65 73 74 72 69 63 74 69 6f 6e 73 20 61 70 restrictions ap 0060 70 6c 79 2e 0d 0a ply...

page 13 19. Shirley to CS - OK

Frame 19 (60 bytes on wire, 60 bytes captured) Time since reference or first frame: 9.763293000 seconds Ethernet II, Src: 00:00:0f:00:7e:d9, Dst: 00:00:93:e0:70:55 Type: IP (0x0800) Internet Protocol, Src Addr: 129.32.1.64, Dst Addr: 128.193.32.1 Version: 4 Header length: 20 bytes Total Length: 40 Identification: 0x1148 (4424) Flags: 0x00 Fragment offset: 0 Time to live: 30 Protocol: TCP (0x06) Header checksum: 0x6866 (correct) Transmission Control Protocol, Src Port: 2590 (2590), Dst Port: 21 (21) Sequence number: 51 (relative sequence number) Acknowledgement number: 178 (relative ack number) Header length: 20 bytes Flags: 0x0010 (ACK) Window size: 4096 Checksum: 0x9c62 (correct) SEQ/ACK analysis ACK to frame: 18. The RTT to ACK the segment was: 0.609969000 seconds

0000 00 00 93 e0 70 55 00 00 0f 00 7e d9 08 00 45 00 ....pU....~...E. 0010 00 28 11 48 00 00 1e 06 68 66 81 20 01 40 80 c1 .(.H....hf. .@.. 0020 20 01 0a 1e 00 15 a2 a4 c2 34 02 91 6e b2 50 10 ...... 4..n.P. 0030 10 00 9c 62 00 00 32 33 30 20 47 75 ...b..230 Gu

The conversation being monitored is between port 2590 on 129.32.1.64 (Shirley)and port 21 (the ftp server) on 128.193.32.1 (cs.orst.edu). At any point in time, these four numbers uniquely identify a TCP conversation (like a pair of telephone numbers). This conversation is called the "command channel". The FTP protocol specifies that a second conversation should be used to transmit data (the data channel). In this case, the data channel is between port 2591 on 129.32.1.64 (Shirley) and port 20 (the ftp data port) on 128.193.32.1 (cs.orst.edu).

20. Shirley to CS - Use port 10*256+31=2591 when you send data

Frame 20 (78 bytes on wire, 78 bytes captured) Time since reference or first frame: 10.385885000 seconds Ethernet II, Src: 00:00:0f:00:7e:d9, Dst: 00:00:93:e0:70:55 Type: IP (0x0800) Internet Protocol, Src Addr: 129.32.1.64, Dst Addr: 128.193.32.1 Version: 4 Header length: 20 bytes Total Length: 64 Identification: 0x114b (4427) Flags: 0x00 Fragment offset: 0 Time to live: 30 Protocol: TCP (0x06) Header checksum: 0x684b (correct) Transmission Control Protocol, Src Port: 2590 (2590), Dst Port: 21 (21) Len: 24 Sequence number: 51 (relative sequence number) Next sequence number: 75 (relative sequence number) Acknowledgement number: 178 (relative ack number) Header length: 20 bytes Flags: 0x0018 (PSH, ACK) Window size: 4096 Checksum: 0x44dc (correct) File Transfer Protocol (FTP) PORT 129,32,1,64,10,31\r\n Request command: PORT Request arg: 129,32,1,64,10,31 Active IP address: 129.32.1.64 Active port: 2591

0000 00 00 93 e0 70 55 00 00 0f 00 7e d9 08 00 45 00 ....pU....~...E. 0010 00 40 11 4b 00 00 1e 06 68 4b 81 20 01 40 80 c1 [email protected]. .@.. 0020 20 01 0a 1e 00 15 a2 a4 c2 34 02 91 6e b2 50 18 ...... 4..n.P. 0030 10 00 44 dc 00 00 50 4f 52 54 20 31 32 39 2c 33 ..D...PORT 129,3 0040 32 2c 31 2c 36 34 2c 31 30 2c 33 31 0d 0a 2,1,64,10,31..

page 14 21. Shirley to CS - REPEAT, use port 10*256+31=2591 when you send data

Frame 21 (78 bytes on wire, 78 bytes captured) Time since reference or first frame: 11.015871000 seconds Ethernet II, Src: 00:00:0f:00:7e:d9, Dst: 00:00:93:e0:70:55 Type: IP (0x0800) Internet Protocol, Src Addr: 129.32.1.64, Dst Addr: 128.193.32.1 Version: 4 Header length: 20 bytes Total Length: 64 Identification: 0x114c (4428) Flags: 0x00 Fragment offset: 0 Time to live: 30 Protocol: TCP (0x06) Header checksum: 0x684a (correct) Transmission Control Protocol, Src Port: 2590 (2590), Dst Port: 21 (21), Len: 24 Sequence number: 51 (relative sequence number) Next sequence number: 75 (relative sequence number) Acknowledgement number: 178 (relative ack number) Header length: 20 bytes Flags: 0x0018 (PSH, ACK) Window size: 4096 Checksum: 0x44dc (correct) SEQ/ACK analysis....This frame is a (suspected) retransmission File Transfer Protocol (FTP) PORT 129,32,1,64,10,31\r\n Request command: PORT Request arg: 129,32,1,64,10,31 Active IP address: 129.32.1.64 Active port: 2591

0000 00 00 93 e0 70 55 00 00 0f 00 7e d9 08 00 45 00 ....pU....~...E. 0010 00 40 11 4c 00 00 1e 06 68 4a 81 20 01 40 80 c1 [email protected]. .@.. 0020 20 01 0a 1e 00 15 a2 a4 c2 34 02 91 6e b2 50 18 ...... 4..n.P. 0030 10 00 44 dc 00 00 50 4f 52 54 20 31 32 39 2c 33 ..D...PORT 129,3 0040 32 2c 31 2c 36 34 2c 31 30 2c 33 31 0d 0a 2,1,64,10,31..

22. CS to Shirley - "200 PORT command okay."

Frame 22 (78 bytes on wire, 78 bytes captured) Time since reference or first frame: 11.648187000 seconds Ethernet II, Src: 00:00:93:e0:70:55, Dst: 00:00:0f:00:7e:d9 Type: IP (0x0800) Internet Protocol, Src Addr: 128.193.32.1, Dst Addr: 129.32.1.64 Version: 4 Header length: 20 bytes Total Length: 64 Identification: 0x8b95 (35733) Flags: 0x00 Fragment offset: 0 Time to live: 13 Protocol: TCP (0x06) Header checksum: 0xff00 (correct) Transmission Control Protocol, Src Port: 21 (21), Dst Port: 2590 (2590), Len: 24 Sequence number: 178 (relative sequence number) Next sequence number: 202 (relative sequence number) Acknowledgement number: 75 (relative ack number) Header length: 20 bytes Flags: 0x0018 (PSH, ACK) Window size: 4096 Checksum: 0x1997 (correct) SEQ/ACK analysis This is an ACK to the segment in frame: 20 The RTT to ACK the segment was: 1.262302000 seconds File Transfer Protocol (FTP) 200 PORT command okay.\r\n Response code: Command okay (200) Response arg: PORT command okay.

0000 00 00 0f 00 7e d9 00 00 93 e0 70 55 08 00 45 00 ....~.....pU..E. 0010 00 40 8b 95 00 00 0d 06 ff 00 80 c1 20 01 81 20 .@...... 0020 01 40 00 15 0a 1e 02 91 6e b2 a2 a4 c2 4c 50 18 .@...... n....LP. 0030 10 00 19 97 00 00 32 30 30 20 50 4f 52 54 20 63 ...... 200 PORT c 0040 6f 6d 6d 61 6e 64 20 6f 6b 61 79 2e 0d 0a ommand okay... page 15 23. Shirley to CS - "LIST"

Frame 23 (60 bytes on wire, 60 bytes captured) Time since reference or first frame: 12.280517000 seconds Ethernet II, Src: 00:00:0f:00:7e:d9, Dst: 00:00:93:e0:70:55 Type: IP (0x0800) Internet Protocol, Src Addr: 129.32.1.64, Dst Addr: 128.193.32.1 Version: 4 Header length: 20 bytes Total Length: 46 Identification: 0x114d (4429) Flags: 0x00 Fragment offset: 0 Time to live: 30 Protocol: TCP (0x06) Header checksum: 0x685b (correct) Transmission Control Protocol, Src Port: 2590 (2590), Dst Port: 21 (21), Len: 6 Sequence number: 75 (relative sequence number) Next sequence number: 81 (relative sequence number) Acknowledgement number: 202 (relative ack number) Header length: 20 bytes Flags: 0x0018 (PSH, ACK) Window size: 4096 Checksum: 0xef7c (correct) SEQ/ACK analysis This is an ACK to the segment in frame: 22 The RTT to ACK the segment was: 0.632330000 seconds File Transfer Protocol (FTP) LIST\r\n Request command: LIST

0000 00 00 93 e0 70 55 00 00 0f 00 7e d9 08 00 45 00 ....pU....~...E. 0010 00 2e 11 4d 00 00 1e 06 68 5b 81 20 01 40 80 c1 ...M....h[. .@.. 0020 20 01 0a 1e 00 15 a2 a4 c2 4c 02 91 6e ca 50 18 ...... L..n.P. 0030 10 00 ef 7c 00 00 4c 49 53 54 0d 0a ...|..LIST..

24. CS to Shirley - "150 Opening data connection to your port 2591"

Frame 24 (128 bytes on wire, 128 bytes captured) Time since reference or first frame: 12.915281000 seconds Ethernet II, Src: 00:00:93:e0:70:55, Dst: 00:00:0f:00:7e:d9 Type: IP (0x0800) Internet Protocol, Src Addr: 128.193.32.1, Dst Addr: 129.32.1.64 Version: 4 Header length: 20 bytes Total Length: 114 Identification: 0x8b9d (35741) Flags: 0x00 Fragment offset: 0 Time to live: 13 Protocol: TCP (0x06) Header checksum: 0xfec6 (correct) Transmission Control Protocol, Src Port: 21 (21), Dst Port: 2590 (2590), Len: 74 Sequence number: 202 (relative sequence number) Next sequence number: 276 (relative sequence number) Acknowledgement number: 81 (relative ack number) Header length: 20 bytes Flags: 0x0018 (PSH, ACK) Window size: 4096 Checksum: 0x2139 (correct) SEQ/ACK analysis This is an ACK to the segment in frame: 23 The RTT to ACK the segment was: 0.634764000 seconds File Transfer Protocol (FTP) 150 Opening data connection for /bin/ls -l (129.32.1.64,2591) (0 bytes).\r\n Response code: File status okay; about to open data connection (150)

0000 00 00 0f 00 7e d9 00 00 93 e0 70 55 08 00 45 00 ....~.....pU..E. 0010 00 72 8b 9d 00 00 0d 06 fe c6 80 c1 20 01 81 20 .r...... 0020 01 40 00 15 0a 1e 02 91 6e ca a2 a4 c2 52 50 18 .@...... n....RP. 0030 10 00 21 39 00 00 31 35 30 20 4f 70 65 6e 69 6e ..!9..150 Openin 0040 67 20 64 61 74 61 20 63 6f 6e 6e 65 63 74 69 6f g data connectio 0050 6e 20 66 6f 72 20 2f 62 69 6e 2f 6c 73 20 2d 6c n for /bin/ls -l 0060 20 28 31 32 39 2e 33 32 2e 31 2e 36 34 2c 32 35 (129.32.1.64,25 0070 39 31 29 20 28 30 20 62 79 74 65 73 29 2e 0d 0a 91) (0 bytes)... page 16 25. CS to Shirley (on data channel) - My sequence numbers begin at 02bc6600

Frame 25 (60 bytes on wire, 60 bytes captured) Time since reference or first frame: 13.550080000 seconds Ethernet II, Src: 00:00:93:e0:70:55, Dst: 00:00:0f:00:7e:d9 Type: IP (0x0800) Internet Protocol, Src Addr: 128.193.32.1, Dst Addr: 129.32.1.64 Version: 4 Header length: 20 bytes Total Length: 40 Identification: 0x8b9e (35742) Flags: 0x00 Fragment offset: 0 Time to live: 13 Protocol: TCP (0x06) Header checksum: 0xff0f (correct) Transmission Control Protocol, Src Port: 20 (20), Dst Port: 2591 (2591) Sequence number: 0 (relative sequence number, actual 02 bc 66 00) Acknowledgement number: null (relative ack number) Header length: 20 bytes Flags: 0x0002 (SYN) Window size: 4096 Checksum: 0x09d1 (correct)

0000 00 00 0f 00 7e d9 00 00 93 e0 70 55 08 00 45 00 ....~.....pU..E. 0010 00 28 8b 9e 00 00 0d 06 ff 0f 80 c1 20 01 81 20 .(...... 0020 01 40 00 14 0a 1f 02 bc 66 00 00 00 00 00 50 02 .@...... f.....P. 0030 10 00 09 d1 00 00 40 60 52 54 20 31 ...... @`RT 1

26. Shirley to CS on data channel - OK, and mine begin at a2cbd201

Frame 26 (60 bytes on wire, 60 bytes captured) Time since reference or first frame: 14.184886000 seconds Ethernet II, Src: 00:00:0f:00:7e:d9, Dst: 00:00:93:e0:70:55 Type: IP (0x0800) Internet Protocol, Src Addr: 129.32.1.64, Dst Addr: 128.193.32.1 Version: 4 Header length: 20 bytes Total Length: 40 Identification: 0x114e (4430) Flags: 0x00 Fragment offset: 0 Time to live: 30 Protocol: TCP (0x06) Header checksum: 0x6860 (correct) Transmission Control Protocol, Src Port: 2591 (2591), Dst Port: 20 (20) Sequence number: 0 (relative sequence number, actual 02 bc 66 01) Acknowledgement number: 1 (relative ack number, actual 02 bc 66 01) Header length: 20 bytes Flags: 0x0012 (SYN, ACK) Window size: 4096 Checksum: 0x94f2 (correct) SEQ/ACK analysis This is an ACK to the segment in frame: 25 The RTT to ACK the segment was: 0.634806000 seconds

0000 00 00 93 e0 70 55 00 00 0f 00 7e d9 08 00 45 00 ....pU....~...E. 0010 00 28 11 4e 00 00 1e 06 68 60 81 20 01 40 80 c1 .(.N....h`. .@.. 0020 20 01 0a 1f 00 14 a2 cb d2 01 02 bc 66 01 50 12 ...... f.P. 0030 10 00 94 f2 00 00 40 60 52 54 20 31 ...... @`RT 1

page 17 27. Shirley to CS on command channel - OK (the ACK of packet 24)

Frame 27 (60 bytes on wire, 60 bytes captured) Time since reference or first frame: 14.820757000 seconds Ethernet II, Src: 00:00:0f:00:7e:d9, Dst: 00:00:93:e0:70:55 Type: IP (0x0800) Internet Protocol, Src Addr: 129.32.1.64, Dst Addr: 128.193.32.1 Version: 4 Header length: 20 bytes Total Length: 40 Identification: 0x114f (4431) Flags: 0x00 Fragment offset: 0 Time to live: 30 Protocol: TCP (0x06) Header checksum: 0x685f (correct) Transmission Control Protocol, Src Port: 2590 (2590), Dst Port: 21 (21) Sequence number: 81 (relative sequence number) Acknowledgement number: 276 (relative ack number) Header length: 20 bytes Flags: 0x0010 (ACK) Window size: 4096 Checksum: 0x9be2 (correct) SEQ/ACK analysis This is an ACK to the segment in frame: 24 The RTT to ACK the segment was: 1.905476000 seconds

0000 00 00 93 e0 70 55 00 00 0f 00 7e d9 08 00 45 00 ....pU....~...E. 0010 00 28 11 4f 00 00 1e 06 68 5f 81 20 01 40 80 c1 .(.O....h_. .@.. 0020 20 01 0a 1e 00 15 a2 a4 c2 52 02 91 6f 14 50 10 ...... R..o.P. 0030 10 00 9b e2 00 00 40 60 52 54 20 31 ...... @`RT 1

28. CS to Shirley on data channel- OK

Frame 28 (60 bytes on wire, 60 bytes captured) Time since reference or first frame: 15.457881000 seconds Ethernet II, Src: 00:00:93:e0:70:55, Dst: 00:00:0f:00:7e:d9 Type: IP (0x0800) Internet Protocol, Src Addr: 128.193.32.1, Dst Addr: 129.32.1.64 Version: 4 Header length: 20 bytes Total Length: 40 Identification: 0x8ba4 (35748) Flags: 0x00 Fragment offset: 0 Time to live: 13 Protocol: TCP (0x06) Header checksum: 0xff09 (correct) Transmission Control Protocol, Src Port: 20 (20), Dst Port: 2591 (2591) Sequence number: 1 (relative sequence number) Acknowledgement number: 1 (relative ack number) Header length: 20 bytes Flags: 0x0010 (ACK) Window size: 4096 Checksum: 0x94f3 (correct) SEQ/ACK analysis This is an ACK to the segment in frame: 26 The RTT to ACK the segment was: 1.272995000 seconds

0000 00 00 0f 00 7e d9 00 00 93 e0 70 55 08 00 45 00 ....~.....pU..E. 0010 00 28 8b a4 00 00 0d 06 ff 09 80 c1 20 01 81 20 .(...... 0020 01 40 00 14 0a 1f 02 bc 66 01 a2 cb d2 02 50 10 .@...... f.....P. 0030 10 00 94 f3 00 00 40 60 0a 12 40 60 ...... @`..@`

page 18 29. CS to Shirley on data channel - TCP good-bye (1/3 of 3-way handshake) (this means that CS WILL SEND MO MORE DATA!)

Frame 29 (60 bytes on wire, 60 bytes captured) Time since reference or first frame: 16.095450000 seconds Ethernet II, Src: 00:00:93:e0:70:55, Dst: 00:00:0f:00:7e:d9 Type: IP (0x0800) Internet Protocol, Src Addr: 128.193.32.1, Dst Addr: 129.32.1.64 Version: 4 Header length: 20 bytes Total Length: 40 Identification: 0x8ba6 (35750) Flags: 0x00 Fragment offset: 0 Time to live: 13 Protocol: TCP (0x06) Header checksum: 0xff07 (correct) Transmission Control Protocol, Src Port: 20 (20), Dst Port: 2591 (2591) Sequence number: 187 (relative sequence number) Acknowledgement number: 1 (relative ack number) Header length: 20 bytes Flags: 0x0011 (FIN, ACK) Window size: 4096 Checksum: 0x9438 (correct) SEQ/ACK analysis TCP Analysis Flags - A segment before this frame was lost

0000 00 00 0f 00 7e d9 00 00 93 e0 70 55 08 00 45 00 ....~.....pU..E. 0010 00 28 8b a6 00 00 0d 06 ff 07 80 c1 20 01 81 20 .(...... 0020 01 40 00 14 0a 1f 02 bc 66 bb a2 cb d2 02 50 11 .@...... f.....P. 0030 10 00 94 38 00 00 40 60 52 54 20 31 ...8..@`RT 1

30. CS to Shirley on data channel - Here is the data you requested!

Frame 30 (240 bytes on wire, 240 bytes captured) Time since reference or first frame: 16.733268000 seconds Ethernet II, Src: 00:00:93:e0:70:55, Dst: 00:00:0f:00:7e:d9 Type: IP (0x0800) Internet Protocol, Src Addr: 128.193.32.1, Dst Addr: 129.32.1.64 Version: 4 Header length: 20 bytes Total Length: 226 Identification: 0x8ba5 (35749) Flags: 0x00 Fragment offset: 0 Time to live: 13 Protocol: TCP (0x06) Header checksum: 0xfe4e (correct) Transmission Control Protocol, Src Port: 20 (20), Dst Port: 2591 (2591), Len: 186 Sequence number: 1 (relative sequence number) Next sequence number: 187 (relative sequence number) Acknowledgement number: 1 (relative ack number) Header length: 20 bytes Flags: 0x0018 (PSH, ACK) Window size: 4096 Checksum: 0xfce4 (correct) SEQ/ACK analysis TCP Analysis Flags - This frame is a (suspected) retransmission FTP Data FTP Data: total 6\r\n dr-xr-xr-x 2 root root 1024 Oct 15 1990 bin\r\n dr-xr-xr-x 2 root root 1024 Jun 13 16:22 etc\r\n drwxr-xr-x 24 root sys 1024 Sep 10 19:55 pub\r\n

0000 00 00 0f 00 7e d9 00 00 93 e0 70 55 08 00 45 00 ....~.....pU..E. 0010 00 e2 8b a5 00 00 0d 06 fe 4e 80 c1 20 01 81 20 ...... N.. .. 0020 01 40 00 14 0a 1f 02 bc 66 01 a2 cb d2 02 50 18 .@...... f.....P. 0030 10 00 fc e4 00 00 74 6f 74 61 6c 20 36 0d 0a 64 ...... total 6..d 0040 72 2d 78 72 2d 78 72 2d 78 20 20 20 32 20 72 6f r-xr-xr-x 2 ro 0050 6f 74 20 20 20 20 20 72 6f 6f 74 20 20 20 20 20 ot root 0060 20 20 20 31 30 32 34 20 4f 63 74 20 31 35 20 20 1024 Oct 15 0070 31 39 39 30 20 62 69 6e 0d 0a 64 72 2d 78 72 2d 1990 bin..dr-xr- 0080 78 72 2d 78 20 20 20 32 20 72 6f 6f 74 20 20 20 xr-x 2 root page 19 0090 20 20 72 6f 6f 74 20 20 20 20 20 20 20 20 31 30 root 10 00a0 32 34 20 4a 75 6e 20 31 33 20 31 36 3a 32 32 20 24 Jun 13 16:22 00b0 65 74 63 0d 0a 64 72 77 78 72 2d 78 72 2d 78 20 etc..drwxr-xr-x 00c0 20 32 34 20 72 6f 6f 74 20 20 20 20 20 73 79 73 24 root sys 00d0 20 20 20 20 20 20 20 20 20 31 30 32 34 20 53 65 1024 Se 00e0 70 20 31 30 20 31 39 3a 35 35 20 70 75 62 0d 0a p 10 19:55 pub..

31. Shirley to CS on data channel - OK

Frame 31 (60 bytes on wire, 60 bytes captured) Time since reference or first frame: 17.371090000 seconds Ethernet II, Src: 00:00:0f:00:7e:d9, Dst: 00:00:93:e0:70:55 Type: IP (0x0800) Internet Protocol, Src Addr: 129.32.1.64, Dst Addr: 128.193.32.1 Version: 4 Header length: 20 bytes Total Length: 40 Identification: 0x1150 (4432) Flags: 0x00 Fragment offset: 0 Time to live: 30 Protocol: TCP (0x06) Header checksum: 0x685e (correct) Transmission Control Protocol, Src Port: 2591 (2591), Dst Port: 20 (20) Sequence number: 1 (relative sequence number) Acknowledgement number: 188 (relative ack number) Header length: 20 bytes Flags: 0x0010 (ACK) Window size: 3910 Checksum: 0x94f2 (correct) SEQ/ACK analysis This is an ACK to the segment in frame: 29 The RTT to ACK the segment was: 1.275640000 seconds

0000 00 00 93 e0 70 55 00 00 0f 00 7e d9 08 00 45 00 ....pU....~...E. 0010 00 28 11 50 00 00 1e 06 68 5e 81 20 01 40 80 c1 .(.P....h^. .@.. 0020 20 01 0a 1f 00 14 a2 cb d2 02 02 bc 66 bc 50 10 ...... f.P. 0030 0f 46 94 f2 00 00 02 63 73 04 6f 72 .F.....cs.or

32. Shirley to CS on data channel - TCP good-bye (2/3 of 3-way handshake)

Frame 32 (60 bytes on wire, 60 bytes captured) Time since reference or first frame: 18.008928000 seconds Ethernet II, Src: 00:00:0f:00:7e:d9, Dst: 00:00:93:e0:70:55 Type: IP (0x0800) Internet Protocol, Src Addr: 129.32.1.64, Dst Addr: 128.193.32.1 Version: 4 Header length: 20 bytes Total Length: 40 Identification: 0x1151 (4433) Flags: 0x00 Fragment offset: 0 Time to live: 30 Protocol: TCP (0x06) Header checksum: 0x685d (correct) Transmission Control Protocol, Src Port: 2591 (2591), Dst Port: 20 (20) Sequence number: 1 (relative sequence number) Acknowledgement number: 188 (relative ack number) Header length: 20 bytes Flags: 0x0011 (FIN, ACK) Window size: 4096 Checksum: 0x9437 (correct)

0000 00 00 93 e0 70 55 00 00 0f 00 7e d9 08 00 45 00 ....pU....~...E. 0010 00 28 11 51 00 00 1e 06 68 5d 81 20 01 40 80 c1 .(.Q....h]. .@.. 0020 20 01 0a 1f 00 14 a2 cb d2 02 02 bc 66 bc 50 11 ...... f.P. 0030 10 00 94 37 00 00 74 6f 74 61 6c 20 ...7..total

page 20 33. CS to Shirley on the command channel - "226 Transfer complete."

Frame 33 (78 bytes on wire, 78 bytes captured) Time since reference or first frame: 18.646816000 seconds Ethernet II, Src: 00:00:93:e0:70:55, Dst: 00:00:0f:00:7e:d9 Type: IP (0x0800) Internet Protocol, Src Addr: 128.193.32.1, Dst Addr: 129.32.1.64 Version: 4 Header length: 20 bytes Total Length: 64 Identification: 0x8ba7 (35751) Flags: 0x00 Fragment offset: 0 Time to live: 13 Protocol: TCP (0x06) Header checksum: 0xfeee (correct) Transmission Control Protocol, Src Port: 21 (21), Dst Port: 2590 (2590), Len: 24 Sequence number: 276 (relative sequence number) Next sequence number: 300 (relative sequence number) Acknowledgement number: 81 (relative ack number) Header length: 20 bytes Flags: 0x0018 (PSH, ACK) Window size: 4096 Checksum: 0xcccc (correct) File Transfer Protocol (FTP) 226 Transfer complete.\r\n Response code: Closing data connection (226) Response arg: Transfer complete.

0000 00 00 0f 00 7e d9 00 00 93 e0 70 55 08 00 45 00 ....~.....pU..E. 0010 00 40 8b a7 00 00 0d 06 fe ee 80 c1 20 01 81 20 .@...... 0020 01 40 00 15 0a 1e 02 91 6f 14 a2 a4 c2 52 50 18 .@...... o....RP. 0030 10 00 cc cc 00 00 32 32 36 20 54 72 61 6e 73 66 ...... 226 Transf 0040 65 72 20 63 6f 6d 70 6c 65 74 65 2e 0d 0a er complete...

34. Shirley to CS on the command channel - OK

Frame 34 (60 bytes on wire, 60 bytes captured) Time since reference or first frame: 19.285042000 seconds Ethernet II, Src: 00:00:0f:00:7e:d9, Dst: 00:00:93:e0:70:55 Type: IP (0x0800) Internet Protocol, Src Addr: 129.32.1.64, Dst Addr: 128.193.32.1 Version: 4 Header length: 20 bytes Total Length: 40 Identification: 0x1152 (4434) Flags: 0x00 Fragment offset: 0 Time to live: 30 Protocol: TCP (0x06) Header checksum: 0x685c (correct) Transmission Control Protocol, Src Port: 2590 (2590), Dst Port: 21 (21) Sequence number: 81 (relative sequence number) Acknowledgement number: 300 (relative ack number) Header length: 20 bytes Flags: 0x0010 (ACK) Window size: 4096 Checksum: 0x9bca (correct) SEQ/ACK analysis This is an ACK to the segment in frame: 33 The RTT to ACK the segment was: 0.638226000 seconds

0000 00 00 93 e0 70 55 00 00 0f 00 7e d9 08 00 45 00 ....pU....~...E. 0010 00 28 11 52 00 00 1e 06 68 5c 81 20 01 40 80 c1 .(.R....h\. .@.. 0020 20 01 0a 1e 00 15 a2 a4 c2 52 02 91 6f 2c 50 10 ...... R..o,P. 0030 10 00 9b ca 00 00 32 32 36 20 54 72 ...... 226 Tr

page 21 35. CS to Shirley on data channel - TCP good-bye (3/3 of 3-way handshake) (The data channel is now closed)

Frame 35 (60 bytes on wire, 60 bytes captured) Time since reference or first frame: 19.924969000 seconds Ethernet II, Src: 00:00:93:e0:70:55, Dst: 00:00:0f:00:7e:d9 Type: IP (0x0800) Internet Protocol, Src Addr: 128.193.32.1, Dst Addr: 129.32.1.64 Version: 4 Header length: 20 bytes Total Length: 40 Identification: 0x8baa (35754) Flags: 0x00 Fragment offset: 0 Time to live: 13 Protocol: TCP (0x06) Header checksum: 0xff03 (correct) Transmission Control Protocol, Src Port: 20 (20), Dst Port: 2591 (2591) Sequence number: 188 (relative sequence number) Acknowledgement number: 2 (relative ack number) Header length: 20 bytes Flags: 0x0010 (ACK) Window size: 4096 Checksum: 0x9437 (correct) SEQ/ACK analysis This is an ACK to the segment in frame: 32 The RTT to ACK the segment was: 1.916041000 seconds

0000 00 00 0f 00 7e d9 00 00 93 e0 70 55 08 00 45 00 ....~.....pU..E. 0010 00 28 8b aa 00 00 0d 06 ff 03 80 c1 20 01 81 20 .(...... 0020 01 40 00 14 0a 1f 02 bc 66 bc a2 cb d2 03 50 10 .@...... f.....P. 0030 10 00 94 37 00 00 40 60 0a 12 40 60 ...7..@`..@`

36. Shirley to CS - "QUIT" (Close the FTP conversation before the TCP connection)

Frame 36 (60 bytes on wire, 60 bytes captured) Time since reference or first frame: 20.576911000 seconds Ethernet II, Src: 00:00:0f:00:7e:d9, Dst: 00:00:93:e0:70:55 Type: IP (0x0800) Internet Protocol, Src Addr: 129.32.1.64, Dst Addr: 128.193.32.1 Version: 4 Header length: 20 bytes Total Length: 46 Identification: 0x1154 (4436) Flags: 0x00 Fragment offset: 0 Time to live: 30 Protocol: TCP (0x06) Header checksum: 0x6854 (correct) Transmission Control Protocol, Src Port: 2590 (2590), Dst Port: 21 (21), Len: 6 Sequence number: 81 (relative sequence number) Next sequence number: 87 (relative sequence number) Acknowledgement number: 300 (relative ack number) Header length: 20 bytes Flags: 0x0018 (PSH, ACK) Window size: 4096 Checksum: 0xf408 (correct) File Transfer Protocol (FTP) QUIT\r\n Request command: QUIT

0000 00 00 93 e0 70 55 00 00 0f 00 7e d9 08 00 45 00 ....pU....~...E. 0010 00 2e 11 54 00 00 1e 06 68 54 81 20 01 40 80 c1 ...T....hT. .@.. 0020 20 01 0a 1e 00 15 a2 a4 c2 52 02 91 6f 2c 50 18 ...... R..o,P. 0030 10 00 f4 08 00 00 51 55 49 54 0d 0a ...... QUIT..

page 22 37. CS to Shirley - "221 Goodbye."

Frame 37 (68 bytes on wire, 68 bytes captured) Time since reference or first frame: 21.230262000 seconds Ethernet II, Src: 00:00:93:e0:70:55, Dst: 00:00:0f:00:7e:d9 Type: IP (0x0800) Internet Protocol, Src Addr: 128.193.32.1, Dst Addr: 129.32.1.64 Version: 4 Header length: 20 bytes Total Length: 54 Identification: 0x8bc9 (35785) Flags: 0x00 Fragment offset: 0 Time to live: 13 Protocol: TCP (0x06) Header checksum: 0xfed6 (correct) Transmission Control Protocol, Src Port: 21 (21), Dst Port: 2590 (2590), Len: 14 Sequence number: 300 (relative sequence number) Next sequence number: 314 (relative sequence number) Acknowledgement number: 87 (relative ack number) Header length: 20 bytes Flags: 0x0018 (PSH, ACK) Window size: 4096 Checksum: 0xacd6 (correct) SEQ/ACK analysis This is an ACK to the segment in frame: 36 The RTT to ACK the segment was: 0.653351000 seconds File Transfer Protocol (FTP) 221 Goodbye.\r\n Response code: Service closing control connection (221) Response arg: Goodbye.

0000 00 00 0f 00 7e d9 00 00 93 e0 70 55 08 00 45 00 ....~.....pU..E. 0010 00 36 8b c9 00 00 0d 06 fe d6 80 c1 20 01 81 20 .6...... 0020 01 40 00 15 0a 1e 02 91 6f 2c a2 a4 c2 58 50 18 .@...... o,...XP. 0030 10 00 ac d6 00 00 32 32 31 20 47 6f 6f 64 62 79 ...... 221 Goodby 0040 65 2e 0d 0a e...

38. CS to Shirley - TCP good-bye (1/3 of 3-way handshake)

Frame 38 (60 bytes on wire, 60 bytes captured) Time since reference or first frame: 21.883619000 seconds Ethernet II, Src: 00:00:93:e0:70:55, Dst: 00:00:0f:00:7e:d9 Type: IP (0x0800) Internet Protocol, Src Addr: 128.193.32.1, Dst Addr: 129.32.1.64 Version: 4 Header length: 20 bytes Total Length: 40 Identification: 0x8bca (35786) Flags: 0x00 Fragment offset: 0 Time to live: 13 Protocol: TCP (0x06) Header checksum: 0xfee3 (correct) Transmission Control Protocol, Src Port: 21 (21), Dst Port: 2590 (2590) Sequence number: 314 (relative sequence number) Acknowledgement number: 87 (relative ack number) Header length: 20 bytes Flags: 0x0011 (FIN, ACK) Window size: 4096 Checksum: 0x9bb5 (correct)

0000 00 00 0f 00 7e d9 00 00 93 e0 70 55 08 00 45 00 ....~.....pU..E. 0010 00 28 8b ca 00 00 0d 06 fe e3 80 c1 20 01 81 20 .(...... 0020 01 40 00 15 0a 1e 02 91 6f 3a a2 a4 c2 58 50 11 .@...... o:...XP. 0030 10 00 9b b5 00 00 40 60 0a 12 40 60 ...... @`..@`

page 23 39. Shirley to CS - OK (ACK of data in 37)

Frame 39 (60 bytes on wire, 60 bytes captured) Time since reference or first frame: 22.536983000 seconds Ethernet II, Src: 00:00:0f:00:7e:d9, Dst: 00:00:93:e0:70:55 Type: IP (0x0800) Internet Protocol, Src Addr: 129.32.1.64, Dst Addr: 128.193.32.1 Version: 4 Header length: 20 bytes Total Length: 40 Identification: 0x1155 (4437) Flags: 0x00 Fragment offset: 0 Time to live: 30 Protocol: TCP (0x06) Header checksum: 0x6859 (correct) Transmission Control Protocol, Src Port: 2590 (2590), Dst Port: 21 (21) Sequence number: 87 (relative sequence number) Acknowledgement number: 315 (relative ack number) Header length: 20 bytes Flags: 0x0010 (ACK) Window size: 4096 Checksum: 0x9bb5 (correct) SEQ/ACK analysis This is an ACK to the segment in frame: 38 The RTT to ACK the segment was: 0.653364000 seconds

0000 00 00 93 e0 70 55 00 00 0f 00 7e d9 08 00 45 00 ....pU....~...E. 0010 00 28 11 55 00 00 1e 06 68 59 81 20 01 40 80 c1 .(.U....hY. .@.. 0020 20 01 0a 1e 00 15 a2 a4 c2 58 02 91 6f 3b 50 10 ...... X..o;P. 0030 10 00 9b b5 00 00 40 60 0a 12 40 60 ...... @`..@`

40. Shirley to CS - TCP good-bye (2/3 of 3-way handshake)

Frame 40 (60 bytes on wire, 60 bytes captured) Time since reference or first frame: 23.190711000 seconds Ethernet II, Src: 00:00:0f:00:7e:d9, Dst: 00:00:93:e0:70:55 Type: IP (0x0800) Internet Protocol, Src Addr: 129.32.1.64, Dst Addr: 128.193.32.1 Version: 4 Header length: 20 bytes Total Length: 40 Identification: 0x1156 (4438) Flags: 0x00 Fragment offset: 0 Time to live: 30 Protocol: TCP (0x06) Header checksum: 0x6858 (correct) Transmission Control Protocol, Src Port: 2590 (2590), Dst Port: 21 (21) Sequence number: 87 (relative sequence number) Acknowledgement number: 315 (relative ack number) Header length: 20 bytes Flags: 0x0011 (FIN, ACK) Window size: 4096 Checksum: 0x9bb4 (correct)

0000 00 00 93 e0 70 55 00 00 0f 00 7e d9 08 00 45 00 ....pU....~...E. 0010 00 28 11 56 00 00 1e 06 68 58 81 20 01 40 80 c1 .(.V....hX. .@.. 0020 20 01 0a 1e 00 15 a2 a4 c2 58 02 91 6f 3b 50 11 ...... X..o;P. 0030 10 00 9b b4 00 00 40 60 0a 12 40 60 ...... @`..@`

page 24 41. Shirley to CS - DUPLICATE TCP good-bye (2/3 of 3-way handshake)

Frame 41 (60 bytes on wire, 60 bytes captured) Time since reference or first frame: 23.852093000 seconds Ethernet II, Src: 00:00:0f:00:7e:d9, Dst: 00:00:93:e0:70:55 Type: IP (0x0800) Internet Protocol, Src Addr: 129.32.1.64, Dst Addr: 128.193.32.1 Version: 4 Header length: 20 bytes Total Length: 40 Identification: 0x1157 (4439) Flags: 0x00 Fragment offset: 0 Time to live: 30 Protocol: TCP (0x06) Header checksum: 0x6857 (correct) Transmission Control Protocol, Src Port: 2590 (2590), Dst Port: 21 (21) Source port: 2590 (2590) Destination port: 21 (21) Sequence number: 87 (relative sequence number) Acknowledgement number: 315 (relative ack number) Header length: 20 bytes Flags: 0x0011 (FIN, ACK) Window size: 4096 Checksum: 0x9bb4 (correct) SEQ/ACK analysis TCP Analysis Flags This frame is a (suspected) retransmission

0000 00 00 93 e0 70 55 00 00 0f 00 7e d9 08 00 45 00 ....pU....~...E. 0010 00 28 11 57 00 00 1e 06 68 57 81 20 01 40 80 c1 .(.W....hW. .@.. 0020 20 01 0a 1e 00 15 a2 a4 c2 58 02 91 6f 3b 50 11 ...... X..o;P. 0030 10 00 9b b4 00 00 70 69 63 61 73 73 ...... picass

42. CS to Shirley - TCP good-bye (3/3 of 3-way handshake)

Frame 42 (60 bytes on wire, 60 bytes captured) Time since reference or first frame: 24.515046000 seconds Ethernet II, Src: 00:00:93:e0:70:55, Dst: 00:00:0f:00:7e:d9 Type: IP (0x0800) Internet Protocol, Src Addr: 128.193.32.1, Dst Addr: 129.32.1.64 Version: 4 Header length: 20 bytes Total Length: 40 Identification: 0x8bee (35822) Flags: 0x00 Fragment offset: 0 Time to live: 13 Protocol: TCP (0x06) Header checksum: 0xfebf (correct) Transmission Control Protocol, Src Port: 21 (21), Dst Port: 2590 (2590) Sequence number: 315 (relative sequence number) Acknowledgement number: 88 (relative ack number) Header length: 20 bytes Flags: 0x0010 (ACK) Window size: 4096 Checksum: 0x9bb4 (correct) SEQ/ACK analysis This is an ACK to the segment in frame: 40 The RTT to ACK the segment was: 1.324335000 seconds

0000 00 00 0f 00 7e d9 00 00 93 e0 70 55 08 00 45 00 ....~.....pU..E. 0010 00 28 8b ee 00 00 0d 06 fe bf 80 c1 20 01 81 20 .(...... 0020 01 40 00 15 0a 1e 02 91 6f 3b a2 a4 c2 59 50 10 .@...... o;...YP. 0030 10 00 9b b4 00 00 40 60 02 18 00 00 ...... @`....

page 25

Load more

Recommended publications