FTP protocol analysis with Wireshark packet captures

Source: Internet
Author: User
Tags: ftp connection, ftp server list, ftp protocol

Today I applied for a virtual host, and uploading data became a problem. I Googled it, hehe, and found this software called FlashFXP, whatever that thing is (forgive my terrible English). I downloaded and installed it, and recently I happen to be very interested in protocol analysis, so this is today's first article, hehe. I always love to talk some nonsense; well, if you think so too, then let's get to the point.

Analysis of the Wireshark packet capture

Packet analysis and summary of the FTP protocol

This article focuses on analyzing FTP packets in Wireshark and does not include an in-depth analysis of the protocol itself.

I will not repeat the basics of Wireshark here. I am a newbie myself, and a bit prone to pitfalls (is that right? at least that is what everyone else says), so I suggest you read the book "Wireshark Analysis in Practice (2nd edition)", published by People's Posts and Telecommunications Press.

Let's start with the following steps:

Open FlashFXP, start the Wireshark capture, connect to the virtual host, pick a file on the virtual host and download it locally, disconnect the FTP session, then stop the Wireshark capture.

Since we are interested in FTP, we analyze the FTP packets and begin with this very lazy but very clever protocol:


We enter FTP as the condition in the Display filter. (Note that FTP runs on top of TCP: when Wireshark dissects a TCP segment and recognizes an FTP command or reply in its payload, it identifies that packet as FTP.) With this display filter applied, the content of the FTP control channel is clearly visible.

The following is the analysis of each packet:


Uh... well, I have to let you down: we cannot start with the FTP control-channel packets. An oversight, forgive me, it is my first time. As shown above, we enter the IP of my virtual host in the display filter and filter on it; we can then see the entire FTP connection process. The following is the analysis of the messages:

First of all, because FTP is transported over TCP, it is in fact carried inside the TCP payload; only when that FTP payload is present do we treat the TCP packet as an FTP packet.

You can see that the first three packets are TCP's three-way handshake. Here TCP connects to port 21 of the FTP server, which reminds us that FTP uses port 21, while my client uses an automatically allocated port. Looking at the TCP connection process: Flags: 0x002 (SYN) means this is a TCP connection request, and Sequence number: 0 (relative sequence number) is a relative sequence number; because this is the first handshake, it is 0.

This is the second TCP message. Here SYN is set to 1 and ACK is also 1, which means it is a reply packet answering the request segment just sent; this is the second handshake of the TCP connection, where the relative sequence number is 1. The third handshake is the same as the second, except that it carries no request, only the acknowledgment. The above is the TCP connection establishment process; no need to say more about it.


Description of the FTP session process:

After the TCP connection is established, the server actively connects to the client. As for whether the server's connection is active or passive, I am not very clear why the server connects to the client rather than letting the client connect to the server; the "active" and "passive" here should be understood relative to the server, not the client.

First, the server sends the client a banner describing the system it runs on; here it is Microsoft's FTP server.

The client sends a request with the user name.

The server responds to the client that it needs the password for that user name.

The client sends the password to the server.

The server authenticates the user name and password successfully and allows the client to log on to the FTP server.

The FEAT command asks the FTP server to list all of its extended commands and extension capabilities. It belongs to the active-mode commands (for reference; this is what I remember the teacher saying).

Accordingly, what is displayed here should be the extended features supported by the server.

The following message is the response to message No. 433 above (personally I think this message should contain no FTP portion; since FTP is based on TCP, it is displayed as a TCP message).

SIZE (this is the part I do not understand; everyone is welcome to give answers. I checked the references but did not find anything.)

PWD: the client asks the host to display the user's current path, and the server returns the client's path.

The following passage is quoted from http://www.cnblogs.com/zh2000g/archive/2010/03/02/1676653.html

PORT mode: the client tells the server, via the PORT command, which data port number to use, and then the client sets up a TCP/IP listener on that port. When a file transfer is performed, the server connects to this data port on the client for data transmission.

PASV mode: the client tells the server, via the PASV command, that it wants to transfer data in PASV mode. After the server receives the command, it sets up a TCP/IP listener on the server side and returns the data port number to the client. When a file transfer is performed, the client connects to the server's data port for data transmission.

This indicates that the client has sent a request to the server telling it to connect using the PASV method.

The server responds by entering active connection mode, which means that the server actively connects to the client.


A TCP connection is established again; this connection is for data transmission. After the connection is established:

The client requests that the server list all directories.

The data connection has been established.

After the data connection, the directory is listed; opening the FTP-DATA message shows all subfolders under the FTP server's root directory.


The data connection is complete and the data transfer is complete. Here we need to pay attention: during the FTP session, FTP establishes a new connection for every piece of data (file) it transfers, so when we use FTP for data transmission, a large part of the time is spent establishing connections. If we have many files, we suggest compressing them first and then transferring them with FTP; this reduces the number of data connections established and thus the data transfer time.


The following command, CWD, opens the folder web.

The server executed the command successfully and returned the result to the client.

Listing the directory.


The client requests that PASV mode be established again, as described above.

The request succeeded; the server's active connection is established again.


Note that what the server returns to the client here is an IP address (its own IP, i.e. the IP of the virtual host) followed by several numbers indicating the port the server has opened for the client. The calculation is: the first of the last two numbers * 256 + the second number. This gives the server port that the client will finally connect to.
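Decoding the PASV reply as the calculation above describes, and building the matching PORT argument for active mode as the quoted passage describes, in Python. This is an added example, not code from the original article; the reply strings and addresses are constructed, and the mismatch check is an analyst sanity check the article does not mention.

```python
import re

# Matches the h1,h2,h3,h4,p1,p2 tuple in a PASV reply, e.g.
# "227 Entering Passive Mode (192,0,2,10,19,137)."
PASV_RE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

def decode_pasv(reply):
    """Return (ip, port) announced in a 227 PASV reply, or None if malformed.
    The port is p1 * 256 + p2, the calculation the article gives for the
    last two numbers of the server's reply."""
    m = PASV_RE.search(reply)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if any(v > 255 for v in (h1, h2, h3, h4, p1, p2)):
        return None                 # each field is one byte
    port = p1 * 256 + p2
    if port == 0:
        return None                 # port 0 is never a valid listener
    return (f"{h1}.{h2}.{h3}.{h4}", port)

def encode_port(ip, port):
    """Build the argument of a PORT command (active mode): the client's
    listening address in the same h1,h2,h3,h4,p1,p2 form."""
    if not 0 < port <= 65535:
        raise ValueError("port out of range")
    octets = ip.split(".")
    if len(octets) != 4 or any(not o.isdigit() or int(o) > 255 for o in octets):
        raise ValueError("not an IPv4 address")
    return ",".join(octets + [str(port // 256), str(port % 256)])

def pasv_ip_mismatch(reply, control_peer_ip):
    """True when the PASV reply points somewhere other than the server the
    control channel is talking to (typical of NAT misconfiguration); an
    analyst should flag it rather than follow it blindly."""
    decoded = decode_pasv(reply)
    return decoded is not None and decoded[0] != control_peer_ip
```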

Connection establishment and data transmission.

Of which:

The RETR and STOR commands are the FTP download and upload commands; they can target files and directories.

Here comes the RETR command, which is the download operation for web.html.

The transfer (download) of 6 packets completes the web.html download.

Connection complete; disconnect.

Finally, the FTP control channel is disconnected. Throughout this period, we should know that the FTP control connection stays open the whole time; you can see the control connection being torn down only at the very end.
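The whole control-channel dialog the article walks through (login, FEAT, PASV, LIST, CWD, PASV, RETR, QUIT), replayed in Python to pull out what an analyst reads off it: whether the login succeeded, that the password crossed the wire in cleartext, and that every listing or transfer cost its own data connection. This is an added example, not code from the original article; the dialog and the user name/password are constructed.

```python
from dataclasses import dataclass, field

# Constructed control-channel dialog in the order the article walks through it;
# ("S", server reply) / ("C", client command). Not a real capture.
SESSION = [
    ("S", "220 Microsoft FTP Service"),
    ("C", "USER webuser"),
    ("S", "331 Password required"),
    ("C", "PASS hunter2"),
    ("S", "230 User logged in."),
    ("C", "FEAT"),
    ("S", "211-Extended features supported:"),
    ("S", "211 END"),
    ("C", "PASV"),
    ("S", "227 Entering Passive Mode (192,0,2,10,19,137)."),
    ("C", "LIST"),
    ("S", "226 Transfer complete."),
    ("C", "CWD web"),
    ("S", "250 CWD command successful."),
    ("C", "PASV"),
    ("S", "227 Entering Passive Mode (192,0,2,10,19,138)."),
    ("C", "RETR web.html"),
    ("S", "226 Transfer complete."),
    ("C", "QUIT"),
    ("S", "221 Goodbye."),
]

@dataclass
class Summary:
    logged_in: bool = False
    cleartext_password: bool = False   # PASS travels unencrypted on plain FTP
    data_connections: int = 0          # one PASV/PORT per LIST, RETR or STOR
    transfers: list = field(default_factory=list)

def summarize(session):
    s = Summary()
    for direction, line in session:
        if direction == "C":
            verb, _, arg = line.partition(" ")
            verb = verb.upper()
            if verb == "PASS":
                s.cleartext_password = True
            elif verb in ("PASV", "PORT"):
                s.data_connections += 1
            elif verb in ("RETR", "STOR", "LIST"):
                s.transfers.append((verb, arg))
        elif line.startswith("230 "):   # final "230 " line only, not "230-" continuations
            s.logged_in = True
    return s
```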


I am a newbie with no practical experience, so this article is written a bit off the top of my head and is very messy, but I want to accumulate a little at a time so that my knowledge reserves become richer and richer. I hope everyone will give plenty of advice; this is my first manuscript, and valuable suggestions are welcome.

Finally, I recommend reading the blog written by another great expert; I hope he does not accuse me of hotlinking.

Link: http://network.51cto.com/art/201406/441747.htm
