Small Servers PCAP

For some reason, I came across a blog post by Gian Paolo called Small servers. This reminded me of some fairly old network protocols (that no one uses as far as I know) that are not in my Ultimate PCAP yet. Hence I took some minutes, captured them, and took some Wireshark screenshots. They are: echo, discard, daytime, chargen, and time. Mostly via TCP and UDP, and, as you would have expected, IPv6 and legacy IP.

I’m aware that this is not of interest to most of you. :) But for the sake of completeness, and because I love adding new protocols to the Ultimate PCAP, I added them though.

I used an old Cisco 2811 router with IOS version 15.1(4)M12a for this:

The registered transport protocol port numbers and the transport layer protocols implemented on Cisco routers are:


For the daytime to work with UDP, I queried my Meinberg LANTIME M200 at (AAAA) and (A) respectively. Furthermore, I also queried the “time” protocol, port number 37, against the Meinberg since it is not implemented by Ciscos small-servers.

Some Nmap scans, just for reference:

Calling Them: Basically Telnet

To be honest, all of those protocols basically rely on mere TCP or UDP, just like HTTP or SMTP or all the other plaintext protocols out there. That is: telnet and netcat for these scenarios here. Now for all those 5 protocols, I did 4x calls each, namely TCP for IPv6 and legacy IP, as well as UDP for IPv6 and legacy IP. I referenced the protocols by either their name or their numerical number: (Reminder: Exiting telnet with ^] which is “Strg +” on a german keyboard.)


The complete story is this:

Note that the “time” protocol is the only one which does not display ASCII characters in the telnet session, but kind of junk. ;) This is due to its format: “The server then sends the time as a 32-bit unsigned integer in binary format and in network byte order, representing the number of seconds since 00:00 (midnight) 1 January, 1900 GMT.”

Under the Magnifying Glass: Wireshark

Let’s have a brief look at those protocols with Wireshark.

Remember when using display filters within Wireshark: Using the protocol name itself such as echo only displays the mere protocol-specific packets, but not the stuff around it like the TCP handshake and so on. If you would like to see the whole thing, you must use something like tcp.port eq 7 .


The Echo protocol simply sends back everything it has received. Specified in RFC 862. Fun fact: The whole RFC is only ONE PAGE!!!

As you can see in the screenshot, I’ve done it via TCP and UDP, both for IPv6 and legacy IP. A good time to point to the “Follow TCP Stream” or “Follow UDP Stream” again:


Uh, as of now (November 2022), Wireshark does not yet recognize the “Discard” protocol at port 9. I added a feature request here. Use this display filter to find it nevertheless: tcp.port eq 9 or udp.port eq 9

The Discard service, RFC 863, simply discards everything it has received. For TCP, everything is ACKed at least (no data is sent back, though), while for UDP you won’t see any packets from the server. However, seems like my router did not listen on the Discard port 9 for UDP on IPv6, since an ICMPv6 destination unreachable -> port unreachable came back:


“A daytime service simply sends the current date and time as a character string without regard to the input”, RFC 867. Different implementations send different structures of pure ASCII letters:


The Character Generator Protocol “simply sends data without regard to the input”, RFC 864. My Cisco router only replied by TCP though. Good example to “Follow TCP Stream” again:


Finally, the Time protocol on port 37, RFC 868, returns the number of seconds since 01.01.1900. Wireshark decodes it:

The End

And yes, at the very end, I disabled those small-servers again on the Cisco router:

Photo by Kris-Mikael Krister on Unsplash.

2 thoughts on “Small Servers PCAP

  1. Kudos for constant progress on PCAPs.
    Tiny servers reminds my early tcp/ip years and other loved tools like gopher or nttp.
    Keep that momentum!

Leave a Reply

Your email address will not be published. Required fields are marked *