
I.

Compare the differences between SMTP, FTP, HTTP and HTTPS

FTP
FTP stands for File Transfer Protocol. It is used to send files to and receive files from a remote
computer. It is defined in RFC959. FTP establishes two connections between the client system
and the server system, one for control information and the other for the data to be transferred.
The control connection carries commands and responses. Authentication must be done initially
by validating a username and password. Once that is done, files can be transferred between the
two systems. FTP handles both binary and text format files.

SMTP
SMTP stands for Simple Mail Transfer Protocol. SMTP provides a protocol for two computers to
exchange electronic mail using a TCP connection. In other words, it is the protocol used by e-mail
servers to forward messages across a TCP/IP network. The client computer that initiates the
e-mail message uses SMTP to send the e-mail to the local server for delivery. It is defined in
RFC821, RFC822 and RFC974.
As mentioned, SMTP communicates with the network via the TCP/IP protocol stack. SMTP
communication occurs through TCP port 25 on the SMTP server.
The communication between client and server in the SMTP process consists of four-character
commands from the client to the server and three-digit response codes from the server to the
client, as mentioned in the table below. SMTP server response codes are very important when
there is a problem, because they let you debug it further from a networking point of view.
As we now know, the main difference between FTP and SMTP is that with FTP a user can send
and receive files to and from a computer, while SMTP is used to deliver mail to the user's
mailbox configured on the e-mail server.

Feature                 | FTP                                                                             | SMTP
TCP port number         | 20 and 21                                                                       | 25
RFC reference documents | RFC959                                                                          | RFC821, RFC822 and RFC974
Protocol function       | Used to transfer files from a remote computer after a connection is established | Used to send e-mail messages between computers, either using an SMTP server or using a mail function.
HTTP
Hypertext Transfer Protocol (HTTP) is a protocol used in networking. When you type a web
address into your web browser, the browser acts as a client, and the computer holding the
requested information acts as a server. When the client requests information from the server, it
uses the HTTP protocol to do so. The server responds to the client once the request completes.
The response comes in the form of the web page you see just after typing the web address and
pressing Enter.

HTTPS
Hypertext Transfer Protocol Secure (HTTPS) is a combination of two different protocols and is a
more secure way to access the web. It combines the Hypertext Transfer Protocol (HTTP) with the
SSL/TLS protocol. It is a more secure way of sending requests from a client to a server, and the
communication is fully encrypted, so an eavesdropper cannot see what you are looking at.
This kind of communication is used for accessing websites where security is required.
Banking websites, payment gateways, e-mail (Gmail offers HTTPS by default in the Chrome
browser) and corporate websites are some good examples of where HTTPS is used.
For an HTTPS connection, the server needs a public-key certificate that is signed and trusted.
Such certificates are either free or cost a few dollars, depending on the signing authority. There is
one other method of distributing certificates: the site administrator creates the certificate and
loads it into the users' browsers. Then, when a user requests information from the web server,
the server's identity can be verified easily.

HTTP                              | HTTPS
URL begins with http://           | URL begins with https://
It uses port 80 for communication | It uses port 443 for communication
Unsecured                         | Secured
Operates at Application Layer     | Operates at Transport Layer
No encryption                     | Encryption is present
No certificates required          | Certificates required

TCP and UDP


There are two types of Internet Protocol (IP) traffic: TCP, or Transmission Control Protocol, and
UDP, or User Datagram Protocol. TCP is connection-oriented: once a connection is established,
data can be sent in both directions. UDP is a simpler, connectionless Internet protocol. With UDP,
multiple messages are sent as packets in chunks.

Acronym for
  TCP: Transmission Control Protocol
  UDP: User Datagram Protocol or Universal Datagram Protocol
Connection
  TCP: TCP is a connection-oriented protocol.
  UDP: UDP is a connectionless protocol.
Function
  TCP: As a message makes its way across the internet from one computer to another. This is connection based.
  UDP: UDP is also a protocol used in message transport or transfer. This is not connection based, which means that one program can send a load of packets to another and that would be the end of the relationship.
Usage
  TCP: TCP is suited for applications that require high reliability, and where transmission time is relatively less critical.
  UDP: UDP is suitable for applications that need fast, efficient transmission, such as games. UDP's stateless nature is also useful for servers that answer small queries from huge numbers of clients.
Use by other protocols
  TCP: HTTP, HTTPS, FTP, SMTP, Telnet.
  UDP: DNS, DHCP, TFTP, SNMP, RIP, VoIP.
Ordering of data packets
  TCP: TCP rearranges data packets in the order specified.
  UDP: UDP has no inherent order, as all packets are independent of each other. If ordering is required, it has to be managed by the application layer.
Speed of transfer
  TCP: The speed for TCP is slower than UDP.
  UDP: UDP is faster because error recovery is not attempted. It is a "best effort" protocol.
Reliability
  TCP: There is an absolute guarantee that the data transferred remains intact and arrives in the same order in which it was sent.
  UDP: There is no guarantee that the messages or packets sent would reach at all.
Header size
  TCP: TCP header size is 20 bytes.
  UDP: UDP header size is 8 bytes.
Streaming of data
  TCP: Data is read as a byte stream; no distinguishing indications are transmitted to signal message (segment) boundaries.
  UDP: Packets are sent individually and are checked for integrity only if they arrive. Packets have definite boundaries which are honored upon receipt, meaning a read operation at the receiver socket will yield an entire message as it was originally sent.
Weight
  TCP: TCP is heavy-weight. TCP requires three packets to set up a socket connection before any user data can be sent. TCP handles reliability and congestion control.
  UDP: UDP is lightweight. There is no ordering of messages, no tracking of connections, etc. It is a small transport layer designed on top of IP.
Data flow control
  TCP: TCP does flow control. TCP requires three packets to set up a socket connection before any user data can be sent. TCP handles reliability and congestion control.
  UDP: UDP does not have an option for flow control.
Error checking
  TCP: TCP does error checking and error recovery. Erroneous packets are retransmitted from the source to the destination.
  UDP: UDP does error checking but simply discards erroneous packets. Error recovery is not attempted.
Fields
  TCP: 1. Sequence number, 2. ACK number, 3. Data offset, 4. Reserved, 5. Control bits, 6. Window, 7. Urgent pointer, 8. Options, 9. Padding, 10. Checksum, 11. Source port, 12. Destination port.
  UDP: 1. Length, 2. Source port, 3. Destination port, 4. Checksum.
Acknowledgement
  TCP: Acknowledgement segments.
  UDP: No acknowledgement.
Handshake
  TCP: SYN, SYN-ACK, ACK.
  UDP: No handshake (connectionless protocol).

II. Capture with Wireshark and Analyze


SMTP
To filter SMTP, we type smtp in Wireshark's display filter, as shown below:
First, identify the client (source), 192.168.1.6, and the mail server (destination),
74.125.204.109.
The client sends an EHLO packet to the server; the server then replies with success code 250
(the failure code would be 550).
The server performs client verification and checks the client's login information; client
passwords are protected using the CRAM-MD5 hash algorithm, and the server defines 8BITMIME
(the 8-bit extension), with success code 250.
The client starts sending mail to the server. The mail content is sent according to MIME
(Multipurpose Internet Mail Extensions), and, as with the login verification, the server also
verifies the recipient and the sender of the mail, returning success code 250.
After verifying the sender and recipient information, a packet with the IMF (Internet Message
Format) protocol is sent from the client to the server; this is the actual content, with the sender,
recipient, date and body of the mail, along with any attached media (MIME standard).
The server receives the mail and saves it on the mail server.
The server sends the QUIT message at the end of the conversation.
To show more details, follow the RED rectangle.

FTP
Set up FTP on the command line.
To filter FTP, we type ftp in Wireshark's display filter, as shown below:

Authentication must be done initially by validating a username and password.


The picture shows USER : anomunous and PASS : john2112 used to access 124.40.41.226 from
192.168.1.6.
To show more details, follow the RED rectangle.

HTTP
To filter HTTP, we type http in Wireshark's display filter, as shown below:
We see the GET request from the client (192.168.1.6) sent to the server (204.79.197.203)
requesting the web server query, according to the HTTP/1.1 protocol.
The first line of the picture helps us detect an error, Moved Permanently: when the client
made its request, the server had moved the file to another location, hence the error.
We see a successful web query from the client. The client sends a GET HTTP/1.1 request to the
server to query the site, and the server replies 302 Found to the client.
The ISP's DNS server resolves the web server, which then performs authentication requests
through certificates. On successful verification (code 200 OK), the site content is sent from the
server through the ISP back to the client's browser.
Then the client and the server continuously exchange packets with each other, ensuring that the
web content is always fresh.
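The sequence seen in the capture (Moved Permanently, then 302 Found, then 200 OK) is a browser following redirects. The example below is added here and is not from the original report: it builds the GET request line, parses raw HTTP/1.1 responses (status line and headers) and follows 301/302 Location headers, including a relative Location, against a constructed in-memory set of responses. The hosts www.example.test and loop.example.test and their responses are invented; the loop host is there to show the failure mode a client must guard against.

```python
"""Parse raw HTTP/1.1 responses and follow 301/302 redirects (added example;
the hosts and responses below are constructed, not captured traffic)."""

from urllib.parse import urljoin, urlsplit

# Constructed 'wire' responses keyed by the URL the client asks for: an http://
# site that moves permanently to https://, then a 302 to its home page.
FAKE_SERVER = {
    "http://www.example.test/": (
        b"HTTP/1.1 301 Moved Permanently\r\n"
        b"Location: https://www.example.test/\r\n"
        b"Content-Length: 0\r\n\r\n"
    ),
    "https://www.example.test/": (
        b"HTTP/1.1 302 Found\r\nLocation: /home\r\nContent-Length: 0\r\n\r\n"
    ),
    "https://www.example.test/home": (
        b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: 21\r\n\r\n"
        b"<html>welcome</html>\n"
    ),
    # Two URLs that redirect to each other: a redirect loop.
    "http://loop.example.test/a": b"HTTP/1.1 302 Found\r\nLocation: /b\r\n\r\n",
    "http://loop.example.test/b": b"HTTP/1.1 302 Found\r\nLocation: /a\r\n\r\n",
}


def build_request(url):
    """The request line and Host header a GET for this URL puts on the wire."""
    parts = urlsplit(url)
    target = (parts.path or "/") + (f"?{parts.query}" if parts.query else "")
    return f"GET {target} HTTP/1.1\r\nHost: {parts.netloc}\r\nConnection: close\r\n\r\n".encode("ascii")


def parse_response(raw):
    """Split a raw response into (status_code, reason, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = lines[0].split(" ", 2)
    if len(status) < 2 or not status[0].startswith("HTTP/") or not status[1].isdigit():
        raise ValueError(f"malformed status line: {lines[0]!r}")
    code = int(status[1])
    reason = status[2] if len(status) == 3 else ""
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()      # header names are case-insensitive
    length = int(headers.get("content-length", len(body)))
    return code, reason, headers, body[:length]


def fetch(url, server=FAKE_SERVER, max_redirects=5):
    """Follow 301/302 Location headers like a browser; return (final_url, code, hops)."""
    hops = [url]
    while True:
        raw = server.get(url)
        if raw is None:
            raise LookupError(f"no response recorded for {url}")
        code, _reason, headers, _body = parse_response(raw)
        if code not in (301, 302) or "location" not in headers:
            return url, code, hops
        url = urljoin(url, headers["location"])            # Location may be relative
        if url in hops:
            raise RuntimeError(f"redirect loop back to {url}")
        if len(hops) - 1 >= max_redirects:
            raise RuntimeError(f"more than {max_redirects} redirects")
        hops.append(url)


if __name__ == "__main__":
    print(build_request("http://www.example.test/").decode())
    final_url, code, hops = fetch("http://www.example.test/")
    print(" -> ".join(hops))
    print("final:", final_url, code)
```

The first hop in the constructed chain is the http:// to https:// upgrade that many sites perform, which is why a capture filtered on http often shows little more than a 301 before the rest of the session moves to port 443.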

HTTPS
To filter HTTPS, we type ssl certificate in Wireshark's display filter, as shown below:
Each of the SSL records begins with the same three fields (with possibly different values). One of
these fields is the content type and has a length of one byte. List all three fields and their
lengths.
Each hexadecimal digit (also called a "nibble") represents four binary digits (bits), so each pair of
hexadecimal digits equals 1 byte.
Destination MAC address: IntelCor_de:ed:24 (d0:7e:35:de:ed:24) : 6 bytes
Source MAC address: HuaweiTe_49:5e:91 (20:f1:7c:49:5e:91) : 6 bytes
Type: IPv4 (0x0800) : 2 bytes
ClientHello Records

Expand the ClientHello record. (If your trace contains multiple ClientHello records, expand the
frame that contains the first one.) What is the value of the content type?
hex 16 (0x16 = 16 + 6 = 22): Handshake.
Does the ClientHello record advertise the cipher suites it supports? If so, in the first listed suite,
what are the public-key algorithm, the symmetric-key algorithm, and the hash algorithm?
DES (Data Encryption Standard), 3-DES (Triple-DES), DSA (Digital Signature Algorithm), KEA (Key
Exchange Algorithm), MD5 (Message Digest algorithm), RSA, RSA key exchange, RC2 and RC4,
SHA-1 (Secure Hash Algorithm).
ServerHello Records

Look at the ServerHello packet. What cipher suite does it choose?


Cipher Suite: TLSv1.2 Record Layer: Handshake Protocol: Server Hello.
Does this record include a nonce? If so, how long is it? What is the purpose of the client and
server nonces in SSL?
Yes, 28 bytes. The ClientHello packet also carries a nonce. They are used to make the session
communication between the two nodes unique. It "salts" the communication to prevent replay
attacks. A replay attack happens when data from old communications is used to "crack" a
current communication.
Does this record include a session ID? What is the purpose of the session ID?
Yes. This is to make things efficient, in case the client plans to close the current connection and
reconnect in the near future.
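The record header that every TLS record starts with is fixed: a 1-byte content type (0x16 = 22 for Handshake, as noted above), a 2-byte protocol version and a 2-byte length. The example below is added here and is not part of the original report: it builds a TLS 1.2 ClientHello with constructed values (a fixed timestamp, a 28-byte marker nonce, an 8-byte session ID and three real IANA cipher suite codes) and parses it back, extracting the fields the questions above ask about: content type, the 28-byte nonce, the session ID and the offered cipher suites, each split into its key-exchange, bulk-cipher and hash parts. The suite list is the only part that uses real identifiers; everything else is constructed.

```python
"""Build and parse a TLS 1.2 ClientHello record (added example; the random,
session id and suite list are constructed, the layout is RFC 5246's)."""

import struct

CONTENT_HANDSHAKE = 0x16        # 22 decimal, the content type seen above
HANDSHAKE_CLIENT_HELLO = 0x01
TLS_1_2 = bytes([3, 3])         # 0x0303 on the wire

# Real IANA cipher suite codes, so the parser can name what is offered.
SUITE_NAMES = {
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
}


def build_client_hello(client_random, session_id, suites):
    """Wrap a ClientHello body in the 4-byte handshake and 5-byte record headers."""
    if len(client_random) != 32:
        raise ValueError("random is 4-byte gmt_unix_time + 28-byte nonce")
    body = TLS_1_2 + client_random
    body += bytes([len(session_id)]) + session_id
    body += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                                  # one compression method: null
    body += struct.pack("!H", 0)                         # no extensions
    handshake = bytes([HANDSHAKE_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([CONTENT_HANDSHAKE]) + TLS_1_2 + struct.pack("!H", len(handshake)) + handshake


def parse_record_header(data):
    """The three fields every TLS record starts with: type (1), version (2), length (2)."""
    if len(data) < 5:
        raise ValueError("truncated record header")
    content_type, major, minor, length = struct.unpack("!BBBH", data[:5])
    if len(data) < 5 + length:
        raise ValueError("record body shorter than its declared length")
    return {"content_type": content_type, "version": (major, minor), "length": length}


def parse_client_hello(data):
    """Parse record -> handshake -> ClientHello and return the fields asked about above."""
    rec = parse_record_header(data)
    if rec["content_type"] != CONTENT_HANDSHAKE:
        raise ValueError(f"not a handshake record: content type {rec['content_type']:#x}")
    hs = data[5:5 + rec["length"]]
    if hs[0] != HANDSHAKE_CLIENT_HELLO or int.from_bytes(hs[1:4], "big") != len(hs) - 4:
        raise ValueError("not a well-formed ClientHello handshake message")
    body = hs[4:]
    pos = 2                                              # after client_version
    client_random = body[pos:pos + 32]
    pos += 32
    sid_len = body[pos]
    session_id = body[pos + 1:pos + 1 + sid_len]
    pos += 1 + sid_len
    suites_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    if suites_len % 2 or pos + suites_len > len(body):
        raise ValueError("bad cipher_suites length")
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + suites_len, 2)]
    return {
        "record": rec,
        "client_version": (body[0], body[1]),
        "gmt_unix_time": struct.unpack("!I", client_random[:4])[0],
        "nonce": client_random[4:],                      # the 28-byte random part
        "session_id": session_id,
        "cipher_suites": [SUITE_NAMES.get(s, f"unknown_{s:#06x}") for s in suites],
    }


def describe_suite(name):
    """Split an IANA suite name into (key exchange/authentication, bulk cipher, hash)."""
    kx, _, rest = name[len("TLS_"):].partition("_WITH_")
    cipher, _, digest = rest.rpartition("_")
    return kx, cipher, digest


# Constructed values: fixed timestamp, 28 marker bytes, an 8-byte session id.
SAMPLE_RANDOM = struct.pack("!I", 1_700_000_000) + bytes(range(28))
SAMPLE_HELLO = build_client_hello(SAMPLE_RANDOM, b"\xaa" * 8, [0xC02F, 0xC030, 0x002F])

if __name__ == "__main__":
    info = parse_client_hello(SAMPLE_HELLO)
    print("content type:", info["record"]["content_type"], "(0x16 = Handshake)")
    print("nonce bytes:", len(info["nonce"]), "session id:", info["session_id"].hex())
    for suite in info["cipher_suites"]:
        print(suite, "->", describe_suite(suite))
```

Wireshark's "Random" field is the full 32 bytes; the 28-byte figure in the answer above is the part after the 4-byte gmt_unix_time, which is what the parser reports as the nonce. A real client would fill the random from a CSPRNG and add extensions (SNI, supported groups); the marker bytes here exist only so the parse is checkable.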

TCP
To filter TCP, we type tcp.port == 80 in Wireshark's display filter, as shown below:

Three-way handshake
A three-way handshake is a method used in a TCP/IP network to create a connection between a
local host/client and a server. It is a three-step method that requires both the client and server to
exchange SYN and ACK (acknowledgment) packets before actual data communication begins.
A three-way handshake is also known as a TCP handshake.
A three-way handshake is primarily used to create a TCP socket connection. It works as follows:
A client node sends a SYN data packet over an IP network to a server on the same or an external
network. The objective of this packet is to ask whether the server is open for new connections.
The target server must have open ports that can accept and initiate new connections. When the
server receives the SYN packet from the client node, it responds and returns a confirmation
receipt, the ACK packet or SYN/ACK packet.

The client node receives the SYN/ACK from the server and responds with an ACK packet.

Upon completion of this process, the connection is created and the host and server can
communicate.
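The header fields listed in the TCP/UDP table in Section I (the 20-byte TCP header with sequence and ACK numbers, data offset, control bits, window, checksum and urgent pointer; the 8-byte UDP header with ports, length and checksum) and the SYN, SYN/ACK, ACK sequence described above can both be checked in code. The example below is added here and is not part of the original report: it decodes both headers from raw bytes and verifies that three constructed segments form a valid handshake, including the rule that each acknowledgement number equals the other side's initial sequence number plus one, which is what lets a capture viewer tie the three segments together. Port numbers, sequence numbers and the UDP sample are constructed.

```python
"""Decode TCP and UDP headers and validate a three-way handshake (added
example; the segments below are constructed, not captured)."""

import struct

TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}


def parse_tcp_header(segment):
    """Decode the 20-byte fixed TCP header; fields as in the table in Section I."""
    if len(segment) < 20:
        raise ValueError("TCP header needs at least 20 bytes")
    sport, dport, seq, ack, off_res, flags, window, checksum, urg = struct.unpack(
        "!HHIIBBHHH", segment[:20])
    data_offset = (off_res >> 4) * 4             # header length in bytes, 20 without options
    if data_offset < 20 or data_offset > len(segment):
        raise ValueError(f"bad data offset {data_offset}")
    return {
        "src_port": sport, "dst_port": dport,
        "seq": seq, "ack": ack,
        "data_offset": data_offset,
        "reserved": off_res & 0x0F,
        "flags": {name for name, bit in TCP_FLAGS.items() if flags & bit},
        "window": window, "checksum": checksum, "urgent_pointer": urg,
        "options": segment[20:data_offset],
        "payload": segment[data_offset:],
    }


def parse_udp_header(datagram):
    """Decode the 8-byte UDP header: source port, destination port, length, checksum."""
    if len(datagram) < 8:
        raise ValueError("UDP header needs 8 bytes")
    sport, dport, length, checksum = struct.unpack("!HHHH", datagram[:8])
    if length < 8 or length > len(datagram):
        raise ValueError(f"UDP length field {length} inconsistent with {len(datagram)} bytes")
    return {"src_port": sport, "dst_port": dport, "length": length,
            "checksum": checksum, "payload": datagram[8:length]}


def build_tcp_segment(sport, dport, seq, ack, flag_names, window=65535):
    """Construct a 20-byte TCP header (checksum left 0: no IP pseudo-header here)."""
    flags = sum(TCP_FLAGS[f] for f in flag_names)
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, window, 0, 0)


def check_three_way_handshake(segments):
    """Verify SYN, SYN/ACK, ACK order and the sequence/ack arithmetic between them.
    Returns (client_isn, server_isn) once the connection counts as established."""
    if len(segments) < 3:
        raise ValueError("handshake needs three segments")
    syn, synack, ack = (parse_tcp_header(s) for s in segments[:3])
    if syn["flags"] != {"SYN"}:
        raise ValueError("first segment must carry only SYN")
    if synack["src_port"] != syn["dst_port"] or synack["dst_port"] != syn["src_port"]:
        raise ValueError("SYN/ACK ports do not mirror the SYN")
    if synack["flags"] != {"SYN", "ACK"} or synack["ack"] != (syn["seq"] + 1) & 0xFFFFFFFF:
        raise ValueError("second segment must be SYN/ACK acknowledging client ISN + 1")
    if ack["flags"] != {"ACK"} or ack["ack"] != (synack["seq"] + 1) & 0xFFFFFFFF:
        raise ValueError("third segment must ACK server ISN + 1")
    return syn["seq"], synack["seq"]


# Constructed handshake to port 80 (what the tcp.port == 80 filter above would show).
HANDSHAKE = [
    build_tcp_segment(51514, 80, 1000, 0, ["SYN"]),
    build_tcp_segment(80, 51514, 5000, 1001, ["SYN", "ACK"]),
    build_tcp_segment(51514, 80, 1001, 5001, ["ACK"]),
]
# Constructed UDP datagram to port 53: 8-byte header plus 4 bytes of payload.
UDP_SAMPLE = struct.pack("!HHHH", 53000, 53, 12, 0) + b"\x12\x34\x01\x00"

if __name__ == "__main__":
    for seg in HANDSHAKE:
        h = parse_tcp_header(seg)
        print(f"{h['src_port']:>5} -> {h['dst_port']:<5} seq={h['seq']} ack={h['ack']} {sorted(h['flags'])}")
    print("established, ISNs:", check_three_way_handshake(HANDSHAKE))
    print("udp:", parse_udp_header(UDP_SAMPLE))
```

Real segments carry options (MSS, window scale, SACK permitted) in the SYN and SYN/ACK, which is why Wireshark shows those headers as longer than 20 bytes; `data_offset` is what tells the parser where the options end and the payload begins.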

UDP
UDP uses a simple transmission model without implicit handshaking dialogues for guaranteeing
reliability, ordering, or data integrity. Thus, UDP provides an unreliable service, and datagrams
may arrive out of order, appear duplicated, or go missing without notice. UDP assumes that error
checking and correction are either not necessary or performed in the application, avoiding the
overhead of such processing at the network interface level. Unlike TCP, UDP is compatible with
packet broadcasts (sending to all on the local network) and multicasting (sending to all
subscribers).
To capture UDP traffic:

Start a Wireshark capture.
Open a command prompt.
Type ipconfig /renew and press Enter to renew your DHCP-assigned IP address. If you have a
static address, this will not generate any UDP traffic.
Type ipconfig /flushdns and press Enter to clear your DNS name cache.
Type nslookup 8.8.8.8 and press Enter to look up the hostname for IP address 8.8.8.8.
Close the command prompt.
Stop the Wireshark capture.
UDP DHCP Traffic
To view only UDP traffic related to the DHCP renewal, type udp.port == 68 (lower case) in
the Filter box and press Enter.

UDP DNS Traffic


To view only UDP traffic related to the DNS lookup, type udp.port == 53 (lower case) in the
Filter box and press Enter.
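What the udp.port == 53 filter catches from the nslookup 8.8.8.8 step above is a reverse (PTR) query for 8.8.8.8.in-addr.arpa and its answer. The example below is added here and is not part of the original report: it builds that query as the UDP payload the resolver would send, and parses a constructed response that uses the DNS name-compression pointer a real server would use, checking the transaction ID, the QR bit and the RCODE before trusting the answer. The transaction ID and the response bytes are constructed; no packet is sent.

```python
"""Build the PTR query behind `nslookup 8.8.8.8` and parse a constructed
reply (added example; the response bytes are constructed, not captured)."""

import struct

QTYPE_PTR, QCLASS_IN = 12, 1


def reverse_name(ipv4):
    """8.8.8.8 -> 8.8.8.8.in-addr.arpa, the name a PTR lookup asks for."""
    octets = ipv4.split(".")
    if len(octets) != 4 or not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {ipv4}")
    return ".".join(reversed(octets)) + ".in-addr.arpa"


def encode_name(name):
    """Wire form: length-prefixed labels terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not 0 < len(label) < 64:
            raise ValueError("label length must be 1..63")
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_ptr_query(ipv4, txid):
    """UDP payload for a standard recursive PTR query: 12-byte header + one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # flags: RD set
    return header + encode_name(reverse_name(ipv4)) + struct.pack("!HH", QTYPE_PTR, QCLASS_IN)


def decode_name(msg, pos, depth=0):
    """Read a possibly compressed name; return (name, position just after it)."""
    labels = []
    while True:
        if pos >= len(msg):
            raise ValueError("name runs past end of message")
        length = msg[pos]
        if length & 0xC0 == 0xC0:                        # 2-byte compression pointer
            if depth > 10:
                raise ValueError("pointer loop in name")
            target = struct.unpack("!H", msg[pos:pos + 2])[0] & 0x3FFF
            rest, _ = decode_name(msg, target, depth + 1)
            labels.append(rest)
            return ".".join(labels), pos + 2
        pos += 1
        if length == 0:
            return ".".join(labels), pos
        labels.append(msg[pos:pos + length].decode("ascii"))
        pos += length


def parse_ptr_response(msg, expected_txid):
    """Return the PTR target names; checks transaction id, QR bit and RCODE first."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch: not the answer to our query")
    if not flags & 0x8000:
        raise ValueError("QR bit clear: this is a query, not a response")
    if flags & 0x000F:
        raise ValueError(f"server returned RCODE {flags & 0xF}")
    pos = 12
    for _ in range(qd):                                  # skip the echoed question(s)
        _, pos = decode_name(msg, pos)
        pos += 4
    targets = []
    for _ in range(an):
        _, pos = decode_name(msg, pos)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        pos += 10
        if rtype == QTYPE_PTR and rclass == QCLASS_IN:
            targets.append(decode_name(msg, pos)[0])
        pos += rdlen
    return targets


QUERY = build_ptr_query("8.8.8.8", 0x1234)
# Constructed response: same id, QR+RD+RA flags, the question echoed, one PTR answer
# whose owner name is a pointer (0xC00C) back to the question name at offset 12.
PTR_RDATA = encode_name("dns.google")
RESPONSE = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + QUERY[12:]
            + b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_PTR, QCLASS_IN, 3600, len(PTR_RDATA))
            + PTR_RDATA)

if __name__ == "__main__":
    print("query bytes:", QUERY.hex())
    print("answer:", parse_ptr_response(RESPONSE, 0x1234))
```

The transaction-ID check is the one that matters for a resolver: a reply whose ID does not match the outstanding query is discarded rather than cached, and a real stub resolver also picks the ID and source port at random so that a stray datagram is unlikely to match.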