Skip to content

SOCKS5 Protocol Analysis with PCAPs

Overview

This is a runthrough of the SOCKS5 protocol through packet captures demonstrating different commands, authentication methods, and real-world use cases. The goal is just to become familiar with the protocol and be able to understand/identify when it is being used and what that ends up looking like in a pcap. RFC 1928 goes into the nitty gritty, but let's be honest, having some visuals ends up being a lot more helpful in making sense of things.

About These Captures

All PCAP files in this collection show complete, packet flows with detailed header breakdowns, but were fabricated and not derived from actual traffic. They're designed for learning, testing, and protocol analysis.

Network Topology

Client: 192.168.1.100 (MAC: 00:11:22:33:44:55)
  │
  │ Port: Dynamic (54321-54325)
  ↓
Proxy:  192.168.1.200 (MAC: aa:bb:cc:dd:ee:ff)
  │
  │ SOCKS Port: 1080
  ↓
Destination Servers (various)

Available PCAP Files

File Scenario Key Features
socks5_no_auth_http.pcap CONNECT + HTTP No authentication, IPv4, HTTP plaintext
socks5_userpass_auth.pcap CONNECT + HTTPS Username/password auth, domain name, TLS
socks5_bind.pcap BIND command Incoming connections, FTP data channel
socks5_udp_associate.pcap UDP relay DNS queries, UDP encapsulation
socks5_ssh.pcap CONNECT + SSH SSH protocol tunneling, encryption

SOCKS5 Protocol Basics

Handshake Flow

sequenceDiagram
    participant C as Client
    participant P as Proxy
    participant S as Server

    C->>P: 1. Greeting (methods)
    P->>C: 2. Method Selection

    opt Authentication Required
        C->>P: 3. Auth Credentials
        P->>C: 4. Auth Response
    end

    C->>P: 5. Connection Request
    P->>S: 6. Establish Connection
    S->>P: 7. Connection ACK
    P->>C: 8. Reply (success/failure)

    Note over C,S: Tunnel Established
    C->>P: Application Data
    P->>S: Application Data
    S->>P: Application Data
    P->>C: Application Data

Command Types

SOCKS5 Commands

  • CONNECT (0x01): Establish TCP stream to destination
  • BIND (0x02): Listen for incoming TCP connection
  • UDP ASSOCIATE (0x03): Relay UDP datagrams

Scenario 1: No Authentication + HTTP

File: socks5_no_auth_http.pcap

Description

Demonstrates the simplest SOCKS5 flow: client connects to example.com (93.184.216.34:80) without authentication and sends an HTTP GET request.

Packet Flow

Phase 1: TCP Handshake (Packets 1-3)

Client → Proxy:1080 [SYN]
Proxy → Client       [SYN-ACK]
Client → Proxy       [ACK]

Phase 2: SOCKS5 Negotiation

Packet 4: Client Greeting

Direction: Client  Proxy
TCP Payload:

05 01 00
Byte Value Meaning
0 05 SOCKS version 5
1 01 Number of authentication methods
2 00 Method: No authentication required

Packet 6: Method Selection

Direction: Proxy  Client
TCP Payload:

05 00
Byte Value Meaning
0 05 SOCKS version 5
1 00 Selected method (no auth)

Packet 8: Connection Request

Direction: Client  Proxy
TCP Payload:

05 01 00 01 5D B8 D8 22 00 50
Offset Bytes Value Meaning
0 1 05 SOCKS version 5
1 1 01 CONNECT command
2 1 00 Reserved
3 1 01 Address type (IPv4)
4-7 4 5D B8 D8 22 93.184.216.34 (example.com)
8-9 2 00 50 Port 80 (HTTP)

wiresharkPacket8 The real destination IP address is conveyed in this CONNECT packet as the Remote Host. This is what Wireshark uses to fill in SOCKS layer details in packet 12 even though packet 12 does not contain actually contain the Remote Host IP address.

Packet 10: Reply

Direction: Proxy  Client
TCP Payload:

05 00 00 01 5D B8 D8 22 00 50
Offset Bytes Value Meaning
0 1 05 SOCKS version 5
1 1 00 Success
2 1 00 Reserved
3 1 01 Address type (IPv4)
4-7 4 5D B8 D8 22 Bound address
8-9 2 00 50 Bound port

Tunnel Established

After this packet, the SOCKS tunnel is established. All subsequent traffic is transparent relay.

Phase 3: Application Protocol (HTTP)

Packet 12: HTTP GET Request

GET / HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0
Accept: */*

No SOCKS Headers

Notice there are no SOCKS protocol headers in this packet. The proxy transparently relays the HTTP request. If you are viewing in Wireshark, it will add a SOCKS layer to the Packet Details pane to be helpful, but as mentioned earlier, the bytes are not actually present in the packet.

wiresharkSOCKSGETrequest

Packet 14: HTTP Response

HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 13

Hello World!

Key Observations

  • SOCKS negotiation completes in 4 packets (greeting, method, request, reply)
  • Total overhead: ~20 bytes
  • Application protocol is completely transparent
  • No encryption - HTTP is readable in plaintext

When you follow the TCP Stream for the session, you notice immediately that it does not look like a vanilla http GET request. SOCKShandshake

Scenario 2: Username/Password Authentication

File: socks5_userpass_auth.pcap

Description

Shows SOCKS5 with username/password authentication connecting to example.com:443 (HTTPS), followed by TLS handshake.

Authentication Credentials

Username: alice
Password: secret123

Extended Packet Flow

Packet 4: Client Greeting

05 01 02
Byte Value Meaning
0 05 SOCKS version 5
1 01 Number of methods
2 02 Method: Username/Password

Packet 6: Method Selection

05 02
Byte Value Meaning
0 05 SOCKS version 5
1 02 Selected method (username/password)

Packet 8: Authentication Request

01 05 61 6C 69 63 65 09 73 65 63 72 65 74 31 32 33
Offset Bytes Value Meaning
0 1 01 Auth protocol version
1 1 05 Username length (5 bytes)
2-6 5 61 6C 69 63 65 "alice" (ASCII)
7 1 09 Password length (9 bytes)
8-16 9 73 65 63 72 65 74 31 32 33 "secret123" (ASCII)

Security Warning

Username and password are transmitted in cleartext. Always use SOCKS over an encrypted channel (SSH, TLS) when using password authentication.

Packet 10: Authentication Response

01 00
Byte Value Meaning
0 01 Auth version
1 00 Success (non-zero = failure)

Packet 12: Connection Request with Domain Name

05 01 00 03 0B 65 78 61 6D 70 6C 65 2E 63 6F 6D 01 BB
Offset Bytes Value Meaning
0 1 05 SOCKS version 5
1 1 01 CONNECT command
2 1 00 Reserved
3 1 03 Address type (Domain name)
4 1 0B Domain length (11 bytes)
5-15 11 65...6D "example.com"
16-17 2 01 BB Port 443 (HTTPS)

DNS Privacy

When using domain names, DNS resolution happens at the proxy, preventing DNS leaks to local network observers.

Packet 16: TLS Client Hello

ClientHello

16 03 01 00 50 01 00 00 4C 03 03 [32 random bytes]...
Offset Bytes Meaning
0 1 TLS Handshake record type (0x16)
1-2 2 TLS version (3.1 = TLS 1.0)
3-4 2 Record length
5 1 Handshake type (0x01 = Client Hello)
... ... Client random, cipher suites, extensions

Key Observations

  • Authentication adds 2 extra packets to handshake
  • Credentials sent in plaintext within SOCKS connection
  • Domain name resolution delegated to proxy
  • TLS encrypts application data after handshake

Scenario 3: BIND Command

File: socks5_bind.pcap

Description

Demonstrates the BIND command, used for protocols requiring the server to connect back to the client (e.g., FTP data connections).

Note: BIND is not common nowadays

- Most protocols switched to client-initiated models (FTP PASV, HTTP, etc.)
- NAT traversal techniques (STUN/TURN/ICE) handle P2P better
- WebRTC and modern real-time protocols have better solutions
- It's complex to implement and maintain

Modern equivalent: NAT traversal techniques or relay servers (like TURN) handle this better for contemporary protocols. BIND exists mainly for legacy protocol compatibility.

BIND Flow

sequenceDiagram
    participant C as Client
    participant P as Proxy
    participant S as Server

    C->>P: BIND Request
    P->>C: First Reply (listening address)
    Note over P: Proxy listens on<br/>192.168.1.200:5000

    Note over C: Client tells server to<br/>connect to 192.168.1.200:5000

    S->>P: Connection from 10.0.0.50:21
    P->>C: Second Reply (connection established)

    Note over C,S: Data flows through tunnel

Critical Packets

Packet 8: BIND Request

05 02 00 01 00 00 00 00 00 00
Offset Bytes Value Meaning
0 1 05 SOCKS version 5
1 1 02 BIND command
2 1 00 Reserved
3 1 01 IPv4
4-7 4 00 00 00 00 0.0.0.0 (any address)
8-9 2 00 00 Port 0 (any port)

Packet 10: First Reply (Bound Address)

05 00 00 01 C0 A8 01 C8 13 88
Offset Bytes Value Meaning
0 1 05 SOCKS version 5
1 1 00 Success
2 1 00 Reserved
3 1 01 IPv4
4-7 4 C0 A8 01 C8 192.168.1.200 (proxy IP)
8-9 2 13 88 Port 5000

What Happens Next

The proxy is now listening on 192.168.1.200:5000. The client can tell the remote server (e.g., FTP server) to connect to this address.

Packet 12: Second Reply (Connection Established)

05 00 00 01 0A 00 00 32 00 15
Offset Bytes Value Meaning
0 1 05 SOCKS version 5
1 1 00 Success
2 1 00 Reserved
3 1 01 IPv4
4-7 4 0A 00 00 32 10.0.0.50 (server that connected)
8-9 2 00 15 Port 21 (FTP)

Tunnel Ready

The server has connected to the proxy's listening socket. The tunnel is now established for bidirectional data transfer.

Use Cases

  • FTP PORT mode data connections
  • IRC DCC file transfers
  • Peer-to-peer protocols
  • Any protocol requiring reverse connections

Scenario 4: UDP ASSOCIATE

File: socks5_udp_associate.pcap

Description

Shows UDP relay through SOCKS5, using DNS as an example. UDP ASSOCIATE requires a TCP control connection to remain open.

UDP Encapsulation

Every UDP packet sent through SOCKS5 includes a header:

+----+------+------+----------+----------+----------+
|RSV | FRAG | ATYP | DST.ADDR | DST.PORT |   DATA   |
+----+------+------+----------+----------+----------+
| 2  |  1   |  1   | Variable |    2     | Variable |
+----+------+------+----------+----------+----------+

Critical Packets

Packet 8: UDP ASSOCIATE Request

05 03 00 01 C0 A8 01 64 23 28
Offset Bytes Value Meaning
0 1 05 SOCKS version 5
1 1 03 UDP ASSOCIATE command
2 1 00 Reserved
3 1 01 IPv4
4-7 4 C0 A8 01 64 192.168.1.100 (client's UDP addr)
8-9 2 23 28 Port 9000 (client's UDP port)

Packet 10: UDP ASSOCIATE Reply

05 00 00 01 C0 A8 01 C8 1F 40
Offset Bytes Value Meaning
0 1 05 SOCKS version 5
1 1 00 Success
2 1 00 Reserved
3 1 01 IPv4
4-7 4 C0 A8 01 C8 192.168.1.200 (proxy's UDP relay)
8-9 2 1F 40 Port 8000 (proxy's UDP port)

UDP Communication

Client should now send UDP packets to 192.168.1.200:8000 with SOCKS5 UDP headers.

Packet 12: Encapsulated UDP Packet (DNS Query)

00 00 00 01 08 08 08 08 00 35 [DNS query data]
Offset Bytes Value Meaning
0-1 2 00 00 Reserved
2 1 00 Fragment (0 = no fragmentation)
3 1 01 IPv4
4-7 4 08 08 08 08 8.8.8.8 (Google DNS)
8-9 2 00 35 Port 53 (DNS)
10+ var ... DNS query for google.com

Key Observations

  • TCP connection must stay open for UDP association lifetime
  • Every UDP packet includes 10-byte SOCKS5 header (for IPv4)
  • Fragment field supports UDP fragmentation
  • Closing TCP terminates UDP association

udpassociate

Scenario 5: SSH Through SOCKS

File: socks5_ssh.pcap

Description

Demonstrates SSH protocol tunneled through SOCKS5 to server 10.20.30.40:22.

SSH Protocol Flow

Packet 8: CONNECT Request

05 01 00 01 0A 14 1E 28 00 16
Offset Bytes Value Meaning
0 1 05 SOCKS version 5
1 1 01 CONNECT command
2 1 00 Reserved
3 1 01 IPv4
4-7 4 0A 14 1E 28 10.20.30.40 (SSH server)
8-9 2 00 16 Port 22 (SSH)

Packet 12: SSH Server Banner

SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.5\r\n

Protocol Detection

The string "SSH-2.0" immediately identifies this as SSH traffic, regardless of the SOCKS tunnel.

Packet 14: SSH Client Banner

SSH-2.0-OpenSSH_9.0\r\n

Packet 16: SSH Key Exchange Init

00 00 01 14 0A 14 [key exchange data]
Offset Bytes Meaning
0-3 4 Packet length (276 bytes)
4 1 Padding length
5 1 SSH_MSG_KEXINIT (0x14)
6+ var Cookie, algorithms, etc.

Packet 17: Encrypted SSH Traffic

00 00 00 40 [encrypted data]

Encryption

After key exchange, all SSH session data is encrypted. Commands, authentication, and terminal I/O are not visible.

Key Observations

  • SOCKS completely transparent to SSH
  • SSH banner exchange in cleartext
  • Port 22 strong indicator of SSH
  • Post-handshake encryption hides all content
  • SSH operates identically through SOCKS vs direct connection

Protocol Reference

SOCKS5 Version Field

Value Version
04 SOCKS4
05 SOCKS5

Command Field

Value Command Description
01 CONNECT TCP stream connection
02 BIND TCP listening socket
03 UDP ASSOCIATE UDP datagram relay

Address Type (ATYP)

Value Type Length
01 IPv4 4 bytes
03 Domain name 1 byte (length) + N bytes
04 IPv6 16 bytes

Reply Status Codes

Code Status Meaning
00 Succeeded Request successful
01 General failure SOCKS server failure
02 Not allowed Connection not allowed by ruleset
03 Network unreachable Network unreachable
04 Host unreachable Host unreachable
05 Connection refused Connection refused
06 TTL expired TTL expired
07 Command not supported Command not supported
08 Address type not supported Address type not supported

Authentication Methods

Value Method
00 No authentication required
01 GSSAPI
02 Username/Password
03-7F IANA assigned
80-FE Reserved for private methods
FF No acceptable methods

Analysis Techniques

Wireshark Display Filters

# Show SOCKS handshake packets only
tcp.port == 1080 && tcp.len > 0 && tcp.len < 100

# Show post-tunnel application data
tcp.port == 1080 && tcp.len > 100

# Show specific SOCKS commands
tcp.payload[0:1] == 05 && tcp.payload[1:1] == 01  # CONNECT
tcp.payload[0:1] == 05 && tcp.payload[1:1] == 02  # BIND
tcp.payload[0:1] == 05 && tcp.payload[1:1] == 03  # UDP ASSOCIATE

# Show UDP SOCKS packets
udp.port == 8000

Follow TCP Stream

  1. Right-click any packet in the SOCKS conversation
  2. Select Follow → TCP Stream
  3. Observe SOCKS negotiation at the beginning
  4. Application protocol becomes visible after success reply

Identifying SOCKS Traffic

Look for this sequence:

  1. Client greeting: 05 01 XX (version 5, method count, methods)
  2. Server response: 05 XX (version 5, chosen method)
  3. Request packet: 05 [01|02|03] 00... (version, command, reserved)
  4. Server reply: 05 00... (version, status)
  5. Application data: Pure protocol, no SOCKS headers

Security Considerations

What SOCKS Does NOT Provide

Security Limitations

  • No Encryption: SOCKS itself does not encrypt traffic
  • Authentication in Cleartext: Username/password sent unencrypted
  • Proxy Trust: Proxy can see and modify all unencrypted traffic
  • No Integrity: No protection against tampering

Recommendations

Best Practices

  1. Combine with TLS/SSL: Use HTTPS, not HTTP, over SOCKS
  2. SSH Tunneling: Use ssh -D 1080 for encrypted SOCKS tunnel
  3. Don't Rely on SOCKS for Confidentiality: Use application-layer encryption
  4. Strong Authentication: If proxy requires auth, use strong credentials
  5. Trust Your Proxy: It can see everything you send

Privacy Benefits

  • DNS Privacy: Domain resolution at proxy prevents DNS leaks
  • IP Hiding: Destination sees proxy IP, not client IP
  • Port/Protocol Diversity: Works for any TCP/UDP application
  • NAT Traversal: Can help bypass restrictive NATs

Command-Line Tools

tcpdump

# Read PCAP file with ASCII output
tcpdump -r socks5_no_auth_http.pcap -A | less

# Read with hex and ASCII
tcpdump -r socks5_no_auth_http.pcap -X | less

# Filter for SOCKS port
tcpdump -r socks5_no_auth_http.pcap -n port 1080

tshark

# Show all packets with full details
tshark -r socks5_no_auth_http.pcap -V

# Show only SOCKS negotiation
tshark -r socks5_no_auth_http.pcap -Y "tcp.port==1080" -V

# Extract HTTP data
tshark -r socks5_no_auth_http.pcap -Y "http" -V

# Export objects
tshark -r socks5_no_auth_http.pcap --export-objects http,output/

Wireshark

# Open in Wireshark GUI
wireshark socks5_no_auth_http.pcap

# Open multiple files
wireshark socks5_*.pcap

Comparison: HTTP Proxy vs SOCKS

Feature HTTP Proxy SOCKS4 SOCKS5
Protocol Support HTTP(S) only TCP only TCP + UDP
Authentication Basic/Digest None Multiple methods
DNS Resolution Client Proxy (4a only) Proxy
IPv6 Support Yes No Yes
UDP Support No No Yes
BIND Support No Yes Yes
OSI Layer Application (L7) Session (L5) Session (L5)
Header Modification Yes No No
Caching Possible No No

Additional Resources

RFCs

  • RFC 1928 - SOCKS Protocol Version 5
  • RFC 1929 - Username/Password Authentication for SOCKS V5
  • RFC 1961 - GSS-API Authentication Method for SOCKS Version 5