reading .txt files transferred in an FTP capture

asked 2019-09-05 18:46:18 +0000

baldchicken

updated 2019-09-06 04:21:14 +0000

Guy Harris

I have a Wireshark capture where it shows that the port was opened, the password was entered, the data connection was established, the transfer was complete and the response was closed.

It looks as though the transfer of the text file went from pointA to pointB, but is there a way to see what was in that text file?

Comments

What protocol was used to transfer the file?

Guy Harris ( 2019-09-05 20:39:43 +0000 )

Port 21 = FTP.... unencrypted traffic.

baldchicken ( 2019-09-06 02:18:28 +0000 )

1 Answer

answered 2019-09-06 04:22:47 +0000

Guy Harris

is there a way to see what was in that text file?

You could select a packet from the FTP data connection and do Analyze > Follow > TCP Stream, which should pop up a window containing all the text that was transferred.

Comments

I think a nicer long-term solution would be for Wireshark to be able to support the ability to export objects from ftp transfers. If that's a feature of interest, then I'd advise @baldchicken to open a Wireshark enhancement bug report for this at https://bugs.wireshark.org/bugzilla/.

cmaynard ( 2019-09-06 14:33:28 +0000 )

To add on to Guy's method above, you can set a Display Filter for "ftp-data" then right click a packet and select Follow -> TCP Stream. Be aware that this changes your Display Filter from "ftp-data" to "tcp.stream eq [number]".

bubbasnmp ( 2019-09-06 16:23:20 +0000 )

Appreciate the input. Seems like an "enhancement request" is in order.

When I follow the steps to follow the TCP stream, it just shows a cleaner version of the packets:

230 User logged in.
PASV
227 Entering Passive Mode (10,2,2,156,237,255).
XYZ.txt
150 Opening ASCII mode data connection.
226 Transfer complete.
QUIT
221 Goodbye.

baldchicken ( 2019-09-06 17:04:53 +0000 )

You selected a packet from the FTP control connection, not from the data connection, and did Follow > TCP Stream, so you got the text on the control connection.

FTP sends commands and responses over one TCP connection and file data over a separate TCP connection.

Guy Harris ( 2019-09-06 17:21:30 +0000 )
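
The 227 reply in the control-connection text quoted above names the address and port of the data connection, which is the stream to follow. As an added example (not part of the original thread), this Python sketch decodes that reply and builds a display filter for the data connection; the function names are hypothetical, and the handling of PORT and 229 (EPSV) lines goes beyond the single PASV case shown in the thread.

```python
import re


# Constructed sample: the control-connection text quoted in the thread above.
CONTROL_STREAM = """\
230 User logged in.
PASV
227 Entering Passive Mode (10,2,2,156,237,255).
XYZ.txt
150 Opening ASCII mode data connection.
226 Transfer complete.
QUIT
221 Goodbye.
"""

# RFC 959 host-port: h1,h2,h3,h4,p1,p2 (port = p1*256 + p2)
HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")
# RFC 2428 EPSV reply: 229 ... (|||port|)
EPSV = re.compile(r"\(\|\|\|(\d{1,5})\|\)")


def data_endpoints(control_text, server_ip=None):
    """Return [(ip, port)] for every data connection announced on the control channel."""
    endpoints = []
    for line in map(str.strip, control_text.splitlines()):
        if line.startswith("227") or line.upper().startswith("PORT "):
            m = HOSTPORT.search(line)
            if m:
                nums = [int(x) for x in m.groups()]
                if all(n <= 255 for n in nums):
                    ip = ".".join(map(str, nums[:4]))
                    endpoints.append((ip, nums[4] * 256 + nums[5]))
        elif line.startswith("229"):
            m = EPSV.search(line)
            if m and int(m.group(1)) <= 65535:
                # EPSV carries only a port; the address is the server's own
                endpoints.append((server_ip, int(m.group(1))))
    return endpoints


def display_filter(ip, port):
    """Build a Wireshark display filter that isolates that data connection."""
    if ip is None:
        return f"tcp.port == {port}"
    return f"ip.addr == {ip} && tcp.port == {port}"


if __name__ == "__main__":
    print([display_filter(*e) for e in data_endpoints(CONTROL_STREAM)])
```

Applying the resulting filter and then using Follow > TCP Stream on one of the matching packets shows the file contents rather than the command/response text.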
