IP Network - FTP

 

 

 

FTP stands for 'File Transfer Protocol'. As you may guess from the name, it is a protocol mainly used for uploading and downloading files between computers (usually two computers, called a Client and a Server). Whether or not you are familiar with the protocol itself, I think most readers have already used it quite often, even if they did not realize it. If you have used common tools like Filezilla or WinCommand, or any other tool for uploading your data to a Web Hard or Cloud service, it is highly probable that you are already an ftp user. However, the purpose of this page is not to explain those file upload/download tools, but to look a little deeper into the ftp protocol itself, so that you gain some in-depth knowledge of it, which can be helpful when you have to troubleshoot a data throughput test with ftp.

 

For any protocol, I think one of the best ways to understand it in detail is to capture a live log and go through each and every line of the log. For this tutorial, I captured a live ftp log myself using Wireshark and I will explain the details of the log.

 

The configuration that I used to capture the sample log is as shown below. I used two computers (one Windows 7 laptop and one Linux-based laptop) connected on the same subnet. Actually, these two PCs were connected to each other through the WLAN Access Point at my home.

 

 

The server PC (Linux, running vsftpd as the ftp server) and the client PC (Windows 7, using the default Windows ftp client).

 

The first log I will go through is for the following simple steps: ftp login, then the simplest ftp commands, 'ls' and 'get'. If you understand the full protocol details of these simple steps, you will have a complete understanding of the ftp protocol itself.

 

    C:\>ftp 192.168.0.10

    Connected to 192.168.0.10.

    220 (vsFTPd 2.3.5)

     

    User (192.168.0.10:(none)): anonymous

    331 Please specify the password.

    Password: anonymous

    230 Login successful.

     

    ftp> ls

    200 PORT command successful. Consider using PASV.

    150 Here comes the directory listing.

    temp.txt

    226 Directory send OK.

    ftp: 10 bytes received in 0.00Seconds 10000.00Kbytes/sec.

     

    ftp> get temp.txt

    200 PORT command successful. Consider using PASV.

    150 Opening BINARY mode data connection for temp.txt (1164 bytes).

    226 Transfer complete.

    ftp: 1164 bytes received in 0.08Seconds 14.92Kbytes/sec.

     

    ftp> quit

    221 Goodbye.

 

The log that was captured for these steps is shown below. Just scan through the whole log and don't try to understand everything at this step. Assuming you have basic knowledge of TCP, just try to form a big picture of this log on your own. Click Here to get the Wireshark file (*.pcapng) shown in this example.

 

 

 

Message Flow for Log In

 

Now let's look into the log a little deeper. I will look into what's happening during the ftp login process. The command line procedure is as shown below.

 

    C:\>ftp 192.168.0.10

    Connected to 192.168.0.10.

    220 (vsFTPd 2.3.5)

     

    User (192.168.0.10:(none)): anonymous

    331 Please specify the password.

    Password: anonymous

    230 Login successful.

 

Following is the illustration of the TCP interactions between client and server, which I drew directly from the log shown above.

I will add a description of each step later. Just try to make your own story out of this illustration.

 

 

 

Message Flow for 'ls' - Active Mode

 

In this section, we will look into what's happening when we run the simplest ftp command, 'ls'. The command line procedure is shown below.

 

    ftp> ls

     

    200 PORT command successful. Consider using PASV.

    150 Here comes the directory listing.

    temp.txt

    226 Directory send OK.

    ftp: 10 bytes received in 0.00Seconds 10000.00Kbytes/sec.

 

The TCP socket interaction between client and server is as follows. You may be surprised that such complicated interactions happen even for such a simple command. But even for the most complicated ftp procedure, the TCP interaction is almost the same as this one. So if you have a good understanding of this illustration, you will understand any ftp procedure at this protocol level.

I will come back later with a line-by-line description, but for now, try to make your own story out of this.

A couple of questions for your own study:

i) You see the port number 59898 on the client side. Where does it come from?

ii) You see the port number 21 on the server side. Where does it come from?

iii) At step 5, another socket with port 59914 is created on the client side. Where does this port number come from?

iv) At step 5, another socket with port 20 is created on the server side. Where does this port number come from?

 

 

 

[No 920] Transmission Control Protocol, Src Port: 59898 (59898), Dst Port: ftp (21), Seq: 33, Ack: 78, Len: 26

 

[No 1047] Transmission Control Protocol, Src Port: ftp (21), Dst Port: 59898 (59898), Seq: 78, Ack: 59, Len: 51

 

[No 1050] Transmission Control Protocol, Src Port: 59898 (59898), Dst Port: ftp (21), Seq: 59, Ack: 129, Len: 6

 

[No 1051] Transmission Control Protocol, Src Port: ftp (21), Dst Port: 59898 (59898), Seq: 129, Ack: 65, Len: 0

[No 1052] Transmission Control Protocol, Src Port: ftp-data (20), Dst Port: 59914 (59914), Seq: 0, Len: 0

[No 1053] Transmission Control Protocol, Src Port: 59914 (59914), Dst Port: ftp-data (20), Seq: 0, Ack: 1, Len: 0

[No 1054] Transmission Control Protocol, Src Port: ftp-data (20), Dst Port: 59914 (59914), Seq: 1, Ack: 1, Len: 0

[No 1057] Transmission Control Protocol, Src Port: ftp (21), Dst Port: 59898 (59898), Seq: 129, Ack: 65, Len: 39

[No 1058] Transmission Control Protocol, Src Port: ftp-data (20), Dst Port: 59914 (59914), Seq: 1, Ack: 1, Len: 10

[No 1059] Transmission Control Protocol, Src Port: ftp-data (20), Dst Port: 59914 (59914), Seq: 11, Ack: 1, Len: 0

[No 1060] Transmission Control Protocol, Src Port: 59914 (59914), Dst Port: ftp-data (20), Seq: 1, Ack: 12, Len: 0

[No 1061] Transmission Control Protocol, Src Port: 59914 (59914), Dst Port: ftp-data (20), Seq: 1, Ack: 12, Len: 0

[No 1062] Transmission Control Protocol, Src Port: ftp (21), Dst Port: 59898 (59898), Seq: 168, Ack: 65, Len: 24

[No 1063] Transmission Control Protocol, Src Port: 59898 (59898), Dst Port: ftp (21), Seq: 65, Ack: 192, Len: 0

[No 1064] Transmission Control Protocol, Src Port: ftp-data (20), Dst Port: 59914 (59914), Seq: 12, Ack: 2, Len: 0

 

 

Message Flow for 'ls' - Passive Mode

 

Here I will give you another example. It is also for the 'ls' command, but it is done in a slightly different way, called 'Passive Mode'. Click Here to get the Wireshark file (*.pcapng) shown in this example. (For this example, I used a well-known ftp client called 'FileZilla Client', since the Windows 7 command line ftp does not work properly in passive mode.)

 

Before jumping directly into the definition of 'Passive Mode', just look through the log and try to find the difference between this log and the one in the previous section.

 

  

Did you find any difference between this log and the previous log just by reading through it? Probably it would be a little bit difficult.

Then take a look at the following illustration. Do you see any difference between this and the illustration in the previous section?

If you noticed the difference, you at least know what the difference is between the active mode and passive mode of ftp.

I will come back with the answer later.
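
Added example (not part of the original page): the data-connection port numbers seen in the active-mode and passive-mode sections are announced on the control connection as six decimal bytes, h1,h2,h3,h4,p1,p2, with port = p1*256 + p2. The Python below decodes that field from the PORT command and from the 227 reply to PASV, and flags an announced address that differs from the control-connection peer. The client address 192.168.0.12, the passive port and the function names are assumptions made for illustration.

```python
import re

# h1,h2,h3,h4,p1,p2 as carried by the PORT command and the 227 (PASV) reply.
HOSTPORT = re.compile(r"(?<!\d)" + ",".join([r"(\d{1,3})"] * 6) + r"(?!\d)")


def decode_hostport(text):
    """Return (ip, port) from an h1,h2,h3,h4,p1,p2 field, or None if absent/invalid."""
    m = HOSTPORT.search(text)
    if not m:
        return None
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        return None
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]


def data_endpoints(control_lines, client_ip, server_ip):
    """List the data-connection endpoints announced on the control channel.
    control_lines: (direction, line) pairs, direction "C" = client, "S" = server.
    'mismatch' is True when the announced address is not that side's own host.
    """
    found = []
    for direction, line in control_lines:
        verb = line.split(" ", 1)[0].upper()
        if direction == "C" and verb == "PORT":
            mode, expected = "active", client_ip    # server will connect to the client
        elif direction == "S" and verb == "227":
            mode, expected = "passive", server_ip   # client will connect to the server
        else:
            continue
        endpoint = decode_hostport(line)
        if endpoint:
            found.append({"mode": mode, "ip": endpoint[0], "port": endpoint[1],
                          "mismatch": endpoint[0] != expected})
    return found


# Constructed sample lines: client address 192.168.0.12 and the 227 port are made up.
SAMPLE = [
    ("C", "PORT 192,168,0,12,234,10"),   # 234*256 + 10 = 59914
    ("S", "200 PORT command successful. Consider using PASV."),
    ("C", "PASV"),
    ("S", "227 Entering Passive Mode (192,168,0,10,195,80)."),
    ("C", "PORT 10,0,0,5,0,22"),         # address is not the client's own
]

if __name__ == "__main__":
    for entry in data_endpoints(SAMPLE, "192.168.0.12", "192.168.0.10"):
        print(entry)
```

A PORT line whose address is not the client's own is worth logging on the server or at the firewall, since the server would otherwise open its data connection to a third host.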

 

 

 

 

FTP Client Commands

 

ABOR    Terminates previous command.

ACCT    Specifies account (ignored).

ALLO    Allocates storage (vacuously).

APPE    Appends to a file.

CDUP    Changes to the parent directory of the current working directory.

CWD     Changes working directory.

DELE    Deletes a file.

FEAT    This command causes the FTP server to list all new FTP features that the server supports
        beyond those described in RFC 959. A typical example reply to the FEAT command might be a
        multi-line reply of the form

HELP    Gives help information.

LIST    Lists files in a directory (this FTP request is the same as the ls -lgA command).

MKD     Makes a directory.

MDTM    Shows last modification time of file.

MODE    Specifies data transfer mode.

NLST    Gives a name list of files in directory (this FTP request is the same as the ls command).

NOOP    Does nothing.

OPTS    This command allows an FTP client to define a parameter that will be used by a subsequent
        command

PASS    Specifies a password.

PASV    Prepares for server-to-server transfers.

PORT    Specifies a data connection port.

PWD     Prints the current working directory.

QUIT    Terminates session.

RETR    Retrieves a file.

RMD     Removes a directory.

RNFR    Specifies rename-from file name.

RNTO    Specifies rename-to file name.

SITE    The following nonstandard or UNIX-specific commands are supported by the SITE request:

        UMASK   Changes umask (SITE UMASK 002).

        IDLE    Sets idle timer (SITE IDLE 60).

        CHMOD   Changes mode of a file (SITE CHMOD 755 FileName).

        HELP    Gives help information (SITE HELP).

SIZE    Returns size of current file.

STAT    Returns the status of the server.

STOR    Stores a file.

STOU    Stores a file using a unique file name.

STRU    Specifies the structure of data transfer as a file structure.

SYST    Shows operating system type of server system.

TYPE    Specifies data transfer type with the Type parameter.

USER    Specifies user name.

XCUP    Changes the parent directory of the current working directory (not normally used).

XCWD    Changes current directory (not normally used).

XMKD    Creates a directory (not normally used).

XPWD    Prints the current working directory (not normally used).

XRMD    Removes a directory (not normally used).