FTP protocol analysis and Expansion

Source: Protocol Analysis Network

Depending on whether the Port or Passive mode is used, FTP uses different TCP Port numbers. Before describing the FTP in detail
Briefly discuss some basic concepts of TCP port numbers. TCP uses the port number to identify the application sent and received.
TCP can be used to separate byte streams and transmit corresponding bytes to the correct application.
The TCP port number can be semi-permanent or temporary. Server listening allows customers to access the semi-permanent port

User Access. Customer
The client uses a temporary port to identify a dialog locally. The client port only exists when the TCP Service is used, and the server
The port is listened as long as the server is running.

TCP ports can be classified into three categories:
1. Well-known ports are used to identify standard services running on TCP, including FTP, HTTP, TELNET, SMTP, etc.
The port number range is 0-1023;
2. register the port number to identify
Authority) the registered application. The registered port number is 1024-49151;
3. The private port number is not registered and can be dynamically allocated to any application. The private port number is 49152-65535;
The registered port number is intended to be used only by the registered application. However, the port number has reached the limit in recent years.
You may see that the registration port used by the registration application is used as a temporary port by the non-registration application. RFC1700 details
It is a well-known and registered port number, but unfortunately, this RFC document has not
Updated, and then you can still get a list of promptly updated ports from IANA. The detailed URL is:
Http://www.iana.org/assignments/port-numbers

> 2.0 <FTP Port mode and FTP Passive mode
When you troubleshoot an FTP problem, you must first ask whether the port mode or passive mode is used.
Mode. Because these two kinds of behavior are different, the problems caused by these two modes are also different. In the past, the client default is acti.
Ve (port) mode. Recently, due to Port mode security issues, FTP applications on many clients are in Passive mode by default.

> 2.1 FTP Port Mode
The procedure for FTP in Port mode is as follows:
1. The client sends a tcp syn (TCP synchronization) packet to the server segment's well-known FTP control port 21, the client
Use a temporary port as its source port;
2. the server sends a syn ack (synchronous confirmation) packet to the client. The source port is 21 and the destination port is used on the client.
Temporary port;
3. The client sends an ACK packet. The client uses this connection to send FTP commands, and the server uses this
Connect to send FTP response;
4. When a user requests a List request or initiates a request to send or accept files, the client software uses
PORT command, which contains a temporary PORT. The client wants the server to use
This temporary PORT; The PORT command also contains an IP address, which is usually the customer's own IP address, and FT
P also supports the third-party mode. In the third-party mode, the client tells the server to open a connection with another host;
5. the server sends a SYN packet to the temporary PORT of the client. The source PORT is 20 and the temporary PORT is in the port command of the client.
The temporary port number sent to the server;
6. The client uses the source port as the temporary port, and the destination port is 20 to send a syn ack packet;
7. The server sends an ACK packet;
8. The host sending data sends data through this connection, and the data is sent in the form of a TCP segment (Note: segment, layer-4th PDU (
Some commands, such as STOR, indicate that the client needs to send data, and RETR indicates that the server segment sends data ).
The other party confirms the ACK (Note: TCP is a connection-oriented protocol)
9. After the data transmission is complete, the host sending the data end the data connection with a FIN command. This FIN Command requires another
The host is confirmed by ACK, And the other host also sends a fin command. The FIN command also needs to send data to the host using
CK confirmation;
10. The client can send more commands on the control connection, which can enable and disable other data connections.
After the configuration, the client uses the FIN command to close a control connection. The server uses the ACK package to confirm the FIN and server of the client.
It also sends its FIN, and the client uses ACK for confirmation.

The following figure shows the first steps of ftp port mode:
/======================================================== ==================================
|
| [Ftp Client] [ftp Server] |
|
| (TCP: 21 connection initialization, control port) |
| SYN |
| Port xxxx ----------------------> Port 21 [TCP] |
| SYN + ACK |
| Port xxxx <---------------------- Port 21 |
| ACK |
| Port xxxx ----------------------> Port 21 |
|
| (Control operation: User column directory or file transfer) |
|
| Port, IP, Port yyyy |
| Port xxxx <---------------------- Port 21 |
| Port Seccussful |
| Port xxxx <---------------------- Port 21 |
| List, Retr or Stor |
| Port xxxx ----------------------> Port 21 |
|
|
| (TCP: 20 connection initialization, data port) |
| SYN |
| Port yyyy <---------------------- Port 20 |
| SYN + ACK |
| Port yyyy ----------------------> Port 20 |
| ACK |
| Port yyyy <---------------------- Port 20 |
|
|
| (Data operation: Data Transmission) |
| Data + ACK |
| Port yyyy <---------------------> Port 20 |
|. |
|. |
|. |
|
========================================================== =====================================/

The FTP Port mode brings many problems to network administrators. First, the IP address and end in the PORT Command Message
The slogan code is not straightforward. In addition, protocol commands at the application layer should theoretically not contain network address information (note:
IP address), because this breaks the protocol layer principle and may cause coordination and security issues.

It is the address parameter of the port command decoded by the WildPackets EtherPeek protocol analyzer. The address parameter is the PORT number. See PORT
192,168, 10,232, 6,127; multiply the first Arabic digit of part 1 by 6,127, and then add 256 Arabic numerals
The port number is obtained. Therefore, the client specifies the port number 6*256 + 127 = 1663;
/======================================================== ==================================
| IP Header-Internet Protocol datasync |
| Version: 4 |
| Header Length: 5 (20 bytes) |
|
| ...... |
|
| Time To Live: 128 |
| Protocol: 6 TCP-Transmission Control Protocol |
| Header Checksum: 0xAA36 |
| Source IP Address: 192.168.0.1 DEMO |
| Dest. IP Address: 192.168.0.3 VI |
| No IP Options |
|
| TCP-Transport Control Protocol |
| Source Port: 2342 manage-exec |
| Destination Port: 21 ftp |
| Sequence Number: 2435440100 |
| Ack Number: 9822605 |
| Offset: 5 (20 bytes) |
| Reserved: