[Note: MAC and IP addresses, hostnames, and the username/password have been modified to conceal the true session.]
Frames 2 through 4 illustrate TCP’s three-way handshake
Frame 2 (66 bytes on wire, 66 bytes captured)
Arrival Time: May 15, 2003
11:42:30.350489000
Time delta from previous packet:
0.467980000 seconds
Time relative to first packet: 0.467980000
seconds
Frame Number: 2
Packet Length: 66 bytes
Capture Length: 66 bytes
Ethernet II, Src:
00:a0:cc:33:da:ef, Dst: 00:90:7e:05:0f:ce
Destination: 00:90:7e:05:0f:ce
(00:90:7e:05:0f:ce)
Source: 00:a0:cc:33:da:ef
(00:a0:cc:33:da:ef)
Type: IP (0x0800)
Internet Protocol, Src
Addr: 172.18.0.2 (172.18.0.2), Dst Addr: 172.18.0.3 (172.18.0.3)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP
0x00: Default; ECN: 0x00)
0000 00.. = Differentiated Services
Codepoint: Default (0x00)
.... ..0. = ECN-Capable Transport
(ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 52
Identification: 0x2df7 (11767)
Flags: 0x04
.1.. = Don't fragment: Set
..0. = More fragments: Not set
Fragment offset: 0
Time to live: 64
Protocol: TCP (0x06)
Header checksum: 0xb4a2 (correct)
Source: 172.18.0.2 (172.18.0.2)
Destination: 172.18.0.3 (172.18.0.3)
Transmission Control
Protocol, Src Port: 3436 (3436), Dst Port: 21 (21), Seq: 2877212145, Ack: 0,
Len: 0
Source port: 3436 (3436)
Destination port: 21 (21)
Sequence number: 2877212145
Header length: 32 bytes
Flags: 0x0002
(SYN)
0... .... = Congestion Window Reduced
(CWR): Not set
.0.. .... = ECN-Echo: Not set
..0. .... = Urgent: Not set
...0 .... = Acknowledgment: Not set
.... 0... = Push: Not set
.... .0.. = Reset: Not set
.... ..1. = Syn: Set
.... ...0 = Fin: Not set
Window size: 60352
Checksum: 0xac39 (correct)
Options: (12 bytes)
Maximum segment size: 1460 bytes
NOP
Window scale: 2 (multiply by 4)
NOP
NOP
SACK permitted
Frame 3 (60 bytes on wire, 60 bytes captured)
Arrival Time: May 15, 2003
11:42:30.350732000
Time delta from previous packet:
0.000243000 seconds
Time relative to first packet: 0.468223000
seconds
Frame Number: 3
Packet Length: 60 bytes
Capture Length: 60 bytes
Ethernet II, Src: 00:90:7e:05:0f:ce,
Dst: 00:a0:cc:33:da:ef
Destination: 00:a0:cc:33:da:ef
(00:a0:cc:33:da:ef)
Source: 00:90:7e:05:0f:ce
(00:90:7e:05:0f:ce)
Type: IP (0x0800)
Trailer: 0000
Internet Protocol, Src
Addr: 172.18.0.3 (172.18.0.3), Dst Addr: 172.18.0.2 (172.18.0.2)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP
0x00: Default; ECN: 0x00)
0000 00.. = Differentiated Services
Codepoint: Default (0x00)
.... ..0. = ECN-Capable Transport
(ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 44
Identification: 0xfa34 (64052)
Flags: 0x00
.0.. = Don't fragment: Not set
..0. = More fragments: Not set
Fragment offset: 0
Time to live: 64
Protocol: TCP (0x06)
Header checksum: 0x286d (correct)
Source: 172.18.0.3 (172.18.0.3)
Destination: 172.18.0.2 (172.18.0.2)
Transmission Control
Protocol, Src Port: 21 (21), Dst Port: 3436 (3436), Seq: 1038849425, Ack:
2877212146, Len: 0
Source port: 21 (21)
Destination port: 3436 (3436)
Sequence number: 1038849425
Acknowledgement number: 2877212146
Header length: 24 bytes
Flags: 0x0012
(SYN, ACK)
0... .... = Congestion Window Reduced
(CWR): Not set
.0.. .... = ECN-Echo: Not set
..0. .... = Urgent: Not set
...1 .... = Acknowledgment: Set
.... 0... = Push: Not set
.... .0.. = Reset: Not set
.... ..1. = Syn: Set
.... ...0 = Fin: Not set
Window size: 16352
Checksum: 0xad9c (correct)
Options: (4 bytes)
Maximum segment size: 1460 bytes
Frame 4 (54 bytes on wire, 54 bytes captured)
Arrival Time: May 15, 2003
11:42:30.350828000
Time delta from previous packet:
0.000096000 seconds
Time relative to first packet: 0.468319000
seconds
Frame Number: 4
Packet Length: 54 bytes
Capture Length: 54 bytes
Ethernet II, Src:
00:a0:cc:33:da:ef, Dst: 00:90:7e:05:0f:ce
Destination: 00:90:7e:05:0f:ce
(00:90:7e:05:0f:ce)
Source: 00:a0:cc:33:da:ef
(00:a0:cc:33:da:ef)
Type: IP (0x0800)
Internet Protocol, Src
Addr: 172.18.0.2 (172.18.0.2), Dst Addr: 172.18.0.3 (172.18.0.3)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP
0x00: Default; ECN: 0x00)
0000 00.. = Differentiated Services
Codepoint: Default (0x00)
.... ..0. = ECN-Capable Transport
(ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 40
Identification: 0x2df8 (11768)
Flags: 0x04
.1.. = Don't fragment: Set
..0. = More fragments: Not set
Fragment offset: 0
Time to live: 64
Protocol: TCP (0x06)
Header checksum: 0xb4ad (correct)
Source: 172.18.0.2 (172.18.0.2)
Destination: 172.18.0.3 (172.18.0.3)
Transmission Control
Protocol, Src Port: 3436 (3436), Dst Port: 21 (21), Seq: 2877212146, Ack:
1038849426, Len: 0
Source port: 3436 (3436)
Destination port: 21 (21)
Sequence number: 2877212146
Acknowledgement number: 1038849426
Header length: 20 bytes
Flags: 0x0010
(ACK)
0... .... = Congestion Window Reduced
(CWR): Not set
.0.. .... = ECN-Echo: Not set
..0. .... = Urgent: Not set
...1 .... = Acknowledgment: Set
.... 0... = Push: Not set
.... .0.. = Reset: Not set
.... ..0. = Syn: Not set
.... ...0 = Fin: Not set
Window size: 65535
Checksum: 0x053a (correct)
Frames 10 through 19 illustrate how the FTP server application makes use of TCP’s PUSH operation to force delivery of prompts and client user input
Frame 10 (103 bytes on
wire, 103 bytes captured)
Arrival Time: May 15, 2003
11:42:30.431604000
Time delta from previous packet:
0.080776000 seconds
Time relative to first packet: 0.549095000
seconds
Frame Number: 10
Packet Length: 103 bytes
Capture Length: 103 bytes
Ethernet II, Src:
00:90:7e:05:0f:ce, Dst: 00:a0:cc:33:da:ef
Destination: 00:a0:cc:33:da:ef
(00:a0:cc:33:da:ef)
Source: 00:90:7e:05:0f:ce
(00:90:7e:05:0f:ce)
Type: IP (0x0800)
Internet Protocol, Src
Addr: 172.18.0.3 (172.18.0.3), Dst Addr: 172.18.0.2 (172.18.0.2)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP
0x00: Default; ECN: 0x00)
0000 00.. = Differentiated Services
Codepoint: Default (0x00)
.... ..0. = ECN-Capable Transport
(ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 89
Identification: 0xfa3a (64058)
Flags: 0x04
.1.. = Don't fragment: Set
..0. = More fragments: Not set
Fragment offset: 0
Time to live: 64
Protocol: TCP (0x06)
Header checksum: 0xe839 (correct)
Source: 172.18.0.3 (172.18.0.3)
Destination: 172.18.0.2 (172.18.0.2)
Transmission Control
Protocol, Src Port: 21 (21), Dst Port: 3436 (3436), Seq: 1038849426, Ack:
2877212146, Len: 49
Source port: 21 (21)
Destination port: 3436 (3436)
Sequence number: 1038849426
Next sequence number: 1038849475
Acknowledgement number: 2877212146
Header length: 20 bytes
Flags: 0x0018
(PSH, ACK)
0... .... = Congestion Window Reduced
(CWR): Not set
.0.. .... = ECN-Echo: Not set
..0. .... = Urgent: Not set
...1 .... = Acknowledgment: Set
.... 1... = Push: Set
.... .0.. = Reset: Not set
.... ..0. = Syn: Not set
.... ...0 = Fin: Not set
Window size: 16352
Checksum: 0x0753 (correct)
File Transfer Protocol
(FTP)
Response code: Service ready for new user (220)
Response arg: server Microsoft FTP Service
(Version 5.0).
Frame 11 (54 bytes on
wire, 54 bytes captured)
Arrival Time: May 15, 2003
11:42:30.614728000
Time delta from previous packet:
0.183124000 seconds
Time relative to first packet: 0.732219000
seconds
Frame Number: 11
Packet Length: 54 bytes
Capture Length: 54 bytes
Ethernet II, Src:
00:a0:cc:33:da:ef, Dst: 00:90:7e:05:0f:ce
Destination: 00:90:7e:05:0f:ce
(00:90:7e:05:0f:ce)
Source: 00:a0:cc:33:da:ef
(00:a0:cc:33:da:ef)
Type: IP (0x0800)
Internet Protocol, Src
Addr: 172.18.0.2 (172.18.0.2), Dst Addr: 172.18.0.3 (172.18.0.3)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP
0x00: Default; ECN: 0x00)
0000 00.. = Differentiated Services
Codepoint: Default (0x00)
.... ..0. = ECN-Capable Transport
(ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 40
Identification: 0x2dfe (11774)
Flags: 0x04
.1.. = Don't fragment: Set
..0. = More fragments: Not set
Fragment offset: 0
Time to live: 64
Protocol: TCP (0x06)
Header checksum: 0xb4a7 (correct)
Source: 172.18.0.2 (172.18.0.2)
Destination: 172.18.0.3 (172.18.0.3)
Transmission Control
Protocol, Src Port: 3436 (3436), Dst Port: 21 (21), Seq: 2877212146, Ack:
1038849475, Len: 0
Source port: 3436 (3436)
Destination port: 21 (21)
Sequence number: 2877212146
Acknowledgement number: 1038849475
Header length: 20 bytes
Flags: 0x0010 (ACK)
0... .... = Congestion Window Reduced
(CWR): Not set
.0.. .... = ECN-Echo: Not set
..0. .... = Urgent: Not set
...1 .... = Acknowledgment: Set
.... 0... = Push: Not set
.... .0.. = Reset: Not set
.... ..0. = Syn: Not set
.... ...0 = Fin: Not set
Window size: 65486
Checksum: 0x053a (correct)
Frame 14 (67 bytes on
wire, 67 bytes captured)
Arrival Time: May 15, 2003
11:42:31.980191000
Time delta from previous packet:
1.365463000 seconds
Time relative to first packet: 2.097682000
seconds
Frame Number: 14
Packet Length: 67 bytes
Capture Length: 67 bytes
Ethernet II, Src:
00:a0:cc:33:da:ef, Dst: 00:90:7e:05:0f:ce
Destination: 00:90:7e:05:0f:ce
(00:90:7e:05:0f:ce)
Source: 00:a0:cc:33:da:ef
(00:a0:cc:33:da:ef)
Type: IP (0x0800)
Internet Protocol, Src
Addr: 172.18.0.2 (172.18.0.2), Dst Addr: 172.18.0.3 (172.18.0.3)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP
0x00: Default; ECN: 0x00)
0000 00.. = Differentiated Services
Codepoint: Default (0x00)
.... ..0. = ECN-Capable Transport
(ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 53
Identification: 0x2e01 (11777)
Flags: 0x04
.1.. = Don't fragment: Set
..0. = More fragments: Not set
Fragment offset: 0
Time to live: 64
Protocol: TCP (0x06)
Header checksum: 0xb497 (correct)
Source: 172.18.0.2 (172.18.0.2)
Destination: 172.18.0.3 (172.18.0.3)
Transmission Control
Protocol, Src Port: 3436 (3436), Dst Port: 21 (21), Seq: 2877212146, Ack:
1038849475, Len: 13
Source port: 3436 (3436)
Destination port: 21 (21)
Sequence number: 2877212146
Next sequence number: 2877212159
Acknowledgement number: 1038849475
Header length: 20 bytes
Flags: 0x0018
(PSH, ACK)
0... .... = Congestion Window Reduced
(CWR): Not set
.0.. .... = ECN-Echo: Not set
..0. .... = Urgent: Not set
...1 .... = Acknowledgment: Set
.... 1... = Push: Set
.... .0.. = Reset: Not set
.... ..0. = Syn: Not set
.... ...0 = Fin: Not set
Window size: 65486
Checksum: 0x0a1e (correct)
File Transfer Protocol
(FTP)
Request command: USER
Request arg: user12
Frame 15 (89 bytes on
wire, 89 bytes captured)
Arrival Time: May 15, 2003
11:42:31.980983000
Time delta from previous packet:
0.000792000 seconds
Time relative to first packet: 2.098474000
seconds
Frame Number: 15
Packet Length: 89 bytes
Capture Length: 89 bytes
Ethernet II, Src:
00:90:7e:05:0f:ce, Dst: 00:a0:cc:33:da:ef
Destination: 00:a0:cc:33:da:ef
(00:a0:cc:33:da:ef)
Source: 00:90:7e:05:0f:ce
(00:90:7e:05:0f:ce)
Type: IP (0x0800)
Internet Protocol, Src
Addr: 172.18.0.3 (172.18.0.3), Dst Addr: 172.18.0.2 (172.18.0.2)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP
0x00: Default; ECN: 0x00)
0000 00.. = Differentiated Services
Codepoint: Default (0x00)
.... ..0. = ECN-Capable Transport
(ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 75
Identification: 0xfa3d (64061)
Flags: 0x04
.1.. = Don't fragment: Set
..0. = More fragments: Not set
Fragment offset: 0
Time to live: 64
Protocol: TCP (0x06)
Header checksum: 0xe844 (correct)
Source: 172.18.0.3 (172.18.0.3)
Destination: 172.18.0.2 (172.18.0.2)
Transmission Control
Protocol, Src Port: 21 (21), Dst Port: 3436 (3436), Seq: 1038849475, Ack:
2877212159, Len: 35
Source port: 21 (21)
Destination port: 3436 (3436)
Sequence number: 1038849475
Next sequence number: 1038849510
Acknowledgement number: 2877212159
Header length: 20 bytes
Flags: 0x0018
(PSH, ACK)
0... .... = Congestion Window Reduced
(CWR): Not set
.0.. .... = ECN-Echo: Not set
..0. .... = Urgent: Not set
...1 .... = Acknowledgment: Set
.... 1... = Push: Set
.... .0.. = Reset: Not set
.... ..0. = Syn: Not set
.... ...0 = Fin: Not set
Window size: 16339
Checksum: 0x7c5b (correct)
File Transfer Protocol
(FTP)
Response code: User name okay, need
password (331)
Response arg: Password required for
user12.
Frame 16 (54 bytes on
wire, 54 bytes captured)
Arrival Time: May 15, 2003
11:42:32.119492000
Time delta from previous packet:
0.138509000 seconds
Time relative to first packet: 2.236983000
seconds
Frame Number: 16
Packet Length: 54 bytes
Capture Length: 54 bytes
Ethernet II, Src:
00:a0:cc:33:da:ef, Dst: 00:90:7e:05:0f:ce
Destination: 00:90:7e:05:0f:ce
(00:90:7e:05:0f:ce)
Source: 00:a0:cc:33:da:ef
(00:a0:cc:33:da:ef)
Type: IP (0x0800)
Internet Protocol, Src
Addr: 172.18.0.2 (172.18.0.2), Dst Addr: 172.18.0.3 (172.18.0.3)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP
0x00: Default; ECN: 0x00)
0000 00.. = Differentiated Services
Codepoint: Default (0x00)
.... ..0. = ECN-Capable Transport
(ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 40
Identification: 0x2e02 (11778)
Flags: 0x04
.1.. = Don't fragment: Set
..0. = More fragments: Not set
Fragment offset: 0
Time to live: 64
Protocol: TCP (0x06)
Header checksum: 0xb4a3 (correct)
Source: 172.18.0.2 (172.18.0.2)
Destination: 172.18.0.3 (172.18.0.3)
Transmission Control
Protocol, Src Port: 3436 (3436), Dst Port: 21 (21), Seq: 2877212159, Ack: 1038849510,
Len: 0
Source port: 3436 (3436)
Destination port: 21 (21)
Sequence number: 2877212159
Acknowledgement number: 1038849510
Header length: 20 bytes
Flags: 0x0010 (ACK)
0... .... = Congestion Window Reduced
(CWR): Not set
.0.. .... = ECN-Echo: Not set
..0. .... = Urgent: Not set
...1 .... = Acknowledgment: Set
.... 0... = Push: Not set
.... .0.. = Reset: Not set
.... ..0. = Syn: Not set
.... ...0 = Fin: Not set
Window size: 65451
Checksum: 0x052d (correct)
Frame 17 (69 bytes on
wire, 69 bytes captured)
Arrival Time: May 15, 2003
11:42:33.747551000
Time delta from previous packet:
1.628059000 seconds
Time relative to first packet: 3.865042000
seconds
Frame Number: 17
Packet Length: 69 bytes
Capture Length: 69 bytes
Ethernet II, Src:
00:a0:cc:33:da:ef, Dst: 00:90:7e:05:0f:ce
Destination: 00:90:7e:05:0f:ce
(00:90:7e:05:0f:ce)
Source: 00:a0:cc:33:da:ef
(00:a0:cc:33:da:ef)
Type: IP (0x0800)
Internet Protocol, Src
Addr: 172.18.0.2 (172.18.0.2), Dst Addr: 172.18.0.3 (172.18.0.3)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP
0x00: Default; ECN: 0x00)
0000 00.. = Differentiated Services
Codepoint: Default (0x00)
.... ..0. = ECN-Capable Transport
(ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 55
Identification: 0x2e03 (11779)
Flags: 0x04
.1.. = Don't fragment: Set
..0. = More fragments: Not set
Fragment offset: 0
Time to live: 64
Protocol: TCP (0x06)
Header checksum: 0xb493 (correct)
Source: 172.18.0.2 (172.18.0.2)
Destination: 172.18.0.3 (172.18.0.3)
Transmission Control Protocol,
Src Port: 3436 (3436), Dst Port: 21 (21), Seq: 2877212159, Ack: 1038849510,
Len: 15
Source port: 3436 (3436)
Destination port: 21 (21)
Sequence number: 2877212159
Next sequence number: 2877212174
Acknowledgement number: 1038849510
Header length: 20 bytes
Flags: 0x0018
(PSH, ACK)
0... .... = Congestion Window Reduced
(CWR): Not set
.0.. .... = ECN-Echo: Not set
..0. .... = Urgent: Not set
...1 .... = Acknowledgment: Set
.... 1... = Push: Set
.... .0.. = Reset: Not set
.... ..0. = Syn: Not set
.... ...0 = Fin: Not set
Window size: 65451
Checksum: 0x88bc (correct)
File Transfer Protocol
(FTP)
Request command: PASS
Request arg: x&1w@aaz
Frame 18 (79 bytes on
wire, 79 bytes captured)
Arrival Time: May 15, 2003
11:42:33.748679000
Time delta from previous packet:
0.001128000 seconds
Time relative to first packet: 3.866170000
seconds
Frame Number: 18
Packet Length: 79 bytes
Capture Length: 79 bytes
Ethernet II, Src:
00:90:7e:05:0f:ce, Dst: 00:a0:cc:33:da:ef
Destination: 00:a0:cc:33:da:ef
(00:a0:cc:33:da:ef)
Source: 00:90:7e:05:0f:ce
(00:90:7e:05:0f:ce)
Type: IP (0x0800)
Internet Protocol, Src
Addr: 172.18.0.3 (172.18.0.3), Dst Addr: 172.18.0.2 (172.18.0.2)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP
0x00: Default; ECN: 0x00)
0000 00.. = Differentiated Services
Codepoint: Default (0x00)
.... ..0. = ECN-Capable Transport
(ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 65
Identification: 0xfa40 (64064)
Flags: 0x04
.1.. = Don't fragment: Set
..0. = More fragments: Not set
Fragment offset: 0
Time to live: 64
Protocol: TCP (0x06)
Header checksum: 0xe84b (correct)
Source: 172.18.0.3 (172.18.0.3)
Destination: 172.18.0.2 (172.18.0.2)
Transmission Control
Protocol, Src Port: 21 (21), Dst Port: 3436 (3436), Seq: 1038849510, Ack:
2877212174, Len: 25
Source port: 21 (21)
Destination port: 3436 (3436)
Sequence number: 1038849510
Next sequence number: 1038849535
Acknowledgement number: 2877212174
Header length: 20 bytes
Flags: 0x0018
(PSH, ACK)
0... .... = Congestion Window Reduced
(CWR): Not set
.0.. .... = ECN-Echo: Not set
..0. .... = Urgent: Not set
...1 .... = Acknowledgment: Set
.... 1... = Push: Set
.... .0.. = Reset: Not set
.... ..0. = Syn: Not set
.... ...0 = Fin: Not set
Window size: 16324
Checksum: 0xc74f (correct)
File Transfer Protocol
(FTP)
Response code: User logged in, proceed
(230)
Response arg: Welcome to Server.
\r\n
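The sequence and acknowledgement numbers in frames 2 through 4 (the handshake) and frames 10 through 18 (the PSH exchange) can be checked mechanically. The following is an added example, not part of the original capture or of any tool's output: the segment tuples are transcribed from the frames above, and the function names are hypothetical. Frames not reproduced on this page are not in the list.

```python
MOD = 2**32
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10
C, S = "172.18.0.2:3436", "172.18.0.3:21"
# (frame, sender, flags, seq, ack, payload_len), transcribed from the frames above
TRACE = [
    (2,  C, 0x02, 2877212145, 0,          0),
    (3,  S, 0x12, 1038849425, 2877212146, 0),
    (4,  C, 0x10, 2877212146, 1038849426, 0),
    (10, S, 0x18, 1038849426, 2877212146, 49),
    (11, C, 0x10, 2877212146, 1038849475, 0),
    (14, C, 0x18, 2877212146, 1038849475, 13),
    (15, S, 0x18, 1038849475, 2877212159, 35),
    (16, C, 0x10, 2877212159, 1038849510, 0),
    (17, C, 0x18, 2877212159, 1038849510, 15),
    (18, S, 0x18, 1038849510, 2877212174, 25),
]

def flag_names(flags):
    """Decode the low five TCP flag bits in the order the dump prints them."""
    bits = [(FIN, "FIN"), (SYN, "SYN"), (RST, "RST"), (PSH, "PSH"), (ACK, "ACK")]
    return [name for bit, name in bits if flags & bit]

def is_three_way_handshake(a, b, c):
    """SYN, SYN+ACK, ACK where each ACK number is the peer's initial seq plus one."""
    return (a[2] == SYN and b[2] == SYN | ACK and c[2] == ACK
            and b[4] == (a[3] + 1) % MOD
            and c[3] == b[4] and c[4] == (b[3] + 1) % MOD)

def check_stream(trace):
    """Return (frame, problem) pairs for segments that break seq/ack accounting."""
    next_seq, problems = {}, []  # next_seq: sender -> next sequence number it should use
    for frame, sender, flags, seq, ack, length in trace:
        if not flags & SYN:
            if sender not in next_seq:
                problems.append((frame, "segment before SYN"))
            elif seq != next_seq[sender]:
                problems.append((frame, "seq %d, expected %d" % (seq, next_seq[sender])))
        peer = [n for who, n in next_seq.items() if who != sender]
        if flags & ACK and peer and 0 < (ack - peer[0]) % MOD < 2**31:
            problems.append((frame, "acknowledges bytes the peer has not sent"))
        # SYN and FIN each consume one sequence number; payload consumes its length
        consumed = length + (1 if flags & (SYN | FIN) else 0)
        next_seq[sender] = (seq + consumed) % MOD
    return problems

if __name__ == "__main__":
    print("handshake ok:", is_three_way_handshake(*TRACE[:3]))
    for seg in TRACE:
        print(seg[0], flag_names(seg[2]))
    print("problems:", check_stream(TRACE))
```

A capture with dropped or retransmitted segments will report sequence mismatches here; in this trace every segment lines up, so the list is empty.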
Frame 19 (54 bytes on
wire, 54 bytes captured)
Arrival Time: May 15, 2003
11:42:33.925289000
Time delta from previous packet:
0.176610000 seconds
Time relative to first packet: 4.042780000
seconds
Frame Number: 19
Packet Length: 54 bytes
Capture Length: 54 bytes
Ethernet II, Src:
00:a0:cc:33:da:ef, Dst: 00:90:7e:05:0f:ce
Destination: 00:90:7e:05:0f:ce
(00:90:7e:05:0f:ce)
Source: 00:a0:cc:33:da:ef
(00:a0:cc:33:da:ef)
Type: IP (0x0800)
Internet Protocol, Src
Addr: 172.18.0.2 (172.18.0.2), Dst Addr: 172.18.0.3 (172.18.0.3)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP
0x00: Default; ECN: 0x00)
0000 00.. = Differentiated Services
Codepoint: Default (0x00)
.... ..0. = ECN-Capable Transport
(ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 40
Identification: 0x2e04 (11780)
Fl