The Top 15 Network Protocols and Ports Explained // FTP, SSH, DNS, DHCP, HTTP, SMTP, TCP/IP

Captions
...that you're going to have to know about, and that's going to be FTP. Okay, so just to quiz you: what is the port number for FTP? Do you remember it? Well, hopefully that was your answer: port 21. So let's go ahead and now get some hands-on with FTP in this trace file. Now, you're going to notice throughout this video that sometimes I'm going to set a filter in Wireshark for the name of the protocol, and sometimes I'm going to set it for the port number itself, but what's the difference? Well, let's actually learn this right out of the gate. We're going to be filtering for FTP, so if I come in here and I go to the display filter and I just type in ftp, check out the number of packets that I have: I've got 33 packets that are displayed. Notice what I don't have: I don't have anything that says TCP here, so I don't have any of the handshake, I don't have any of the acknowledgements or any of the resets or anything like that. I just have whatever packets actually carried FTP data. But if I want to see some of those other supporting packets, especially the ones that show me the handshakes and such, that's where I need to go in and I need to do tcp.port == 21.

So now check out how many packets we have: we have 101 packets. So when we filter on the port number, we're taking a look at it from the TCP perspective, including any payload. If we filter on a protocol, we're only focusing in on that protocol, not on the TCP overhead information. That's why, personally, a lot of times when I'm doing analysis I'll use the port number to set the filter instead of the actual name of the protocol. Now, something that you're going to need to know about FTP is that historically FTP has used at least two ports. One was a control port, where it established a login and an initial connection, like we see here on port 21, but then data would be exchanged on a different port. Sometimes that's port 20, or a different port that's designated within the control traffic. So that's fuel for another conversation, but what we want to remember is that usually it's port 21, and then, if not port 20, another port to actually move the data. So let's go ahead and take a look at FTP and how it works. So here we can see FTP is a TCP-based protocol; we can see the TCP handshake here, SYN, SYN-ACK, and notice that FTP is clear text. That's why it's kind of fun to play with. We can see here, here's a user login, and then the server comes back and says okay, go ahead and give me that password, and look, our password is clear text: "password". You're also going to see in this trace file that there are a lot of the different request methods that we have, so go ahead and explore some of those on your own; it might get you a little bit more hands-on with FTP. Now, you're going to notice at the bottom of the FTP conversation you're going to see basically what looks like a port scan, and you should, because that's exactly what it was. Here one station was testing this other station with a lot of different SYNs, and just seeing those resets as a part of a scan. Okay, but the actual protocol itself we can see here is up at the top.

Now, something you're going to notice as I'm going through this is that my time column is listed as the time of day, and that's what I would suggest for you. Instead of starting at zero and going through it like a stopwatch, instead let's go ahead and go up to View, Time Display Format, and we're just going to do Time of Day. Now, why are we doing this? Because to create this trace file I had to merge a lot of different other pcaps together to get all of these protocols in one place for you, and they came from a lot of different time periods. So to make that easier, let's just use time of day, and that will simplify our analysis and not get all tied up with the time.

All right, so now that we talked about FTP, let's talk about the next one: SSH, Secure Shell. Now, what is the port number for SSH? Do you remember? Well, hopefully that's the one that you got: port 22. Let's go ahead and talk about port 22 as we're setting a filter for it. So let's go back to our trace file, let's set up a filter for port 22 and let's see what we've got here. Now we can see that there are a few SYNs; we see a reset there, that was also part of that scan, but also below that we can see that we have a little bit of SSH conversation. Now there's not a whole lot of SSH in this trace file, and you're going to find that if you ever capture SSH with Wireshark, it's encrypted, right? And we want it to be, right? When we're interacting with a network device, or we SSH into a server, we want to make sure that that's encrypted traffic. We're going to talk about why that is in just a moment, but as we can see here, we establish our handshake, we go SYN, SYN-ACK, and then the server actually comes back and it just gives us a version here; we're just doing a version request for it. So let's come down and see what kind of SSH we're dealing with. If we open up SSH we can see this is SSH 2.0, OpenSSH, and then Debian-8ubuntu1, so that just gives us an idea of what type of SSH server that we're talking to. Now just remember about SSH, that's how we're going to remote into a device to do some control and configuration. Okay, so let's just remember that: SSH, port 22.

All right, let's move on to the next one. Okay, Telnet. That's often one that you're going to see come up on a certification exam, certainly one that we want to know if we're into networking. What's the port number? Hopefully that's what you got: port 23. Now there's a reason why you don't see a whole lot of Telnet anymore; let's find out what that is. Okay, let's go ahead and go up to tcp.port and we're going to come back and just say port 23. So here's some Telnet stuff we have in this trace file; you can see I've got 104 packets. Now, Telnet uses TCP as a layer 4 transport protocol, so we can see that there's our handshake, and here we've got Telnet data, Telnet data. Now here's what's kind of fun about Telnet: if we take a look at our ASCII characters, or we take a look at the clear text view, we're going to start to see that there's some data in here. So if you come down to packet 338 you can start to see some clear text stuff come through. In fact, one way that we can analyze Telnet with Wireshark is just to click through and to take a look at everything one packet at a time, or what we can do is we can do a Follow TCP Stream. So let's do that: if we right-click any Telnet packet that's in this first part of our conversation, we can come down to Follow and we're going to do TCP Stream. Basically what this does is Wireshark takes the raw data out of each of these Telnet packets, or whatever TCP protocol we're using, it takes the payload and it assembles it in one place, and then it allows us to manipulate how we view it. Now, right now we're showing this data as ASCII characters, okay? So if we wanted to, we could say Raw, so do I just want to see the actual hexadecimal values that made up this flow? Well, that's not very useful for me; I'm going to go back to ASCII. So here I can see all of this was sent over clear text. This is really what a clear text protocol is. Now, in this all I did was I just telnetted into a Metasploitable server, and my purpose here was just to get some data going that we could take a look at. Now notice the login: Telnet echoes things, so we can see in red, that's the client sending data to the server; the blue is the server coming back to the client. Okay, so notice that the client sends m, s, f, a, d, m, i, n, okay, so msfadmin, and then in blue, right away, the server is actually echoing back every character. If I send m it echoes back m, if I send s it echoes back s. To make this easier for me, what I can do is I can come down to the entire conversation; if I just want to see from the client to the server, then I can just take a look at this one direction, and this is where I can see msfadmin all together without the echoes, and then exit. So here we can see the login and then the password and then just exit, very simply. Now this is also interesting to look at: if you ever Telnet into a network device, you can see whatever you show on your screen with Telnet, you can also see that within the packets as well. And really, due to the clear text nature of how Telnet works, that's really the reason why we don't use it as much anymore. Now we're going to be using more SSH because it's going to be encrypted. All right, so that was Telnet, so let's go and get on to the next one.

All right, SMTP. What's the port number for SMTP? All right, very good: port 25. All right, so there are three major mail protocols, and this is one of them, SMTP. Also, in a minute we're going to take a look at POP, or Post Office Protocol, and we're also going to take a look at IMAP. Those are your big three, okay? So something that you want to remember about SMTP, as opposed to the other email protocols, is that you're going to use SMTP to send emails, okay, from an email client to that email server. We're sending the email; you retrieve it with the other protocols that we're going to talk about in a little bit. But let's get back to our port. So we're going to come up here to our display filter, let's go ahead and type in tcp.port == 25, and that's going to show us our SMTP traffic. Now, SMTP can either be encrypted or unencrypted. We actually have examples of both of them here in this pcap. If we take a look at the first one here, we can see that we have a TCP connection, SYN, SYN-ACK. So here we see that the server comes back and it's telling us its version, and we can come down to SMTP, it shows us the type of server that it is. We can come down here, we see that the client is saying hello. Now, to make this a little bit easier to read, if we just right-click here we can come down to Follow TCP Stream. All right, so here with our Follow TCP Stream we can actually see all this data in one place, just like we could with Telnet. Now we can actually read this email. Now this is just a test email that was being sent out, it's just something to take a look at, and we can see the email address that it's being sent to. After the email is sent, afterward we can see okay, the message was accepted, we'll go ahead and quit and we're going to sign off; we've come down here to close. Also in our trace file, let's go ahead and back out from our stream filter, we're going to come back and just do another tcp.port == 25, and so if you scroll down a little bit further, if you come down to packet number 1407 or around there, we see another connection over port 25. So let's go ahead and see what happens here. This time I'm just going to right-click, I'm just going to say, instead of Follow TCP Stream, let's come to Conversation Filter, TCP. That's going to filter in just that one conversation. This time we set up our TCP handshake, we go ahead and establish ourselves with the server, say hello, but notice what happens: the server comes back in packet number 1413; if we expand out the response we can see that the server says hey, STARTTLS. The client says cool, STARTTLS, let's go ahead and start up a Transport Layer Security conversation. Okay, so this is where we see Client Hello, Server Hello, and that will establish a secure connection between the client and the server. Now the rest of this is going to be encrypted, so this time if we right-click and we say Follow TCP Stream, we can see the initial SMTP information; after that, this is what the email looks like, a lot different than before. We don't see that clear text, ASCII-character, readable stuff; this is actually encrypted. So remember, SMTP over port 25 can either be encrypted, or it's possible to use TLS over port 25. So what should we look for with SMTP? Well, a couple of the port numbers that you want to keep your eyes open for are going to be 587 and 2525. There are some other ones, but those are going to be the big ones. Now that is going to be secure SMTP, and that's going to be non-clear-text, not readable on the wire with Wireshark.

All right, so let's go on to our next protocol. How about this one: DNS. Okay, so what's the port number for DNS? 53, there we go. Now, this is going to be a little bit of a shift for us; let's see why. Let's go ahead and go to our trace file and let's pop in port 53. Now here I can see I have some scan traffic; we went ahead and tried to establish a connection over port 53, but notice that I don't have any DNS information here. This is all just TCP handshake info. That's one reason why I like to have TCP segment length on my Wireshark profile, because then I can see whether there's a payload that's actually being carried by this frame. In this case this is all just headers, it's all overhead, right? So SYN, SYN-ACK, reset, those kinds of things, but no actual data. Well, what's wrong here? Well, first of all, DNS, while it can support TCP, the majority of the time you're going to be running DNS over UDP. Okay, so let's go ahead and change this from TCP port 53; let's go ahead and back this up, and instead we're going to do udp.port == 53, and here we have one DNS call. Now notice, when Wireshark recognizes DNS, when it actually sees that payload there, it's able to go oh, this isn't just UDP, this is DNS. This is great, so when it sees that actual application using it, that's why instead of seeing UDP here we're actually going to see the application itself, and that's going to be DNS. All right, so here we can see a request for DNS go out; 34 milliseconds later we see a DNS response. So DNS, there are a lot of different ways we can use it, but if you just keep it very simple, it's the phone book of the internet. When you go out to a web browser and you type in a name, DNS is resolving that name to an IP address that you can then go connect to.

But how do we find out about DNS? How do we know what our DNS server is? Well, that brings us to our next protocol that we want to make sure we know, and that is DHCP, Dynamic Host Configuration Protocol. All right, so what port or ports does it use? Well, in this case we actually have to know about two of them, okay, so just remember this: 67. What's the other one? 68. All right, basically one's a client, one's a server, and let's take a look at that in Wireshark. So this time in Wireshark, instead of denoting a port number, what I'm going to do is I'm going to come back here and I'm just going to say dhcp. All right, so here we have the four packets that make up a DHCP conversation, and this is when we first come on to the network. We don't know who we are yet, we don't yet have an IP address, we don't know who our DNS server is, we don't have our gateway or what our subnet is. We're just coming up, we're waking up and we're just joining this network and we need some help, right? All we know is our MAC address. So with DHCP we're able to find, first of all, and that's why it says Discover, that's the first packet there, we're able to find who out there is offering DHCP. That DHCP server responds and says oh, you're new here, you want an address? So here you go. Dynamic Host Configuration Protocol, that's what we're using. Notice for a second the port numbers: if you take a look at UDP, the server is going to be using port 67, the client usually uses port 68, okay? And again, that's UDP 67 and 68. Now Wireshark recognizes that, so we can go a little deeper into DHCP without going too far for the purposes of this video, but here we have the client address that was sent in the Discover, and now the server is coming back and saying oh great, okay, here's an address for you, here's a subnet mask, here's a lease time, here's DHCP, and usually, in many cases, you also get a DNS in there as well, and in some cases you'll even get more instructions, if you're a phone, of who to download your configuration from and so on. All right, so four packets: Discover, Offer, Request, Acknowledge. That's the flow for DHCP. It's UDP based and there are two ports. What are those again? 67 and 68.

Next, let's just keep on going in the 60s, right? We had 67, 68, let's go and go to port 69, and that is, what's the name? Let's do it in reverse here. Okay, we know the port, 69; what's the name? TFTP. Good job if you got that. All right, so port 69, TFTP. Okay, so let's take that closer look at TFTP, Trivial File Transfer Protocol. Let's get into Wireshark. Now if we go to the beginning of our conversation here, at the beginning of this trace file, here we can see we have a read request. So basically this protocol is used for moving files, but unlike FTP it just does it in a more simple way. Okay, so there's a lot going on here, but let's just go ahead and keep this simple. Right here the client is just saying hey, give me this file, rfc1350.txt. Now notice that this is over UDP, right? So this is a UDP exchange; this isn't over TCP. That's why we don't have a three-way handshake, that's why we don't have to set up this connection or conversation. Really, this is just best effort: go get that file, and let's see what happens. So first we ask for that file, and notice right after this, at least in this conversation, we're no longer using port number 69 here; now we're using these higher-numbered ports, and we can see that this is data actually starting to come across, and Wireshark is recognizing it as TFTP. Now, like its cousin FTP, TFTP as well can have a control port or a control conversation, and that's what we see on port 69, and then it can actually move the data over a different port between client and server.

Okay, next, a very popular one, one you're definitely going to be tested on or need to know, and that is HTTP. Okay, so let's talk about this. What port number is HTTP? Okay, good job, hopefully that's one that you got: port 80. Let's go ahead and peek at what we have in the pcap. So we're just going to do TCP this time, flipping back to TCP for a little bit: tcp.port == 80. And here we've got some HTTP stuff. Now this is a fun protocol to take a look at on the wire, because HTTP is still going to be clear text; we can still read what's actually happening. We can see the GETs, we can see the responses, and what I'd like you to do is come down here, if you take a look at the GET that you see; let's go and jump over that scan traffic up there, we're going to take a look at that first GET. Hopefully you see it within a few packets. You're going to right-click it, you're going to go to Conversation Filter, TCP. Okay, so here we can see we have a SYN, SYN-ACK, and then we can see a retransmission and so on. What I'd like you to do, instead of worrying too much about that TCP setup, what we're going to do is come down here just to the GET, and we can see that we're just asking a question of that server: hey, GET, HTTP/1.0, GET /, give me your root page. All right, and we can see that in clear text down below. Now the server acknowledges, and then right away it comes back with OK, so this is where we can see some more clear text stuff. So this is telling us the type of server that's running, oh, and we have one of those interesting pictures that we can see on the command line. Let's go and investigate this and see what kind of server it was. If we right-click and go to Follow TCP Stream, what we're going to see here is again that Metasploitable 2. So what type of server is it running? Here we can see that it's running Apache 2.2.8 and powered by PHP and so on. Now that banner that we just grabbed, we can see that in clear text from the wire itself. So HTTP, Hypertext Transfer Protocol, that's used for moving that web data, for getting web pages, and even for sending and receiving files. But anymore you're not going to see as much port 80, especially going out to the web, because it's not secure; we can see the data right there on the wire.

All right, our next protocol. Now let's shift this up a bit: I'm going to give you a port number and you tell me the protocol itself. So here's the port number: 110. What do we got? POP, Post Office Protocol. Now POP has gone through a lot of versions and iterations. Back in the 1980s is when the RFCs came out for the Post Office Protocol, and it started with POP1, POP2, and now really, if we see it anymore, it's gonna be POP3. So POP3 is over port 110, but let's go ahead and check it out on the wire. Okay, so I'm going to come in here. Now POP3 is going to be moving important data around, right? It's an email-based protocol, Post Office Protocol. So let's go ahead and take a look at tcp.port, and let's check out port 110. So here I can see POP3: the client is going out and establishing a connection, and we can see the response come back from that server, and we see "Dovecot ready" and so on. There are several things that we can see here in clear text; that's interesting to note. Let's go ahead and take a closer look. Let's right-click, we're going to go to Follow TCP Stream, and here is where we can see some of the login and authentication information. If we come down here we can actually see some of the message information. This is actually an email that we can see here in clear text. Uh oh, right? So we can see that POP3 over port 110 is not going to be secure; we can see it in clear text. So what has the industry done about this? Well, remember this one as well: when you think POP3, also remember port 995. Now 995 is going to use, like we see here at the bottom of our screen, we can actually see it just spelled out for us: POP3 over port 995 is actually going to use TLS, Transport Layer Security, so that's going to be encrypted. So POP3 unencrypted, port 110; POP3 encrypted is going to be 995.

Now, while we're here, let's go ahead and talk about another email protocol, IMAP. All right, and you can see it here in our Follow TCP Stream. What are the port numbers for IMAP? Well, if we're not going to be using it securely, then that's going to be port 143; however, anymore, if we do see it, it's going to be over port 993. That's going to be the secure TLS version of IMAP.

Okay, so one other protocol that might show up on your test, and that is, what is this? Network Time Protocol, NTP. Now, the port number: easy as counting to one, two, three, port 123. Let's see it in action. Now Wireshark can recognize NTP as an application, so let's go ahead and pop that in, ntp. If we come down here we can see this is over UDP, and in both directions we have port 123. Now what's the point of NTP? Well, it's a mechanism for devices to be able to check in with an authority to be able to accurately set their time, and that's for synchronization. We want to make sure that everybody is on the same page when it comes to timing, and that's what NTP is used for. So remember that: UDP port 123.

All right, keeping with UDP, let's go ahead and take a look at one more. This time I'm going to show you the port number, okay: UDP 161. What's the application, or what's the protocol that uses it? SNMP. So especially in the networking world we want to make sure that we understand this one, so let's take a look at it. Now I just said that's UDP based, so let's go ahead and let's just do it from a port perspective: udp.port == 161. All right, okay, SNMP, Simple Network Management Protocol. All right, this is a get-response, get-response type protocol, but what does it do? Well, just like the name implies, it allows us to simply get management information off of our network or infrastructure. So instead of logging into a switch and saying hey, how many errors are on port 2? That's something that an SNMP tool can do: it can query the network and ask SNMP questions and get responses back, so we can have all of that in a central location. Really, it just allows us to monitor the network from a central point. Now there are other ways that we can use SNMP, but that's the big one.

Okay, let's go to the next protocol. How about this one: LDAP, Lightweight Directory Access Protocol. What's the port number? Good job, 389, that's what we're going to use. So let's go ahead and take a look at it in Wireshark. Okay, simply, what does LDAP do? It's authentication and directory services. It's a way of accessing information and authenticating to the system. Now it's open, it's vendor neutral, it can be used in a lot of different environments, but let's go ahead and take a look at it on that port 389. All right, I went ahead and set the filter for LDAP, or for tcp.port 389, and we can see that it's TCP based. So just to keep this at a high level with LDAP, we're just doing our bind request: here's just a simple login, great success, wonderful, come on in. Let's go ahead and look, lurk around, see what you want to get, and here we're taking a look at the whole subtree, and then we go ahead and shut down our connection. So a simple LDAP check-in, and that's what we're doing here in this pcap. So really we're just knocking on the door here; we're not doing a whole lot with LDAP. There's a whole lot that we could say about it, but just remember that: Lightweight Directory Access Protocol.

Okay, another one, another protocol you're absolutely going to be tested on, and that is HTTPS. What's the port number? TCP 443, all right, good. Now just so you remember as well, it's also possible that we could have UDP 443; now that's going to be HTTP/3 over QUIC. Now, if you're watching this on a Chrome browser, or even Firefox, and your network is allowing it, the firewalls are allowing it through, it's possible you're even watching this video over UDP 443. Okay, so what's it look like on the wire? Let's take a look. Let's go ahead and go into our display filter; this time we're going to type in tcp.port == 443. Okay, so we can see here that we have SYN, SYN-ACK and so on. So let's come down here to this conversation; now we're just coming down to the Client Hello, and notice here, if you take a look at that Client Hello down here, I'm just gonna right-click and I'm going to say Conversation Filter, TCP, just to focus in on that one conversation. Right away, the nice thing, at least at this point in time, if I go to the Client Hello in TLS, I can come down and I can see clear text: "wireshark". That's about the only clear text stuff that you're going to get, though, just at the very beginning. What the client is just saying to the server is hey, I want to talk to the wireshark server on you; that way a server can host multiple different sites, and I want to talk to the wireshark one. And then that server can come back with a Server Hello. Now everything after this is going to be encrypted, especially if we're using TLS 1.2 or 1.3, and of course QUIC, which is over UDP. Now, more information about how those protocols work is in other videos, but our point here: HTTP secure web is going to be over TCP 443, or when it's using QUIC, it's going to be UDP 443.

All right, one last protocol we're going to talk about: SMB. What's the port number? 445, okay, nice job. Now what does SMB do? Server Message Block, it's basically moving files, okay, especially in a Windows environment. If we're connecting to a shared drive on a network and we're uploading and downloading files, a lot of times that's going to be over port 445, SMB. So let's see how it looks. If we come in here, I'm just going to remove this filter, just going to do tcp.port == 445. All right, so we have some SMB stuff. Let's go and take a look at this first conversation, let's right-click, just going to go to Conversation Filter, TCP, just to take a look at this very first one. Now SMB has a lot of versions, okay, so here we're just tinkering around with SMB version 2. What version are you running on your network? All right, so really we log into a system, we manipulate files, and then we're able to download or upload files to another system on our network. That's the point of SMB.

So if you're going into network engineering, or you're studying for a cyber security certification, or any network certification for that matter, these are the common protocols that you're gonna have to remember. Hopefully you found this more useful than just going through a bunch of flash cards. You can go ahead and take this video, watch it through a few times, and hopefully it helps you to remember those common protocols and port numbers that you're gonna need to know. Thanks for sticking around with me, and I'll see you on another video.
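An added example, not code from the video or its author, that models two things shown above in Wireshark: a port filter such as tcp.port == 21 catches the whole conversation (handshake, resets, data) while a protocol-name filter such as ftp catches only packets carrying that protocol's payload, and a per-conversation grading of which of the well-known ports carry logins or messages in clear text, including the STARTTLS upgrade on port 25. All packets are constructed inline; `pkt`, `filter_port`, `filter_protocol`, `assess_flows` and `sample_capture` are hypothetical helper names, not Wireshark functions.

```python
# (transport, port) -> protocol: the port table the video walks through.
WELL_KNOWN = {
    ("tcp", 21): "ftp", ("tcp", 22): "ssh", ("tcp", 23): "telnet",
    ("tcp", 25): "smtp", ("tcp", 587): "smtp", ("udp", 53): "dns",
    ("udp", 67): "dhcp", ("udp", 68): "dhcp", ("udp", 69): "tftp",
    ("tcp", 80): "http", ("tcp", 110): "pop3", ("tcp", 995): "pop3",
    ("udp", 123): "ntp", ("udp", 161): "snmp", ("tcp", 143): "imap",
    ("tcp", 993): "imap", ("tcp", 389): "ldap", ("tcp", 443): "https",
    ("udp", 443): "https", ("tcp", 445): "smb",
}
CLEARTEXT_PORTS = {21, 23, 80, 110, 143}  # logins or messages readable on the wire
ENCRYPTED_PORTS = {22, 443, 993, 995}     # SSH, HTTPS/QUIC, IMAP and POP3 over TLS
SMTP_PORTS = {25, 587}                    # clear text unless the client issues STARTTLS

def pkt(transport, sport, dport, payload=b""):
    """One constructed packet record; an empty payload means headers only (SYN, ACK, RST)."""
    return {"transport": transport, "sport": sport, "dport": dport, "payload": payload}

def service_port(transport, ports):
    """Pick the well-known service port out of a packet's two ports, or None."""
    return next((pt for pt in sorted(ports) if (transport, pt) in WELL_KNOWN), None)

def protocol_of(p):
    """Name the application protocol as Wireshark does: only when a payload is present."""
    port = service_port(p["transport"], (p["sport"], p["dport"]))
    if port is None or not p["payload"]:
        return None  # handshake, acknowledgement, reset or scan probe: transport headers only
    return WELL_KNOWN[(p["transport"], port)]

def filter_port(packets, transport, port):
    """Like the display filter tcp.port == 21: every segment of the conversation."""
    return [p for p in packets
            if p["transport"] == transport and port in (p["sport"], p["dport"])]

def filter_protocol(packets, name):
    """Like the display filter ftp: only the segments that carry that protocol's data."""
    return [p for p in packets if protocol_of(p) == name]

def assess_flows(packets):
    """Group packets into conversations and grade each as the video does on the wire.

    Returns {(transport, low_port, high_port): (protocol or None, verdict)}; the verdict is
    'cleartext', 'encrypted', 'starttls', 'unrated' or 'no-payload' (bare handshake/scan).
    """
    flows = {}
    for p in packets:
        key = (p["transport"],) + tuple(sorted((p["sport"], p["dport"])))
        flows.setdefault(key, []).append(p)
    graded = {}
    for key, pkts in flows.items():
        port = service_port(key[0], key[1:])
        if port is None or not any(p["payload"] for p in pkts):
            graded[key] = (None, "no-payload")
            continue
        name = WELL_KNOWN[(key[0], port)]
        if port in SMTP_PORTS:
            # Look for the client's STARTTLS command, not the server's "250 STARTTLS" advert.
            upgraded = any(p["payload"].split(b"\r\n")[0].strip().upper() == b"STARTTLS"
                           for p in pkts)
            verdict = "starttls" if upgraded else "cleartext"
        elif port in ENCRYPTED_PORTS:
            verdict = "encrypted"
        elif port in CLEARTEXT_PORTS:
            verdict = "cleartext"
        else:
            verdict = "unrated"  # DNS, DHCP, TFTP, NTP, SNMP, LDAP, SMB: not graded here
        graded[key] = (name, verdict)
    return graded

def sample_capture():
    """Constructed packets echoing the video's trace: an FTP login with its handshake,
    two SMTP sessions (one upgraded, one not), a TCP/53 scan probe, a DNS query, SSH."""
    return [
        pkt("tcp", 40001, 21), pkt("tcp", 21, 40001), pkt("tcp", 40001, 21),  # SYN, SYN-ACK, ACK
        pkt("tcp", 21, 40001, b"220 FTP server ready\r\n"),
        pkt("tcp", 40001, 21, b"USER alice\r\n"),
        pkt("tcp", 40001, 21, b"PASS example-password\r\n"),
        pkt("tcp", 40002, 25, b"EHLO client.example\r\n"),
        pkt("tcp", 25, 40002, b"250-mail.example\r\n250 STARTTLS\r\n"),
        pkt("tcp", 40002, 25, b"STARTTLS\r\n"),
        pkt("tcp", 40003, 25, b"EHLO client.example\r\n"),
        pkt("tcp", 40003, 25, b"MAIL FROM:<alice@example>\r\n"),
        pkt("tcp", 40004, 53), pkt("tcp", 53, 40004),  # SYN then RST: scan, no DNS payload
        pkt("udp", 40005, 53, b"\x12\x34\x01\x00\x00\x01"),  # constructed DNS query header
        pkt("tcp", 40006, 22), pkt("tcp", 22, 40006, b"SSH-2.0-OpenSSH\r\n"),
    ]
```

Run `assess_flows(sample_capture())` to see the FTP and second SMTP session flagged as cleartext, the first SMTP session as starttls, and the TCP/53 probe as a payload-less scan.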
Info
Channel: Chris Greer
Views: 18,400
Keywords: intro to wireshark, wireshark, chris greer, free wireshark training, wireshark for beginners, wireshark tutorial, packet analysis, TCP/IP, ccna, comptia network+, CEH certification, penetration testing, pentest+, security+, CEH, ethical hacking, network ports, TCP ports, http, https, telnet, ssh, network protocols and ports, ccna training, smtp protocol, http explained, cisco ccna
Id: n7kYogsTkVo
Length: 28min 4sec (1684 seconds)
Published: Tue Mar 01 2022