FTP Traffic

Prompt

We found some interesting FTP traffic, analyze the network packet capture to identify what was transferred.

You can read this guide to learn more about computer networking.

FTP.pcap (62.7 KB)

Walk-Through

Use Wireshark or, if provided, the web-based CloudShark tool to solve the challenge. FTP (File Transfer Protocol) is a basic protocol used to transfer files from one computer to another. All of the questions and answers are specific to FTP, so it is suggested that you learn more about FTP.

Questions 1 and 2 can be solved by right-clicking on the first packet in the capture and using the “Follow > TCP Stream” option.

Using CloudShark, clicking on the first packet and then clicking on “TCP Stream” at the bottom will have the same effect. Doing so will yield the following results:

The answers have been redacted with opaque squares that have a red border.

From this view, the username and password listed on the “USER” and “PASS” lines (in blue text) are visible. The server version is on the first line of the stream.

Questions 4 - 6 can be solved by applying the filter: ftp.response.code == 230. This filter searches for the server response that indicates that a session has been successfully authenticated (code 230). Once filtered, following the TCP stream on the first packet will yield the following results:

The answers have been redacted from the output.

Question 7 can be solved by applying the ftp-data filter and using knowledge of the packet numbers from the previous section.

There are 4 different interactions that can be seen in the filtered packets. These can be most easily identified by the timing shown in the “Time” column. Notice there are packets at 58 seconds, 92 seconds, 152 seconds and 162 seconds. By default, the time column displays the offset (in seconds) between the beginning of the packet capture and the moment the packet was recorded.

Packets that are very close (in the order of milliseconds) in time are likely a continuation of the same response, just split across multiple packets. By viewing the TCP stream, you can combine their contents into a single view. You can also look at the “Info” column to see the corresponding command associated with each packet.

Three of the four interactions are shown here by looking at the ‘Time’ column. Notice there are many packets all with the same time.

Look at packet No. 17, at approx. 58 seconds into the capture. In the “Info” column, it shows a “LIST” command in parentheses. The LIST command provides a listing of the current directory. Follow the TCP stream of this packet to see the contents of the directory when the command was run.


Below that packet, you can see packet No. 25 at approx. 92 seconds, which shows a “STOR” command in parentheses. The STOR command uploads a file and stores it on the FTP server; the packets in this stream are the pieces of data being uploaded, which explains why there are so many packets occurring at this time.

Packet No. 65 at approx. 152 seconds shows another listing of the current directory after the file was uploaded in the previous TCP stream. You can follow the TCP stream on this packet to see the new directory listing with the uploaded file included. From here, you can see the file size listed in one of the columns to get the answer to question 7.

The answer has been partially redacted.

Question 8 can be solved by using the ftp.response.code == 230 filter. However, this time the 2nd TCP stream should be followed. Following the first stream reveals the user who uploaded the file, and the second stream shows the activity of a USER named “anonymous”:

The answer has been redacted.
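The steps above amount to replaying an FTP control stream by hand: read the banner, pair each USER/PASS with the reply that follows, and watch which commands (DELE, STOR, RETR) get a success code. The script below does the same thing programmatically over a constructed transcript. It is an added example, not part of the challenge or of Cyber Skyline's material; the server name, credentials and file names are made up, and the ftp-data listing is assumed to be in the Unix `ls -l` style so the size sits in the fifth column.

```python
import re
# Constructed FTP control-channel transcript (not the challenge capture); every value is made up.
SAMPLE_STREAM = """220 (vsFTPd 3.0.3)
USER alice
PASS wrongpass
530 Login incorrect.
USER alice
PASS s3cret
230 Login successful.
DELE old_notes.txt
250 Delete operation successful.
STOR report.pdf
226 Transfer complete.
"""
# Constructed LIST output as it would appear on the separate ftp-data stream.
SAMPLE_LISTING = """-rw-r--r--    1 1000     1000        14213 Feb 03 12:01 report.pdf
"""
SERVER_LINE = re.compile(r"^(\d{3})[ -](.*)$")  # server replies start with a 3-digit code

def parse_ftp_stream(text):
    """Replay a control stream: banner, login attempts, first success, post-login file ops."""
    out = {"banner": None, "attempts": [], "success": None, "commands": [], "deleted": [], "uploaded": [], "downloaded": []}
    user, last_cmd, authed = None, ("", ""), False
    for line in text.splitlines():
        if not line.strip() or line[0].isspace():  # skip blanks and multi-line reply bodies
            continue
        m = SERVER_LINE.match(line)
        if m:  # server reply
            code, msg = int(m.group(1)), m.group(2)
            if code == 220 and out["banner"] is None:
                out["banner"] = msg
            elif code == 230 and out["success"] is None and out["attempts"]:
                out["success"], authed = out["attempts"][-1], True
            elif code == 250 and last_cmd[0] == "DELE":
                out["deleted"].append(last_cmd[1])
            elif code == 226 and last_cmd[0] in ("STOR", "RETR"):
                out["uploaded" if last_cmd[0] == "STOR" else "downloaded"].append(last_cmd[1])
            continue
        verb, _, arg = line.partition(" ")  # client command (verbs are sent in uppercase)
        if verb == "USER":
            user = arg
        elif verb == "PASS":
            out["attempts"].append(f"{user}:{arg}")  # credentials cross the wire in cleartext
        elif authed:
            out["commands"].append(verb)  # commands issued after successful login
        last_cmd = (verb, arg)
    return out

def listing_sizes(listing):
    rows = (l.split(None, 8) for l in listing.splitlines())  # Unix ls -l style; column 5 is bytes
    return {r[8]: int(r[4]) for r in rows if len(r) == 9}
```

The same walk over a real capture is what the `ftp.response.code == 230` filter shortcuts in Wireshark: the first 230 marks the attempt that worked, and every cleartext credential before it was a failed guess that the capture also preserves.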

Where to learn more about FTP:

  • Wikipedia: File Transfer Protocol
  • Be sure to watch our Tutorial Video below for more information!

Tutorial Video

Cyber Skyline Live - Analyzing FTP Traffic - Feb 3, 2022

In Cyber Skyline Live - Analyzing FTP Traffic, you'll learn from Franz Payer, CEO of Cyber Skyline, about what FTP is, extracting files from an FTP packet capture, and setting up your own FTP server. Reach out with questions at contact@cyberskyline.com. Cyber Skyline is the organizer of the National Cyber League, a bi-annual, all-virtual cybersecurity student competition, advancing hands-on skills and knowledge. Check the website at nationalcyberleague.org for details on NCL.


Questions

1. What was the first username:password combination attempt made to log in to the server? ex. 'user:password'

2. What software is the FTP server running? (Name and version)

3. What is the first username:password combination that allows for successful authentication?

4. What is the first command the user executes on the ftp server?

5. What file is deleted from the ftp server?

6. What file is uploaded to the ftp server?

7. What is the filesize (in bytes) of the uploaded file?

8. What file does the anonymous user download?

©️ 2025 Cyber Skyline. All Rights Reserved. Unauthorized reproduction or distribution of this copyrighted work is illegal.