-------------------------------------------------------------------
                       The Protocol Handbook
-------------------------------------------------------------------
Part 1 - By rift 10/14/98

Preface

This guide explains the elements of protocols relating to the Internet. Many client/server applications rely on protocols, for example Netscape Navigator or Microsoft Internet Explorer. These two applications use the HTTP protocol to send and receive data between the server and the client. The client sends a request to the HTTP server, listening on port 80. To make it simple, the client says 'may I have this file?' and the server replies, most likely dumping the page back to the client. The client will then take the data sent back from the server, parse it, and display it for the user on a normal page.

Clients

The client is the application that communicates with the server. Usually a client will create a virtual-circuit connection with the server, then start communicating. We show an example here, where the client is sending information relating to nickname/ident and the server is acknowledging that it received that info.

Send 16 bytes.
<00000000< NICK hax0r
Send 42 bytes.
<00000010< USER hax0r 32 . :I am an elite hax0r

(The server communicates with the client; it recognizes that the requested nick is in use and sends data back which the IRC client will interpret.)

Receive 60 bytes.
>00000000> :irc.hax0r.bm 433 * hax0r :Nickname is already in
>00000036> use.
Send 16 bytes.
<0000003A< NICK hax0r1

(Handshaking stage complete...)

Receive 1099 bytes.
>0000003C> :irc.hax0r.bm 001 hax0r1: Welcome to IRC.

So we have completed the handshaking stage. The server waits for the responses from the client, and once successfully initiated, the client goes on with its business.

More advanced handshaking

Here we get down to the dirty work. Between the client and server packets are sent, and those packets contain flags. The most commonly used flags are:

SYN - Initiates a virtual circuit connection with the destination host/server. We use the three-way TCP handshaking procedure to connect. Both the SYN and ACK flags are stated in a packet:

  SYN=1/ACK=0: Opens a connection
  SYN=1/ACK=1: Open connection acknowledgment request
  SYN=0/ACK=1: Just a plain acknowledgment packet or data packet

ACK - ACK is used to state that the acknowledgment number field is valid.

RST - RST resets the connection because (a) the server returned an error or (b) the client created an error itself.

FIN - FIN terminates the connection (virtual circuit). Both client and server sides must agree on terminating the connection; otherwise an application might unexpectedly drop the connection for no reason.

URG - URG is used to send OOB (out-of-band) data to the server without waiting for the server to process octets in the stream. Octets are every 8th bit within a byte. NetBIOS produces a problem within URG processing: it cannot handle a sequence of data at any length. This is known as the "winnuke" attack - (http://www.rootshell.com/archive-j457nxiqi3gq59dv/199707/winnuke.c.html)

Address Classes

You've probably heard people saying "Class C net" or "Class A net" - these are address classes. Address classes are used to define the number of nodes on a specific network; the table follows below:

  Class A - 127 networks, 16,777,214 nodes.
  Class B - 16,383 networks, 65,534 nodes.
  Class C - 2,097,151 networks, 254 nodes.

The most common network that you will find is the Class C network, which many schools/private businesses use. Class A nets are for HUGE companies like AOL, which need more IP addresses than Bill Clinton needs ugly women. (um, that was a bad joke)

Protocol Definitions

Here I will explain many popular protocols that we use, like FTP or IRC.

TCP - Transfer Control Protocol. TCP relies on IP to get the info right; it is also used to make sure none of the packets sent are dropped by mistake.
TCP is what delivers your packets: it is obviously needed for most of our advanced client/server applications. Once IP handles where the data is to be sent, TCP goes to work and delivers the data in its form. Here is a basic outline of a TCP packet:

  --------------------------
  | Source IP Address      |
  | Destination IP Address |
  | Protocol               |
  | TCP Length             |
  | TCP Header             |
  | Data                   |
  --------------------------

Some ports are listed here...

  1   tcpmux - TCP Port Service Multiplexer
  2   compressnet - Management Utility
  3   compressnet - Compression Process
  5   rje - Remote Job Entry
  7   echo
  9   discard
  11  systat - Active Users
  13  daytime
  17  qotd - Quote of the Day
  18  msp - Message Send Protocol
  19  chargen - Character Generator
  20  ftp-data - File Transfer [Default Data]
  21  ftp - File Transfer [Control]
  23  telnet
  24  any private mail system
  25  smtp - Simple Mail Transfer
  27  nsw-fe - NSW User System FE
  29  msg-icp
  31  msg-auth - MSG Authentication
  33  dsp - Display Support Protocol
  35  any private printer server
  37  time
  38  rap - Route Access Protocol
  39  rlp - Resource Location Protocol
  41  graphics
  42  nameserver - Host Name Server
  43  nicname - Who Is
  44  mpm-flags - MPM FLAGS Protocol
  45  mpm - Message Processing Module [recv]
  46  mpm - Message Processing Module [default send]
  47  ni-ftp
  48  auditd - Digital Audit Daemon
  49  login - Login Host Protocol
  50  re-mail-ck - Remote Mail Checking Protocol
  51  la-maint - IMP Logical Address Maintenance
  52  xns-time - XNS Time Protocol
  53  domain - Domain Name Server
  54  xns-ch - XNS Clearinghouse
  55  isi-gl - ISI Graphics Language
  56  xns-auth - XNS Authentication
  57  any private terminal access
  58  xns-mail - XNS Mail
  59  any private file service
  61  ni-mail
  62  acas - ACA Services
  64  covia - Communications Integrator (CI)
  65  tacacs-ds - TACACS-Database Service
  67  bootps - Bootstrap Protocol Server
  68  bootpc - Bootstrap Protocol Client
  69  tftp - Trivial File Transfer
  70  gopher
  71  netrjs-1 - Remote Job Service
  72  netrjs-2 - Remote Job Service
  73  netrjs-3 - Remote Job Service
  74  netrjs-4 - Remote Job Service
  75  any private dial out service
  76  deos - Distributed External Object Store
  77  any private RJE service
  78  vettcp
  79  finger
  80  www-http - World Wide Web HTTP
  81  host2-ns - HOSTS2 Name Server
  82  xfer - XFER Utility
  83  mit-ml-dev
  84  ctf - Common Trace Facility
  85  mit-ml-dev
  86  mfcobol - Micro Focus Cobol
  87  any private terminal link
  88  kerberos
  89  su-mit-tg - SU/MIT Telnet Gateway
  90  dnsix - DNSIX Security Attribute Token Map
  91  mit-dov - MIT Dover Spooler
  92  npp - Network Printing Protocol
  93  dcp - Device Control Protocol
  94  objcall - Tivoli Object Dispatcher
  95  supdup
  96  dixie - DIXIE Protocol Specification
  97  swift-rvf - Swift Remote Virtual File Protocol
  98  tacnews
  99  metagram - Metagram Relay
  100 newacct - [unauthorized use]
  101 hostname - NIC Host Name Server
  102 iso-tsap
  103 gppitnp - Genesis Point-To-Point Trans Net
  104 acr-nema - ACR-NEMA Digital Imag. & Comm. 300
  105 csnet-ns - Mailbox Name Nameserver
  106 3com-tsmux
  107 rtelnet - Remote Telnet Service
  108 snagas - SNA Gateway Access Server
  109 pop2 - Post Office Protocol - Version 2
  110 pop3 - Post Office Protocol - Version 3
  111 sunrpc - SUN Remote Procedure Call
  112 mcidas - McIDAS Data Transmission Protocol
  113 auth - Authentication Service
  114 audionews - Audio News Multicast
  115 sftp - Simple File Transfer Protocol
  116 ansanotify - ANSA REX Notify
  117 uucp-path - UUCP Path Service
  118 sqlserv - SQL Services
  119 nntp - Network News Transfer Protocol
  120 cfdptkt
  121 erpc - Encore Expedited Remote Pro.Call
  122 smakynet
  123 ntp - Network Time Protocol
  124 ansatrader - ANSA REX Trader
  125 locus-map - Locus PC-Interface Net Map Ser
  126 unitary - Unisys Unitary Login
  127 locus-con - Locus PC-Interface Conn Server
  128 gss-xlicen - GSS X License Verification
  129 pwdgen - Password Generator Protocol
  130 cisco-fna - cisco FNATIVE
  131 cisco-tna - cisco TNATIVE
  132 cisco-sys - cisco SYSMAINT
  133 statsrv - Statistics Service
  135 loc-srv - Location Service
  136 profile - PROFILE Naming System
  137 netbios-ns - NETBIOS Name Service
  138 netbios-dgm - NETBIOS Datagram Service
  139 netbios-ssn - NETBIOS Session Service
  140 emfis-data - EMFIS Data Service
  141 emfis-cntl - EMFIS Control Service
  142 bl-idm - Britton-Lee IDM
  143 imap2 - Interim Mail Access Protocol v2
  144 news
  145 uaac
  146 iso-tp0
  147 iso-ip
  148 cronus - CRONUS-SUPPORT
  149 aed-512 - AED 512 Emulation Service
  150 sql-net
  151 hems
  152 bftp - Background File Transfer Program
  153 sgmp
  154 netsc-prod
  155 netsc-dev
  156 sqlsrv - SQL Service
  157 knet-cmp - KNET/VM Command/Message Protocol
  158 pcmail-srv - PCMail Server
  159 nss-routing
  160 sgmp-traps
  161 snmp - Simple Network Management Protocol
  162 snmptrap - Simple Network Management Protocol Trap
  163 cmip-man - CMIP/TCP Manager
  164 cmip-agent - CMIP/TCP Agent
  165 xns-courier - Xerox
  166 s-net - Sirius Systems
  167 namp
  168 rsvd
  169 send
  170 print-srv - Network PostScript
  171 multiplex - Network Innovations Multiplex
  172 cl/1 - Network Innovations CL/1
  173 xyplex-mux - Xyplex
  174 mailq
  175 vmnet
  176 genrad-mux
  177 xdmcp - X Display Manager Control Protocol
  178 nextstep - NextStep Window Server
  179 bgp - Border Gateway Protocol
  180 ris - Intergraph
  181 unify
  182 audit - Unisys Audit SITP
  183 ocbinder
  184 ocserver
  185 remote-kis
  186 kis - KIS Protocol
  187 aci - Application Communication Interface
  188 mumps - Plus Five's MUMPS
  189 qft - Queued File Transport
  190 gacp - Gateway Access Protocol
  191 prospero - Prospero Directory Service
  192 osu-nms - OSU Network Monitoring System
  193 srmp - Spider Remote Monitoring Protocol
  194 irc - Internet Relay Chat
  195 dn6-nlm-aud - DNSIX Network Level Module Audit
  196 dn6-nlm-red - DNSIX Session Mgt Module Audit Redir
  197 dls - Directory Location Service
  198 dls-mon - Directory Location Service Monitor
  199 smux
  200 src - IBM System Resource Controller
  201 at-rtmp - AppleTalk Routing Maintenance
  202 at-nbp - AppleTalk Name Binding
  203 at-3 - AppleTalk Unused
  204 at-echo - AppleTalk Echo
  205 at-5 - AppleTalk Unused
  206 at-zis - AppleTalk Zone Information
  207 at-7 - AppleTalk Unused
  208 at-8 - AppleTalk Unused
  209 tam - Trivial Mail Authentication Protocol
  210 z39.50
  211 914c/g - Texas Instruments 914C/G Terminal
  212 anet - ATEXSSTR
  213 ipx
  214 vmpwscs - VM PWSCS
  215 softpc - Insignia Solutions
  216 atls - Access Technology License Server
  217 dbase - dBASE Unix
  218 mpp - Netix Message Posting Protocol
  219 uarps - Unisys ARPs
  220 imap3 - Interactive Mail Access Protocol v3
  221 fln-spx - Berkeley rlogind with SPX auth
  222 rsh-spx - Berkeley rshd with SPX auth
  223 cdc - Certificate Distribution Center
  243 sur-meas - Survey Measurement
  245 link
  246 dsp3270 - Display Systems Protocol
  344 pdap - Prospero Data Access Protocol
  345 pawserv - Perf Analysis Workbench
  346 zserv - Zebra server
  347 fatserv - Fatmen Server
  348 csi-sgwp - Cabletron Management Protocol
  371 clearcase
  372 ulistserv - Unix Listserv
  373 legent-1 - Legent Corporation
  374 legent-2 - Legent Corporation
  375 hassle
  376 nip - Amiga Envoy Network Inquiry Proto
  377 tnETOS - NEC Corporation
  378 dsETOS - NEC Corporation
  379 is99c - TIA/EIA/IS-99 modem client
  380 is99s - TIA/EIA/IS-99 modem server
  381 hp-collector - hp performance data collector
  382 hp-managed-node - hp performance data managed node
  383 hp-alarm-mgr - hp performance data alarm manager
  384 arns - A Remote Network Server System
  385 ibm-app - IBM Application
  386 asa - ASA Message Router Object Def.
  387 aurp - AppleTalk Update-Based Routing Pro.
  388 unidata-ldm - Unidata LDM Version 4
  389 ldap - Lightweight Directory Access Protocol
  390 uis
  391 synotics-relay - SynOptics SNMP Relay Port
  392 synotics-broker - SynOptics Port Broker Port
  393 dis - Data Interpretation System
  394 embl-ndt - EMBL Nucleic Data Transfer
  395 NETscout Control Protocol
  396 netware-ip - Novell Netware over IP
  397 mptn - Multi Protocol Trans. Net.
  398 kryptolan
  400 work-sol - Workstation Solutions
  401 ups - Uninterruptible Power Supply
  402 genie - Genie Protocol
  403 decap
  404 nced
  407 timbuktu
  408 prm-sm - Prospero Resource Manager Sys. Man.
  409 prm-nm - Prospero Resource Manager Node Man.
  410 decladebug - DECLadebug Remote Debug Protocol
  411 rmt - Remote MT Protocol
  412 synoptics-trap - Trap Convention Port
  413 smsp
  414 infoseek
  415 bnet
  416 silverplatter
  417 onmux
  418 hyper-g
  419 ariel1
  420 smpte
  421 ariel2
  422 ariel3
  423 opc-job-start - IBM Operations Planning and Control Start
  424 opc-job-track - IBM Operations Planning and Control Track
  425 icad-el - ICAD
  426 smartsdp
  427 svrloc - Server Location
  428 ocs_cmu
  429 ocs_amu
  430 utmpsd
  431 utmpcd
  432 iasd
  433 nnsp
  434 mobileip-agent
  435 mobileip-mn
  436 dna-cml
  437 comscm
  438 dsfgw
  439 dasp
  440 sgcp
  441 decvms-sysmgt
  442 cvc_hostd
  443 https
  444 snpp - Simple Network Paging Protocol
  445 microsoft-ds
  446 ddm-rdb
  447 ddm-dfm
  448 ddm-byte
  449 as-servermap - AS Server Mapper
  450 tserver
  497 retrospect - Retrospect Backup software
  515 printer - spooler
  517 talk
  518 ntalk
  525 timed - timeserver
  526 tempo - newdate
  548 AppleShare IP Server
  3000 First Class Server
  5500 Hotline Server
  5501 Hotline Server
  8080 http

[Most all of the remaining ports are mentioned to be unused or unregistered. (Keep in mind that the largest anonymous port in most TCP software is 65535.)]

IP - Internet Protocol. IP takes care of addressing. You have probably heard of the term 'IP address': this is the Internet Protocol in use. Every Internet Service Provider assigns you an IP address once you log on; for ethernet usage this is much like DHCP.

ARP - Address Resolution Protocol. ARP finds out what Joe's hardware address is, or what Mary's NICA is. It also resolves IP addresses and many other things such as MAC addresses or physical hardware addresses. ARP relies on IP to work properly.
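Looking back at the "More advanced handshaking", "Address Classes" and TCP packet outline sections above, here is an added worked example (written for this edit, not code from rift's handbook) that decodes a raw IPv4 header and TCP header from bytes, names the handshake stage from the three SYN/ACK combinations the handbook lists, and classifies source and destination addresses by first octet as in the address class table (it also labels classes D and E, which the table does not cover). The packets are constructed by build_packet with zero checksums; the function names, the sample addresses and host_capacity (which recomputes the per-network node counts from the host bits) are assumptions of this example.

```python
# Added example: decode IPv4 + TCP headers, name the handshake stage, classify addresses.
import struct
import ipaddress

# Flag bits in the low byte of the TCP data-offset/flags word.
TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}


def address_class(addr: str) -> str:
    """Classify by leading bits of the first octet (D and E go beyond the handbook's table)."""
    first = int(ipaddress.IPv4Address(addr)) >> 24
    if first < 128:
        return "A"
    if first < 192:
        return "B"
    if first < 224:
        return "C"
    if first < 240:
        return "D"
    return "E"


def host_capacity(cls: str) -> int:
    """Usable hosts per network: 2^host_bits minus the network and broadcast addresses."""
    host_bits = {"A": 24, "B": 16, "C": 8}[cls]
    return (1 << host_bits) - 2


def parse_ipv4(packet: bytes) -> dict:
    """Parse the fixed 20-byte IPv4 header; returns fields plus the encapsulated payload."""
    ver_ihl, _tos, total_len, _id, _frag, ttl, proto, _csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", packet[:20])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4 or ihl < 20 or len(packet) < ihl:
        raise ValueError("not a valid IPv4 header")
    return {"ttl": ttl, "protocol": proto, "src": str(ipaddress.IPv4Address(src)),
            "dst": str(ipaddress.IPv4Address(dst)), "payload": packet[ihl:total_len]}


def parse_tcp(segment: bytes) -> dict:
    """Parse the 20-byte TCP header; flags come from the low bits of the offset word."""
    sport, dport, seq, ack, off_flags, window, _csum, urgp = struct.unpack("!HHIIHHHH", segment[:20])
    data_off = (off_flags >> 12) * 4
    if data_off < 20 or len(segment) < data_off:
        raise ValueError("truncated TCP header")
    flags = {name: bool(off_flags & bit) for name, bit in TCP_FLAGS.items()}
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack, "flags": flags,
            "window": window, "urgent_ptr": urgp, "data": segment[data_off:]}


def handshake_stage(flags: dict) -> str:
    """Name the SYN/ACK combination as the handbook describes it; RST and FIN are checked first."""
    if flags["RST"]:
        return "reset"
    if flags["FIN"]:
        return "close"
    if flags["SYN"] and not flags["ACK"]:
        return "open (SYN)"
    if flags["SYN"] and flags["ACK"]:
        return "open acknowledgment (SYN/ACK)"
    if flags["ACK"]:
        return "acknowledgment or data (ACK)"
    return "no control flags"


def build_packet(src, dst, sport, dport, seq, ack, flag_names, data=b"") -> bytes:
    """Construct a raw IPv4+TCP packet as test input (checksums left at zero)."""
    flag_bits = 0
    for name in flag_names:
        flag_bits |= TCP_FLAGS[name]
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | flag_bits, 65535, 0, 0) + data
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return ip + tcp


def describe(packet: bytes) -> dict:
    """Full decode of one packet: addresses, their classes, ports and the handshake stage."""
    ip = parse_ipv4(packet)
    if ip["protocol"] != 6:
        raise ValueError("not a TCP packet")
    tcp = parse_tcp(ip["payload"])
    return {"src": ip["src"], "dst": ip["dst"], "src_class": address_class(ip["src"]),
            "dst_class": address_class(ip["dst"]), "sport": tcp["sport"], "dport": tcp["dport"],
            "stage": handshake_stage(tcp["flags"]), "urg": tcp["flags"]["URG"], "data": tcp["data"]}


if __name__ == "__main__":
    # Constructed three-way handshake followed by a data segment to a web server on port 80.
    client, server = "10.1.2.3", "192.0.2.10"
    exchange = [
        build_packet(client, server, 40000, 80, 1000, 0, ["SYN"]),
        build_packet(server, client, 80, 40000, 5000, 1001, ["SYN", "ACK"]),
        build_packet(client, server, 40000, 80, 1001, 5001, ["ACK"]),
        build_packet(client, server, 40000, 80, 1001, 5001, ["ACK", "PSH"], b"GET / HTTP/1.0\r\n\r\n"),
    ]
    for pkt in exchange:
        d = describe(pkt)
        print(f"{d['src']} (class {d['src_class']}) -> {d['dst']}:{d['dport']}  {d['stage']}  {d['data']!r}")
```

Run it and the four lines print SYN, SYN/ACK, ACK and the data segment in order; a capture tool or IDS performs exactly this decode on each packet before it can reason about whether a connection was opened cleanly or reset.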
RARP - RARP, or Reverse Address Resolution Protocol, figures out what the TCP/IP address is via the Network Interface Card.

ICMP - Internet Control Message Protocol. ICMP packets are used to determine flaws or problems between two or more hosts. An example: if I ping joe but joe doesn't respond, then it means joe's box is down. However, if he replies to the ICMP_ECHO_REPLY flag stated in the packet, it would mean his box was actually up. ICMP can also be used to ping flood someone, as you already know.

LDAP - Lightweight Directory Access Protocol. LDAP is used (much like FINGER) to look up information on an X.500 directory service. LDAP can be used to retrieve email addresses, phone numbers, and other information that might be useful to someone who has access to an X.500 directory service.

BootP - Boot Protocol. BootP lets you boot your OS from a remote machine connected to a network. It is very similar to TFTP in that it uses a different computer to boot/load OSs or applications. BootP might be used if you were out of disk space or were having problems with your own operating system.

TFTP - Trivial File Transfer Protocol. TFTP is somewhat like BootP: it lets you download files or install operating systems via DEC's remote installation service. TFTP is primarily used to load/run applications from a TFTP server, and as stated before is extremely important for network booting.

SMTP - Simple Mail Transfer Protocol. SMTP is one of the most widely used protocols today: it handles Internet e-mail messaging and supports the transfer of files from one computer to another. The whole e-mail system is based on SMTP; you need an SMTP server to send/receive messages. SMTP is particularly unsafe because it lets you 'spoof' messages from one address to another. In this example, we connect to a host running sendmail on port 25, and enter our message headers.

220 driftwood.nfth.com ESMTP Sendmail 8.8.7/8.8.7; Thu, 15 Oct 1998 20:20:42 -0400
HELO blah
250 driftwood.nfth.com Hello techlib.org [199.227.254.193], pleased to meet you
RSET
250 Reset state
MAIL FROM:
250 ... Sender ok
RCPT TO:
550 recieve@desthost.com>....ok

The rest of the part is pretty simple: just do DATA and then QUIT.

UDP - User Datagram Protocol. UDP is a bare-bones connectionless protocol used particularly for DNS servers. UDP is different from TCP because it doesn't require any control packets to be sent before a connection is established. Unlike TCP, UDP does not check for errors: this means that if something goes wrong UDP will not correct it. Applications like AOL (bleh) have their own error correction built in, so that MOST of the data sent/received can be successfully transferred between computers. UDP is dependent on IP, which is used to reliably 'deliver' the packets to the upper-layer applications defined in the OSI model (figure 1).

To create a datagram socket, use this (you need a lot more than this to actually get the socket working):

  socket(AF_INET, SOCK_DGRAM, 0)

SOCK_DGRAM specifies that the socket type will be datagram, not stream.

f1: - International Standards Organization OSI Model -

  --------------------------------------
               Application
  --------------------------------------
               Presentation
  --------------------------------------
               Session
  --------------------------------------
               Transport
  --------------------------------------
               Network
  --------------------------------------
               Data Link
  --------------------------------------
               Physical
  --------------------------------------

Physical - Hardware, as in modem or NIC.

Data Link - Handles error correction from interference produced by the physical devices such as network-related wiring. The Data Link layer also helps 'construct' the packets sent by applications and sends them using IP to use the correct address.

Network - This layer interacts with the Data Link layer to send the packets to the specified address.

Transport - The Transport layer makes sure that no errors occur between the routing of packets constructed by the Data Link layer.

Session - This layer simply handles the connection between two addresses.

Presentation - Handles file formatting that is used with various clients. For example, without the Presentation layer you would not be able to send a file in binary format without knowing that the other computer would be able to run it.

Application - This layer handles use of applications that are dependent on the OSI model, like telnet or FTP.

-end International Standards Organization OSI Model-
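The UDP section above says the protocol checks nothing itself and that applications add their own error correction. As an added example, not part of rift's handbook, the Python below opens the same datagram socket the handbook shows (socket(AF_INET, SOCK_DGRAM, 0), via Python's socket module) and adds a small constructed framing layer on top: a sequence number and a CRC32 let the receiver detect a lost, duplicated or corrupted datagram that UDP would otherwise hand to the application silently. The frame layout, the MAGIC marker, the Receiver class and the simulated lossy link in simulate_link are assumptions made for this example.

```python
# Added example: a datagram socket exchange plus application-level integrity checks.
import socket
import struct
import zlib

MAGIC = b"PH"                    # constructed frame marker (assumption for this example)
HEADER = struct.Struct("!2sIH")  # magic, sequence number, payload length


def make_frame(seq: int, payload: bytes) -> bytes:
    """Wrap a payload with a sequence number and CRC32 so the receiver can spot loss or damage."""
    body = HEADER.pack(MAGIC, seq, len(payload)) + payload
    return body + struct.pack("!I", zlib.crc32(body) & 0xFFFFFFFF)


def parse_frame(frame: bytes):
    """Return (seq, payload), or raise ValueError when the datagram is damaged or foreign."""
    if len(frame) < HEADER.size + 4:
        raise ValueError("datagram too short")
    body, crc = frame[:-4], struct.unpack("!I", frame[-4:])[0]
    if zlib.crc32(body) & 0xFFFFFFFF != crc:
        raise ValueError("CRC mismatch: datagram corrupted in transit")
    magic, seq, length = HEADER.unpack(body[:HEADER.size])
    if magic != MAGIC or length != len(body) - HEADER.size:
        raise ValueError("malformed frame")
    return seq, body[HEADER.size:]


class Receiver:
    """Tracks the next expected sequence number and records gaps, duplicates and drops."""

    def __init__(self):
        self.expected = 0
        self.events = []

    def accept(self, frame: bytes):
        try:
            seq, payload = parse_frame(frame)
        except ValueError as err:
            self.events.append(f"dropped: {err}")
            return None
        if seq < self.expected:
            self.events.append(f"duplicate seq {seq}")
            return None
        if seq > self.expected:
            self.events.append(f"gap: lost {seq - self.expected} datagram(s) before seq {seq}")
        self.expected = seq + 1
        return payload


def sample_frames():
    """Five constructed frames, seq 0..4."""
    return [make_frame(i, f"message {i}".encode()) for i in range(5)]


def simulate_link(frames):
    """Offline stand-in for a bad network: drops seq 1 and flips a payload byte in seq 3."""
    rx = Receiver()
    for i, frame in enumerate(frames):
        if i == 1:
            continue
        if i == 3:
            frame = frame[:-6] + bytes([frame[-6] ^ 0xFF]) + frame[-5:]
        rx.accept(frame)
    return rx


def udp_roundtrip(frames, host="127.0.0.1"):
    """Send the frames to ourselves over loopback with a real datagram socket and receive them."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, 0)  # the call the handbook shows
    sock.bind((host, 0))          # port 0: let the OS pick a free port
    sock.settimeout(1.0)
    port = sock.getsockname()[1]
    rx = Receiver()
    for frame in frames:
        sock.sendto(frame, (host, port))  # no handshake, no delivery guarantee
    for _ in frames:
        try:
            data, _peer = sock.recvfrom(65535)
        except socket.timeout:
            break                 # UDP gives no hint why a datagram never arrived
        rx.accept(data)
    sock.close()
    return rx


if __name__ == "__main__":
    print("\n".join(simulate_link(sample_frames()).events))
    live = udp_roundtrip(sample_frames())
    print("loopback delivered", live.expected, "datagrams in order; events:", live.events)
```

Over loopback all five datagrams normally arrive in order and the event list stays empty; simulate_link shows what the same receiver reports when the path loses and corrupts traffic, which is the case UDP itself leaves to the application.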