Capturing and Analyzing FTP Traffic
After completing this lab, you will be able to:
• Capture network traffic with Wireshark
• Analyze captured FTP traffic
Materials Required
This lab requires the following:
• Windows Server 2019
• Windows 10
• The successful completion of Lab 6.1
In this lab, you use a protocol analyzer to capture FTP traffic and analyze the results.
1. Log on to Windows 10 as the administrator.
2. Click Start, click All Programs, and then click the Wireshark program.
3. From the Capture menu, select Interfaces. The Capture Interfaces window appears.
If there is currently network traffic, you will see the values in the respective columns
changing.
4. Place a check mark in the same row as the listing of your network interface card. An IP
address should be associated with the listing. Click the Start button. Unless there is no
network traffic, you will see frames, appearing as rows, being added to your screen.
If you are on a switched network, you will not see all the traffic that is on the network;
however, the traffic you are interested in is the communication between Client and
Server. On the Capture menu, click Stop so you can set up your connection to the
FTP server.
5. Open a command prompt, type cd \, and press Enter.
6. Type ftp hostname_of_FTP (where hostname_of_FTP is the NetBIOS name of your
FTP server—for example, ftp WIN-XXXXX). Do not press Enter! If you are not sure
of your FTP server’s NetBIOS name, log on to the FTP server and, from a command
prompt, type hostname and press Enter.
7. Switch back to Wireshark and, from the Capture menu, click Start. If prompted, click
Continue without Saving and then switch back to the Command Prompt window and
press Enter to run the command you typed in Step 6 in order to connect to the FTP
Server. The result should look like what is shown in Figure 7-3.
8. Log on to the FTP server as Your_username. (If you have not previously created this
user, in Server Manager click Tools, then click Computer Management, Local
Users and Groups, Users, expand your domain, right-click the Users container, click
New, and click User. Create a user whose full name is your first and last name, whose
user login name is the first letter of your first name followed by your last name, and
whose password is Pa$$word.) Press Enter.
9. Type Your_username's password, Pa$$word, and press Enter.
10. At the ftp> prompt, type dir and press Enter to see what files are in the FTP server’s
home directory. If you get a Windows Firewall error, click Unblock and click
Continue at the User Account Control window. You should now see the file
Confidential.txt listed.
11. Download Confidential.txt to your C: drive as follows: Type get Confidential.txt and
press Enter.
12. Type bye and press Enter to disconnect from the FTP server; return to Wireshark
and, from the Capture menu, click Stop.
13. Click the Windows Start button, click Computer, navigate to
C:\Users\Your Folder\Confidential.txt and open it to verify that you downloaded it
successfully.
14. Return to Wireshark and examine the captured packets.
15. If, in the Source and Destination columns, you see a lot of IP addresses or MAC
addresses that are neither Windows 10’s nor your FTP server’s, you can filter them
by clicking the Edit/apply display filter icon. (See Figure 7-4.)
16. In the Display Filter window, click the Expression button. In the Filter Expression
window, scroll down and click the + box to the left of IPv4 and scroll down and select
ip.addr – Source or Destination Address (see Figure 7-5).
17. In the Relation column, select ==. In the Value (IPv4 address) box, type the IP
address of Client and click OK.
18. In the Filter name box in the Display Filter window, type Client’s source or
destination and then click OK.
19. This will eliminate all the frames that are not directed to or from Client. Modify the
three horizontal windows of Wireshark so that the upper and lower windows are the
biggest, and widen the window so that you can see more of the Info column (see Figure
7-6).
20. Examine the frames and look at the Info column for clues to the purpose or content of
the frame; keep an eye on the ASCII representation of the data portion of the frame in
the lower window (see Figure 7-6).
What parts of the FTP session would be readable to an attacker sniffing the network with a
protocol analyzer like Wireshark?
21. Close Wireshark without saving the capture. Close all open windows and log off.
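The following Python script is an added example, not part of the lab manual, that reproduces offline what Steps 15 through 20 do in Wireshark: it builds a small pcap file in memory containing a constructed cleartext FTP session (handshake, USER/PASS login, RETR of Confidential.txt on the data channel, QUIT and FIN/ACK teardown) plus one unrelated frame, parses the Ethernet/IPv4/TCP headers itself, applies the equivalent of the ip.addr == Client display filter, and then prints an Info-column style line per frame together with every credential and file byte that was readable on the wire. All IP addresses, ports, the user name jdoe and the file text are constructed sample values; the pcap is generated by the script rather than captured.

```python
"""Constructed pcap of a cleartext FTP session, filtered and inspected the way the lab does in Wireshark."""
import socket
import struct

CLIENT = "192.168.1.10"  # constructed stand-in for Client
SERVER = "192.168.1.20"  # constructed stand-in for the FTP server
NOISE = "192.168.1.99"   # unrelated host whose traffic the ip.addr filter must drop

FIN, SYN, PSH, ACK = 0x01, 0x02, 0x08, 0x10  # TCP flag bits


def build_frame(src, dst, sport, dport, flags, payload=b""):
    """Ethernet + IPv4 + TCP frame (no options, zero checksums); constructed, not captured."""
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return eth + ip + tcp


def build_pcap(frames):
    """Wrap frames in a classic pcap file: magic 0xa1b2c3d4, version 2.4, link type 1 (Ethernet)."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    records = b"".join(struct.pack("<IIII", i, 0, len(f), len(f)) + f for i, f in enumerate(frames))
    return header + records


def build_session():
    """The FTP session the lab captures, as a pcap byte string (constructed sample traffic)."""
    return build_pcap([
        build_frame(NOISE, SERVER, 40000, 80, SYN),                      # not Client's traffic
        build_frame(CLIENT, SERVER, 50000, 21, SYN),                     # three-way handshake
        build_frame(SERVER, CLIENT, 21, 50000, SYN | ACK),
        build_frame(CLIENT, SERVER, 50000, 21, ACK),
        build_frame(SERVER, CLIENT, 21, 50000, PSH | ACK, b"220 FTP server ready\r\n"),
        build_frame(CLIENT, SERVER, 50000, 21, PSH | ACK, b"USER jdoe\r\n"),
        build_frame(SERVER, CLIENT, 21, 50000, PSH | ACK, b"331 Password required\r\n"),
        build_frame(CLIENT, SERVER, 50000, 21, PSH | ACK, b"PASS Pa$$word\r\n"),
        build_frame(SERVER, CLIENT, 21, 50000, PSH | ACK, b"230 User logged in\r\n"),
        build_frame(CLIENT, SERVER, 50000, 21, PSH | ACK, b"RETR Confidential.txt\r\n"),
        build_frame(SERVER, CLIENT, 20, 50001, PSH | ACK, b"Q3 merger plans - do not distribute\r\n"),
        build_frame(CLIENT, SERVER, 50000, 21, PSH | ACK, b"QUIT\r\n"),
        build_frame(SERVER, CLIENT, 21, 50000, FIN | ACK),               # teardown
        build_frame(CLIENT, SERVER, 50000, 21, FIN | ACK),
    ])


def parse_pcap(data):
    """Yield (src, dst, sport, dport, flags, payload) for every Ethernet/IPv4/TCP frame in a pcap."""
    off = 24  # skip the global header
    while off < len(data):
        _, _, caplen, _ = struct.unpack_from("<IIII", data, off)
        off += 16
        frame = data[off:off + caplen]
        off += caplen
        if frame[12:14] != b"\x08\x00":          # EtherType must be IPv4
            continue
        ip = frame[14:]
        if ip[9] != 6:                            # protocol must be TCP
            continue
        ihl = (ip[0] & 0x0F) * 4
        src, dst = socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])
        tcp = ip[ihl:]
        sport, dport = struct.unpack_from("!HH", tcp, 0)
        data_off = (tcp[12] >> 4) * 4
        yield src, dst, sport, dport, tcp[13], tcp[data_off:]


def ip_addr_filter(packets, host):
    """Equivalent of the Wireshark display filter `ip.addr == host` (source or destination)."""
    return [p for p in packets if host in (p[0], p[1])]


def flag_names(flags):
    return "/".join(n for n, bit in (("FIN", FIN), ("SYN", SYN), ("PSH", PSH), ("ACK", ACK)) if flags & bit)


def analyze(pcap_bytes, client):
    """Apply the filter, then report per-frame Info lines and everything readable in cleartext."""
    packets = ip_addr_filter(list(parse_pcap(pcap_bytes)), client)
    creds, file_data, info = {}, b"", []
    for src, dst, sport, dport, flags, payload in packets:
        if not payload:
            info.append(f"{src}:{sport} -> {dst}:{dport}  [{flag_names(flags)}]")
            continue
        text = payload.decode("ascii", "replace").rstrip()
        if payload.startswith(b"USER "):
            creds["user"] = text[5:]
        elif payload.startswith(b"PASS "):
            creds["password"] = text[5:]
        if 20 in (sport, dport):                  # active-mode data channel carries the file
            file_data += payload
        proto = "FTP-DATA" if 20 in (sport, dport) else "FTP"
        info.append(f"{src}:{sport} -> {dst}:{dport}  {proto} {text}")
    return {"frames": len(packets), "credentials": creds, "file": file_data.decode("ascii"), "info": info}


if __name__ == "__main__":
    result = analyze(build_session(), CLIENT)
    for line in result["info"]:
        print(line)
    print("Exposed credentials:", result["credentials"])
    print("Exposed file content:", result["file"].strip())
```

The first two filtered lines show the SYN from Client and the SYN/ACK reply, and the last two the FIN/ACK exchange, which is the same flag sequence you can check in the captured frames; the USER and PASS lines and the FTP-DATA frame are the parts of the session that anyone with a protocol analyzer on the path can read verbatim, which is the reason FTP over an untrusted network should be replaced by FTPS or SFTP.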
Review Questions
1. You have been asked to install an FTP server on the company’s internal network to be
used only by an employee committee that will be working on an advertising campaign to
encourage employees to donate to a charity.
Which of the following would be the most secure configuration of the FTP server?
a. Require users to authenticate using their domain account.
b. Require users to authenticate using a local account.
c. Require users to use anonymous authentication.
d. Allow users to share a single username and password.
2. In this lab, what is listed in the Info column of the frame in which the content of the file
Confidential.txt is visible?
a. FTP Data
b. Response
c. Request
d. get-request
3. Which of the following statements is the most accurate description of the communication
between Client and the FTP server in this lab?
a. Client initiated the connection by sending to the FTP server a packet with TCP
flags SYN and ACK set.
b. Client initiated the connection by sending to the FTP server a packet with TCP
flag ACK set.
c. Client initiated the connection by sending to the FTP server a packet with TCP
flag SYN set.
d. The FTP server initiated the connection by sending a packet to Client with TCP
flag SYN set.
4. Which of the following statements is the most accurate description of the communication
between the Client system and the FTP server in this lab?
a. Once the FTP server was contacted by Client, it sent a packet with the TCP flags
SYN and ACK set.
b. Once the FTP server was contacted by Client, it sent a packet with the TCP flag
ACK set.
c. Once the FTP server was contacted by Client, it sent a packet with the TCP flag
SYN set.
d. The FTP server was not first contacted by Client; it advertised its FTP service,
and Client responded.
5. Which of the following statements is the most accurate description of the communication
between the Client system and the FTP server in this lab?
a. The teardown of the TCP session began when the FTP server sent a packet to
Client with the TCP flag FIN set.
b. The teardown of the TCP session began when Client sent a FIN packet to the FTP
server.
c. The teardown of the TCP session began when the FTP server sent a packet to
Client with the TCP flags FIN and ACK set.
d. The teardown of the TCP session began when Client sent a packet to the FTP
server with the TCP flags FIN and ACK set.