- 浏览: 52553 次
- 性别:
- 来自: 湖南
最新评论
You may already know that when FTP (File Transfer Protocol)
commands cross the wire, they use port 21 by default. You may also know
that port 20 is assigned to FTP data. Unfortunately, most FTP data
sessions do not actually use port 20.
So you have just taken a trace of an FTP session and noticed that a PORT command crossed the wire. When you looked at the decode, you saw the strangest command sequence:
PORT 10,2,0,2,4,31
[We have several FTP trace files online at
http://www.packet-level.com/traceFiles.htm.]
What does this mean? First let us take a look at the purpose of the PORT command. Then we will decipher the numbers following the command.
THE PORT COMMAND
FTP communications use two port number values - one for commands (port 21 by default) and one for data transfer (this is where the PORT command comes into play).
The PORT command is sent by an FTP client to establish a secondary connection (address and port) for data to travel over. In some FTP implementations port 20 is used for data, but that is the exception rather than the rules. Typically in a trace you will see data crossing over a dynamic port number (IANA states that this range should be between 49152 through 65535, but most likely you'll see your application using something just above 1024 - the area that used to be the dynamic port number area).
Figure 1 shows the summary of an FTP communication. Packet 16 contains the PORT command. [This trace file is online at http://www.packet-level.com/traceFiles.htm.]
Figure 1: The PORT command and parameters are visible in Sniffer's summary column.
An FTP client issues a PORT to the FTP server and defines what port the client will be listening on for the data channel connection. Upon receipt of the PORT command, the server establishes a new TCP connection to the client using that TCP port value.
You may see numerous PORT commands issued during a single FTP session - a new data channel must be established to transfer directory listings and perform file GET and PUT operations.
The Freaky Numbers
After the PORT command, you will see a series of six numbers - these numbers indicate the IP address and port number to use in establishing a data transfer connection. The first four numbers (10,2,0,2 in our example above) indicate the client IP address. The second numbers, 4,15 indicate the client port number.
4,15? Strange. When you look at your trace, you would notice that the server establishes a connection on the client port 1039 (D=1039 in packet 19 in Figure 1). How did we get from 4,15 to 1039? Here we go. To interpret and translate the value 4,15 into a port number the receiver must do some decimal to hex translations - here is an example:
first number (4) translate to hex (0x04)
second number (15) translate to hex (0x0F)
Now take the entire set of hex bytes (0x040F) and translate the bytes from hex to decimal (1055). Figure 2 displays the conversion value in Hex Workshop's Base Converter applet. (Hex Workshop and Base Converter are available online at www.bpsoft.com.) Voila!
Figure 2: Hex value 040F is equivalent to decimal value 1039.
Most folks get snagged when they try to translate both decimal values as a single set (415 = 0x019F) - that just will not work. You must split the values and convert individually to hex before combining and converting to decimal.
Now you know - when you see another PORT command on the wire, you should be able to guess what port the data transfer process will use.
View All Articles by Laura Chappell
So you have just taken a trace of an FTP session and noticed that a PORT command crossed the wire. When you looked at the decode, you saw the strangest command sequence:
PORT 10,2,0,2,4,31
[We have several FTP trace files online at
http://www.packet-level.com/traceFiles.htm.]
What does this mean? First let us take a look at the purpose of the PORT command. Then we will decipher the numbers following the command.
THE PORT COMMAND
FTP communications use two port number values - one for commands (port 21 by default) and one for data transfer (this is where the PORT command comes into play).
The PORT command is sent by an FTP client to establish a secondary connection (address and port) for data to travel over. In some FTP implementations port 20 is used for data, but that is the exception rather than the rules. Typically in a trace you will see data crossing over a dynamic port number (IANA states that this range should be between 49152 through 65535, but most likely you'll see your application using something just above 1024 - the area that used to be the dynamic port number area).
Figure 1 shows the summary of an FTP communication. Packet 16 contains the PORT command. [This trace file is online at http://www.packet-level.com/traceFiles.htm.]
Figure 1: The PORT command and parameters are visible in Sniffer's summary column.
An FTP client issues a PORT to the FTP server and defines what port the client will be listening on for the data channel connection. Upon receipt of the PORT command, the server establishes a new TCP connection to the client using that TCP port value.
You may see numerous PORT commands issued during a single FTP session - a new data channel must be established to transfer directory listings and perform file GET and PUT operations.
The Freaky Numbers
After the PORT command, you will see a series of six numbers - these numbers indicate the IP address and port number to use in establishing a data transfer connection. The first four numbers (10,2,0,2 in our example above) indicate the client IP address. The second numbers, 4,15 indicate the client port number.
4,15? Strange. When you look at your trace, you would notice that the server establishes a connection on the client port 1039 (D=1039 in packet 19 in Figure 1). How did we get from 4,15 to 1039? Here we go. To interpret and translate the value 4,15 into a port number the receiver must do some decimal to hex translations - here is an example:
first number (4) translate to hex (0x04)
second number (15) translate to hex (0x0F)
Now take the entire set of hex bytes (0x040F) and translate the bytes from hex to decimal (1055). Figure 2 displays the conversion value in Hex Workshop's Base Converter applet. (Hex Workshop and Base Converter are available online at www.bpsoft.com.) Voila!
Figure 2: Hex value 040F is equivalent to decimal value 1039.
Most folks get snagged when they try to translate both decimal values as a single set (415 = 0x019F) - that just will not work. You must split the values and convert individually to hex before combining and converting to decimal.
Now you know - when you see another PORT command on the wire, you should be able to guess what port the data transfer process will use.
View All Articles by Laura Chappell
About the Author:
Laura Chappell is the Sr. Protocol Analyst for the Protocol Analysis
Institute. Laura focuses on researching, writing and lecturing on
network analysis and security. In 2003, over 60 of Laura's courses
become available via internet/CD and a series of "White Hat Toolbox:
Security Tools, Tricks and Traces" are releasing at
http://www.packet-level.com. Laura can be reached at
lchappell@packet-level.com.
Traceback: http://www.securitypronews.com/it/networksystems/spn-21-20030917UnderstandingtheFTPPORTCommand.html
发表评论
-
项目开发日志杂记
2009-05-04 13:05 966开发日志 0:32 2008-9-18 1、中文 ... -
笔记本维护故障一则
2007-03-18 23:40 706唉呀,今天真的是羞死 ... -
多Web服务器的80端口访问
2007-03-23 11:42 1466写这篇文章,源自于自己的一个需求。这几天一校园WEB站点因为域 ... -
[转]Windows系统文件详细解说
2007-04-02 23:38 620详细的介绍了WINDOWS系统文件的用途,我想各位保存一份以后 ... -
关于Windows文件共享服务的一些问题
2007-04-02 23:44 2513[问题引出]:我刚安装windows2003时,Compute ... -
MS Project 2003的一个问题
2007-04-03 18:04 1047[问题引出]:刚装完MS Project 2003,一运行就出 ... -
IBM xSeries服务器安装内存一则
2007-04-04 00:55 816部门进购IBM xSeries 225服务器已经达三年之久了, ... -
JAVA与蓝牙起步(Getting Started with Java and Bluetooth)
2007-04-26 00:39 1506栈初始化在你做任何事之前,你需要初始化你的栈。记住,栈是一个用 ... -
Windows 2000下的远程桌面工具
2007-04-28 18:10 1031在Windows XP之后的系统中都会在“系统”属性中可以设置 ... -
最近在看的书
2007-06-25 03:17 6531、JSP网络开发技术与整合应用 ... -
想看的书---<<开发自己的搜索引擎---Lucene 2.0 + Heritrix>>
2007-06-26 21:47 1728开发自己的搜索引擎---Lucene 2.0 + Heritr ... -
数据挖掘相关
2007-06-27 08:43 751什么是规则?就是一个条件和一个结果的和:If con ... -
不要用浏览器来测试
2007-07-03 11:02 918进行B/S系统编程,大概浏览器就是最直接的测试程序是否正确的方 ... -
Big-Endian And Little-Endian
2007-07-07 11:32 875今天老师给我们复习单片机,出了一个题目,就这个字节存储顺序搞得 ... -
MySQL的中文问题
2007-07-08 21:12 721唉,看到网上这么多的关于MySQL中文编码的问题。今天自己碰到 ... -
[转]RAW FileSystem Recovery
2007-07-11 09:09 993To know ho ... -
关于人工神经网络中的M-P模型的一点疑问
2007-08-08 22:31 932人工神经网络M-P模型构成一个逻辑非模型,从书中抄下来的,如下 ... -
JOONE(Java Object-Oriented Network Engine)使用初探
2007-09-30 16:03 12691 /**/ ... -
OpenGL in VC++
2008-01-19 00:30 1002首先看一个简单的例子: 1 #include <wind ... -
VC++中的ON_COMMAND_RANGE宏
2008-01-26 13:51 1777VC++中的ON_COMMAND_RANGE宏 ...
相关推荐
SIP: Understanding the Session Initiation Protocol, Fourth Edition 英文原版,第4版
4. 《UnderStanding The Linux Kernel 3rd Edition V413HAV.pdf》:这正是标题中提到的《理解Linux内核》第三版,书中详尽介绍了Linux 2.6.x版本内核的设计和实现,包括调度程序、内存管理、文件系统、网络协议栈等...
Understanding The Linux Kernel 完美组合 Understanding The Linux Kernel 完美组合 Understanding The Linux Kernel 完美组合
该压缩包中的文件"OReilly.Understanding.the.Linux.Kernel.3rd.Edition.Nov.2005.HAPPY.NEW.YEAR.chm"是这本书的电子版,采用CHM(Compiled HTML Help)格式,便于在电脑上离线阅读。CHM文件是一种包含HTML页面和...
全球定位系统(GPS)是现代科技中的一个关键组成部分,它为全球用户提供准确、实时的位置、时间和速度信息。本文将深入浅出地介绍GPS的基本原理、组成、工作方式以及其在地理信息系统(GIS)中的应用。...
本文《Understanding the difficulty of training deep feedforward neural networks》旨在探讨深度前馈神经网络(Deep Feedforward Neural Networks, DNNs)训练过程中的难点。文章强调了在2006年之前,深度多层...
blockchain_your comprehensive guide to understanding the decentralized future(2016)
Understanding the Linux Kernel provides a guided tour of the code that forms the core of all Linux operating systems. Beyond the functioning of the code, the book explains the theoretical ...
Understanding The GPS
Understanding The Linux Kerne 3rd Understanding The Linux Kerne Understanding The Linux Kerne Understanding The Linux Kerne
SIP Understanding the Session Initiation Protocol
Understanding the Linux Kernel, 3rd Edition - By Daniel P. Bovet, Marco Cesati.mobi
O'Reily出版的又一部经典。Linux作为最为成功的开源操作系统,其精巧的内核设计也一直为操作系统开发者津津乐道。如果你想彻底地理解Linux工作原理,你不得不仔细地研究Linux内核,那么这本书就是极佳的参考资料。
理解瓦尔堡效应:细胞增殖的代谢需求 在生物学与医学领域,瓦尔堡效应(Warburg effect)是细胞代谢研究中的一个关键概念。这一现象最初由德国生物化学家奥托·海因里希·瓦尔堡在1920年代发现并命名,它揭示了肿瘤...
《Understanding the Linux Kernel (3rd Edition)》是一本深入探讨Linux内核工作原理的经典教材,由Daniel P. Bovet和Marco Cesati共同撰写。本书详细分析了Linux内核中最关键的数据结构、算法和编程技巧。作者们...
### 深入理解Linux内核(第三版) #### 一、引言 《深入理解Linux内核》(第三版)是由Daniel P. Bovet和Marco Cesati编著的一本经典著作,由O'Reilly出版社于2005年11月出版。该书的ISBN号为0-596-00565-2,全书...