Ask Your Question
0

FTP Client sends reset .00002 after started file transfer

asked 2024-12-21 12:19:16 +0000

BillSTS gravatar image

updated 2024-12-24 17:53:14 +0000

I am having an ongoing issue cannot wrap my head around, ftp (using cmd FTP prompt) to send a 400k text file and when they agree to send the file, the client sends the file over port 20 and .00002 seconds sends a reset without even allowing the receiving end to send an ack back. This results in only a partial file being sent. When I use an FTP client I get "an existing connection was forceabley closed by the remote host. The packet looks like the image below.

THE FULL PCAP FILE IS in the Comments section

image description

edit retag flag offensive close merge delete

Comments

The reset is coming from the MAC address of the Sending Server

BillSTS gravatar imageBillSTS ( 2024-12-21 15:49:22 +0000 )edit

Hard to say anything given the fragment of an image to work with. Is .101 the client or the server as it seems it's that host that's sending the RST?

grahamb gravatar imagegrahamb ( 2024-12-21 16:11:51 +0000 )edit

At least include the entire Info column in your image. For example, it matters over which TCP connection the RST was sent, so the port information would be useful.

johnthacker gravatar imagejohnthacker ( 2024-12-22 16:39:06 +0000 )edit

Here is the full PCAP- I already disabled the account and FTP so no need to try and hack it. Rename the ext to PCAP FULL PCAP FILE

BillSTS gravatar imageBillSTS ( 2024-12-24 17:39:43 +0000 )edit

This is using 2 different ftp clients to 2 different FTP servers with totally different server software

BillSTS gravatar imageBillSTS ( 2024-12-24 17:54:19 +0000 )edit
add a comment

1 Answer

Sort by ยป oldest newest most voted
0

answered 2024-12-24 21:24:28 +0000

SYN-bit gravatar image

Thanks for the PCAP. As you mention it involves two different ftp client and two different FTP servers, it seems to be related to your system itself. As it is your system sending the TCP/RST on the upload, could it be that there is a host firewall or other software blocking you from uploading in FTP?

edit flag offensive delete link more

Comments

What throws me off is a RST flag is sent immediatley during the begining of the handshake. On a success one, the flag is not present

BillSTS gravatar imageBillSTS ( 2024-12-26 15:28:08 +0000 )edit

The TCP/RST packet does not come immediately during/after the 3-way-handshake, there are 10 data packets after the 3-way-handshake before the TCP/RST is sent.

SYN-bit gravatar imageSYN-bit ( 2024-12-27 11:03:15 +0000 )edit

I have to give you credit- I found the answer. I went from knowing 0 to 50 in the past 4 weeks with wireshark and packet capturing. The take away to rule out if its a network issue in this peticular incident was I captured packets at the Sonicwall as well as the Server and exported to PCAP. Atter reading the Sonicall capture, they were the exact same packets and RST on the firewall as the server, so I agrred it was an issue at the server level. We have Threatlocker and even when this was disabed, other parts of the security suite were causing the RST to be sent after this first 10 1460 frames were sent for any ftp TXT upload. After uninstalling it, I have the results. Now its time to show these to the engineers at Threatlocker. Thx!

BillSTS gravatar imageBillSTS ( 2024-12-28 13:58:07 +0000 )edit

Yay, that's good news that you identified the problem software and were able to get it working. Now hopefully Threatlocker can help you circumvent this problem with their software so you can continue using it and be able to upload txt files with FTP too.

Just for my own understanding, I assume Threatlocker was installed on the system with IP address 192.168.0.1 which you previously referred to as client (as in FTP client), but in the last comment is referred to as server (as in, system running a server OS on which the FTP client is used). Is that correct?

SYN-bit gravatar imageSYN-bit ( 2024-12-28 15:10:28 +0000 )edit
add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

subscribe to rss feed

Stats

Asked: 2024-12-21 12:19:16 +0000

Seen: 81 times

Last updated: Dec 24 '24

Related questions

Wireshark can capture FTP packets, but cannot view the packet contents of FTP-Data.

FTP from PLC to Robot with larger files fails

How are FTP ports decided ?

wireshark not capturing FTP on en0

Saving, opening, and viewing a .jpg from an TCP stream over FTP

percentage of each application layer protocol in a pcap file

FTP Server not responding

client wait 30s befor send SYN to ftp server on the passive port

Decrypt FTP login?

How to export packet bytes for pdf file in binary mode data connection? [closed]