I am currently working on a network & security training, module “OSI Layer 4 – Transport”. For it I made a very basic demo of a TCP and a UDP connection in order to see the well-known “SYN, SYN-ACK, ACK” handshake for TCP (and nothing of the kind for UDP), “Follow TCP/UDP Stream” in Wireshark, and so on. I wanted to show that it's not that complicated at all: every common application or service simply uses one of these two transports, a TCP byte stream or UDP datagrams, to move bytes between a client and a server.
That is, here are the Linux commands for the basic lab, a downloadable pcap, and, as always, some Wireshark screenshots:
TCP
Listening with netcat on the server on port 1337 (the -6 restricts the listener to IPv6; this is the syntax of the OpenBSD netcat variant, the traditional netcat wants -l -p 1337 instead):
netcat -6 -l 1337
Verifying the listening port:
netstat -tulpen6
In my case, this looks like:
weberjoh@nb15-lx:~$ netstat -tulpen6
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       User       Inode      PID/Program name
tcp6       0      0 :::22                   :::*                    LISTEN      0          21160      -
tcp6       0      0 :::1337                 :::*                    LISTEN      1000       1490116    20122/netcat
udp6       0      0 fe80::d6be:d9ff:fe4:123 :::*                                0          22715      -
udp6       0      0 2001:470:765b::b15::123 :::*                                0          22713      -
udp6       0      0 ::1:123                 :::*                                0          22711      -
udp6       0      0 :::123                  :::*                                0          22699      -
Now connecting from the client to the server with telnet:
telnet <ip> <port>
In my case, along with some text messages in both directions:
weberjoh@vm24-ns0:~$ telnet 2001:470:765b::b15:22 1337
Trying 2001:470:765b::b15:22...
Connected to 2001:470:765b::b15:22.
Escape character is '^]'.
Hello
Hi there
Greetings from the client to the server!
Thanks. Greetings back from the server to the client.
Cheers
Goodbye
^]
telnet> quit
Connection closed.
Wireshark reveals the TCP flags in the Info column for the connection establishment (SYN, SYN-ACK, ACK) and the termination (FIN/ACK exchange at the end). Have a look at the ACKs directly after each sent message, regardless of direction. Finally, a “Follow TCP Stream” shows the raw data, coloured by direction (client to server vs. server to client):
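To see what Wireshark is actually decoding in that Info column, here is an added Python example (not part of the original post or its lab) that builds the TCP headers of a session like the one above, a three-way handshake, one “Hello” line, the ACK for it, and the FIN teardown, then parses them back and renders the flags and relative sequence/acknowledgement numbers the way Wireshark does. The client port 40000, the initial sequence numbers 1000/5000 and the CRLF line ending are constructed assumptions, not values from the pcap:

```python
import struct

# TCP flag bits (low 9 bits of the 16-bit offset/flags word), listed low bit first,
# which matches the order Wireshark prints them in ("[SYN, ACK]", "[FIN, ACK]").
TCP_FLAG_NAMES = ["FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECE", "CWR", "NS"]
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10

TCP_HDR = "!HHIIHHHH"  # sport, dport, seq, ack, offset|flags, window, checksum, urgent pointer

def build_tcp_header(sport, dport, seq, ack, flags, window=65535):
    """Bare 20-byte TCP header: no options, checksum left at 0 (constructed, not captured)."""
    return struct.pack(TCP_HDR, sport, dport, seq, ack, (5 << 12) | flags, window, 0, 0)

def parse_tcp_header(data):
    """Decode the fixed TCP header; flags come back as names, low bit first."""
    sport, dport, seq, ack, off_flags, window, _csum, _urg = struct.unpack(TCP_HDR, data[:20])
    flags = off_flags & 0x1FF
    names = [n for i, n in enumerate(TCP_FLAG_NAMES) if flags & (1 << i)]
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "hdr_len": (off_flags >> 12) * 4, "flags": names, "window": window}

def info_column(segment, isn):
    """Render one segment like Wireshark's Info column, with relative Seq/Ack numbers.
    isn maps each port to the initial sequence number chosen by that side."""
    h = parse_tcp_header(segment)
    text = f'{h["sport"]} -> {h["dport"]} [{", ".join(h["flags"])}] Seq={h["seq"] - isn[h["sport"]]}'
    if "ACK" in h["flags"]:                     # a pure SYN carries no meaningful Ack
        text += f' Ack={h["ack"] - isn[h["dport"]]}'
    return text + f' Win={h["window"]} Len={len(segment) - h["hdr_len"]}'

def lab_session():
    """Constructed trace of the lab: handshake, one 'Hello' line, its ACK, teardown."""
    cport, sport = 40000, 1337          # client port assumed; 1337 is the netcat listener
    c_isn, s_isn = 1000, 5000           # assumed initial sequence numbers
    payload = b"Hello\r\n"              # telnet sends CRLF line endings
    n = len(payload)
    segments = [
        build_tcp_header(cport, sport, c_isn,         0,             SYN),
        build_tcp_header(sport, cport, s_isn,         c_isn + 1,     SYN | ACK),
        build_tcp_header(cport, sport, c_isn + 1,     s_isn + 1,     ACK),
        build_tcp_header(cport, sport, c_isn + 1,     s_isn + 1,     PSH | ACK) + payload,
        build_tcp_header(sport, cport, s_isn + 1,     c_isn + 1 + n, ACK),        # ACK right after the message
        build_tcp_header(cport, sport, c_isn + 1 + n, s_isn + 1,     FIN | ACK),  # telnet> quit
        build_tcp_header(sport, cport, s_isn + 1,     c_isn + 2 + n, FIN | ACK),  # FIN consumes one sequence number
        build_tcp_header(cport, sport, c_isn + 2 + n, s_isn + 2,     ACK),
    ]
    isn = {cport: c_isn, sport: s_isn}
    return [info_column(s, isn) for s in segments]

if __name__ == "__main__":
    for line in lab_session():
        print(line)
```

Note how the ACK after the “Hello” line acknowledges byte 8 (7 bytes of payload plus the SYN that counted as byte 0), and how each FIN consumes one sequence number as well. Wireshark shows the same relative numbers by default; the absolute ones are only visible when “Relative sequence numbers” is switched off in the TCP protocol preferences.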
UDP
Basically the same with UDP. Listening on the server on port 2311:
netcat -6 -l -u 2311
netstat now lists the socket with proto type “udp6” and an empty State column, since UDP has no connection state to show:
weberjoh@nb15-lx:~$ netstat -tulpen6
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       User       Inode      PID/Program name
tcp6       0      0 :::22                   :::*                    LISTEN      0          21160      -
udp6       0      0 fe80::d6be:d9ff:fe4:123 :::*                                0          22715      -
udp6       0      0 2001:470:765b::b15::123 :::*                                0          22713      -
udp6       0      0 ::1:123                 :::*                                0          22711      -
udp6       0      0 :::123                  :::*                                0          22699      -
udp6       0      0 :::2311                 :::*                                1000       1490184    20131/netcat
Connecting from the client, this time with netcat as well (telnet is TCP-only and cannot speak UDP):
netcat -u <ip> <port>
Now my demo, again with some text messages, this time including umlauts:
weberjoh@vm24-ns0:~$ netcat -u 2001:470:765b::b15:22 2311
Hi over UDP
Guten Tag auch
Oh, you speak German
Kann ich auch
Sehr schön. Sogar mit Umlauten. ;)
Yup. Ciao.
Tschö
^C
Through Wireshark's glasses: no connection establishment or termination, no ACKs, only the raw data in both directions, one single UDP packet per sent text message. Quite easy. “Follow UDP Stream” works as well; since there is no connection, Wireshark simply groups the datagrams by their address and port pair:
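The point that matters for anyone writing or parsing a protocol on top of these two transports is the one the two “Follow Stream” views hint at: TCP delivers a byte stream without message boundaries, UDP delivers one datagram per send. The following added Python example (not part of the original post or its lab) reproduces the exchange above in-process over the loopback address: a client sends the same kind of newline-terminated lines, the TCP server records what each recv() returned, and the UDP server records each datagram. It prefers ::1 because the lab uses -6 and falls back to 127.0.0.1 on hosts without an IPv6 loopback; the ports are picked by the kernel instead of 1337/2311, and the messages are constructed:

```python
import socket
import threading

# Constructed sample messages, one line each, like the lines typed into telnet/netcat above.
MESSAGES = [
    b"Hello\n",
    b"Greetings from the client to the server!\n",
    b"Cheers\n",
    "Sehr sch\u00f6n. Sogar mit Umlauten. ;)\n".encode("utf-8"),
]

def _loopback():
    """Prefer IPv6 loopback (the lab listens with -6); fall back to IPv4 if ::1 is unusable."""
    try:
        probe = socket.socket(socket.AF_INET6, socket.SOCK_STREAM)
        probe.bind(("::1", 0))
        probe.close()
        return socket.AF_INET6, "::1"
    except OSError:
        return socket.AF_INET, "127.0.0.1"

def tcp_exchange(messages=MESSAGES):
    """Send all messages over one TCP connection; return (recv chunks, reassembled stream)."""
    family, host = _loopback()
    srv = socket.socket(family, socket.SOCK_STREAM)
    srv.bind((host, 0))                 # port 0: kernel picks a free port (the lab used 1337)
    srv.listen(1)
    srv.settimeout(5)
    port = srv.getsockname()[1]
    chunks = []

    def server():
        conn, _peer = srv.accept()      # SYN, SYN-ACK, ACK have completed at this point
        with conn:
            conn.settimeout(5)
            while True:
                data = conn.recv(4096)  # a chunk of the byte stream, not necessarily one "message"
                if not data:            # b"" means the peer's FIN arrived
                    break
                chunks.append(data)

    t = threading.Thread(target=server)
    t.start()
    with socket.socket(family, socket.SOCK_STREAM) as cli:
        cli.connect((host, port))
        for m in messages:
            cli.sendall(m)              # each sendall() becomes one or more segments, each ACKed
        cli.shutdown(socket.SHUT_WR)    # FIN: we are done sending
    t.join()
    srv.close()
    return chunks, b"".join(chunks)

def split_lines(stream):
    """Recover the application messages from the TCP byte stream: the newline is the
    framing, not the segment or recv() boundary."""
    return [line + b"\n" for line in stream.split(b"\n") if line]

def udp_exchange(messages=MESSAGES):
    """Each sendto() is exactly one datagram; the server sees them one recvfrom() at a time."""
    family, host = _loopback()
    srv = socket.socket(family, socket.SOCK_DGRAM)
    srv.bind((host, 0))                 # the lab used 2311
    srv.settimeout(5)
    port = srv.getsockname()[1]
    datagrams = []
    with socket.socket(family, socket.SOCK_DGRAM) as cli:
        for m in messages:
            cli.sendto(m, (host, port)) # no handshake: the very first packet already carries data
        for _ in messages:
            data, _peer = srv.recvfrom(65535)
            datagrams.append(data)
    srv.close()
    return datagrams

if __name__ == "__main__":
    chunks, stream = tcp_exchange()
    print(f"TCP: {len(MESSAGES)} sendall() calls arrived as {len(chunks)} recv() chunks")
    print(f"TCP: reassembled into {len(split_lines(stream))} lines")
    print(f"UDP: {len(udp_exchange())} datagrams, one per sendto()")
```

On a fast loopback the four sendall() calls often show up as fewer recv() chunks (or, with a slow reader, as more), which is exactly why a protocol on TCP needs its own framing such as the newline here, a length prefix, or TLS records; the UDP side never needs that, but also never learns whether a datagram was lost. This is why Wireshark has to reassemble TCP before it can show you the text in “Follow TCP Stream”, while “Follow UDP Stream” just concatenates the datagrams.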
pcap
Have a look at the corresponding pcap if you like. 7zipped, 1 KB:
Featured image “Slices of rye bread with butter on a wooden board” by Marco Verch Professional Photographer and Speaker is licensed under CC BY 2.0.