Analyzing FTP problems

File Transfer Protocol (FTP) is a protocol created for transferring files over TCP/IP across a network. It runs over TCP ports 20 and 21, which carry the data connection and the control connection (FTP commands) respectively.

FTP has two modes of operation:

  • Active mode (ACTV): In this mode, the client initiates a control connection to the server, and the server initiates a data connection to the client
  • Passive mode (PASV): In this mode, the client initiates the control and data connections to the server

Both modes are in common use; they are explained later in this recipe, in the How it works... section.

Getting ready

When working with FTP, if you suspect any connectivity or slow-response problems, configure a port mirror on one of the following:

  • The FTP server port
  • The client port
  • A link that the traffic crosses

If required, configure a capture or display filter.

How to do it...

To check FTP performance problems, follow these steps:

  1. First, check for any Ethernet, IP, or TCP problems, as described in previous chapters. In many cases, slow responses happen due to networking problems and not necessarily due to application problems.
  2. Check for TCP retransmissions and duplicate ACKs, and note whether they appear across the entire traffic or only on the FTP connection.

    If you see them on many connections, the cause is probably a slow network that affects all traffic.

    If you see them only on FTP connections to the same server or client, the cause can be a slow server or client.

  3. When you are copying a single file in an FTP transfer, you should get a straight line in the IO graph and a constant gradient in the TCP stream graph (time-sequence).
  4. In the following screenshot, we can see what a bad FTP transfer looks like in the TCP stream graph (time-sequence):
    [Screenshot: TCP stream graph (time-sequence) of a slow FTP transfer]
  5. In the following screenshot, we can see how the same transfer looks in the IO graph (configured with filters):
    [Screenshot: IO graph of the FTP transfer, configured with filters]
  6. In the capture file shown in the following screenshot, we can see TCP window problems. These are listed as follows:
    1. The server 15.216.111.13 sends a TCP Window Full message to the client, indicating that the server's send window is full (packet 5763).
    2. The client 10.0.0.2 sends a TCP Zero Window message to the server, telling the server to stop sending data (packet 5778).
    3. The server keeps sending TCP Zero Window Probe messages to the client, asking whether the zero-window condition (which tells the server not to send any more data) still holds. The client answers each of them with a TCP Zero Window Probe Ack, indicating that this is still the case (packets 5793 to 5931).
    4. After a while, the client sends a TCP Window Update message to the server, telling it that it can resume sending and the FTP throughput starts to climb again (packet 5939).
    [Screenshot: packet list showing the TCP Window Full, Zero Window, Zero Window Probe/Probe Ack, and Window Update sequence]
  7. In the preceding case, it was simply a slow client. We solved the problem by working on the client and stopping some unnecessary processes.
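Steps 2 and 6 above describe two checks that can be done by hand on the packet list: deciding whether retransmissions and duplicate ACKs are network-wide or confined to the FTP connection, and walking the Window Full / Zero Window / Probe / Window Update sequence to find out which host stalled and for how long. The following script is an added example, not code from the book: it assumes the packet list was exported from Wireshark as tab-separated text with the default columns (No., Time, Source, Destination, Protocol, Info) and looks for the expert-info prefixes Wireshark places in the Info column. The sample capture lines are constructed; their packet numbers and addresses follow the recipe's description, and an unrelated HTTP conversation is included so there is something for the FTP-only test to compare against.

```python
"""Triage a Wireshark packet-list export for the FTP symptoms in this recipe.

Added example, not from the book. Assumes a tab-separated export with the
default columns No., Time, Source, Destination, Protocol, Info.
"""
import re
from collections import defaultdict

# Constructed sample; packet numbers and addresses follow the recipe's
# description of its capture, everything else is made up for the example.
SAMPLE = """\
5760\t10.001\t15.216.111.13\t10.0.0.2\tFTP-DATA\tFTP Data: 1460 bytes
5761\t10.002\t10.0.0.2\t15.216.111.13\tTCP\t1025 > 20 [ACK] Seq=1 Ack=14601 Win=2048
5762\t10.050\t10.0.0.7\t198.51.100.20\tHTTP\tGET /index.html HTTP/1.1
5763\t10.101\t15.216.111.13\t10.0.0.2\tTCP\t[TCP Window Full] 20 > 1025 [ACK] Seq=14601 Ack=1
5778\t10.105\t10.0.0.2\t15.216.111.13\tTCP\t[TCP ZeroWindow] 1025 > 20 [ACK] Seq=1 Ack=16649 Win=0
5793\t10.305\t15.216.111.13\t10.0.0.2\tTCP\t[TCP ZeroWindowProbe] 20 > 1025 [ACK] Seq=16649 Ack=1
5794\t10.306\t10.0.0.2\t15.216.111.13\tTCP\t[TCP ZeroWindowProbeAck] 1025 > 20 [ACK] Seq=1 Ack=16649 Win=0
5930\t13.905\t15.216.111.13\t10.0.0.2\tTCP\t[TCP ZeroWindowProbe] 20 > 1025 [ACK] Seq=16649 Ack=1
5931\t13.906\t10.0.0.2\t15.216.111.13\tTCP\t[TCP ZeroWindowProbeAck] 1025 > 20 [ACK] Seq=1 Ack=16649 Win=0
5939\t14.210\t10.0.0.2\t15.216.111.13\tTCP\t[TCP Window Update] 1025 > 20 [ACK] Seq=1 Ack=16649 Win=65535
5940\t14.211\t15.216.111.13\t10.0.0.2\tTCP\t[TCP Retransmission] 20 > 1025 [PSH, ACK] Seq=16649 Ack=1
5941\t14.300\t198.51.100.20\t10.0.0.7\tHTTP\tHTTP/1.1 200 OK
"""

# Wireshark expert-info prefixes such as "[TCP Window Full]" or "[TCP Dup ACK 5761#1]".
FLAG_RE = re.compile(r"\[TCP ([A-Za-z ]+?)(?: \d+#\d+)?\]")
RETRANS_FLAGS = {"Retransmission", "FastRetransmission", "SpuriousRetransmission", "DupACK"}


def parse_packets(text):
    """Turn the export into dicts; flags are the bracketed expert notes, spaces removed."""
    packets = []
    for line in text.splitlines():
        if not line.strip():
            continue
        no, time, src, dst, proto, info = line.split("\t", 5)
        packets.append({"no": int(no), "time": float(time), "src": src, "dst": dst,
                        "proto": proto, "info": info,
                        "flags": [f.replace(" ", "") for f in FLAG_RE.findall(info)]})
    return packets


def conversations(packets):
    """Group packets by unordered address pair (one entry per host pair)."""
    convs = defaultdict(list)
    for p in packets:
        convs[tuple(sorted((p["src"], p["dst"])))].append(p)
    return convs


def is_ftp(pkts):
    return any(p["proto"] in ("FTP", "FTP-DATA") for p in pkts)


def retransmission_scope(convs):
    """Step 2: retransmissions/dup ACKs on all traffic, only on FTP, or none."""
    ftp_hit = other_hit = False
    for pkts in convs.values():
        if not any(f in RETRANS_FLAGS for p in pkts for f in p["flags"]):
            continue
        if is_ftp(pkts):
            ftp_hit = True
        else:
            other_hit = True
    return "network-wide" if other_hit else ("ftp-only" if ftp_hit else "none")


def zero_window_stalls(convs):
    """Step 6: from a Zero Window to the Window Update sent by the same host."""
    stalls = []
    for pkts in convs.values():
        start, probes = None, 0
        for p in sorted(pkts, key=lambda x: x["no"]):
            if "ZeroWindow" in p["flags"] and start is None:
                start, probes = p, 0          # the sender of this packet is the slow receiver
            elif start is not None and "ZeroWindowProbe" in p["flags"]:
                probes += 1                   # peer asking whether the window opened
            elif start is not None and "WindowUpdate" in p["flags"] and p["src"] == start["src"]:
                stalls.append({"slow_host": start["src"], "peer": start["dst"],
                               "first_packet": start["no"], "update_packet": p["no"],
                               "probes": probes,
                               "stall_seconds": round(p["time"] - start["time"], 3)})
                start = None
    return stalls


def diagnose(packets):
    convs = conversations(packets)
    return {"retransmission_scope": retransmission_scope(convs),
            "zero_window_stalls": zero_window_stalls(convs),
            "ftp_conversations": sorted(k for k, v in convs.items() if is_ftp(v))}


if __name__ == "__main__":
    report = diagnose(parse_packets(SAMPLE))
    print("FTP conversations:", report["ftp_conversations"])
    print("Retransmissions/dup ACKs:", report["retransmission_scope"])
    for s in report["zero_window_stalls"]:
        print(f"{s['slow_host']} held a zero window for {s['stall_seconds']} s "
              f"(packets {s['first_packet']}-{s['update_packet']}, {s['probes']} probes)")
```

On the sample the script reports that retransmissions occur only on the FTP conversation and that 10.0.0.2 held a zero window for about four seconds, which is the "slow client" conclusion the recipe reaches from its screenshot. Export a real packet list with File | Export Packet Dissections | As Plain Text (or `tshark -T tsv`) and apply a display filter such as `tcp.analysis.flags` first if the capture is large.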

If you are facing connectivity problems, the cause can be a non-functioning server, a firewall that blocks the connection on the way, or software installed on the server or client that blocks it. In this case, go through the following steps:

  1. Was the TCP connection opened properly with the SYN/SYN-ACK/ACK packets? If not, it can be due to:
    • A firewall that blocks communications. Check with the system administrator.
    • The server not running. Check this on the server, in the process table, the FTP server management console, and so on.
    • Software on the server blocking connectivity. It can be an antivirus product that includes its own firewall, a VPN client, or any other security or protection software.
    • Check the connectivity on the client, too. It can be blocked by a VPN client, a firewall on the client, and so on.
  2. In active mode, the client opens a connection to the server, and the server then opens another connection back to the client. Make sure that the firewalls on the way allow this, or use passive mode.

How it works...

There are two modes of FTP: active and passive. In the active mode, the server opens another connection to the client, while in passive mode, it is the client that opens the second connection to the server. Let's see how it works.

In passive mode, the operations are as shown in the following screenshot:

[Screenshot: passive mode, control and data connection sequence]
  1. The client opens a control connection from a random port P (1024 in the example) to the server port 21.
  2. The server answers back from port 21 to the client port 1024.
  3. Now, the client opens a data connection from the port P+1 (1025 in the example) to a data port that the server has opened and notified the client about (port 2000 in the example).
  4. The server answers from the data port (2000 in the example) to the client port that initiated the connection, that is, the data port P+1 (1025 in the example).

In the active mode, the operation is slightly different:

  1. The client opens a control connection from a random port P (1024 in the example) to the server port 21.
  2. The server answers from port 21 to the client port 1024.
  3. The server opens the data connection from port 20 to the client port P+1 (1025 in the example).
  4. The client answers from the data port P+1 (1025 in the example) to the server port 20.
    [Screenshot: active mode, control and data connection sequence]
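The two sequences above are driven by a short exchange on the control connection: in passive mode the server's 227 reply tells the client which data port to connect to, and in active mode the client's PORT command tells the server which client port to connect to. The script below is an added example, not code from the book. It simulates only that control-channel exchange with the RFC 959 host/port syntax (h1,h2,h3,h4,p1,p2, where the port is p1*256 + p2) and opens no sockets; the addresses are taken from the recipe's capture (server 15.216.111.13, client 10.0.0.2) and the ports from the description above (P = 1024, P+1 = 1025, server data port 2000). It also reports which side has to accept the inbound data connection, which is the point of step 2 in the connectivity checklist.

```python
"""Port negotiation behind FTP's passive and active modes.

Added example, not from the book. Simulates the control-channel exchange
only (RFC 959 PASV/PORT syntax); no network connections are made.
"""
import re

HOSTPORT_RE = re.compile(r"(\d{1,3}(?:,\d{1,3}){5})")


def encode_hostport(ip, port):
    """Build the h1,h2,h3,h4,p1,p2 string carried by PORT and by the 227 reply."""
    if not 0 < port < 65536:
        raise ValueError(f"port out of range: {port}")
    return ",".join(ip.split(".") + [str(port // 256), str(port % 256)])


def decode_hostport(text):
    """Parse h1,h2,h3,h4,p1,p2 out of a PORT command or a 227 reply."""
    m = HOSTPORT_RE.search(text)
    if not m:
        raise ValueError(f"no host/port tuple in: {text!r}")
    fields = [int(x) for x in m.group(1).split(",")]
    if any(f > 255 for f in fields):
        raise ValueError(f"octet out of range in: {text!r}")
    return ".".join(map(str, fields[:4])), fields[4] * 256 + fields[5]


def passive_mode(client_ip, p, server_ip, server_data_port):
    """Client sends PASV; server answers with the data port it is listening on."""
    ctl = [
        ("client", client_ip, p, server_ip, 21, "PASV"),
        ("server", server_ip, 21, client_ip, p,
         f"227 Entering Passive Mode ({encode_hostport(server_ip, server_data_port)})"),
    ]
    addr, port = decode_hostport(ctl[-1][-1])          # client parses the reply
    data = {"initiator": "client", "src": (client_ip, p + 1), "dst": (addr, port)}
    return ctl, data


def active_mode(client_ip, p, server_ip):
    """Client names its own listening port with PORT; server connects from port 20."""
    ctl = [
        ("client", client_ip, p, server_ip, 21, f"PORT {encode_hostport(client_ip, p + 1)}"),
        ("server", server_ip, 21, client_ip, p, "200 Command okay."),
    ]
    addr, port = decode_hostport(ctl[0][-1])           # server parses the command
    data = {"initiator": "server", "src": (server_ip, 20), "dst": (addr, port)}
    return ctl, data


def inbound_side(data, client_ip, server_ip):
    """Which side's firewall must accept the inbound data connection:
    the client in active mode, the server in passive mode."""
    dst_ip = data["dst"][0]
    if dst_ip == client_ip:
        return "client"
    if dst_ip == server_ip:
        return "server"
    # Advertised address matches neither peer: a NAT device rewrote the IP
    # header but not the address carried inside the FTP payload.
    return "neither (advertised address matches neither peer)"


if __name__ == "__main__":
    client, server = "10.0.0.2", "15.216.111.13"
    for name, (ctl, data) in [("passive", passive_mode(client, 1024, server, 2000)),
                              ("active", active_mode(client, 1024, server))]:
        print(f"{name} mode")
        for who, sip, sport, dip, dport, msg in ctl:
            print(f"  {who:6} {sip}:{sport} -> {dip}:{dport}  {msg}")
        print(f"  data: {data['src']} -> {data['dst']} opened by the {data['initiator']};"
              f" inbound rule needed on the {inbound_side(data, client, server)}")
```

Running it prints both dialogs and shows why active mode is the one that stateful firewalls and NAT on the client side tend to break: the server, not the client, initiates the second connection, towards a port the client announced in the payload. The third return value of `inbound_side` is the case to look for when the 227 reply in a capture carries an address that differs from the server's real one.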

There's more...

FTP is a very simple application, and in most cases FTP problems have very simple solutions. Some examples are as follows:

  • Problem 1: I've monitored an international connection with FTP clients on one side of the network and an FTP server on the other side. The customer complained about slow performance and blamed the international service provider. After checking with the service provider, they said the connection was hardly loaded (20 percent of a 10 Mbps line), a fact that I confirmed when I checked the line. When I looked at the TCP issues (retransmissions, window problems, and so on), there were none. Just to check, I removed the FTP server and installed another one (there are many free ones), and it started to work. It was a simple problem of an inefficient FTP server.
  • Problem 2: A customer complained that when connecting to an FTP server, the connection was refused after every 5 or 6 trials. When I checked it with Wireshark, I saw the FTP connection refused messages (and I already knew about this from the customer's complaint), so it looked like a dead end. Just to check, I started to stop the services running on the server, and the problem came out. It was antivirus software that was interfering with this specific FTP server.

The bottom line is: even with Wireshark (and other software), sometimes common sense will help you more.
