February 2019
In this post we will analyze an FTP connection with Wireshark. First we see that the client establishes a control connection to port 21 on the server; the server is the one with the public IP address. The RTT is the difference between the SYN and the SYN-ACK, here 0.0849 seconds. (To see the time delta between displayed packets, go to View, Time Display Format, Seconds Since Previous Displayed Packet.)
Packet 5: the client requests TLS authentication, but the server does not support it and replies that the client should continue with username and password. The client logs in anonymously.
Packet 15: we see that the login is successful; in packet 18 the client requests the feature list (FEAT) from the server, and the server responds in packets 19-31.
In packet 36 the client sends a CWD (change working directory) and then a PWD (print working directory).
Packet 40: the client requests binary mode (TYPE I).
Packet 42: the client requests passive mode (PASV).
Packet 43: the server responds and announces passive port 26532.
Packet 44: the client requests a LIST.
Packet 45: a new TCP connection is established to port 26352 and is used for the directory listing until packet 54.
Packet 57: a new control connection is established to port 21.
We go through the login process and PASV again.
Packet 80: the server enters passive mode and sends port 29022.
Packet 81: the client requests a file called 10MB.zip.
Packet 82: a new TCP connection is established to port 29022, and it is this connection that will be used for the data transfer.
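The 227 reply that carries the passive port is what lets an analyst (and Wireshark's FTP dissector, or a firewall's FTP helper) predict which ephemeral port the next data connection will go to. The following is an added example, not code from the original post: it parses the PASV reply format from RFC 959, where the port is encoded as two decimal bytes p1,p2 and equals p1*256 + p2, and walks a constructed control-channel transcript modelled on the exchange described above. The server address 192.0.2.10 and the reply wording are assumptions; the ports 26532 and 29022 are the ones the post reports.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample of the server side of the FTP control channel, modelled on
# the post's exchange (two PASV negotiations: one for LIST, one for the RETR).
# The IP address and wording are assumptions; the ports match the post.
CONTROL_REPLIES = [
    "220 Welcome",
    "530 Please login with USER and PASS.",
    "230 Login successful.",
    "227 Entering Passive Mode (192,0,2,10,103,164).",   # 103*256+164 = 26532
    "150 Here comes the directory listing.",
    "226 Directory send OK.",
    "227 Entering Passive Mode (192,0,2,10,113,94).",    # 113*256+94 = 29022
    "150 Opening BINARY mode data connection for 10MB.zip.",
    "226 Transfer complete.",
]

# RFC 959 format: "227 ... (h1,h2,h3,h4,p1,p2)"
PASV_RE = re.compile(
    r"^227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)


def parse_pasv(reply: str) -> Optional[Tuple[str, int]]:
    """Return (ip, port) announced by a 227 reply, or None if the line is not
    a well-formed PASV reply. Every field must fit in one byte."""
    m = PASV_RE.match(reply)
    if not m:
        return None
    fields = [int(x) for x in m.groups()]
    if any(v > 255 for v in fields):
        return None  # malformed: a byte field above 255
    h1, h2, h3, h4, p1, p2 = fields
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def expected_data_connections(replies: List[str], server_ip: Optional[str] = None):
    """Walk the control channel and list, in order, the endpoints the client
    is expected to open a data connection to. If server_ip (the peer of the
    control connection) is given, a 227 reply advertising a different host is
    reported as a warning and the control peer's address is used instead,
    which is what careful clients and firewall helpers do."""
    endpoints, warnings = [], []
    for reply in replies:
        parsed = parse_pasv(reply)
        if parsed is None:
            continue
        ip, port = parsed
        if server_ip and ip != server_ip:
            warnings.append(f"227 advertises {ip}:{port} but control peer is {server_ip}")
            ip = server_ip
        endpoints.append((ip, port))
    return endpoints, warnings


if __name__ == "__main__":
    eps, warns = expected_data_connections(CONTROL_REPLIES, server_ip="192.0.2.10")
    for ip, port in eps:
        print(f"expect data connection to {ip}:{port}")
    for w in warns:
        print("warning:", w)
```

The address check matters because nothing in the protocol ties the host in a 227 reply to the control connection; a client that blindly connects to whatever address is advertised can be steered to a third host. Clients such as curl expose a switch (--ftp-skip-pasv-ip) to ignore the advertised address for exactly this reason, and a stateful firewall only opens the advertised port if it parsed the reply the same way this function does.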
Packets 82, 83 and 84 are the normal SYN, SYN-ACK, ACK handshake.
Packet 85 is just an ACK to packet 81.
Packet 86: the server sends a segment with seq 1, ack 1, size 1452.
Packet 87: the server sends a segment with seq 1453 (1452+1), ack 1, size 1452.
Packet 88: the client sends a segment with seq 1, ack 2905 (1453+1452), length 0.
Packet 89: the server sends a segment with seq 2905, ack 1, size 1452.
Packet 90: the server sends a segment with seq 4257 (2905+1452), ack 1, size 1452.
Packet 91: the client sends a segment with seq 1, ack 5809 (4257+1452), length 0.
… and so on.
You can see that during this process the client didn't send any data, which is why its seq stays at 1 and the server's ack stays at 1.
The last packet from the server is 10919, which has seq 10484893 (corresponding to the total bytes it sent), ack 1 and size 868. It also has the FIN bit set.
Packet 10920: the client acks 10485762 (10484893+868, plus one because the FIN itself consumes a sequence number) and then sends a FIN-ACK.
Packet 10922 is on the control connection: "Transfer complete".
Packet 10923 is the server's response to the FIN-ACK, and it responds with ack 2. This is the last packet of this TCP conversation.
The remaining packets belong to the control connection.
From Wireshark's Conversations window you can see that we had 4 TCP sessions: 2 control sessions and 2 data connections, one for the listing and one for the transfer.
The tcptrace graph is a nice straight line, which is ideal. We also see that the distance between the two lines, which represents the receive window, stays constant.
If I zoom in a lot, you will see that for every two packets, which correspond to two vertical lines, I get an ACK. The ACK is the vertical line in the other colour.
From Statistics, Packet Lengths, we see that the majority of the packets, 66%, are between 1280 and 2559 bytes and the other 33.76% are between 40 and 79 bytes.
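The seq/ack walk-through above (packets 86 to 10923) and the packet-length statistics both follow from a few rules: payload bytes, SYN and FIN each consume sequence space, a pure ACK carries the peer's next expected byte, and the receiver here acks every second segment. The following is an added example, not code from the original post: it constructs a data connection with the post's numbers (1452-byte segments, a 10485760-byte file, an ACK every two segments, FIN on the last data segment) and then replays it to verify that every seq and ack is consistent, the kind of check you would run over a suspicious stream where a gap, overlap or an ack of unsent data would point at retransmission, injection or a broken middlebox. The stream itself is constructed, not the capture; the 54-byte header size used for the length bins is an assumption (Ethernet + IPv4 + TCP without options), which is why the shares come out close to, but not exactly, the 66% and 33.76% the post reports.

```python
from dataclasses import dataclass


@dataclass
class Segment:
    src: str          # "client" or "server"
    seq: int          # relative sequence number, as Wireshark displays it
    ack: int          # relative acknowledgement number
    length: int       # TCP payload bytes
    syn: bool = False
    fin: bool = False


MSS = 1452            # payload size per data segment seen in the post
HDR = 14 + 20 + 20    # Ethernet + IPv4 + TCP header without options (assumption)


def build_transfer(total_bytes, mss=MSS, ack_every=2):
    """Constructed data connection modelled on the post: three-way handshake,
    the server streams total_bytes, the client acks every `ack_every`
    segments (its seq stays 1 because it never sends data), the server sets
    FIN on its last data segment, the client acks it and closes, the server
    acks the client's FIN."""
    segs = [Segment("client", 0, 0, 0, syn=True),        # SYN
            Segment("server", 0, 1, 0, syn=True),        # SYN-ACK
            Segment("client", 1, 1, 0)]                  # ACK
    seq, unacked, remaining = 1, 0, total_bytes
    while remaining > 0:
        n = min(mss, remaining)
        remaining -= n
        segs.append(Segment("server", seq, 1, n, fin=(remaining == 0)))
        seq += n
        unacked += 1
        if unacked == ack_every and remaining > 0:
            segs.append(Segment("client", 1, seq, 0))    # pure ACK
            unacked = 0
    segs.append(Segment("client", 1, seq + 1, 0, fin=True))  # acks data + FIN, own FIN
    segs.append(Segment("server", seq + 1, 2, 0))            # acks the client's FIN
    return segs


def check_stream(segs):
    """Replay the segments and verify sequence/acknowledgement continuity in
    both directions. Raises ValueError on a gap or overlap (retransmissions
    count as overlaps here, since the post's trace has none) or on an ack of
    data the peer has not sent; otherwise returns a summary."""
    next_seq = {"client": 0, "server": 0}   # next sequence number each side should use
    payload = {"client": 0, "server": 0}
    for i, s in enumerate(segs):
        peer = "server" if s.src == "client" else "client"
        if s.seq != next_seq[s.src]:
            raise ValueError(f"segment {i}: seq {s.seq}, expected {next_seq[s.src]}")
        if s.ack > next_seq[peer]:
            raise ValueError(f"segment {i}: acks {s.ack}, peer only sent up to {next_seq[peer]}")
        next_seq[s.src] += s.length + int(s.syn) + int(s.fin)
        payload[s.src] += s.length
    return {"segments": len(segs),
            "bytes_from_server": payload["server"],
            "bytes_from_client": payload["client"],
            "final_server_seq": next_seq["server"],   # the client's last ack must equal this
            "final_client_seq": next_seq["client"]}   # the server's last ack must equal this


def length_bins(segs):
    """Share of frames in the 1280-2559 and 40-79 byte bins of Wireshark's
    Statistics > Packet Lengths, approximating frame size as HDR + payload."""
    big = sum(1 for s in segs if 1280 <= HDR + s.length <= 2559)
    small = sum(1 for s in segs if 40 <= HDR + s.length <= 79)
    return round(100 * big / len(segs), 1), round(100 * small / len(segs), 1)


if __name__ == "__main__":
    stream = build_transfer(10 * 1024 * 1024)   # 10MB.zip, as in the post
    print(check_stream(stream))                 # final_server_seq 10485762, final_client_seq 2
    print(length_bins(stream))
```

Running it reproduces the numbers in the walk-through: the server's last data segment starts at seq 10484893, the client's closing ack is 10485762 (data plus one for the FIN) and the server's final ack is 2 (the client's FIN consumed seq 1). Feeding the checker a stream with one segment's seq shifted by a byte raises immediately, which is the behaviour you want from a sanity check before trusting a reassembled file pulled out of a capture.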