HPE Community
Operating System - HP-UX
1828412 Members
3831 Online
109977 Solutions
New Discussion

Re: How to capture ftp activity through tcpdump command

 
SOLVED
Go to solution
Becke
Super Advisor

‎04-24-2005 07:48 PM

‎04-24-2005 07:48 PM

How to capture ftp activity through tcpdump command

Hi Guys,

How do i capture ftp activity thorugh tcpdump command, we have automated ftp scripts in place, and I would like to capture ftp traffic.

Please advise
Cheers
0 Kudos
Reply
4 REPLIES 4
Denver Osborn
Honored Contributor

‎04-24-2005 10:10 PM

‎04-24-2005 10:10 PM

Re: How to capture ftp activity through tcpdump command

Here's one example that will listen on lan0 for traffic on port 21 and write the output to file /tmp/ftp.out.

tcpdump -i lan0 -n port 21 -w /tmp/ftp.out


Hope this helps,
-denver
0 Kudos
Reply
Becke
Super Advisor

‎04-25-2005 11:19 PM

‎04-25-2005 11:19 PM

Re: How to capture ftp activity through tcpdump command

Thanks a lot Denver

This would certainly help, so I can use ent0 for ethernet(production network), the command should look like this then,

tcpdump -i lan0 -n port21 -w /tmp/ftp.out, is that right?

Kind Regards,
Raf
0 Kudos
Reply
harry d brown jr
Honored Contributor

‎04-25-2005 11:44 PM

‎04-25-2005 11:44 PM

Solution

Re: How to capture ftp activity through tcpdump command

That's crazy talk.

Just define ftp to do more logging by changing /etc/inetd.conf:

ftp stream tcp nowait root /usr/lbin/ftpd ftpd -l -L -v -u 000

then get the pid of inetd:

ps -ef | grep inetd

then send it a command to reread the inetd.conf file:

kill -s SIGHUP pidnumberhere

You get things like this:

Apr 26 07:38:20 vpart3 ftpd[24050]: USER root
Apr 26 07:38:22 vpart3 ftpd[24050]: PASS password
Apr 26 07:38:22 vpart3 ftpd[24050]: FTP LOGIN FROM vpart1.mydomain.com [10.2.109.29], root
Apr 26 07:38:22 vpart3 ftpd[24050]: SYST
Apr 26 07:38:22 vpart3 ftpd[24050]: TYPE Image
Apr 26 07:38:25 vpart3 ftpd[24050]: CWD /tmp
Apr 26 07:38:27 vpart3 ftpd[24050]: PORT
Apr 26 07:38:27 vpart3 ftpd[24050]: TYPE ASCII
Apr 26 07:38:27 vpart3 ftpd[24050]: LIST
Apr 26 07:38:27 vpart3 ftpd[24050]: TYPE Image
Apr 26 07:38:48 vpart3 ftpd[24050]: PORT
Apr 26 07:38:48 vpart3 ftpd[24050]: RETR stats_5040.txt
Apr 26 07:38:51 vpart3 ftpd[24050]: QUIT
Apr 26 07:38:51 vpart3 ftpd[24050]: FTP session closed

beats trying to decypher tcpdump

live free or die
harry d brown jr
Live Free or Die
Reply
Becke
Super Advisor

‎04-26-2005 12:06 AM

‎04-26-2005 12:06 AM

Re: How to capture ftp activity through tcpdump command

Thanks for your explanation,

How do I automate this task, so I only capture ftp traffic, we have automated ftp scripts in place, and I'd like to capture ftp traffic only.

Thanks for your help

Cheers,
Raf
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.