wireshark not capturing FTP on en0

asked 2019-01-01 02:36:29 +0000

arcin_n_sparkin gravatar image

I set filter to show all FTP on en0 for wireless (macbook). I have FTP blocked on the router, and to have it report all ftp's blocked. I get at least one FTP attempt per day, yet wireshark is not seeing them. In the filter I set FTP en0 is present, or ==, yet I get nothing. What am I doing wrong??

edit retag flag offensive close merge delete

Comments

  1. How exactly do you filter?
  2. How have you blocked FTP on your router?
  3. How is it supposed to report blocked FTP?
  4. How do you know you have at least one FTP per day? I assume the router reporting?
  5. Where does this FTP connection attempt come from? Internal or external network?
  6. Have you tested the filter by attempting FTP connections yourself?
Jaap gravatar imageJaap ( 2019-01-01 09:10:22 +0000 )edit

In the router I just blocked the service. The report shows in the router logs. It shows the IP source from one device in the network. I installed wireshark on that device in hopes of finding the app that is trying to send the packets.

arcin_n_sparkin gravatar imagearcin_n_sparkin ( 2019-01-01 17:07:38 +0000 )edit

Thanks for answering question 1-5, this makes the situation much more clear. But can you answer question 6 as well? Furthermore, what do you see when you apply no filter at all? Is the capture usable, as in, do you see normal IP network traffic?

Jaap gravatar imageJaap ( 2019-01-01 18:59:31 +0000 )edit

I see all TCP, UDP, IGMP, and broadcast queries for the network. I just tried FTP to another computer in the network, the router blocked it, but no indication on wireshark.

arcin_n_sparkin gravatar imagearcin_n_sparkin ( 2019-01-01 20:07:37 +0000 )edit

So capturing works, you're seeing network traffic as expected. What are your filter expressions? What happens when you filter on TCP port 21 (the FTP port)?

Jaap gravatar imageJaap ( 2019-01-01 22:54:00 +0000 )edit
see more comments