- 浏览: 50276 次
- 性别:
- 来自: 湖南
最新评论
You may already know that when FTP (File Transfer Protocol)
commands cross the wire, they use port 21 by default. You may also know
that port 20 is assigned to FTP data. Unfortunately, most FTP data
sessions do not actually use port 20.
So you have just taken a trace of an FTP session and noticed that a PORT command crossed the wire. When you looked at the decode, you saw the strangest command sequence:
PORT 10,2,0,2,4,31
[We have several FTP trace files online at
http://www.packet-level.com/traceFiles.htm.]
What does this mean? First let us take a look at the purpose of the PORT command. Then we will decipher the numbers following the command.
THE PORT COMMAND
FTP communications use two port number values - one for commands (port 21 by default) and one for data transfer (this is where the PORT command comes into play).
The PORT command is sent by an FTP client to establish a secondary connection (address and port) for data to travel over. In some FTP implementations port 20 is used for data, but that is the exception rather than the rules. Typically in a trace you will see data crossing over a dynamic port number (IANA states that this range should be between 49152 through 65535, but most likely you'll see your application using something just above 1024 - the area that used to be the dynamic port number area).
Figure 1 shows the summary of an FTP communication. Packet 16 contains the PORT command. [This trace file is online at http://www.packet-level.com/traceFiles.htm.]
Figure 1: The PORT command and parameters are visible in Sniffer's summary column.
An FTP client issues a PORT to the FTP server and defines what port the client will be listening on for the data channel connection. Upon receipt of the PORT command, the server establishes a new TCP connection to the client using that TCP port value.
You may see numerous PORT commands issued during a single FTP session - a new data channel must be established to transfer directory listings and perform file GET and PUT operations.
The Freaky Numbers
After the PORT command, you will see a series of six numbers - these numbers indicate the IP address and port number to use in establishing a data transfer connection. The first four numbers (10,2,0,2 in our example above) indicate the client IP address. The second numbers, 4,15 indicate the client port number.
4,15? Strange. When you look at your trace, you would notice that the server establishes a connection on the client port 1039 (D=1039 in packet 19 in Figure 1). How did we get from 4,15 to 1039? Here we go. To interpret and translate the value 4,15 into a port number the receiver must do some decimal to hex translations - here is an example:
first number (4) translate to hex (0x04)
second number (15) translate to hex (0x0F)
Now take the entire set of hex bytes (0x040F) and translate the bytes from hex to decimal (1055). Figure 2 displays the conversion value in Hex Workshop's Base Converter applet. (Hex Workshop and Base Converter are available online at www.bpsoft.com.) Voila!
Figure 2: Hex value 040F is equivalent to decimal value 1039.
Most folks get snagged when they try to translate both decimal values as a single set (415 = 0x019F) - that just will not work. You must split the values and convert individually to hex before combining and converting to decimal.
Now you know - when you see another PORT command on the wire, you should be able to guess what port the data transfer process will use.
View All Articles by Laura Chappell
So you have just taken a trace of an FTP session and noticed that a PORT command crossed the wire. When you looked at the decode, you saw the strangest command sequence:
PORT 10,2,0,2,4,31
[We have several FTP trace files online at
http://www.packet-level.com/traceFiles.htm.]
What does this mean? First let us take a look at the purpose of the PORT command. Then we will decipher the numbers following the command.
THE PORT COMMAND
FTP communications use two port number values - one for commands (port 21 by default) and one for data transfer (this is where the PORT command comes into play).
The PORT command is sent by an FTP client to establish a secondary connection (address and port) for data to travel over. In some FTP implementations port 20 is used for data, but that is the exception rather than the rules. Typically in a trace you will see data crossing over a dynamic port number (IANA states that this range should be between 49152 through 65535, but most likely you'll see your application using something just above 1024 - the area that used to be the dynamic port number area).
Figure 1 shows the summary of an FTP communication. Packet 16 contains the PORT command. [This trace file is online at http://www.packet-level.com/traceFiles.htm.]
Figure 1: The PORT command and parameters are visible in Sniffer's summary column.
An FTP client issues a PORT to the FTP server and defines what port the client will be listening on for the data channel connection. Upon receipt of the PORT command, the server establishes a new TCP connection to the client using that TCP port value.
You may see numerous PORT commands issued during a single FTP session - a new data channel must be established to transfer directory listings and perform file GET and PUT operations.
The Freaky Numbers
After the PORT command, you will see a series of six numbers - these numbers indicate the IP address and port number to use in establishing a data transfer connection. The first four numbers (10,2,0,2 in our example above) indicate the client IP address. The second numbers, 4,15 indicate the client port number.
4,15? Strange. When you look at your trace, you would notice that the server establishes a connection on the client port 1039 (D=1039 in packet 19 in Figure 1). How did we get from 4,15 to 1039? Here we go. To interpret and translate the value 4,15 into a port number the receiver must do some decimal to hex translations - here is an example:
first number (4) translate to hex (0x04)
second number (15) translate to hex (0x0F)
Now take the entire set of hex bytes (0x040F) and translate the bytes from hex to decimal (1055). Figure 2 displays the conversion value in Hex Workshop's Base Converter applet. (Hex Workshop and Base Converter are available online at www.bpsoft.com.) Voila!
Figure 2: Hex value 040F is equivalent to decimal value 1039.
Most folks get snagged when they try to translate both decimal values as a single set (415 = 0x019F) - that just will not work. You must split the values and convert individually to hex before combining and converting to decimal.
Now you know - when you see another PORT command on the wire, you should be able to guess what port the data transfer process will use.
View All Articles by Laura Chappell
About the Author:
Laura Chappell is the Sr. Protocol Analyst for the Protocol Analysis
Institute. Laura focuses on researching, writing and lecturing on
network analysis and security. In 2003, over 60 of Laura's courses
become available via internet/CD and a series of "White Hat Toolbox:
Security Tools, Tricks and Traces" are releasing at
http://www.packet-level.com. Laura can be reached at
lchappell@packet-level.com.
Traceback: http://www.securitypronews.com/it/networksystems/spn-21-20030917UnderstandingtheFTPPORTCommand.html
发表评论
-
项目开发日志杂记
2009-05-04 13:05 925开发日志 0:32 2008-9-18 1、中文 ... -
笔记本维护故障一则
2007-03-18 23:40 671唉呀,今天真的是羞死 ... -
多Web服务器的80端口访问
2007-03-23 11:42 1416写这篇文章,源自于自己的一个需求。这几天一校园WEB站点因为域 ... -
[转]Windows系统文件详细解说
2007-04-02 23:38 579详细的介绍了WINDOWS系统文件的用途,我想各位保存一份以后 ... -
关于Windows文件共享服务的一些问题
2007-04-02 23:44 2473[问题引出]:我刚安装windows2003时,Compute ... -
MS Project 2003的一个问题
2007-04-03 18:04 1000[问题引出]:刚装完MS Project 2003,一运行就出 ... -
IBM xSeries服务器安装内存一则
2007-04-04 00:55 768部门进购IBM xSeries 225服务器已经达三年之久了, ... -
JAVA与蓝牙起步(Getting Started with Java and Bluetooth)
2007-04-26 00:39 1464栈初始化在你做任何事之前,你需要初始化你的栈。记住,栈是一个用 ... -
Windows 2000下的远程桌面工具
2007-04-28 18:10 967在Windows XP之后的系统中都会在“系统”属性中可以设置 ... -
最近在看的书
2007-06-25 03:17 6111、JSP网络开发技术与整合应用 ... -
想看的书---<<开发自己的搜索引擎---Lucene 2.0 + Heritrix>>
2007-06-26 21:47 1686开发自己的搜索引擎---Lucene 2.0 + Heritr ... -
数据挖掘相关
2007-06-27 08:43 709什么是规则?就是一个条件和一个结果的和:If con ... -
不要用浏览器来测试
2007-07-03 11:02 883进行B/S系统编程,大概浏览器就是最直接的测试程序是否正确的方 ... -
Big-Endian And Little-Endian
2007-07-07 11:32 819今天老师给我们复习单片机,出了一个题目,就这个字节存储顺序搞得 ... -
MySQL的中文问题
2007-07-08 21:12 690唉,看到网上这么多的关于MySQL中文编码的问题。今天自己碰到 ... -
[转]RAW FileSystem Recovery
2007-07-11 09:09 958To know ho ... -
关于人工神经网络中的M-P模型的一点疑问
2007-08-08 22:31 887人工神经网络M-P模型构成一个逻辑非模型,从书中抄下来的,如下 ... -
JOONE(Java Object-Oriented Network Engine)使用初探
2007-09-30 16:03 12321 /**/ ... -
OpenGL in VC++
2008-01-19 00:30 957首先看一个简单的例子: 1 #include <wind ... -
VC++中的ON_COMMAND_RANGE宏
2008-01-26 13:51 1714VC++中的ON_COMMAND_RANGE宏 ...
相关推荐
Understanding the GPS - An Introduction to the Global Positioning System
SIP: Understanding the Session Initiation Protocol, Fourth Edition 英文原版,第4版
Understanding the Linux Kernel 3rd Edition (English Version)
Understanding The Linux Kernel 完美组合 Understanding The Linux Kernel 完美组合 Understanding The Linux Kernel 完美组合
Understanding the difficulty of training deep feedforward neural networks
Understanding the Linux Kernel pdf
The third edition of Understanding the Linux Kernel takes you on a guided tour of the most significant data structures, algorithms, and programming tricks used in the kernel. Probing beyond ...
It then provides a detailed description of the VM architecture with the aid of numerous diagrams and call graphs, which is suitable for people who need a clear understanding of how the VM functions....
blockchain_your comprehensive guide to understanding the decentralized future(2016)
Understanding The Linux Kernel 3rd.pdf 深入理解LINUX内核,第三版
Understanding theWarburg effect the metabolic requirements of cell proliferation
Understanding the Discrete Element Method
Understanding the Linux Kernel 3rd 英文原版,详细介绍了内核的参数,原理,理论很详细,可以加深对操作系统的理解
Understanding the Overheads of Launching CUDA Kernels.pdf
Understanding the Linux Kernel provides a guided tour of the code that forms the core of all Linux operating systems. Beyond the functioning of the code, the book explains the theoretical ...
Understanding the Basis of the Kalman Filter(卡曼滤波基本知识)
Understanding The Linux Virtual Memory Manager.rar
Understanding the Linux Kernel provides a guided tour of the code that forms the core of all Linux operating systems. Beyond the functioning of the code, the book explains the theoretical ...
understanding the wto
Understanding The GPS