Wireshark not capturing FTP on en0
I set the filter to show all FTP on en0 for wireless (MacBook). I have FTP blocked on the router, and have it set to report all FTPs blocked. I get at least one FTP attempt per day, yet Wireshark is not seeing them. In the filter I set FTP en0 is present, or ==, yet I get nothing. What am I doing wrong?
In the router I just blocked the service. The report shows in the router logs. It shows the IP source from one device in the network. I installed Wireshark on that device in hopes of finding the app that is trying to send the packets.
Thanks for answering questions 1-5; this makes the situation much clearer. But can you answer question 6 as well? Furthermore, what do you see when you apply no filter at all? Is the capture usable, as in, do you see normal IP network traffic?
I see all TCP, UDP, IGMP, and broadcast queries for the network. I just tried FTP to another computer in the network, the router blocked it, but no indication on Wireshark.
So capturing works, you're seeing network traffic as expected. What are your filter expressions? What happens when you filter on TCP port 21 (the FTP port)?
Going through Safari (ftp://username:[email protected]) on en0 and on 127.0.0.1 (loopback), both ports 21 and 23. The router blocked the FTP, yet Wireshark showed nothing.
I ran a full scan of all traffic, tried FTP to a remote, and then searched for the FTP protocol in the live stream; it didn't register.
Just tried the same thing, connecting to ftp://ftp.cc.umanitoba.ca/ (without any router blocking this of course) and it showed up as expected. In your scenario, the least I would expect to see is a TCP SYN packet from the client to the intended FTP host to port 21. Or does your router block the DNS resolution also?
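The expectation in the last reply, that a blocked attempt should still leave at least a TCP SYN to port 21 in the capture, can be checked offline. The following is an added example, not code from the thread: it parses raw Ethernet frames and separates port-21 segments that carry payload (what a search for the FTP protocol needs in order to match) from bare SYNs that never received a SYN-ACK. The frames, addresses and function names are constructed for illustration.

```python
import socket
import struct

SYN, ACK, PSH = 0x02, 0x10, 0x08

def build_frame(src, dst, sport, dport, flags, payload=b""):
    """Constructed Ethernet II/IPv4/TCP frame; checksums are left at zero."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return b"\x02" * 6 + b"\x06" * 6 + b"\x08\x00" + ip + tcp + payload

def parse_tcp(frame):
    """Return (src, dst, sport, dport, flags, payload_len), or None if not IPv4/TCP."""
    if len(frame) < 54 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ihl = (frame[14] & 0x0F) * 4          # IPv4 header length in bytes
    tcp_at = 14 + ihl
    if len(frame) < tcp_at + 20:          # truncated TCP header
        return None
    total_len = struct.unpack("!H", frame[16:18])[0]
    sport, dport = struct.unpack("!HH", frame[tcp_at:tcp_at + 4])
    data_off = (frame[tcp_at + 12] >> 4) * 4
    return (socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34]),
            sport, dport, frame[tcp_at + 13], total_len - ihl - data_off)

def ftp_visibility(frames, port=21):
    """Summarise traffic on `port`: all segments, those with payload, unanswered SYNs."""
    segments = with_payload = 0
    unanswered = {}                       # (client, client_port, server) -> SYN count
    for frame in frames:
        parsed = parse_tcp(frame)
        if parsed is None or port not in parsed[2:4]:
            continue
        src, dst, sport, dport, flags, payload_len = parsed
        segments += 1
        with_payload += payload_len > 0
        if dport == port and flags & SYN and not flags & ACK:
            unanswered[(src, sport, dst)] = unanswered.get((src, sport, dst), 0) + 1
        elif sport == port and flags & SYN and flags & ACK:
            unanswered.pop((dst, dport, src), None)   # server replied: not blocked
    return {"segments": segments, "with_payload": with_payload, "unanswered": unanswered}

# Constructed capture: 3 SYN retries to a blocked server, one allowed FTP session, one HTTPS segment.
SAMPLE = [build_frame("192.168.1.23", "192.0.2.10", 50555, 21, SYN) for _ in range(3)] + [
    build_frame("192.168.1.23", "192.0.2.30", 50557, 21, SYN),
    build_frame("192.0.2.30", "192.168.1.23", 21, 50557, SYN | ACK),
    build_frame("192.0.2.30", "192.168.1.23", 21, 50557, PSH | ACK, b"220 ready\r\n"),
    build_frame("192.168.1.23", "192.0.2.20", 50556, 443, ACK, b"x" * 10),
]
```

On the constructed sample, `ftp_visibility(SAMPLE)` reports six segments on port 21 but only one with payload, and lists the three retried SYNs to 192.0.2.10 as unanswered; the source port in that entry is what ties the attempt back to a process on the client.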