Protocol Analysis using Lanwatch (by Dr. Robert Stafford) The following is a log of an FTP session between shirley.cis.temple.edu and cs.orst.edu. The characters I typed are underlined. shirley> ftp cs.orst.edu --------------- Connected to cs.orst.edu. 220 lynx FTP server (Version $Revision: 15.15 $ $Date: 89/08/31 10:33:40 $) ready. Name (cs.orst.edu:stafford): anonymous --------- 331 Guest login ok, send ident as password. Password: stafford@shirley.temple.edu --------------------------- 230 Guest login ok, access restrictions apply. ftp> dir --- 200 PORT command okay. 150 Opening data connection for /bin/ls -l (129.32.1.64,2595) (0 bytes). total 6 dr-xr-xr-x 2 root root 1024 Oct 15 1990 bin dr-xr-xr-x 2 root root 1024 Jun 13 16:22 etc drwxr-xr-x 24 root sys 1024 Sep 10 19:55 pub 226 Transfer complete. 186 bytes received in 0.05 seconds (3.74 Kbytes/s) ftp> bye --- 221 Goodbye. shirley> The following pages contain a trace of the 42 packets generated on Temple's Ethernet by the session above. The packets were captured using LANWatch network analyzer software from FTP software. The computers involved are: Internet Name IP Address Ethernet Address Function shirley.ocis.temple.edu 129.32.1.64 00:00:0f:00:7e:d9 My Next prepnet.temple.edu 129.32.16.1 00:00:93:e0:70:55 Temple router charon.psc.edu 128.182.65.6 Temple nameserver cs.orst.edu 129.193.32.1 Oregon CS computer A total of 42 Ethernet packets were captured. The first 2 Ethernet packets contain ARP packets that shirley uses to find out the Ethernet address of prepnet.temple.edu. The remaining 40 Ethernet packets contain IP packets. Shirley knows that the Temple router, prepnet.temple.edu, has an IP address of 129.32.16.1. However, shirley does not know the routers ethernet address (00:00:93:e0:70:55). Packets 1 and 2 are "arp" protocol packets that shirley uses to find out the ethernet address. Packet 1 - shirley to everyone - will 129.32.16.1 send me their Ethernet addr. Receive time: 81.901 packet length: 60 received length: 60 Ethernet: (00000f007ed9 -> * ) type: ARP(0x0806) ARP: rqst(1): hdwr: 1 prot: IP(0x0800) hln: 6 pln: 4 Prot. Addrs: 129.32.1.64 -> 129.32.16.1 Hrdw. Addrs: 00000f007ed9 -> * 0000: ff ff ff ff ff ff 00 00 - 0f 00 7e d9 08 06 00 01 | ~ | 0010: 08 00 06 04 00 01 00 00 - 0f 00 7e d9 81 20 01 40 | ~ | 0020: ff ff ff ff ff ff 81 20 - 10 01 02 01 00 00 00 02 | | 0030: 00 00 c0 05 92 00 00 00 - 00 00 00 00 | | Packet 2 - prepnet to shirley - my ethernet address is 00:00:93:e0:70:55 Receive time: 81.902 packet length: 60 received length: 60 Ethernet: (Prote e07055 -> 00000f007ed9) type: ARP(0x0806) ARP: rply(2): hdwr: 1 prot: IP(0x0800) hln: 6 pln: 4 Prot. Addrs: 129.32.16.1 -> 129.32.1.64 Hrdw. Addrs: Prote e07055 -> 00000f007ed9 0000: 00 00 0f 00 7e d9 00 00 - 93 e0 70 55 08 06 00 01 | ~ pU | 0010: 08 00 06 04 00 02 00 00 - 93 e0 70 55 81 20 10 01 | pU | 0020: 00 00 0f 00 7e d9 81 20 - 01 40 02 01 00 00 00 02 | ~ @ | 0030: 00 00 c0 05 92 00 00 00 - 00 00 00 00 | | In order to send packets to cs.orst.edu, shirley needs to know its IP address. Shirley normally uses our local nameserver, comvax.ocis.temple.edu at address 129.32.1.2, to answer such questions. However, comvax happened to be "down" at the time, so shirley asked our backup nameserver, charon.psc.edu, in Pittsburgy. Shirley first assumes that "cs.orst.edu" is at temple and, in packet 3, asks charon about the name "cs.orst.edu.temple.edu". In packet 4, receives a negative response from charon. In packet 5. shirley asks about the name "cs.orst.edu" and receives the answer (and a lot of additional information) in packet 6. Packet 3 - shirley to charon - what is the IP address of cs.orst.edu.temple.edu Receive time: 81.903 packet length: 82 received length: 82 Ethernet: (00000f007ed9 -> Prote e07055) type: IP(0x0800) Internet: 129.32.1.64 -> 128.182.65.6 hl: 5 ver: 4 tos: 0 len: 68 id: 0x1139 fragoff: 0 flags: 00 ttl: 30 prot: UDP(17) xsum: 0x5447 UDP: 4382 -> domain(53) len: 48 xsum: 0xcc98 Domain: opcode: Query (0) Flags: (0100) Queries: 1, answers: 0, name servers: 0, authoritative answers: 0 Query Number 0: Name: cs.orst.edu.temple.edu Type: Address (1) 0000: 00 00 93 e0 70 55 00 00 - 0f 00 7e d9 08 00 45 00 | pU ~ E | 0010: 00 44 11 39 00 00 1e 11 - 47 54 81 20 01 40 80 b6 | D 9 GT @ | 0020: 41 06 11 1e 00 35 00 30 - cc 98 00 a4 01 00 00 01 | 5 0 | 0030: 00 00 00 00 00 00 02 63 - 73 04 6f 72 73 74 03 65 | cs orst e| 0040: 64 75 06 74 65 6d 70 6c - 65 03 65 64 75 00 00 01 |du temple edu | 0050: 00 01 | | Packet 4 - charon to shirley to charon - no such computer Receive time: 81.953 packet length: 165 received length: 165 Ethernet: (Prote e07055 -> 00000f007ed9) type: IP(0x0800) Internet: 128.182.65.6 -> 129.32.1.64 hl: 5 ver: 4 tos: 0 len: 151 id: 0x2ed9 fragoff: 0 flags: 00 ttl: 23 prot: UDP(17) xsum: 0x6130 UDP: domain(53) -> 4382 len: 131 xsum: 0xd2ca Domain: opcode: Query (0) Response: Name error (3) Flags: (8580) Queries: 1, answers: 0, name servers: 1, authoritative answers: 0 Query Number 0: Name: cs.orst.edu.temple.edu Type: Address (1) Class: Internet address (1) 0000: 00 00 0f 00 7e d9 00 00 - 93 e0 70 55 08 00 45 00 | ~ pU E | 0010: 00 97 2e d9 00 00 17 11 - 30 61 80 b6 41 06 81 20 | . 0a A | 0020: 01 40 00 35 11 1e 00 83 - d2 ca 00 a4 85 83 00 01 | @ 5 | 0030: 00 00 00 01 00 00 02 63 - 73 04 6f 72 73 74 03 65 | cs orst e| 0040: 64 75 06 74 65 6d 70 6c - 65 03 65 64 75 00 00 01 |du temple edu | 0050: 00 01 06 74 65 6d 70 6c - 65 03 45 44 55 00 00 06 | temple EDU | 0060: 00 01 00 00 0e 10 00 3d - 06 63 6f 6d 76 61 78 04 | = comvax | 0070: 6f 63 69 73 06 74 65 6d - 70 6c 65 03 65 64 75 00 |ocis temple edu | 0080: 06 73 77 61 7a 75 6b 03 - 66 61 63 03 63 69 73 c0 | swazuk fac cis | 0090: 4a 00 00 00 0d 00 00 0e - 10 00 00 01 2c 00 0a fc |J , | 00a0: 80 00 00 0e 10 | | Packet 5 - shirley to charon - "what is the IP address of cs.orst.edu" Receive time: 81.960 packet length: 71 received length: 71 Ethernet: (00000f007ed9 -> Prote e07055) type: IP(0x0800) Internet: 129.32.1.64 -> 128.182.65.6 hl: 5 ver: 4 tos: 0 len: 57 id: 0x113b fragoff: 0 flags: 00 ttl: 30 prot: UDP(17) xsum: 0x5d47 UDP: 4383 -> domain(53) len: 37 xsum: 0xe664 Domain: opcode: Query (0) Flags: (0100) Queries: 1, answers: 0, name servers: 0, authoritative answers: 0 Query Number 0: Name: cs.orst.edu Type: Address (1) 0000: 00 00 93 e0 70 55 00 00 - 0f 00 7e d9 08 00 45 00 | pU ~Y E | 0010: 00 39 11 3b 00 00 1e 11 - 47 5d 81 20 01 40 80 b6 | 9 ; G] @ | 0020: 41 06 11 1f 00 35 00 25 - e6 64 00 a5 01 00 00 01 |A 5 % d | 0030: 00 00 00 00 00 00 02 63 - 73 04 6f 72 73 74 03 65 | cs orst e| 0040: 64 75 00 00 01 00 01 |du | Packet 6 - charon to shirley to - 128.193.32.1 is the address of cs.orst.edu Receive time: 82.014 packet length: 369 received length: 369 Ethernet: (Prote e07055 -> 00000f007ed9) type: IP(0x0800) Internet: 128.182.65.6 -> 129.32.1.64 hl: 5 ver: 4 tos: 0 len: 355 id: 0x2eda fragoff: 0 flags: 00 ttl: 23 prot: UDP(17) xsum: 0x942f UDP: domain(53) -> 4383 len: 335 xsum: 0xef3d Domain: opcode: Query (0) Response: No error (0) Flags: (8180) Queries: 1, answers: 1, name servers: 7, authoritative answers: 8 Query Number 0: Name: cs.orst.edu Type: Address (1) Class: Internet address (1) Answer Number 0: Name: cs.orst.edu Type: Address (1) Class: Internet address (1) TTL: 170336 Data (4 bytes): IP address: 128.193.32.1 0000: 00 00 0f 00 7e d9 00 00 - 93 e0 70 55 08 00 45 00 | ~ pU E | 0010: 01 63 2e da 00 00 17 11 - 2f 94 80 b6 41 06 81 20 | c. / A | 0020: 01 40 00 35 11 1f 01 4f - ef 3d 00 a5 81 80 00 01 | @ 5 O = | 0030: 00 01 00 07 00 08 02 63 - 73 04 6f 72 73 74 03 65 | cs orst e| 0040: 64 75 00 00 01 00 01 c0 - 0c 00 01 00 01 00 02 99 |du | 0050: 60 00 04 80 c1 20 01 02 - 63 73 04 6f 72 73 74 03 |` cs.orst | 0060: 45 44 55 00 00 02 00 01 - 00 00 25 51 00 0a 02 43 |EDU %Q C| 0070: 53 04 4f 52 53 54 c0 35 - c0 2d 00 02 00 01 00 00 |S ORST 5 - | 0080: 25 51 00 0e 07 62 65 61 - 73 6c 65 79 03 55 43 53 |%Q beasley UCS| 0090: c0 47 c0 2d 00 02 00 01 - 00 00 25 51 00 06 03 45 | G - %Q E| 00a0: 43 45 c0 47 c0 2d 00 02 - 00 01 00 00 25 51 00 06 |CE G - %Q | 00b0: 03 4f 43 45 c0 47 c0 2d - 00 02 00 01 00 00 25 51 | OCE G - %Q| 00c0: 00 0e 04 6e 6e 73 63 03 - 4e 53 46 03 4e 45 54 00 | nnsc NSF NET | 00d0: c0 2d 00 02 00 01 00 00 - 25 51 00 02 c0 62 c0 2d | - %Q b -| 00e0: 00 02 00 01 00 00 25 51 - 00 07 04 6d 69 73 74 c0 | %Q mist | 00f0: 44 c0 44 00 01 00 01 00 - 02 99 60 00 04 80 c1 20 |D D ` | 0100: 01 c0 5a 00 01 00 01 00 - 00 91 1e 00 04 80 c1 80 | Z | 0110: 03 c0 74 00 01 00 01 00 - 02 99 60 00 04 80 c1 30 | t ` 0| 0120: 01 c0 86 00 01 00 01 00 - 02 99 60 00 04 80 c1 40 | ` @| 0130: 01 c0 98 00 01 00 01 00 - 02 a0 ec 00 04 c0 1f 67 | g| 0140: 06 c0 98 00 01 00 01 00 - 02 a0 ec 00 04 80 59 01 | l | 0150: b2 c0 62 00 01 00 01 00 - 02 99 60 00 04 80 c1 80 | b ` | 0160: 03 c0 c0 00 01 00 01 00 - 00 83 59 00 04 80 c1 20 | Y | 0170: 02 | | Shirley now initiates a TCP session with cs.orst.edu. The IP protocol only provides "datagram" service which means that packets may be lost, duplicated, or arrive out of order. (Think of a letter with an unreliable Post Office.) Building on IP, TCP provides "virtual circuit" service which guarantees delivery of a stream of bytes in the correct order without loss or duplication. (Think of a registered letter.) A TCP session begins with a "three-way handshake". Shirley sends the sequence number it will use for counting bytes (SYN and a2a4c201 in packet 7), cs "acks" the packet and sends its own sequece number (ACK, SYN, and 02916e00 in packet 8) and shirley acks packet 8 (ACK in packet 9) Packet 7 - shirley to cs - I am calling the first byte I send byte a2a4c202 Receive time: 82.017 packet length: 60 received length: 60 Ethernet: (00000f007ed9 -> Prote e07055) type: IP(0x0800) Internet: 129.32.1.64 -> 128.193.32.1 hl: 5 ver: 4 tos: 0 len: 40 id: 0x113d fragoff: 0 flags: 00 ttl: 30 prot: TCP(6) xsum: 0x7168 TCP: 2590 -> ftp(21) seq: a2a4c201 ack: ---- win: 4096 hl: 5 xsum: 0xe70d urg: 0 flags: 0000: 00 00 93 e0 70 55 00 00 - 0f 00 7e d9 08 00 45 00 | pU ~Y E | 0010: 00 28 11 3d 00 00 1e 06 - 68 71 81 20 01 40 80 c1 | ( = hq @ | 0020: 20 01 0a 1e 00 15 a2 a4 - c2 01 00 00 00 00 50 02 | P | 0030: 10 00 0d e7 00 00 02 63 - 73 04 6f 72 | cs or| Packet 8 - cs to charon - OK, and my first byte will be byte number 02916e01 Receive time: 82.370 packet length: 60 received length: 60 Ethernet: (Prote e07055 -> 00000f007ed9) type: IP(0x0800) Internet: 128.193.32.1 -> 129.32.1.64 hl: 5 ver: 4 tos: 0 len: 40 id: 0x8adc fragoff: 0 flags: 00 ttl: 13 prot: TCP(6) xsum: 0xd1ff TCP: ftp(21) -> 2590 seq: 02916e00 ack: a2a4c202 win: 0 hl: 5 xsum: 0x44ad urg: 0 flags: 0000: 00 00 0f 00 7e d9 00 00 - 93 e0 70 55 08 00 45 00 | ~ pU E | 0010: 00 28 8a dc 00 00 0d 06 - ff d1 80 c1 20 01 81 20 | ( | 0020: 01 40 00 15 0a 1e 02 91 - 6e 00 a2 a4 c2 02 50 12 | @ n P | 0030: 00 00 ad 44 00 00 40 60 - 00 00 00 00 | D @` | Packet 9 - shirley to cs - ok Receive time: 82.371 packet length: 60 received length: 60 Ethernet: (00000f007ed9 -> Prote e07055) type: IP(0x0800) Internet: 129.32.1.64 -> 128.193.32.1 hl: 5 ver: 4 tos: 0 len: 40 id: 0x113e fragoff: 0 flags: 00 ttl: 30 prot: TCP(6) xsum: 0x7068 TCP: 2590 -> ftp(21) seq: a2a4c202 ack: 02916e01 win: 4096 hl: 5 xsum: 0x459d urg: 0 flags: 0000: 00 00 93 e0 70 55 00 00 - 0f 00 7e d9 08 00 45 00 | pU ~ E | 0010: 00 28 11 3e 00 00 1e 06 - 68 70 81 20 01 40 80 c1 | ( > hp @ | 0020: 20 01 0a 1e 00 15 a2 a4 - c2 02 02 91 6e 01 50 10 | n P | 0030: 10 00 9d 45 00 00 40 60 - 00 00 00 00 | E @` | Packet 10 - cs to shirley - ok Receive time: 82.620 packet length: 60 received length: 60 Ethernet: (Prote e07055 -> 00000f007ed9) type: IP(0x0800) Internet: 128.193.32.1 -> 129.32.1.64 hl: 5 ver: 4 tos: 0 len: 40 id: 0x8ae1 fragoff: 0 flags: 00 ttl: 13 prot: TCP(6) xsum: 0xccff TCP: ftp(21) -> 2590 seq: 02916e01 ack: a2a4c202 win: 4096 hl: 5 xsum: 0x459d urg: 0 flags: 0000: 00 00 0f 00 7e d9 00 00 - 93 e0 70 55 08 00 45 00 | ~ pU E | 0010: 00 28 8a e1 00 00 0d 06 - ff cc 80 c1 20 01 81 20 | ( | 0020: 01 40 00 15 0a 1e 02 91 - 6e 01 a2 a4 c2 02 50 10 | @ n P | 0030: 10 00 9d 45 00 00 40 60 - 00 00 00 00 | E @` | Shirley initiated its TCP session with port 21 on cs.orst.edu. By convention, the FTP server software listens for incomming connections on port 21. The FTP server initiates an FTP session with shirley. Packet 11 - cs to shirley - "220 lynx FTP server ..." Receive time: 82.798 packet length: 138 received length: 138 Ethernet: (Prote e07055 -> 00000f007ed9) type: IP(0x0800) Internet: 128.193.32.1 -> 129.32.1.64 hl: 5 ver: 4 tos: 0 len: 124 id: 0x8ae8 fragoff: 0 flags: 00 ttl: 13 prot: TCP(6) xsum: 0x71ff TCP: ftp(21) -> 2590 seq: 02916e01 ack: a2a4c202 win: 4096 hl: 5 xsum: 0x7702 urg: 0 flags: data (60/84): 220 lynx FTP server (Version $Revision: 15.15 $ $Date: 89/08 0000: 00 00 0f 00 7e d9 00 00 - 93 e0 70 55 08 00 45 00 | ~ pU E | 0010: 00 7c 8a e8 00 00 0d 06 - ff 71 80 c1 20 01 81 20 | | q | 0020: 01 40 00 15 0a 1e 02 91 - 6e 01 a2 a4 c2 02 50 18 | @ n P | 0030: 10 00 02 77 00 00 32 32 - 30 20 6c 79 6e 78 20 46 | w 220 lynx F| 0040: 54 50 20 73 65 72 76 65 - 72 20 28 56 65 72 73 69 |TP server (Versi| 0050: 6f 6e 20 24 52 65 76 69 - 73 69 6f 6e 3a 20 31 35 |on $Revision: 15| 0060: 2e 31 35 20 24 20 24 44 - 61 74 65 3a 20 38 39 2f |.15 $ $Date: 89/| 0070: 30 38 2f 33 31 20 31 30 - 3a 33 33 3a 34 30 20 24 |08/31 10:33:40 $| 0080: 29 20 72 65 61 64 79 2e - 0d 0a |) ready. | Packet 12 - shirley to cs - ok Receive time: 82.942 packet length: 60 received length: 60 Ethernet: (00000f007ed9 -> Prote e07055) type: IP(0x0800) Internet: 129.32.1.64 -> 128.193.32.1 hl: 5 ver: 4 tos: 0 len: 40 id: 0x1141 fragoff: 0 flags: 00 ttl: 30 prot: TCP(6) xsum: 0x6d68 TCP: 2590 -> ftp(21) seq: a2a4c202 ack: 02916e55 win: 4096 hl: 5 xsum: 0xf19c urg: 0 flags: 0000: 00 00 93 e0 70 55 00 00 - 0f 00 7e d9 08 00 45 00 | pU ~Y E | 0010: 00 28 11 41 00 00 1e 06 - 68 6d 81 20 01 40 80 c1 | ( A hm @ | 0020: 20 01 0a 1e 00 15 a2 a4 - c2 02 02 91 6e 55 50 10 | nUP | 0030: 10 00 9c f1 00 00 32 32 - 30 20 6c 79 | 220 ly| Packet 13 - shirley to cs - "USER anonymous" Receive time: 88.172 packet length: 70 received length: 70 Ethernet: (00000f007ed9 -> Prote e07055) type: IP(0x0800) Internet: 129.32.1.64 -> 128.193.32.1 hl: 5 ver: 4 tos: 0 len: 56 id: 0x1143 fragoff: 0 flags: 00 ttl: 30 prot: TCP(6) xsum: 0x5b68 TCP: 2590 -> ftp(21) seq: a2a4c202 ack: 02916e55 win: 4096 hl: 5 xsum: 0xfd14 urg: 0 flags: data (16/16): USER anonymous 0000: 00 00 93 e0 70 55 00 00 - 0f 00 7e d9 08 00 45 00 | pU ~ E | 0010: 00 38 11 43 00 00 1e 06 - 68 5b 81 20 01 40 80 c1 | 8 C h[ @ | 0020: 20 01 0a 1e 00 15 a2 a4 - c2 02 02 91 6e 55 50 18 | nUP | 0030: 10 00 14 fd 00 00 55 53 - 45 52 20 61 6e 6f 6e 79 | USER anony| 0040: 6d 6f 75 73 0d 0a |mous | Packet 14 - cs to shirley - "331 Guest login ok, ..." Receive time: 88.476 packet length: 99 received length: 99 Ethernet: (Prote e07055 -> 00000f007ed9) type: IP(0x0800) Internet: 128.193.32.1 -> 129.32.1.64 hl: 5 ver: 4 tos: 0 len: 85 id: 0x8b46 fragoff: 0 flags: 00 ttl: 13 prot: TCP(6) xsum: 0x3aff TCP: ftp(21) -> 2590 seq: 02916e55 ack: a2a4c212 win: 4096 hl: 5 xsum: 0x86cb urg: 0 flags: data (45/45): 331 Guest login ok, send ident as password. 0000: 00 00 0f 00 7e d9 00 00 - 93 e0 70 55 08 00 45 00 | ~ pU E | 0010: 00 55 8b 46 00 00 0d 06 - ff 3a 80 c1 20 01 81 20 | U F : | 0020: 01 40 00 15 0a 1e 02 91 - 6e 55 a2 a4 c2 12 50 18 | @ nU P | 0030: 10 00 cb 86 00 00 33 33 - 31 20 47 75 65 73 74 20 | 331 Guest | 0040: 6c 6f 67 69 6e 20 6f 6b - 2c 20 73 65 6e 64 20 69 |login ok, send i| 0050: 64 65 6e 74 20 61 73 20 - 70 61 73 73 77 6f 72 64 |dent as password| 0060: 2e 0d 0a |. | Packet 15 - shirley to cs - ok Receive time: 88.581 packet length: 60 received length: 60 Ethernet: (00000f007ed9 -> Prote e07055) type: IP(0x0800) Internet: 129.32.1.64 -> 128.193.32.1 hl: 5 ver: 4 tos: 0 len: 40 id: 0x1144 fragoff: 0 flags: 00 ttl: 30 prot: TCP(6) xsum: 0x6a68 TCP: 2590 -> ftp(21) seq: a2a4c212 ack: 02916e82 win: 4096 hl: 5 xsum: 0xb49c urg: 0 flags: 0000: 00 00 93 e0 70 55 00 00 - 0f 00 7e d9 08 00 45 00 | pU ~Y E | 0010: 00 28 11 44 00 00 1e 06 - 68 6a 81 20 01 40 80 c1 | ( D hj @ | 0020: 20 01 0a 1e 00 15 a2 a4 - c2 12 02 91 6e 82 50 10 | n P | 0030: 10 00 9c b4 00 00 33 33 - 31 20 47 75 | 331 Gu| Packet 16 - shirley to cs - "PASS stafford@shirley.temple.edu" Receive time: 96.944 packet length: 88 received length: 88 Ethernet: (00000f007ed9 -> Prote e07055) type: IP(0x0800) Internet: 129.32.1.64 -> 128.193.32.1 hl: 5 ver: 4 tos: 0 len: 74 id: 0x1147 fragoff: 0 flags: 00 ttl: 30 prot: TCP(6) xsum: 0x4568 TCP: 2590 -> ftp(21) seq: a2a4c212 ack: 02916e82 win: 4096 hl: 5 xsum: 0x7979 urg: 0 flags: data (34/34): PASS stafford@shirley.temple.edu 0000: 00 00 93 e0 70 55 00 00 - 0f 00 7e d9 08 00 45 00 | pU ~ E | 0010: 00 4a 11 47 00 00 1e 06 - 68 45 81 20 01 40 80 c1 | J G hE @ | 0020: 20 01 0a 1e 00 15 a2 a4 - c2 12 02 91 6e 82 50 18 | n P | 0030: 10 00 79 79 00 00 50 41 - 53 53 20 73 74 61 66 66 | yy PASS staff| 0040: 6f 72 64 40 73 68 69 72 - 6c 65 79 2e 74 65 6d 70 |ord@shirley.temp| 0050: 6c 65 2e 65 64 75 0d 0a |le.edu | Packet 17 - cs to shirley - ok Receive time: 97.210 packet length: 60 received length: 60 Ethernet: (Prote e07055 -> 00000f007ed9) type: IP(0x0800) Internet: 128.193.32.1 -> 129.32.1.64 hl: 5 ver: 4 tos: 0 len: 40 id: 0x8b72 fragoff: 0 flags: 00 ttl: 13 prot: TCP(6) xsum: 0x3bff TCP: ftp(21) -> 2590 seq: 02916e82 ack: a2a4c234 win: 4096 hl: 5 xsum: 0x929c urg: 0 flags: 0000: 00 00 0f 00 7e d9 00 00 - 93 e0 70 55 08 00 45 00 | ~ pU E | 0010: 00 28 8b 72 00 00 0d 06 - ff 3b 80 c1 20 01 81 20 | ( r ; | 0020: 01 40 00 15 0a 1e 02 91 - 6e 82 a2 a4 c2 34 50 10 | @ n 4P | 0030: 10 00 9c 92 00 00 40 60 - 1c 1d 1e 1f | @` | Packet 18 - cs to shirley - "230 Guest login ok, ..." Receive time: 97.213 packet length: 102 received length: 102 Ethernet: (Prote e07055 -> 00000f007ed9) type: IP(0x0800) Internet: 128.193.32.1 -> 129.32.1.64 hl: 5 ver: 4 tos: 0 len: 88 id: 0x8b73 fragoff: 0 flags: 00 ttl: 13 prot: TCP(6) xsum: 0x0aff TCP: ftp(21) -> 2590 seq: 02916e82 ack: a2a4c234 win: 4096 hl: 5 xsum: 0x73f0 urg: 0 flags: data (48/48): 230 Guest login ok, access restrictions apply. 0000: 00 00 0f 00 7e d9 00 00 - 93 e0 70 55 08 00 45 00 | ~ pU E | 0010: 00 58 8b 73 00 00 0d 06 - ff 0a 80 c1 20 01 81 20 | X s | 0020: 01 40 00 15 0a 1e 02 91 - 6e 82 a2 a4 c2 34 50 18 | @ n 4P | 0030: 10 00 f0 73 00 00 32 33 - 30 20 47 75 65 73 74 20 | s 230 Guest | 0040: 6c 6f 67 69 6e 20 6f 6b - 2c 20 61 63 63 65 73 73 |login ok, access| 0050: 20 72 65 73 74 72 69 63 - 74 69 6f 6e 73 20 61 70 | restrictions ap| 0060: 70 6c 79 2e 0d 0a |ply. | Packet 19 - shirley to cs - ok Receive time: 97.389 packet length: 60 received length: 60 Ethernet: (00000f007ed9 -> Prote e07055) type: IP(0x0800) Internet: 129.32.1.64 -> 128.193.32.1 hl: 5 ver: 4 tos: 0 len: 40 id: 0x1148 fragoff: 0 flags: 00 ttl: 30 prot: TCP(6) xsum: 0x6668 TCP: 2590 -> ftp(21) seq: a2a4c234 ack: 02916eb2 win: 4096 hl: 5 xsum: 0x629c urg: 0 flags: 0000: 00 00 93 e0 70 55 00 00 - 0f 00 7e d9 08 00 45 00 | pU ~ E | 0010: 00 28 11 48 00 00 1e 06 - 68 66 81 20 01 40 80 c1 | ( H hf @ | 0020: 20 01 0a 1e 00 15 a2 a4 - c2 34 02 91 6e b2 50 10 | 4 n P | 0030: 10 00 9c 62 00 00 32 33 - 30 20 47 75 | b 230 Gu| The conversation being monitored is between port 2590 on 129.32.1.64 (shirley) and port 21 (the ftp server) on 128.193.32.1 (cs.orst.edu). At any point in time, these 4 numbers uniquely identify a conversation (like a pair of telephone numbers). This conversation is called the "command channel". The FTP protocol specifies that a second conversation should be used to transmit data (the data channel). In this case, the data channel is between port 2591 on 129.32.1.64 (shirley) and port 20 (the ftp data port) on 128.193.32.1 (cs.orst.edu). Packet 20 - shirley to cs - use port 10*256+31=2591 when you send data Receive time: 99.405 packet length: 78 received length: 78 Ethernet: (00000f007ed9 -> Prote e07055) type: IP(0x0800) Internet: 129.32.1.64 -> 128.193.32.1 hl: 5 ver: 4 tos: 0 len: 64 id: 0x114b fragoff: 0 flags: 00 ttl: 30 prot: TCP(6) xsum: 0x4b68 TCP: 2590 -> ftp(21) seq: a2a4c234 ack: 02916eb2 win: 4096 hl: 5 xsum: 0xdc44 urg: 0 flags: data (24/24): PORT 129,32,1,64,10,31 0000: 00 00 93 e0 70 55 00 00 - 0f 00 7e d9 08 00 45 00 | pU ~ E | 0010: 00 40 11 4b 00 00 1e 06 - 68 4b 81 20 01 40 80 c1 | @ K hK @ | 0020: 20 01 0a 1e 00 15 a2 a4 - c2 34 02 91 6e b2 50 18 | 4 n P | 0030: 10 00 44 dc 00 00 50 4f - 52 54 20 31 32 39 2c 33 | D PORT 129,3| 0040: 32 2c 31 2c 36 34 2c 31 - 30 2c 33 31 0d 0a |2,1,64,10,31 | Packet 21 - shirley to cs - REPEAT, use port 10*256+31=2591 when you send data Receive time: 100.585 packet length: 78 received length: 78 Ethernet: (00000f007ed9 -> Prote e07055) type: IP(0x0800) Internet: 129.32.1.64 -> 128.193.32.1 hl: 5 ver: 4 tos: 0 len: 64 id: 0x114c fragoff: 0 flags: 00 ttl: 30 prot: TCP(6) xsum: 0x4a68 TCP: 2590 -> ftp(21) seq: a2a4c234 ack: 02916eb2 win: 4096 hl: 5 xsum: 0xdc44 urg: 0 flags: data (24/24): PORT 129,32,1,64,10,31 0000: 00 00 93 e0 70 55 00 00 - 0f 00 7e d9 08 00 45 00 | pU ~ E | 0010: 00 40 11 4c 00 00 1e 06 - 68 4a 81 20 01 40 80 c1 | @ L hJ @ | 0020: 20 01 0a 1e 00 15 a2 a4 - c2 34 02 91 6e b2 50 18 | 4 n P | 0030: 10 00 44 dc 00 00 50 4f - 52 54 20 31 32 39 2c 33 | D PORT 129,3| 0040: 32 2c 31 2c 36 34 2c 31 - 30 2c 33 31 0d 0a |2,1,64,10,31 | Packet 22 - cs to shirley - "200 PORT command okay." Receive time: 100.958 packet length: 78 received length: 78 Ethernet: (Prote e07055 -> 00000f007ed9) type: IP(0x0800) Internet: 128.193.32.1 -> 129.32.1.64 hl: 5 ver: 4 tos: 0 len: 64 id: 0x8b95 fragoff: 0 flags: 00 ttl: 13 prot: TCP(6) xsum: 0x00ff TCP: ftp(21) -> 2590 seq: 02916eb2 ack: a2a4c24c win: 4096 hl: 5 xsum: 0x9719 urg: 0 flags: data (24/24): 200 PORT command okay. 0000: 00 00 0f 00 7e d9 00 00 - 93 e0 70 55 08 00 45 00 | ~ pU E | 0010: 00 40 8b 95 00 00 0d 06 - ff 00 80 c1 20 01 81 20 | @ | 0020: 01 40 00 15 0a 1e 02 91 - 6e b2 a2 a4 c2 4c 50 18 | @ n LP | 0030: 10 00 19 97 00 00 32 30 - 30 20 50 4f 52 54 20 63 | 200 PORT c| 0040: 6f 6d 6d 61 6e 64 20 6f - 6b 61 79 2e 0d 0a |ommand okay. | Packet 23 - shirley to cs - "LIST" Receive time: 100.960 packet length: 60 received length: 60 Ethernet: (00000f007ed9 -> Prote e07055) type: IP(0x0800) Internet: 129.32.1.64 -> 128.193.32.1 hl: 5 ver: 4 tos: 0 len: 46 id: 0x114d fragoff: 0 flags: 00 ttl: 30 prot: TCP(6) xsum: 0x5b68 TCP: 2590 -> ftp(21) seq: a2a4c24c ack: 02916eca win: 4096 hl: 5 xsum: 0x7cef urg: 0 flags: data (6/6): LIST 0000: 00 00 93 e0 70 55 00 00 - 0f 00 7e d9 08 00 45 00 | pU ~ E | 0010: 00 2e 11 4d 00 00 1e 06 - 68 5b 81 20 01 40 80 c1 | . M h[ @ | 0020: 20 01 0a 1e 00 15 a2 a4 - c2 4c 02 91 6e ca 50 18 | L n P | 0030: 10 00 ef 7c 00 00 4c 49 - 53 54 0d 0a | | LIST | Packet 24 - cs to shirley - "150 Opening data connection to your port 2591" Receive time: 101.348 packet length: 128 received length: 128 Ethernet: (Prote e07055 -> 00000f007ed9) type: IP(0x0800) Internet: 128.193.32.1 -> 129.32.1.64 hl: 5 ver: 4 tos: 0 len: 114 id: 0x8b9d fragoff: 0 flags: 00 ttl: 13 prot: TCP(6) xsum: 0xc6fe TCP: ftp(21) -> 2590 seq: 02916eca ack: a2a4c252 win: 4096 hl: 5 xsum: 0x3921 urg: 0 flags: data (60/74): 150 Opening data connection for /bin/ls -l (129.32.1.64,2591 0000: 00 00 0f 00 7e d9 00 00 - 93 e0 70 55 08 00 45 00 | ~ pU E | 0010: 00 72 8b 9d 00 00 0d 06 - fe c6 80 c1 20 01 81 20 | r | 0020: 01 40 00 15 0a 1e 02 91 - 6e ca a2 a4 c2 52 50 18 | @ n RP | 0030: 10 00 21 39 00 00 31 35 - 30 20 4f 70 65 6e 69 6e | !9 150 Openin| 0040: 67 20 64 61 74 61 20 63 - 6f 6e 6e 65 63 74 69 6f |g data connectio| 0050: 6e 20 66 6f 72 20 2f 62 - 69 6e 2f 6c 73 20 2d 6c |n for /bin/ls -l| 0060: 20 28 31 32 39 2e 33 32 - 2e 31 2e 36 34 2c 32 35 | (129.32.1.64,25| 0070: 39 31 29 20 28 30 20 62 - 79 74 65 73 29 2e 0d 0a |91) (0 bytes). | Packets 25, 26, and 28 represent the three-way handshake to open a second conversation (the data channel) to transfer the requested data. This is a separate conversation with its own sequence and acknowledgement numbers. Packet 25 - cs to shirley (on data channel) - My seq numbers begin at 02bc6600 Receive time: 101.354 packet length: 60 received length: 60 Ethernet: (Prote e07055 -> 00000f007ed9) type: IP(0x0800) Internet: 128.193.32.1 -> 129.32.1.64 hl: 5 ver: 4 tos: 0 len: 40 id: 0x8b9e fragoff: 0 flags: 00 ttl: 13 prot: TCP(6) xsum: 0x0fff TCP: ftp-data(20) -> 2591 seq: 02bc6600 ack: ---- win: 4096 hl: 5 xsum: 0xd109 urg: 0 flags: 0000: 00 00 0f 00 7e d9 00 00 - 93 e0 70 55 08 00 45 00 | ~ pU E | 0010: 00 28 8b 9e 00 00 0d 06 - ff 0f 80 c1 20 01 81 20 | ( | 0020: 01 40 00 14 0a 1f 02 bc - 66 00 00 00 00 00 50 02 | @ f P | 0030: 10 00 09 d1 00 00 40 60 - 52 54 20 31 | @`RT 1| Packet 26 - shirley to cs on data channel - OK, and mine begin at a2cbd201 Receive time: 101.355 packet length: 60 received length: 60 Ethernet: (00000f007ed9 -> Prote e07055) type: IP(0x0800) Internet: 129.32.1.64 -> 128.193.32.1 hl: 5 ver: 4 tos: 0 len: 40 id: 0x114e fragoff: 0 flags: 00 ttl: 30 prot: TCP(6) xsum: 0x6068 TCP: 2591 -> ftp-data(20) seq: a2cbd201 ack: 02bc6601 win: 4096 hl: 5 xsum: 0xf294 urg: 0 flags: 0000: 00 00 93 e0 70 55 00 00 - 0f 00 7e d9 08 00 45 00 | pU ~ E | 0010: 00 28 11 4e 00 00 1e 06 - 68 60 81 20 01 40 80 c1 | ( N h` @ | 0020: 20 01 0a 1f 00 14 a2 cb - d2 01 02 bc 66 01 50 12 | f P | 0030: 10 00 94 f2 00 00 40 60 - 52 54 20 31 | @`RT 1| Packet 27 - shirley to cs - OK (NOTE - this is the ack of packet 24!) Receive time: 101.525 packet length: 60 received length: 60 Ethernet: (00000f007ed9 -> Prote e07055) type: IP(0x0800) Internet: 129.32.1.64 -> 128.193.32.1 hl: 5 ver: 4 tos: 0 len: 40 id: 0x114f fragoff: 0 flags: 00 ttl: 30 prot: TCP(6) xsum: 0x5f68 TCP: 2590 -> ftp(21) seq: a2a4c252 ack: 02916f14 win: 4096 hl: 5 xsum: 0xe29b urg: 0 flags: 0000: 00 00 93 e0 70 55 00 00 - 0f 00 7e d9 08 00 45 00 | pU ~ E | 0010: 00 28 11 4f 00 00 1e 06 - 68 5f 81 20 01 40 80 c1 | ( O h_ @ | 0020: 20 01 0a 1e 00 15 a2 a4 - c2 52 02 91 6f 14 50 10 | R o P | 0030: 10 00 9b e2 00 00 40 60 - 52 54 20 31 | @`RT 1| Packet 28 - cs to shirley on data channel- ok Receive time: 101.725 packet length: 60 received length: 60 Ethernet: (Prote e07055 -> 00000f007ed9) type: IP(0x0800) Internet: 128.193.32.1 -> 129.32.1.64 hl: 5 ver: 4 tos: 0 len: 40 id: 0x8ba4 fragoff: 0 flags: 00 ttl: 13 prot: TCP(6) xsum: 0x09ff TCP: ftp-data(20) -> 2591 seq: 02bc6601 ack: a2cbd202 win: 4096 hl: 5 xsum: 0xf394 urg: 0 flags: 0000: 00 00 0f 00 7e d9 00 00 - 93 e0 70 55 08 00 45 00 | ~ pU E | 0010: 00 28 8b a4 00 00 0d 06 - ff 09 80 c1 20 01 81 20 | ( | 0020: 01 40 00 14 0a 1f 02 bc - 66 01 a2 cb d2 02 50 10 | @ f P | 0030: 10 00 94 f3 00 00 40 60 - 0a 12 40 60 | @` @`| Packet 29 - cs to shirley on data channel - TCP goodby (1/3 of 3-way handshake) Receive time: 101.796 packet length: 60 received length: 60 Ethernet: (Prote e07055 -> 00000f007ed9) type: IP(0x0800) Internet: 128.193.32.1 -> 129.32.1.64 hl: 5 ver: 4 tos: 0 len: 40 id: 0x8ba6 fragoff: 0 flags: 00 ttl: 13 prot: TCP(6) xsum: 0x07ff TCP: ftp-data(20) -> 2591 seq: 02bc66bb ack: a2cbd202 win: 4096 hl: 5 xsum: 0x3894 urg: 0 flags: 0000: 00 00 0f 00 7e d9 00 00 - 93 e0 70 55 08 00 45 00 | ~ pU E | 0010: 00 28 8b a6 00 00 0d 06 - ff 07 80 c1 20 01 81 20 | ( | 0020: 01 40 00 14 0a 1f 02 bc - 66 bb a2 cb d2 02 50 11 | @ f P | 0030: 10 00 94 38 00 00 40 60 - 52 54 20 31 | 8 @`RT 1| Packets 29 and 30 have been delivered out of order (check the sequence number)! Packet 30 - cs to shirley on data channel - (the directory information) Receive time: 101.836 packet length: 240 received length: 240 Ethernet: (Prote e07055 -> 00000f007ed9) type: IP(0x0800) Internet: 128.193.32.1 -> 129.32.1.64 hl: 5 ver: 4 tos: 0 len: 226 id: 0x8ba5 fragoff: 0 flags: 00 ttl: 13 prot: TCP(6) xsum: 0x4efe TCP: ftp-data(20) -> 2591 seq: 02bc6601 ack: a2cbd202 win: 4096 hl: 5 xsum: 0xe4fc urg: 0 flags: data (60/186): total 6 dr-xr-xr-x 2 root root 1024 Oct 15 19 0000: 00 00 0f 00 7e d9 00 00 - 93 e0 70 55 08 00 45 00 | ~ pU E | 0010: 00 e2 8b a5 00 00 0d 06 - fe 4e 80 c1 20 01 81 20 | N | 0020: 01 40 00 14 0a 1f 02 bc - 66 01 a2 cb d2 02 50 18 | @ f P | 0030: 10 00 fc e4 00 00 74 6f - 74 61 6c 20 36 0d 0a 64 | total 6 d| 0040: 72 2d 78 72 2d 78 72 2d - 78 20 20 20 32 20 72 6f |r-xr-xr-x 2 ro| 0050: 6f 74 20 20 20 20 20 72 - 6f 6f 74 20 20 20 20 20 |ot root | 0060: 20 20 20 31 30 32 34 20 - 4f 63 74 20 31 35 20 20 | 1024 Oct 15 | 0070: 31 39 39 30 20 62 69 6e - 0d 0a 64 72 2d 78 72 2d |1990 bin dr-xr-| 0080: 78 72 2d 78 20 20 20 32 - 20 72 6f 6f 74 20 20 20 |xr-x 2 root | 0090: 20 20 72 6f 6f 74 20 20 - 20 20 20 20 20 20 31 30 | root 10| 00a0: 32 34 20 4a 75 6e 20 31 - 33 20 31 36 3a 32 32 20 |24 Jun 13 16:22 | 00b0: 65 74 63 0d 0a 64 72 77 - 78 72 2d 78 72 2d 78 20 |etc drwxr-xr-x | 00c0: 20 32 34 20 72 6f 6f 74 - 20 20 20 20 20 73 79 73 | 24 root sys| 00d0: 20 20 20 20 20 20 20 20 - 20 31 30 32 34 20 53 65 | 1024 Se| 00e0: 70 20 31 30 20 31 39 3a - 35 35 20 70 75 62 0d 0a |p 10 19:55 pub | Packet 31 - shirley to cs on data channel - ok Receive time: 101.837 packet length: 60 received length: 60 Ethernet: (00000f007ed9 -> Prote e07055) type: IP(0x0800) Internet: 129.32.1.64 -> 128.193.32.1 hl: 5 ver: 4 tos: 0 len: 40 id: 0x1150 fragoff: 0 flags: 00 ttl: 30 prot: TCP(6) xsum: 0x5e68 TCP: 2591 -> ftp-data(20) seq: a2cbd202 ack: 02bc66bc win: 3910 hl: 5 xsum: 0xf294 urg: 0 flags: 0000: 00 00 93 e0 70 55 00 00 - 0f 00 7e d9 08 00 45 00 | pU ~ E | 0010: 00 28 11 50 00 00 1e 06 - 68 5e 81 20 01 40 80 c1 | ( P h^ @ | 0020: 20 01 0a 1f 00 14 a2 cb - d2 02 02 bc 66 bc 50 10 | f P | 0030: 0f 46 94 f2 00 00 02 63 - 73 04 6f 72 | F cs or| Packet 32 - shirley to cs on data channel - TCP goodby (2/3 of 3-way handshake) Receive time: 101.839 packet length: 60 received length: 60 Ethernet: (00000f007ed9 -> Prote e07055) type: IP(0x0800) Internet: 129.32.1.64 -> 128.193.32.1 hl: 5 ver: 4 tos: 0 len: 40 id: 0x1151 fragoff: 0 flags: 00 ttl: 30 prot: TCP(6) xsum: 0x5d68 TCP: 2591 -> ftp-data(20) seq: a2cbd202 ack: 02bc66bc win: 4096 hl: 5 xsum: 0x3794 urg: 0 flags: 0000: 00 00 93 e0 70 55 00 00 - 0f 00 7e d9 08 00 45 00 | pU ~ E | 0010: 00 28 11 51 00 00 1e 06 - 68 5d 81 20 01 40 80 c1 | ( Q h] @ | 0020: 20 01 0a 1f 00 14 a2 cb - d2 02 02 bc 66 bc 50 11 | f P | 0030: 10 00 94 37 00 00 74 6f - 74 61 6c 20 | 7 total | Packet 33 - cs to shirley - "226 Transfer complete." Receive time: 101.847 packet length: 78 received length: 78 Ethernet: (Prote e07055 -> 00000f007ed9) type: IP(0x0800) Internet: 128.193.32.1 -> 129.32.1.64 hl: 5 ver: 4 tos: 0 len: 64 id: 0x8ba7 fragoff: 0 flags: 00 ttl: 13 prot: TCP(6) xsum: 0xeefe TCP: ftp(21) -> 2590 seq: 02916f14 ack: a2a4c252 win: 4096 hl: 5 xsum: 0xcccc urg: 0 flags: data (24/24): 226 Transfer complete. 0000: 00 00 0f 00 7e d9 00 00 - 93 e0 70 55 08 00 45 00 | ~ pU E | 0010: 00 40 8b a7 00 00 0d 06 - fe ee 80 c1 20 01 81 20 | @ | 0020: 01 40 00 15 0a 1e 02 91 - 6f 14 a2 a4 c2 52 50 18 | @ o RP | 0030: 10 00 cc cc 00 00 32 32 - 36 20 54 72 61 6e 73 66 | 226 Transf| 0040: 65 72 20 63 6f 6d 70 6c - 65 74 65 2e 0d 0a |er complete. | Packet 34 - shirley to cs - ok Receive time: 101.901 packet length: 60 received length: 60 Ethernet: (00000f007ed9 -> Prote e07055) type: IP(0x0800) Internet: 129.32.1.64 -> 128.193.32.1 hl: 5 ver: 4 tos: 0 len: 40 id: 0x1152 fragoff: 0 flags: 00 ttl: 30 prot: TCP(6) xsum: 0x5c68 TCP: 2590 -> ftp(21) seq: a2a4c252 ack: 02916f2c win: 4096 hl: 5 xsum: 0xca9b urg: 0 flags: 0000: 00 00 93 e0 70 55 00 00 - 0f 00 7e d9 08 00 45 00 | pU ~ E | 0010: 00 28 11 52 00 00 1e 06 - 68 5c 81 20 01 40 80 c1 | ( R h\ @ | 0020: 20 01 0a 1e 00 15 a2 a4 - c2 52 02 91 6f 2c 50 10 | R o,P | 0030: 10 00 9b ca 00 00 32 32 - 36 20 54 72 | 226 Tr| Packet 35 - cs to shirley on data channel - TCP goodby (3/3 of 3-way handshake) Receive time: 102.173 packet length: 60 received length: 60 Ethernet: (Prote e07055 -> 00000f007ed9) type: IP(0x0800) Internet: 128.193.32.1 -> 129.32.1.64 hl: 5 ver: 4 tos: 0 len: 40 id: 0x8baa fragoff: 0 flags: 00 ttl: 13 prot: TCP(6) xsum: 0x03ff TCP: ftp-data(20) -> 2591 seq: 02bc66bc ack: a2cbd203 win: 4096 hl: 5 xsum: 0x3794 urg: 0 flags: 0000: 00 00 0f 00 7e d9 00 00 - 93 e0 70 55 08 00 45 00 | ~ pU E | 0010: 00 28 8b aa 00 00 0d 06 - ff 03 80 c1 20 01 81 20 | ( | 0020: 01 40 00 14 0a 1f 02 bc - 66 bc a2 cb d2 03 50 10 | @ f P | 0030: 10 00 94 37 00 00 40 60 - 0a 12 40 60 | 7 @` @`| Packet 36 - shirley to cs - "QUIT" (Must close FTP conversation first) Receive time: 104.091 packet length: 60 received length: 60 Ethernet: (00000f007ed9 -> Prote e07055) type: IP(0x0800) Internet: 129.32.1.64 -> 128.193.32.1 hl: 5 ver: 4 tos: 0 len: 46 id: 0x1154 fragoff: 0 flags: 00 ttl: 30 prot: TCP(6) xsum: 0x5468 TCP: 2590 -> ftp(21) seq: a2a4c252 ack: 02916f2c win: 4096 hl: 5 xsum: 0x08f4 urg: 0 flags: data (6/6): QUIT 0000: 00 00 93 e0 70 55 00 00 - 0f 00 7e d9 08 00 45 00 | pU ~ E | 0010: 00 2e 11 54 00 00 1e 06 - 68 54 81 20 01 40 80 c1 | . T hT @ | 0020: 20 01 0a 1e 00 15 a2 a4 - c2 52 02 91 6f 2c 50 18 | R o,P | 0030: 10 00 f4 08 00 00 51 55 - 49 54 0d 0a | QUIT | Packet 37 - cs to shirley - "221 Goodbye." Receive time: 104.316 packet length: 68 received length: 68 Ethernet: (Prote e07055 -> 00000f007ed9) type: IP(0x0800) Internet: 128.193.32.1 -> 129.32.1.64 hl: 5 ver: 4 tos: 0 len: 54 id: 0x8bc9 fragoff: 0 flags: 00 ttl: 13 prot: TCP(6) xsum: 0xd6fe TCP: ftp(21) -> 2590 seq: 02916f2c ack: a2a4c258 win: 4096 hl: 5 xsum: 0xd6ac urg: 0 flags: data (14/14): 221 Goodbye. 0000: 00 00 0f 00 7e d9 00 00 - 93 e0 70 55 08 00 45 00 | ~ pU E | 0010: 00 36 8b c9 00 00 0d 06 - fe d6 80 c1 20 01 81 20 | 6 | 0020: 01 40 00 15 0a 1e 02 91 - 6f 2c a2 a4 c2 58 50 18 | @ o, XP | 0030: 10 00 ac d6 00 00 32 32 - 31 20 47 6f 6f 64 62 79 | 221 Goodby| 0040: 65 2e 0d 0a |e. | Packet 38 - cs to shirley - TCP goodby (1/3 of 3-way handshake) Receive time: 104.317 packet length: 60 received length: 60 Ethernet: (Prote e07055 -> 00000f007ed9) type: IP(0x0800) Internet: 128.193.32.1 -> 129.32.1.64 hl: 5 ver: 4 tos: 0 len: 40 id: 0x8bca fragoff: 0 flags: 00 ttl: 13 prot: TCP(6) xsum: 0xe3fe TCP: ftp(21) -> 2590 seq: 02916f3a ack: a2a4c258 win: 4096 hl: 5 xsum: 0xb59b urg: 0 flags: 0000: 00 00 0f 00 7e d9 00 00 - 93 e0 70 55 08 00 45 00 | ~ pU E | 0010: 00 28 8b ca 00 00 0d 06 - fe e3 80 c1 20 01 81 20 | ( | 0020: 01 40 00 15 0a 1e 02 91 - 6f 3a a2 a4 c2 58 50 11 | @ o: XP | 0030: 10 00 9b b5 00 00 40 60 - 0a 12 40 60 | @` @`| Packet 39 - shirley to cs - ok Receive time: 104.318 packet length: 60 received length: 60 Ethernet: (00000f007ed9 -> Prote e07055) type: IP(0x0800) Internet: 129.32.1.64 -> 128.193.32.1 hl: 5 ver: 4 tos: 0 len: 40 id: 0x1155 fragoff: 0 flags: 00 ttl: 30 prot: TCP(6) xsum: 0x5968 TCP: 2590 -> ftp(21) seq: a2a4c258 ack: 02916f3b win: 4096 hl: 5 xsum: 0xb59b urg: 0 flags: 0000: 00 00 93 e0 70 55 00 00 - 0f 00 7e d9 08 00 45 00 | pU ~ E | 0010: 00 28 11 55 00 00 1e 06 - 68 59 81 20 01 40 80 c1 | ( U hY @ | 0020: 20 01 0a 1e 00 15 a2 a4 - c2 58 02 91 6f 3b 50 10 | X o;P | 0030: 10 00 9b b5 00 00 40 60 - 0a 12 40 60 | @` @`| Packet 40 - shirley to cs - TCP goodby (2/3 of 3-way handshake) Receive time: 104.376 packet length: 60 received length: 60 Ethernet: (00000f007ed9 -> Prote e07055) type: IP(0x0800) Internet: 129.32.1.64 -> 128.193.32.1 hl: 5 ver: 4 tos: 0 len: 40 id: 0x1156 fragoff: 0 flags: 00 ttl: 30 prot: TCP(6) xsum: 0x5868 TCP: 2590 -> ftp(21) seq: a2a4c258 ack: 02916f3b win: 4096 hl: 5 xsum: 0xb49b urg: 0 flags: 0000: 00 00 93 e0 70 55 00 00 - 0f 00 7e d9 08 00 45 00 | pU ~ E | 0010: 00 28 11 56 00 00 1e 06 - 68 58 81 20 01 40 80 c1 | ( V hX @ | 0020: 20 01 0a 1e 00 15 a2 a4 - c2 58 02 91 6f 3b 50 11 | X o;P | 0030: 10 00 9b b4 00 00 40 60 - 0a 12 40 60 | @` @`| Packet 41 - shirley to cs - DUPLICATE TCP goodby (2/3 of 3-way handshake) Receive time: 105.598 packet length: 60 received length: 60 Ethernet: (00000f007ed9 -> Prote e07055) type: IP(0x0800) Internet: 129.32.1.64 -> 128.193.32.1 hl: 5 ver: 4 tos: 0 len: 40 id: 0x1157 fragoff: 0 flags: 00 ttl: 30 prot: TCP(6) xsum: 0x5768 TCP: 2590 -> ftp(21) seq: a2a4c258 ack: 02916f3b win: 4096 hl: 5 xsum: 0xb49b urg: 0 flags: 0000: 00 00 93 e0 70 55 00 00 - 0f 00 7e d9 08 00 45 00 | pU ~ E | 0010: 00 28 11 57 00 00 1e 06 - 68 57 81 20 01 40 80 c1 | ( W hW @ | 0020: 20 01 0a 1e 00 15 a2 a4 - c2 58 02 91 6f 3b 50 11 | X o;P | 0030: 10 00 9b b4 00 00 70 69 - 63 61 73 73 | picass| Packet 42 - cs to shirley - TCP goodby (3/3 of 3-way handshake) Receive time: 105.849 packet length: 60 received length: 60 Ethernet: (Prote e07055 -> 00000f007ed9) type: IP(0x0800) Internet: 128.193.32.1 -> 129.32.1.64 hl: 5 ver: 4 tos: 0 len: 40 id: 0x8bee fragoff: 0 flags: 00 ttl: 13 prot: TCP(6) xsum: 0xbffe TCP: ftp(21) -> 2590 seq: 02916f3b ack: a2a4c259 win: 4096 hl: 5 xsum: 0xb49b urg: 0 flags: 0000: 00 00 0f 00 7e d9 00 00 - 93 e0 70 55 08 00 45 00 | ~ pU E | 0010: 00 28 8b ee 00 00 0d 06 - fe bf 80 c1 20 01 81 20 | ( | 0020: 01 40 00 15 0a 1e 02 91 - 6f 3b a2 a4 c2 59 50 10 | @ o; YP | 0030: 10 00 9b b4 00 00 40 60 - 02 18 00 00 | @` |