Internet Relay Chat (IRC) protocol with Wireshark - Security Boulevard

Introduction to the IRC protocol

Internet Relay Chat (IRC) uses a client-server model to provide a chatroom. A single IRC server is set up, and users connect to the server via IRC clients. The protocol allows users to set usernames on the server and engage in private chats or group chats via different IRC channels.

IRC is a plaintext protocol that is officially assigned port 194, according to IANA. However, running the service on this port requires running it with root-level permissions, which is inadvisable. As a result, the well-known port for IRC is 6667, which is a high-numbered port that does not require elevated privileges. An IRC server can also be configured to run on other ports.

IRC is a simple but powerful protocol for text-based chat. However, its usage has declined over time as alternatives (like Slack) have become popular. While the presence of IRC in network traffic does not necessarily indicate an attack, it might be worth investigating since IRC is commonly used for communication by botnets.

The IRC protocol in Wireshark

IRC traffic can be filtered in Wireshark using the irc display filter. However, like many protocol-based filters, it cannot be used as a capture filter during live capture, so it is recommended to filter based on IRC ports (like 6667) instead.

As shown in the image above, IRC is a text-based protocol. A client can send a certain command (like NICK) along with a set of optional parameters. The server will then respond with a response code and optional data regarding the status of the request or containing the information that the user wanted.
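The command-and-reply structure described above can be pulled out of a reassembled TCP stream with a short parser. This is an added example, not code from the original article: it follows the RFC 1459 message grammar (optional :prefix, command, parameters, optional :trailing), and the function names, the host irc.example.net and the sample stream are constructed for illustration.

```python
# Constructed sample: one reassembled TCP stream on port 6667, with
# client commands and server replies interleaved as they appear on the wire.
SAMPLE_STREAM = (
    b"NICK alice\r\n"
    b":irc.example.net 433 * alice :Nickname is already in use\r\n"
    b"NICK alice_\r\n"
    b"USER alice 0 * :Alice Example\r\n"
    b":irc.example.net 001 alice_ :Welcome to the network\r\n"
    b"JOIN #ops\r\n"
    b":irc.example.net 353 alice_ = #ops :alice_ bob\r\n"
    b"PRIVMSG #ops :hello world\r\n"
)

def parse_line(line):
    """Split one IRC line into (prefix, command, params); None if empty."""
    prefix = None
    if line.startswith(":"):
        # A leading ':' marks the message origin (usually the server name).
        prefix, _, line = line[1:].partition(" ")
    # Everything after the first " :" is a single trailing parameter
    # that may contain spaces (chat text, welcome banners, name lists).
    head, sep, trailing = line.partition(" :")
    parts = head.split()
    if not parts:
        return None
    params = parts[1:] + ([trailing] if sep else [])
    return prefix, parts[0].upper(), params

def summarize(stream):
    """Collect nicknames, channels, messages and numeric replies from a stream."""
    report = {"nicks": [], "channels": [], "messages": [], "numerics": []}
    for raw in stream.splitlines():  # bytes.splitlines handles \r\n and bare \n
        msg = parse_line(raw.decode("utf-8", errors="replace").strip())
        if msg is None:
            continue
        prefix, command, params = msg
        if len(command) == 3 and command.isdigit():
            report["numerics"].append((prefix, command))  # server response code
        elif command == "NICK" and params:
            report["nicks"].append(params[0])
        elif command == "JOIN" and params:
            report["channels"].extend(params[0].split(","))
        elif command in ("PRIVMSG", "NOTICE") and len(params) >= 2:
            report["messages"].append((params[0], params[1]))
    return report
```

Calling summarize() on a stream exported from a capture gives a quick view of which nicknames, channels and message targets appeared, which is the information an analyst checks first when IRC shows up unexpectedly.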

By default, IRC is a plaintext protocol, meaning that anyone with access to an organization’s network traffic could read the data flowing over IRC. However, it is possible to run IRC while encrypted (Read more...)

*** This is a Security Bloggers Network syndicated blog from Infosec Resources authored by Howard Poston. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/xkRDXLMlrqY/