Binary protocols and inspecting protocols

In notebook:
FrontEndMasters Networking and Streams
Created at:

text protocols

So far, we've seen a number of text protocols:

  • http
  • smtp
  • irc

These are nice protocols to implement because you can inspect the data going over the wire visually and type requests using the keyboard.

binary protocols

In binary protocols, you can't just type messages with the keyboard like we've been doing. You've got to write programs that unpack the incoming bytes and pack outgoing bytes according to the specification.


$ nc 22
SSH-2.0-OpenSSH_6.0p1 Debian-4+deb7u2
Protocol mismatch. ☛ tells you that it's NOT a text based protocol

Aside from the initial greeting, the rest of the ssh protocol expects binary.

You need special programs that know how to handle these protocols.

Luckily, the ssh command does the work of speaking the protocol for us:

$ ssh
substack@origin : ~ $ 

inspecting protocols

To inspect protocols, you can capture everything coming out of and into your wireless or ethernet card using:

These would not work with ssh which is encrypted, but with other protocols

  • wireshark for a graphical tool
  • tcpdump for a command-line tool


First install tcpdump:

sudo apt-get install tcpdump

then do:

$ sudo tcpdump -X

to see each packet with a hexadecimal representation in the middle and ascii on the right.

It's useful for debugging. Or to see what exactly a program is doing ("phoning home" etc.)

Some of the dump it prints out is in plain text (http)


To filter the output so that we only see HTTP traffic, we can filter the output to only show traffic on port 80:

$ sudo tcpdump 'tcp port 80' -X

Now we can see the raw html. This is for any computer on the network (wifi). Your computer can see everything that is not encrypted in the wifi network.

also try:

$ sudo tcpdump 'tcp port 80' -A

If you run tcpdump on a wifi connection, you will also see unencrypted traffic from other users.

Please respect their privacy!

But also note that anyone could be sniffing in on your unencrypted traffic, and not just at the level of wifi.

protocol links

Best is to read these rfc files to pick up some interesting info