How to capture ftp traffic using tcpdump command

Becke
Super Advisor


Hi Guys,
Basically I will be changing all the scripts which use ftp and will replace it with the sftp tool eventually; however, before I do this I need to identify what the ftp traffic is. I need to log all the ftp activity on all the servers for about a week, and I can use the "tcpdump" command. But I need to gather information ONLY pertaining to FTP traffic on each server and log the results over a week's period. Please advise how I use the tcpdump command so that it just gathers ftp activity.

Subsequently I then need to write a report of the current ftp activity. Please advise regarding the below as well; this is what I'm looking for:
i. Source of transaction
ii. Destination of transaction
iii. Host type
iv. Number of transactions
v. Total data transferred.

Please advise regarding the above, any help would be greatly appreciated.
cheers
Laurent Menase
Honored Contributor
Solution

Re: How to capture ftp traffic using tcpdump command

Hi,

Would the options -i -o -l -L for ftpd, set in inetd.conf, not be enough?
Or the ftpaccess log command?
I would not advise the tcpdump method:
it can lose messages,
it will capture any traffic and then produce a huge volume of data, and it will be difficult to gather data from the output.
Biswajit Tripathy
Honored Contributor

Re: How to capture ftp traffic using tcpdump command

It's not possible for you to do this using tcpdump. You will be able to find the source/destination using tcpdump, but not the number of transactions and total data. The major problem would be while the user is using passive FTP, where both the port numbers are generated at runtime and tcpdump will have no way of knowing what the port numbers are.

- Biswajit
:-)
rick jones
Honored Contributor

Re: How to capture ftp traffic using tcpdump command

If you set up your filter to capture packets to/from ports:

$ grep ftp /etc/services
ftp-data 20/tcp # File Transfer Protocol (Data)
ftp 21/tcp # File Transfer Protocol (Control)

and make sure you use a sufficiently large snaplen, you could in theory post-process it to see how much was transferred and what - the FTP control channel (port ftp) will have the file retrieval commands going across it, and you will see the PORT/PASV commands that tell you which ports will be used for data connections associated with that control connection.

Tools like ethereal may help with the post-processing.

However, tcpdump is going to be rather heavy overhead unless your FTP traffic is trivial. The aforementioned "increase the ftpd logging" would be much lower overhead, although it might not capture client activity.
there is no rest for the wicked yet the virtuous have no pillows
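As an added example (not from the thread or from any HP-UX tool), this is the post-processing step rick jones describes: once the port 21 control channel has been reassembled from a capture, decode the PORT arguments and 227 passive-mode replies into the data-connection endpoints and count the transfer commands. The control conversation below is constructed, not a real capture.

```python
import re
from typing import Dict, List, Optional, Tuple

# RFC 959 encodes host and port as six decimal fields h1,h2,h3,h4,p1,p2
# in both the client's PORT command and the server's 227 reply;
# the TCP port is p1*256 + p2.
HOSTPORT_RE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

def decode_hostport(text: str) -> Optional[Tuple[str, int]]:
    """Return (host, port) from a PORT argument or 227 reply, or None."""
    m = HOSTPORT_RE.search(text)
    if not m:
        return None
    fields = [int(x) for x in m.groups()]
    if max(fields) > 255:            # every field is a single octet
        return None
    h1, h2, h3, h4, p1, p2 = fields
    return (f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2)

def summarize_control_channel(lines: List[str]) -> Dict[str, list]:
    """Walk one reassembled FTP control conversation and extract what a
    report needs: the data connections announced by PORT/PASV (so the
    port 20 / ephemeral-port traffic can be matched to this session)
    and the transfer commands that count as transactions."""
    report = {"data_endpoints": [], "transfers": []}
    for line in lines:
        verb = line.split(" ", 1)[0].upper()
        if verb == "PORT":                      # active mode: client names the port
            ep = decode_hostport(line)
            if ep:
                report["data_endpoints"].append(("active",) + ep)
        elif line.startswith("227"):            # passive mode: server names the port
            ep = decode_hostport(line)
            if ep:
                report["data_endpoints"].append(("passive",) + ep)
        elif verb in ("RETR", "STOR", "LIST", "NLST"):
            report["transfers"].append(line.strip())
    return report

# Constructed sample conversation: one passive download, one active upload.
SAMPLE_CONTROL = [
    "220 hpux-host FTP server ready.", "USER becke", "331 Password required.",
    "PASS ********", "230 User logged in.",
    "PASV", "227 Entering Passive Mode (10,1,2,3,195,80)",
    "RETR report.txt", "226 Transfer complete.",
    "PORT 10,1,2,9,4,1", "200 PORT command successful.",
    "STOR upload.dat", "226 Transfer complete.", "QUIT",
]

if __name__ == "__main__":
    print(summarize_control_channel(SAMPLE_CONTROL))
```

The endpoints it returns are the ones whose data connections a capture filter on ports 20/21 alone would miss in passive mode, so they are what you would join against the rest of the capture to total the bytes per transfer.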