FTP protocol for Wireshark packet capture analysis

Hello everyone , I meet you again , I'm your friend, Quan Jun .

Experiment step one To configure FTP The server , And log in to the tester's machine FTP The server

In LAN environment , We use a gadget to （Quick Easy FTP Server） Realization FTP The server .

To configure Quick Easy FTP Server Software

Double click the Quick Easy FTP Server, Here's the picture

Pictured above , You can create anonymous , But anonymity has no password , Here we create a , next step

Input password , It's free here , Just remember , Later, the client login will use . next step

Select a FTP The directory of the server , We choose C On the plate FTP Catalog （ Put some... Under the folder data ）. Here the directory must exist . next step

Permissions we choose “ Allow Downloads ” and “ Allow upload ” that will do . These two are quite common , Other configurations default to . Click next

So we can configure QuickEasy FTP Server, below , We choose to click the open button （ The green button in the upper left corner , That is, the leftmost button of the green question mark in the upper left corner ）, After opening , State change , as follows ;

In this way, we will complete the configuration Quick Easy FTP Server.

Here is an error prone place , It indicates failure when opening , It may be the default port 21 It's occupied , Here are two ways ：

1 Change default port ,21 Change to a port with a larger number ;

2 Use netstat –ano| findstr “21”, Check that the process is occupying 21 port , Then close the program that occupies the port in the task manager . Here is the recommended method 1.

obtain FTP Control link data and data link data

Let's put it on the tester's machine , open Wireshark Caught tools , Filter condition input ip.addr == 10.1.1.33, Here you can go through cmd Command line to log in FTP The server , You can also log in through the browser , Here , For familiarity FTP Common commands , Use cmd Command line login for , as follows

The above information is login FTP After the server , An operation of uploading and downloading files , Here we return to Wireshark The interface stops capturing packets , preservation , The screenshot is as follows :

Next , Let's review the above steps in detail , Analyze .

Experiment step two analysis FTP Protocol packet

stay FTP Control link and data connection are used in workflow to realize data transmission , Let's analyze the details of these two packages .

Analyze the data that controls the link

FTP The control connection of is used to transfer the user name 、 Password and set transmission mode and other control information , Here is the saved ftp.pcapng Take the capture file as an example , analysis FTP Protocol control connection packet .

The figure above shows the... Of all packets Info Column , You can see it here ftp All information transmitted , because FTP Data packets are transmitted in clear text , All we have InFo You can see the login in the column FTP User name of the server 、 Passwords, transfer files, etc . In the diagram above , Sign in FTP The user name of the server is Hetian, The password for 123456, Downloaded the file cat.jpg And uploaded files Tulip.jpg. All shown here are successes , In case of business trip during transmission , The corresponding response code will be returned .

In captured FTP In the packet ,USER,PASS,CWD,RETR and STOR And so on are the control commands used to control the connection . These control commands are in the package details , The display format is the same . Here, take the command to control user information as an example , Analysis package details . stay ftp.pcapng In the capture file , The captured user information is as follows ：

From this interface, you can see login FTP Server time , The control command used is USER and PASS. According to these two commands , You can see that the login account is Hetian, The password for 123456. The details of these two packages are as follows

User name package details

File Transfer Protocol (FTP)

USERHetian\r\n

Requestcommand: USER

Requestarg: Hetian

From the information above , You can see that the package uses FTP agreement , The user name entered is Hetian, The order requested is USER, The request parameter is Hetian.

Password details

FileTransfer Protocol (FTP)

PASS123456\r\n

Requestcommand: PASS

Requestarg: 123456

From the information above , You can see that the password entered is 123456, The order requested is PASS, The request parameter is 123456.

The rest CMD Wait for the order , Learners should check for themselves .

Analyze data connected to data

Data connection is used to transfer file data , That is, through FTP The server uploads and downloads files . Take the captured file as an example , Analyze data connected to data .

In the picture above , Control command RETR and PORT The data of are uploaded and downloaded packets . Here we take the download file as an example （ Upload the same principle ）, Click on... Above 811 The frame data , Right click ,

choice Follow TCPStream choice ,

All... Are shown above FTP Transmission of information , If you want to view the transferred data , It is necessary to remove this information . Close the upper window , stay Wireshark in , You will find that the filter conditions are modified as follows

The easiest way is , Add one in front ！, Can achieve the effect of removing . Here's the picture ：

The next step is to find the file we downloaded . How can I quickly find the downloaded files , Here are two ways , It's your choice ：

Analyze through the fields of the protocol ： You'll find that , Removed FTP Control connection data , It is shown that TCP Protocol data , stay TCP Agreement ,PUSH Fields represent push data , We can do that Info Find PUSH Field , Find the desired file indirectly .

We know that the downloaded file is JPG Format , So we know that the binary representation is JFIF（exe Format opened with binary parser is MZ It's the same thing ）, So you can go through Wireshark Bring your own search , Quickly find the number of frames where the file is located . The shortcut key for searching is Ctrl+F. Here's the picture

In this way, the corresponding frame information can also be found . After we find the frame information （814 Frame or 820 All possible ）, Right click ,Follow TCPStream, You can see the information of the data , Among them JFIF Indicates that the file format is jpg, as follows ：

Let's click on the Save as, Input name cat.jpg that will do .

Open the saved file , That is, the pictures we downloaded

This is the time to close Follow TCP Stream Pop up window ,Wireshark The information displayed is as follows ：

The packet above shows the transmission cat.jpg All non of the document FTP Control packets , In the process , Details can be seen , Manager. TCP Three handshakes and four disconnections . Please follow the above method , To find the uploaded file information .

Publisher ： Full stack programmer stack length , Reprint please indicate the source ：https://javaforall.cn/151094.html Link to the original text ：https://javaforall.cn