Lab 7: ProtocolStacks+FTP

In this lab you will be looking more deeply at the workings of FTP, and looking at the mapping between user commands, FTP protocol commands and replies, and TCP. The support services (IP, ethernet) are assumed for this lab. Although you will be getting a "behind the scenes" look at FTP, the main goal of the lab is one of consolidation of general concepts.

Preliminary Exercise

This exercise is designed to make the last slide in the lecture a lot clearer:

The object is to reproduce this diagram on a piece of paper and then to use NetXRay to build up a complete set of arrows going back and forth across the "pink cloud" - the gap in the diagram between "Client" and "Server" which is where packets are actually sent across the network.

The instructions that follow break up an FTP session into a series of brief steps that will each capture five, or less packets; You will need to reconnect several times to the FTP server. but the result should be that you capture, in a series of files, all the packets involved.

1. Start a NetXRay capture with a filter for FTP ( IP/TCP/FTP )

2. Start a capture

3. Run ftp (((FTPServer))) but do not enter your username yet.

4. Stop and view the capture and draw arrows in your diagram for each of the packets. Indicate on every arrow the TCP Code ( eg ACK, or ACK,SYN ) and if the packet contains FTP data indicate briefly what it is ( eg "200" )

5. When you have understood what all these packets are doing restart your capture.

6. Enter your username at the FTP prompt. Do not enter your password.

7. Stop and view the capture.

8. Repeat step 4

9. Restart your capture.

10. Enter your password.

11. Stop and view your capture.

12. Repeat step 4.

This process will give you a complete "map" of all packets in the interaction up to where you receive the command prompt. As you will see some packets are part of the FTP conversation - they have a PSH flag set and they contain an FTP related data portion. Other packets have no data - they are just part of the TCP management of the connection.

Further exercises - some Data Pattern filters
1. Do this again to look behind the "dir" command. In this case you have a problem because the packets that you need to view are some way into the transaction. The answer is to use a very specific data pattern filter that will eliminate the packets of the actual dir listing and only display the "Control Connection" packets that set the whole thing up.

2. From this point on, the appropriate use of NetXRay is assumed

3. Next look at the FTP data port ( port 20 ) traffic - the easy way to get this organised is to edit the patterns in your port 21 filter - simply change 0x15 to 0x14.

4. Record the effect of the "bin" command - look at both ports ( 21 & 20 )

5. Record the traffic associated with an FTP "put" command. - look at both ports ( 21 & 20 )

6. Record the traffic associated with an FTP "get" command. - look at both ports ( 21 & 20 )

7. Record the traffic associated with the FTP "close" command. - look at both ports ( 21 & 20 )