-------------------------------------------------------------------
The Protocol Handbook
-------------------------------------------------------------------
Part 1 - By rift, 10/14/98

Preface

This guide explains the elements of the protocols used on the Internet. Many client/server applications rely on protocols; Netscape Navigator and Microsoft Internet Explorer, for example, both use the HTTP protocol to send and receive data between the server and the client.  The client sends a request to the HTTP server, which listens on port 80.  Put simply, the client says "may I have this file?" and the server replies, most likely dumping the page back to the client.  The client then takes the data sent back by the server, parses it, and displays it for the user as a normal page.

Clients

The client is the application that communicates with the server.  Usually a client creates a virtual-circuit connection with the server and then starts communicating.  In the example below, the client sends its nickname/ident information and the server acknowledges that it received that info.

Send 16 bytes.
<00000000< NICK hax0r

Send 42 bytes.
<00000010< USER hax0r 32 . :I am an elite hax0r

(The server recognizes that the requested nick is in use and sends back data that the IRC client will interpret.)

Receive 60 bytes.
>00000000> :irc.hax0r.bm 433 * hax0r :Nickname is already in 
>00000036> use.
  
Send 16 bytes.
<0000003A< NICK hax0r1

(Handshaking stage complete...)
Receive 1099 bytes.
>0000003C> :irc.hax0r.bm 001 hax0r1: Welcome to IRC.

So the handshaking stage is complete.  The server waits for the responses from the client, and once the session is successfully initiated, the client goes on with its business.
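As an added example (not part of the original handbook), here is a small Python parser and registration routine that walks the exchange above: it splits each server line into prefix, command and parameters, resends NICK with a digit appended when the server answers 433, and stops at 001. The server lines are constructed to mirror the transcript; a real client would also have to answer PING and handle the other registration numerics.

```python
import re

# Constructed server replies modelled on the transcript above (not captured traffic).
SERVER_LINES = [
    ":irc.hax0r.bm 433 * hax0r :Nickname is already in use.",
    ":irc.hax0r.bm 001 hax0r1 :Welcome to IRC.",
]

IRC_LINE = re.compile(r"^(?::(?P<prefix>\S+) )?(?P<cmd>\S+)(?: (?P<rest>.*))?$")

def parse_line(line):
    """Split one server line into (prefix, command, params).
    A parameter starting with ':' is the trailing one and may contain spaces."""
    m = IRC_LINE.match(line.rstrip("\r\n"))
    if not m:
        raise ValueError("malformed IRC line: %r" % line)
    params, rest = [], m.group("rest") or ""
    while rest:
        if rest.startswith(":"):
            params.append(rest[1:])
            break
        head, _, rest = rest.partition(" ")
        params.append(head)
    return m.group("prefix"), m.group("cmd"), params

def register(nick, user, realname, server_lines, max_collisions=3):
    """Drive the NICK/USER handshake against a sequence of server lines.
    433 (ERR_NICKNAMEINUSE) -> append '1' and resend NICK, as the client above did;
    001 (RPL_WELCOME) -> registered. Returns (lines sent, nick the server accepted)."""
    sent = ["NICK %s" % nick, "USER %s 0 * :%s" % (user, realname)]
    collisions = 0
    for line in server_lines:
        _, cmd, params = parse_line(line)
        if cmd == "433":
            collisions += 1
            if collisions > max_collisions:
                raise RuntimeError("gave up after %d nick collisions" % max_collisions)
            nick += "1"
            sent.append("NICK %s" % nick)
        elif cmd == "001":
            return sent, params[0]
        # other numerics and notices during registration are ignored here
    raise RuntimeError("server closed the exchange before 001")
```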

More advanced handshaking

Here we get down to the dirty work.  Packets are sent between the client and server, and those packets contain flags.  The most commonly used flags are:

SYN - Initiates a virtual-circuit connection with the destination host/server.  The three-way TCP handshaking procedure is used to connect.  Both the SYN and ACK flags are carried in a packet:

SYN=1/ACK=0: Opens a connection
SYN=1/ACK=1: Open connection acknowledgment request
SYN=0/ACK=1: Just plain acknowledgment packet or data packet

ACK - ACK is used to state that the acknowledgment number field is valid.

RST - RST resets the connection because (a) the server returned an error or (b) the client itself produced an error.

FIN - FIN terminates the connection (virtual circuit).  Both the client and server sides must agree to terminate the connection; otherwise an application might unexpectedly drop the connection for no apparent reason.

URG - URG is used to send OOB (out-of-band) data to the server without waiting for the server to process the octets already in the stream.  Octets are every 8th bit within a byte.  NetBIOS has a problem with URG processing: it cannot handle such a sequence of data of arbitrary length.  This is known as the winnuke attack - (http://www.rootshell.com/archive-j457nxiqi3gq59dv/199707/winnuke.c.html)


Address Classes


You've probably heard people say "Class C net" or "Class A net" - these are address classes.   Address classes define how many nodes a specific network can have; the table follows below:

Class A - 127 networks, 16,777,214 Nodes.
Class B - 16,383 networks, 65,534 Nodes.
Class C - 2,097,151 networks, 254 Nodes.

The most common network that you will find is the Class C network, which many schools/private businesses use.  Class A nets are for HUGE companies like AOL, which need more IP addresses than Bill Clinton needs ugly women. (um that was a bad joke)
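Added example (not part of the handbook): classifying an address by the leading bits of its first octet and deriving the figures in the table above from the number of network and host bits each class has. The addresses used are constructed sample values.

```python
# (network bits, host bits) for each class: A = 0xxxxxxx, B = 10xxxxxx, C = 110xxxxx
CLASS_BITS = {"A": (7, 24), "B": (14, 16), "C": (21, 8)}

def address_class(ip):
    """Classify a dotted-quad IPv4 address by the leading bits of its first octet."""
    first = int(ip.split(".")[0])
    if first >> 7 == 0b0:
        return "A"
    if first >> 6 == 0b10:
        return "B"
    if first >> 5 == 0b110:
        return "C"
    return None   # class D (multicast) and E (reserved) are not in the table

def class_capacity(cls):
    """Derive the table's figures: networks = 2^n - 1 (the all-zeros network number is
    reserved) and nodes = 2^h - 2 (all-zeros and all-ones host parts are reserved)."""
    net_bits, host_bits = CLASS_BITS[cls]
    return 2 ** net_bits - 1, 2 ** host_bits - 2

def split_address(ip):
    """Return (class, network part, host part) using the classful boundary."""
    cls = address_class(ip)
    if cls is None:
        raise ValueError("%s is not a class A, B or C address" % ip)
    octets = ip.split(".")
    n = {"A": 1, "B": 2, "C": 3}[cls]
    return cls, ".".join(octets[:n]), ".".join(octets[n:])
```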


Protocol Definitions

Here I will explain many popular protocols that we use, like FTP or IRC.

TCP - Transmission Control Protocol.  TCP relies on IP to get the data to the right place; it also makes sure that none of the packets sent are dropped by mistake.  TCP is what delivers your packets, so it is obviously needed for most of our advanced client/server applications.  Once IP handles where the data is to be sent, TCP goes to work and delivers the data in its form. Here is a basic outline of a TCP packet:

+------------------------+
| Source IP Address      |
+------------------------+
| Destination IP Address |
+------------------------+
| Protocol               |
+------------------------+
| TCP Length             |
+------------------------+
| TCP Header             |
+------------------------+
| Data                   |
+------------------------+
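Added example, not from the original text, covering both the flags section and the packet outline above: this Python code builds a TCP segment, computes its checksum over the pseudo-header block from the diagram (source IP, destination IP, protocol, TCP length) plus the header and data, and labels the segment using the SYN/ACK table. Addresses, ports and sequence numbers are constructed sample values.

```python
import socket
import struct

FLAG_NAMES = [("FIN", 0x01), ("SYN", 0x02), ("RST", 0x04),
              ("PSH", 0x08), ("ACK", 0x10), ("URG", 0x20)]

def checksum(data):
    """RFC 1071 one's-complement sum over 16-bit words; 0 means 'verifies'."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def pseudo_header(src_ip, dst_ip, tcp_len):
    """The Source IP / Destination IP / Protocol / TCP Length block of the diagram;
    protocol 6 is TCP. It is summed with the header and data but never transmitted."""
    return struct.pack("!4s4sBBH", socket.inet_aton(src_ip),
                       socket.inet_aton(dst_ip), 0, 6, tcp_len)

def build_segment(src_ip, dst_ip, sport, dport, seq, ack, flags, payload=b""):
    """20-byte TCP header (data offset 5, window 65535) + data, checksum filled in."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0)
    csum = checksum(pseudo_header(src_ip, dst_ip, len(hdr) + len(payload)) + hdr + payload)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:] + payload

def describe(src_ip, dst_ip, segment):
    """Verify the checksum and label the segment with the SYN/ACK table above."""
    sport, dport, seq, ack, offset, flags = struct.unpack("!HHIIBB", segment[:14])
    names = [name for name, bit in FLAG_NAMES if flags & bit]
    syn, ackf = bool(flags & 0x02), bool(flags & 0x10)
    if syn and not ackf:
        stage = "SYN=1/ACK=0: opens a connection"
    elif syn and ackf:
        stage = "SYN=1/ACK=1: open connection acknowledgment"
    elif ackf:
        stage = "SYN=0/ACK=1: plain acknowledgment or data packet"
    else:
        stage = "neither SYN nor ACK: RST/FIN or other control"
    ok = checksum(pseudo_header(src_ip, dst_ip, len(segment)) + segment) == 0
    return {"sport": sport, "dport": dport, "flags": names,
            "stage": stage, "checksum_ok": ok}
```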


Some ports are listed here...

1	tcpmux - TCP Port Service Multiplexer
2	compressnet - Management Utility
3	compressnet - Compression Process
5	rje - Remote Job Entry
7	echo
9	discard
11	systat - Active Users
13	daytime
17	qotd - Quote of the Day
18	msp - Message Send Protocol
19	chargen - Character Generator
20	ftp-data - File Transfer [Default Data]
21	ftp - File Transfer [Control]
23	telnet
24	any private mail system
25	smtp - Simple Mail Transfer
27	nsw-fe - NSW User System FE
29	msg-icp
31	msg-auth - MSG Authentication
33	dsp - Display Support Protocol
35	any private printer server
37	time
38	rap - Route Access Protocol
39	rlp - Resource Location Protocol
41	graphics
42	nameserver - Host Name Server
43	nicname - Who Is
44	mpm-flags - MPM FLAGS Protocol
45	mpm - Message Processing Module [recv]
46	mpm - Message Processing Module [default send]
47	ni-ftp
48	auditd - Digital Audit Daemon
49	login - Login Host Protocol
50	re-mail-ck - Remote Mail Checking Protocol
51	la-maint - IMP Logical Address Maintenance
52	xns-time - XNS Time Protocol
53	domain - Domain Name Server
54	xns-ch - XNS Clearinghouse
55	isi-gl - ISI Graphics Language
56	xns-auth - XNS Authentication
57	any private terminal access
58	xns-mail - XNS Mail
59	any private file service
61	ni-mail
62	acas - ACA Services
64	covia - Communications Integrator (CI)
65	tacacs-ds - TACACS-Database Service
67	bootps - Bootstrap Protocol Server
68	bootpc - Bootstrap Protocol Client
69	tftp - Trivial File Transfer
70	gopher
71	netrjs-1 Remote Job Service
72	netrjs-2 Remote Job Service
73	netrjs-3 Remote Job Service
74	netrjs-4 Remote Job Service
75	any private dial out service
76	deos - Distributed External Object Store
77	any private RJE service
78	vettcp
79	finger
80	www-http - World Wide Web HTTP
81	host2-ns - HOSTS2 Name Server
82	xfer - XFER Utility
83	mit-ml-dev
84	ctf - Common Trace Facility
85	mit-ml-dev
86	mfcobol - Micro Focus Cobol
87	any private terminal link
88	kerberos
89	su-mit-tg - SU/MIT Telnet Gateway
90	dnsix - DNSIX Security Attribute Token Map
91	mit-dov - MIT Dover Spooler
92	npp - Network Printing Protocol
93	dcp - Device Control Protocol
94	objcall - Tivoli Object Dispatcher
95	supdup
96	dixie - DIXIE Protocol Specification
97	swift-rvf - Swift Remote Virtual File Protocol
98	tacnews
99	metagram - Metagram Relay
100	newacct - [unauthorized use]
101	hostname - NIC Host Name Server
102	iso-tsap
103	gppitnp - Genesis Point-To-Point Trans Net
104	acr-nema - ACR-NEMA Digital Imag. & Comm. 300
105	csnet-ns - Mailbox Name Nameserver
106	3com-tsmux
107	rtelnet - Remote Telnet Service
108	snagas - SNA Gateway Access Server
109	pop2 - Post Office Protocol - Version 2
110	pop3 - Post Office Protocol - Version 3
111	sunrpc - SUN Remote Procedure Call
112	mcidas - McIDAS Data Transmission Protocol
113	auth - Authentication Service
114	audionews - Audio News Multicast
115	sftp - Simple File Transfer Protocol
116	ansanotify - ANSA REX Notify
117	uucp-path - UUCP Path Service
118	sqlserv - SQL Services
119	nntp - Network News Transfer Protocol
120	cfdptkt
121	erpc - Encore Expedited Remote Pro.Call
122	smakynet
123	ntp - Network Time Protocol
124	ansatrader - ANSA REX Trader
125	locus-map - Locus PC-Interface Net Map Ser
126	unitary - Unisys Unitary Login
127	locus-con - Locus PC-Interface Conn Server
128	gss-xlicen - GSS X License Verification
129	pwdgen - Password Generator Protocol
130	cisco-fna - cisco FNATIVE
131	cisco-tna - cisco TNATIVE
132	cisco-sys - cisco SYSMAINT
133	statsrv - Statistics Service
135	loc-srv - Location Service
136	profile - PROFILE Naming System
137	netbios-ns - NETBIOS Name Service
138	netbios-dgm - NETBIOS Datagram Service
139	netbios-ssn - NETBIOS Session Service
140	emfis-data - EMFIS Data Service
141	emfis-cntl - EMFIS Control Service
142	bl-idm - Britton-Lee IDM
143	imap2 - Interim Mail Access Protocol v2
144	news
145	uaac
146	iso-tp0
147	iso-ip
148	cronus - CRONUS-SUPPORT
149	aed-512 - AED 512 Emulation Service
150	sql-net
151	hems
152	bftp - Background File Transfer Program
153	sgmp
154	netsc-prod
155	netsc-dev
156	sqlsrv - SQL Service
157	knet-cmp - KNET/VM Command/Message Protocol
158	pcmail-srv - PCMail Server
159	nss-routing
160	sgmp-traps
161	snmp - Simple Network Management Protocol
162	snmptrap - Simple Network Management Protocol Trap
163	cmip-man - CMIP/TCP Manager
164	cmip-agent - CMIP/TCP Agent
165	xns-courier - Xerox
166	s-net - Sirius Systems
167	namp
168	rsvd
169	send
170	print-srv - Network PostScript
171	multiplex - Network Innovations Multiplex
172	cl/1 - Network Innovations CL/1
173	xyplex-mux - Xyplex
174	mailq
175	vmnet
176	genrad-mux
177	xdmcp - X Display Manager Control Protocol
178	nextstep - NextStep Window Server
179	bgp - Border Gateway Protocol
180	ris - Intergraph
181	unify
182	audit - Unisys Audit SITP
183	ocbinder
184	ocserver
185	remote-kis
186	kis - KIS Protocol
187	aci - Application Communication Interface
188	mumps - Plus Five's MUMPS
189	qft - Queued File Transport
190	gacp - Gateway Access Protocol
191	prospero - Prospero Directory Service
192	osu-nms - OSU Network Monitoring System
193	srmp - Spider Remote Monitoring Protocol
194	irc - Internet Relay Chat
195	dn6-nlm-aud - DNSIX Network Level Module Audit
196	dn6-nlm-red - DNSIX Session Mgt Module Audit Redir
197	dls - Directory Location Service
198	dls-mon - Directory Location Service Monitor
199	smux
200	src - IBM System Resource Controller
201	at-rtmp - AppleTalk Routing Maintenance
202	at-nbp - AppleTalk Name Binding
203	at-3 - AppleTalk Unused
204	at-echo - AppleTalk Echo
205	at-5 - AppleTalk Unused
206	at-zis - AppleTalk Zone Information
207	at-7 - AppleTalk Unused
208	at-8 - AppleTalk Unused
209	tam - Trivial Mail Authentication Protocol
210	z39.50
211	914c/g - Texas Instruments 914C/G Terminal
212	anet - ATEXSSTR
213	ipx
214	vmpwscs - VM PWSCS
215	softpc - Insignia Solutions
216	atls - Access Technology License Server
217	dbase - dBASE Unix
218	mpp - Netix Message Posting Protocol
219	uarps - Unisys ARPs
220	imap3 - Interactive Mail Access Protocol v3
221	fln-spx - Berkeley rlogind with SPX auth
222	rsh-spx - Berkeley rshd with SPX auth
223	cdc - Certificate Distribution Center
243	sur-meas - Survey Measurement
245	link
246	dsp3270 - Display Systems Protocol
344	pdap - Prospero Data Access Protocol
345	pawserv - Perf Analysis Workbench
346	zserv - Zebra server
347	fatserv - Fatmen Server
348	csi-sgwp - Cabletron Management Protocol
371	clearcase
372	ulistserv - Unix Listserv
373	legent-1 - Legent Corporation
374	legent-2 - Legent Corporation
375	hassle
376	nip - Amiga Envoy Network Inquiry Proto
377	tnETOS - NEC Corporation
378	dsETOS - NEC Corporation
379	is99c - TIA/EIA/IS-99 modem client
380	is99s - TIA/EIA/IS-99 modem server
381	hp-collector - hp performance data collector
382	hp-managed-node - hp performance data managed node
383	hp-alarm-mgr - hp performance data alarm manager
384	arns - A Remote Network Server System
385	ibm-app - IBM Application
386	asa - ASA Message Router Object Def.
387	aurp - AppleTalk Update-Based Routing Pro.
388	unidata-ldm - Unidata LDM Version 4
389	ldap - Lightweight Directory Access Protocol
390	uis
391	synotics-relay - SynOptics SNMP Relay Port
392	synotics-broker - SynOptics Port Broker Port
393	dis - Data Interpretation System
394	embl-ndt - EMBL Nucleic Data Transfer
395	NETscout Control Protocol
396	netware-ip - Novell Netware over IP
397	mptn - Multi Protocol Trans. Net.
398	kryptolan
400	work-sol - Workstation Solutions
401	ups - Uninterruptible Power Supply
402	genie - Genie Protocol
403	decap
404	nced
407	timbuktu
408	prm-sm - Prospero Resource Manager Sys. Man.
409	prm-nm - Prospero Resource Manager Node Man.
410	decladebug - DECLadebug Remote Debug Protocol
411	rmt - Remote MT Protocol
412	synoptics-trap - Trap Convention Port
413	smsp
414	infoseek
415	bnet
416	silverplatter
417	onmux
418	hyper-g
419	ariel1
420	smpte
421	ariel2
422	ariel3
423	opc-job-start - IBM Operations Planning and Control Start
424	opc-job-track - IBM Operations Planning and Control Track
425	icad-el - ICAD
426	smartsdp
427	svrloc - Server Location
428	ocs_cmu
429	ocs_amu
430	utmpsd
431	utmpcd
432	iasd
433	nnsp
434	mobileip-agent
435	mobileip-mn
436	dna-cml
437	comscm
438	dsfgw
439	dasp
440	sgcp
441	decvms-sysmgt
442	cvc_hostd
443	https
444	snpp - Simple Network Paging Protocol
445	microsoft-ds
446	ddm-rdb
447	ddm-dfm
448	ddm-byte
449	as-servermap - AS Server Mapper
450	tserver
497	retrospect - Retrospect Backup software
515	printer - spooler
517	talk
518	ntalk
525	timed - timeserver
526	tempo - newdate
548	AppleShare IP Server
3000	First Class Server
5500	Hotline Server
5501	Hotline Server
8080	http

[Most of the remaining ports are listed as unused or unregistered.  Keep in mind that the highest port number in most TCP software is 65535.]

IP - Internet Protocol.  IP takes care of addressing.  You have probably heard the term IP address: that is the Internet Protocol in use.  Your Internet Service Provider assigns you an IP address once you log on; on an Ethernet network this works much like DHCP.

ARP - Address Resolution Protocol.  ARP finds out what Joe's hardware address is, or what Mary's NIC address is.  It resolves IP addresses to MAC (physical hardware) addresses, among other things.  ARP relies on IP to work properly.

RARP - Reverse Address Resolution Protocol.  RARP figures out what a host's TCP/IP address is from its Network Interface Card.

ICMP - Internet Control Message Protocol.  ICMP packets are used to determine flaws or problems between two or more hosts.  An example: if I ping Joe but Joe doesn't respond, it means Joe's box is down.  However, if he replies with the ICMP_ECHO_REPLY flag stated in the packet, his box is actually up.  ICMP can also be used to ping flood someone, as you already know.

LDAP - Lightweight Directory Access Protocol.  LDAP is used (much like finger) to look up information in an X.500 directory service.  LDAP can be used to retrieve e-mail addresses, phone numbers, and other information that might be useful to someone who has access to an X.500 directory service.

BootP - Bootstrap Protocol.  BootP lets you boot your OS from a remote machine on the network.  It is very similar to TFTP in that it uses a different computer to boot/load OSs or applications.  BootP might be used if you were out of disk space or were having problems with your own operating system.

TFTP - Trivial File Transfer Protocol.  TFTP is somewhat like BootP: it lets you download files or install operating systems via DEC's remote installation service.  TFTP is primarily used to load/run applications from a TFTP server and, as stated before, is extremely important for network booting.

SMTP - Simple Mail Transfer Protocol.  SMTP is one of the most widely used protocols today: it handles Internet e-mail messaging and supports the transfer of files from one computer to another.  The whole e-mail system is based on SMTP; you need an SMTP server to send/receive messages.  SMTP is particularly unsafe because it lets you spoof messages from one address to another.  In this example, we connect to a host running sendmail on port 25 and enter our message headers.

220 driftwood.nfth.com ESMTP Sendmail 8.8.7/8.8.7; Thu, 15 Oct 1998 20:20:42 -0400

HELO blah
250 driftwood.nfth.com Hello techlib.org [199.227.254.193], pleased to meet you

RSET
250 Reset state

MAIL FROM: <owned@nfth.com>
250 <owned@nfth.com>... Sender ok

RCPT TO:<recieve@desthost.com>
550 recieve@desthost.com>....ok

The rest is pretty simple: just send DATA and then QUIT.
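Added example, written from the receiving side and not taken from the handbook: a check that compares what the client claims (the HELO name and the MAIL FROM address) with what the server actually observed in its 250 greeting (the reverse DNS name and IP of the connecting host), which is how a mail admin spots the kind of forged envelope the session above shows. The transcript is constructed from the lines above, and the regular expressions assume Sendmail's "Hello host [ip]" greeting format.

```python
import re

# Constructed transcript modelled on the session above; client lines carry no reply code.
SESSION = """\
220 driftwood.nfth.com ESMTP Sendmail 8.8.7/8.8.7; Thu, 15 Oct 1998 20:20:42 -0400
HELO blah
250 driftwood.nfth.com Hello techlib.org [199.227.254.193], pleased to meet you
MAIL FROM: <owned@nfth.com>
250 <owned@nfth.com>... Sender ok
RCPT TO:<recieve@desthost.com>
"""

HELO_RE = re.compile(r"^(?:HELO|EHLO)\s+(\S+)", re.I)
GREET_RE = re.compile(r"^250 (\S+) Hello (\S+) \[([\d.]+)\]")   # Sendmail's greeting form
FROM_RE = re.compile(r"^MAIL FROM:\s*<([^>]*)>", re.I)

def in_domain(host, domain):
    """True if host is domain itself or a host inside it."""
    host, domain = host.lower(), domain.lower()
    return host == domain or host.endswith("." + domain)

def audit_session(text):
    """Compare the client's claims (HELO name, envelope sender) with what the server
    observed (reverse DNS name and IP). Returns a list of human-readable findings."""
    helo = sender = server = seen_host = seen_ip = None
    for line in text.splitlines():
        if m := HELO_RE.match(line):
            helo = m.group(1)
        elif m := GREET_RE.match(line):
            server, seen_host, seen_ip = m.groups()
        elif m := FROM_RE.match(line):
            sender = m.group(1)
    findings = []
    if helo and "." not in helo:
        findings.append("HELO name %r is not a fully qualified host name" % helo)
    if helo and seen_host and helo.lower() != seen_host.lower():
        findings.append("HELO name %r does not match connecting host %s [%s]"
                        % (helo, seen_host, seen_ip))
    if sender and seen_host and "@" in sender:
        sdom = sender.rpartition("@")[2]
        if not in_domain(seen_host, sdom):
            kind = "our own" if in_domain(server, sdom) else "a third-party"
            findings.append("envelope sender <%s> claims %s domain %s but the connection "
                            "came from %s [%s]" % (sender, kind, sdom, seen_host, seen_ip))
    return findings
```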

UDP - User Datagram Protocol.  UDP is a bare-bones connectionless protocol, used particularly by DNS servers.  UDP differs from TCP in that it doesn't require any control packets to be sent before a connection is established.  Unlike TCP, UDP does not check for errors: this means that if something goes wrong, UDP will not correct it.  Applications like AOL (bleh) have their own error correction built in, so that MOST of the data sent/received can be successfully transferred between computers.  UDP is dependent on IP, which is used to reliably deliver the packets to the upper-layer applications defined in the OSI model (figure 1).  To create a datagram socket, use this (you need a lot more than this to actually get the socket working):

int sock = socket(AF_INET, SOCK_DGRAM, 0);   /* AF_INET: IPv4; SOCK_DGRAM: datagram (UDP) socket; 0: default protocol for that type */

SOCK_DGRAM specifies that the socket type will be datagram, not stream.
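Added example, not the handbook's code, showing the rest of what is needed around that socket() call, in Python: a datagram is sent between two local sockets with no handshake and no connect(), and then one is sent to a port with no listener to show that UDP itself reports no error. The loopback addresses and the message are constructed.

```python
import socket

def udp_round_trip(message=b"constructed datagram"):
    """Send one datagram to a local receiver and read it back: no SYN/ACK exchange,
    just sendto() and recvfrom(). Returns (bytes received, True if the receiver saw
    the sender's port as the source)."""
    receiver = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    receiver.bind(("127.0.0.1", 0))            # port 0: let the OS pick a free port
    sender = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sender.bind(("127.0.0.1", 0))
    try:
        receiver.settimeout(2)
        sender.sendto(message, receiver.getsockname())
        data, (host, port) = receiver.recvfrom(1500)
        return data, port == sender.getsockname()[1]
    finally:
        sender.close()
        receiver.close()

def udp_send_to_nobody():
    """The 'no error checking' point: sendto() to a port with no listener succeeds,
    and the sender only finds out nothing came back when its own recvfrom() times out.
    Returns (bytes reported sent, 'reply' or 'no reply')."""
    probe = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    probe.bind(("127.0.0.1", 0))
    dead_port = probe.getsockname()[1]
    probe.close()                              # nobody is listening on dead_port now
    sender = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sender.settimeout(0.5)
    try:
        sent = sender.sendto(b"anyone there?", ("127.0.0.1", dead_port))
        try:
            sender.recvfrom(1500)
            return sent, "reply"
        except (socket.timeout, ConnectionRefusedError):
            return sent, "no reply"
    finally:
        sender.close()
```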

f1:
-International Standards Organization OSI Model-

+--------------+
| Application  |
+--------------+
| Presentation |
+--------------+
| Session      |
+--------------+
| Transport    |
+--------------+
| Network      |
+--------------+
| Data Link    |
+--------------+
| Physical     |
+--------------+

Physical  - Hardware, as in modem or NIC.

Data Link - Handles error correction for interference produced by the physical devices, such as network wiring.  The Data Link layer also helps construct the packets sent by applications and sends them using IP so that the correct address is used.

Network  - This layer interacts with the Data Link layer to send the packets to the specified address.

Transport - The Transport layer makes sure that no errors occur in the routing of the packets constructed by the Data Link layer.

Session - This layer simply handles the connection between two addresses.

Presentation - Handles file formatting that is used with various clients.  For example, without the Presentation layer you would not be able to send a file in Binary format without knowing that the other computer would be able to run it.

Application - This layer handles use of applications that are dependent on the OSI model, like telnet or FTP.

-end International Standards Organization OSI Model-


