Analyzing an Ftp Connection With Wireshark

by: George El., February 2019, Reading time: 3 minutes

In this post we will analyze an ftp connection with wireshark. First we see that the client establishes a control connection to port 21 on the server. The server is the one with the public IP address. The RTT time is the difference between SYN and SYN-ACK and is 0.0849. (In order to see the time or delta between displayed packets you have to go to View, Time Display Format, Seconds since previous displayed packet)

if you want to download the pcap file click here. If you want to see a larger image, do right click, open in new tab.

ftp control

Packet 5: The client requests TLS authentication, but the server does not support it and it says continue with username and password. The client does anonymous login.

Packet 15: we see that the login is successful and then the client requests feat list from the server at packet 18. Server responds in packets 19-31.

ftp control

In packet 36 the client sends a CWD (change working directory) and then a PWD (print working directory)

Packet 40: client requests binary mode TYPE I

Packet 42: client requests passive mode

Packet 43: server responds, and sends Passive port: 26532

Packet 44: client requests a LIST

Packet 45: a new TCP connection is established to port 26352 and is used for the directory listing until packet 54

Packet 57: a new control conenction established at port 21

We go through the login process, and passv

ftp control

Packet 80, server enters passive mode and sends port 29022

packet 81, client requests a file called

Packet 82, a new tcp connection is established at port 29022 and it is this connection that will be used for datatransfer

Packet 82, 83, 84 is the normal SYN, SYN-ACK, ACK procedure

Packet 85 is just an ack to packet 81

Packet 86 server sends a packet with seq 1, ack 1, size 1452

Packet 87 server sends a packet with seq 1453 (1452+1), ack 1, size 1452

Packet 88, client sends a packet, seq 1 ack for 2905(1453+1452), length 0

Packet 89, server sends a packet, seq 2905, acks 1, size 1452

Packet 90, server sends packet with seq 4257(2905+1452), ack 1, size 1452

Packet 91, client send packet with seq 1, ack 5809(4257+1452), length 0

… and so on

You see that during this process the client didn’t send any data, that’s why the seq is always 1 and the ack from the server is 1

ftp control

The last packet from the server is 10919, that has a seq 10484893 (which the total bytes it sent), ack 1, size 868. It also has the FIN bit set.

Packet 10920, the client acks 10485762(10484893+868) and then sends a FIN-ACK

Packet 10922 is from the control connection “transfer complete”

Packet 10923 is the response of the server to the FIN-ACK and it responds with an ACK 2. this is the last packet of this tcp conversation

the rest packets are for the control connection

From wireshark conversations, you can see that we had 4 tcp sessions. 2 control sessions, and 2 data connections. One data was for the listing, and one for the transfer.

ftp conversations

tcptrace graph is a nice straightline, which is ideal. We also see that the distance between the two lines which symbolizes the receive window is kept constant.

ftp sequence

If I zoom in a lot, you will see that for every two packets, that correspond to two vertical lines, I get an ack. The ack is the vertical line with the other color.

ftp control

from statistics, packet lengths, we see the majority of the packets, 66% are between 1280 and 2559 bytes and the other 33.76% is between 40 and 79 bytes

ftp control

comments powered by Disqus