2. Start a capture
3. Run ftp (((FTPServer))) but do not enter your username yet.
4. Stop and view the capture and draw arrows in your diagram for each of the packets. Indicate on every arrow the TCP Code (e.g. ACK, or ACK,SYN) and, if the packet contains FTP data, indicate briefly what it is (e.g. "200").
5. When you have understood what all these packets are doing restart your capture.
6. Enter your username at the FTP prompt. Do not enter your password.
7. Stop and view the capture.
8. Repeat step 4
9. Restart your capture.
10. Enter your password.
11. Stop and view your capture.
12. Repeat step 4.
This process will give you a complete "map" of all packets in the interaction up to where you receive the command prompt. As you will see, some packets are part of the FTP conversation - they have a PSH flag set and they contain an FTP related data portion. Other packets have no data - they are just part of the TCP management of the connection.
Further exercises - some Data Pattern filters
1. Do this again to look behind the "dir" command. In this case you have a problem because the packets that you need to view are some way into the transaction. The answer is to use a very specific data pattern filter that will eliminate the packets of the actual dir listing and only display the "Control Connection" packets that set the whole thing up.
- Bring up the Data Pattern filter setting screen (the sample capture you have made needs to be the current buffer and not be minimised).
- If all is well, when you press the Add Pattern button you should see a decoded packet in the Edit Pattern dialog.
- Look in the TCP header for the words File Transfer (Control). If you do not see these words you are not looking at a suitable packet - use the Previous, Next buttons to select another packet.
- View the TCP header in one of these packets and click on the words File Transfer (Control). Use the Set Data button to create the filter pattern. Was port 21 (0x15) the source or the destination of this packet?
- Finish the setting of this pattern by hitting OK once - so far your filter will capture one side of an FTP control conversation. To capture the other side of the conversation you need a second element in the filter that captures packets flowing in the opposite direction - such that packets To or From port 21 will be captured.
- Click on the top line of the Data Filter (with the blue "AND") and then use the Toggle AND/OR to change this to an OR - which is what we want. Think carefully about this - there is no such thing as a packet that is both "to the server" AND "from the server", so if AND is left in your filter you will never capture any packets.
- Use Add Pattern again to add a second element to this filter - this needs to be from a packet that was going in the opposite direction to the first one.
- Confirm this filter setting by looking at the summary in the Data Pattern filter screen. It should clearly state that packets flowing in either direction will be captured.
- Hit OK.
- Start a capture and use DIR or LS in your FTP session.
- Review the five packets - they should all be to or from port 21 and will involve setting the port to be used by your client and the initial passing of the LIST command.
- There should have been two or three extra packets after this that were not captured - can you deduce (look at the lecture notes) what was in these two packets?
- Challenge - can you take a look at these extra packets? If you modify your data pattern filter so that packets in only one direction are captured you can look independently at the two sides of the conversation and the 5 packet limit will not be exceeded.
3. Next look at the FTP data port (port 20) traffic - the easy way to get this organised is to edit the patterns in your port 21 filter - simply change 0x15 to 0x14.
4. Record the effect of the "bin" command - look at both ports (21 & 20).
5. Record the traffic associated with an FTP "put" command - look at both ports (21 & 20).
6. Record the traffic associated with an FTP "get" command - look at both ports (21 & 20).
7. Record the traffic associated with the FTP "close" command - look at both ports (21 & 20).
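The two-element port filter from exercise 1, and the 0x15 to 0x14 change from exercise 3, can be modelled in a few lines of Python. This is an added example, not part of the original lab sheet or of the capture tool: the helper names, the client ports 1045/1046, the address in the PORT command and the sample packets are all constructed for illustration.

```python
import struct

SYN, PSH, ACK = 0x02, 0x08, 0x10   # TCP flag bits

def tcp_segment(src, dst, flags, payload=b""):
    """Minimal 20-byte TCP header + payload; seq, ack and window are dummy values."""
    return struct.pack("!HHIIHHHH", src, dst, 0, 0, (5 << 12) | flags, 8192, 0, 0) + payload

def pattern(offset, value):
    """One filter element: the 16-bit big-endian field at `offset` equals `value`."""
    return lambda seg: struct.unpack_from("!H", seg, offset)[0] == value

def apply_filter(segments, patterns, mode):
    """Combine the elements with AND (all must match) or OR (any may match)."""
    combine = all if mode == "AND" else any
    return [s for s in segments if combine(p(s) for p in patterns)]

def describe(seg):
    """Return (src, dst, flag names, FTP text): what goes on one diagram arrow."""
    src, dst, _, _, off_flags = struct.unpack_from("!HHIIH", seg)
    names = [n for n, bit in (("SYN", SYN), ("ACK", ACK), ("PSH", PSH)) if off_flags & bit]
    data = seg[(off_flags >> 12) * 4:].decode("ascii").strip()
    return src, dst, ",".join(names), data

SRC_PORT, DST_PORT = 0, 2          # byte offsets of the port fields in the TCP header

# Constructed sample traffic (hypothetical client ports and address).
SAMPLE = [
    tcp_segment(1045, 21, PSH | ACK, b"PORT 10,0,0,5,4,22\r\n"),
    tcp_segment(21, 1045, PSH | ACK, b"200 PORT command successful.\r\n"),
    tcp_segment(1045, 21, PSH | ACK, b"LIST\r\n"),
    tcp_segment(20, 1046, SYN),
    tcp_segment(1046, 20, SYN | ACK),
    tcp_segment(20, 1046, ACK),
    tcp_segment(20, 1046, PSH | ACK, b"readme.txt\r\n"),
]

def port_filter(port, mode):
    """Two elements: source port == port, destination port == port."""
    return apply_filter(SAMPLE, [pattern(SRC_PORT, port), pattern(DST_PORT, port)], mode)

if __name__ == "__main__":
    for label, port in (("control", 0x15), ("data", 0x14)):
        print(label, "OR :", [describe(s) for s in port_filter(port, "OR")])
        print(label, "AND:", port_filter(port, "AND"))
```

With OR the port 21 filter returns both directions of the control conversation; with AND it returns nothing, because no packet in the sample has port 21 as both source and destination.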