Tutorial: File Transfer Protocol (FTP)

This tutorial discusses the ftpDecode plugin. FTP is the oldest file transfer protocol and it is not encrypted, so we can scrutinize and extract all of its content. Believe it or not, it is sometimes still used today.

Preparation

Before we start we need to prepare T2. If you did not complete the previous tutorials, just follow the procedure described below.

First I recommend setting T2 to a pristine state by removing all unnecessary or older plugins from the default plugin folder ~/.tranalyzer/plugins, just as a precaution in case you have old plugins or files there. If you want to keep them, copy them elsewhere first.

$ t2build -e
Are you sure you want to empty the plugin folder '/home/wurst/.tranalyzer/plugins' (y/N)? y
Plugin folder emptied
$

Then compile the following plugins:

$ t2build tranalyzer2 basicFlow tcpStates ftpDecode txtSink
...
BUILD SUCCESSFUL

$

If you have not yet created separate data and results directories, please do it now in another cmd window; it facilitates your workflow:

$ mkdir ~/data ~/results
$

Download the sample pcap here: ftp-dpic.pcap. Now you’re all set.

ftpDecode

Let’s look at the plugin configuration first:

$ ftpDecode
$ vi src/ftpDecode.h

This plugin is data carving capable, so it can extract the content of the flows, including user names and passwords; the latter are also printed in the flow file. If FTP_SAVE=1, all the content including commands, uploads and downloads is extracted under the path FTP_F_PATH. If no file name is found, e.g. if you only recorded the B flow, FTP_NONAME is used instead. Note that FTP_RMDIR=1 means the file directory is deleted on each new t2 execution, so if you want to keep earlier files, switch it to 0. Here we keep the default value.

The maximum lengths of the extracted user names and passwords can be configured, as can the form of the FTP command flow output. We leave it human readable and aggregated, and leave data carving off.

So execute t2 on the supplied pcap, including packet mode (-s).

$ t2 -r ~/test_data/data/ftp-dpic.pcap -w ~/results -s
================================================================================
Tranalyzer 0.8.10 (Anteater), Tarantula. PID: 47104
================================================================================
[INF] Creating flows for L2, IPv4, IPv6
Active plugins:
    01: basicFlow, 0.8.10
    02: tcpStates, 0.8.10
    03: ftpDecode, 0.8.10
    04: txtSink, 0.8.10
[INF] IPv4 Ver: 5, Rev: 16122020, Range Mode: 0, subnet ranges loaded: 406077 (406.08 K)
[INF] IPv6 Ver: 5, Rev: 17122020, Range Mode: 0, subnet ranges loaded: 51069 (51.07 K)
Processing file: /home/wurst/data/ftp/ftp-dpic.pcap
Link layer type: Ethernet [EN10MB/1]
Dump start: 1168195766.739929 sec (Sun 07 Jan 2007 18:49:26 GMT)
Dump stop : 1168195799.748737 sec (Sun 07 Jan 2007 18:49:59 GMT)
Total dump duration: 33.008808 sec
Finished processing. Elapsed time: 0.002674 sec
Finished unloading flow memory. Time: 0.002753 sec
Percentage completed: 100.00%
Number of processed packets: 92
Number of processed bytes: 69464 (69.46 K)
Number of raw bytes: 69464 (69.46 K)
Number of pad bytes: 26
Number of pcap bytes: 70960 (70.96 K)
Number of IPv4 packets: 92 [100.00%]
Number of A packets: 37 [40.22%]
Number of B packets: 55 [59.78%]
Number of A bytes: 2096 (2.10 K) [3.02%]
Number of B bytes: 67368 (67.37 K) [96.98%]
Average A packet load: 56.65
Average B packet load: 1224.87 (1.22 K)
--------------------------------------------------------------------------------
tcpStates: Aggregated tcpStatesAFlags=0xc3
ftpDecode: Aggregated ftpStat=0x0b
ftpDecode: Number of FTP control packets: 20 [21.74%]
ftpDecode: Number of FTP-DATA packets: 69 [75.00%]
--------------------------------------------------------------------------------
Headers count: min: 3, max: 3, average: 3.00
Number of TCP packets: 92 [100.00%]
Number of TCP bytes: 69464 (69.46 K) [100.00%]
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Number of processed   flows: 8
Number of processed A flows: 4 [50.00%]
Number of processed B flows: 4 [50.00%]
Number of request     flows: 4 [50.00%]
Number of reply       flows: 4 [50.00%]
Total   A/B    flow asymmetry: 0.00
Total req/rply flow asymmetry: 0.00
Number of processed   packets/flows: 11.50
Number of processed A packets/flows: 9.25
Number of processed B packets/flows: 13.75
Number of processed total packets/s: 2.79
Number of processed A+B   packets/s: 2.79
Number of processed A     packets/s: 1.12
Number of processed   B   packets/s: 1.67
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Number of average processed flows/s: 0.24
Average full raw bandwidth: 16835 b/s (16.84 Kb/s)
Average full bandwidth : 16829 b/s (16.83 Kb/s)
Max number of flows in memory: 6 [0.00%]
Memory usage: 0.02 GB [0.02%]
Aggregated flowStat=0x0400000000004000
[INF] IPv4 flows
$

So the end report states that we have 8 flows with 20 control and 69 data packets. Looking at the aggregated ftpStat reveals that we have a passive and an active FTP flow.

$ tawk -V ftpStat=0x0b
The ftpStat column with value 0x0b is to be interpreted as follows:

   bit | ftpStat | Description
   =============================================================================
     0 | 0x01    | FTP control port found
     1 | 0x02    | FTP passive parent flow
     3 | 0x08    | FTP active parent flow

So a promising error-free download; let's look at the flow file now. Unfortunately there are no user names and passwords in the pcap, so try it with your own and you will see them in ftpUser and ftpPass. Flow 1, denoted by ftpStat=0x09, contains four commands: TYPE;PASV;SIZE;RETR, hence a download was initiated. The B flow shows the aggregated return codes; 226 indicates a successful download. A list of codes can be found in ftpDecode.h. ftpCDFindex denotes the link between the command flow and its spawned data flow 2 for the user-initiated A flow 1. B flow 1 did not spawn any data flow, so the A flow 1 is linked. Data flow 2 denotes flow 1 as its parent. The column ftpCP shows all command parameters of all FTP flows. In flow 2 we see the name of the downloaded file.

$ cd ~/results
$ tcol ftp-dpic_flows.txt
%dir  flowInd  flowStat            timeFirst          timeLast           duration   numHdrDesc  numHdrs  hdrDesc       srcMac             dstMac             ethType  ethVlanID  srcIP            srcIPCC  srcIPOrg                        srcPort  dstIP            dstIPCC  dstIPOrg                        dstPort  l4Proto  tcpStatesAFlags  ftpStat  ftpCDFindex  ftpCC                ftpRC                ftpNumUser  ftpUser  ftpNumPass  ftpPass  ftpNumCP  ftpCP
A     2        0x0400000000004000  1168195766.764244  1168195766.976730  0.212486   1           3        eth:ipv4:tcp  00:16:36:a9:08:20  00:01:5c:22:a5:82  0x0800              67.180.72.76     us       "Comcast Cable Communications"  4076     128.121.136.217  us       "NTT America"                   30012    6        0x42             0x02     1                                                      0                    0                    1        "/funwithbill/Microsoft-1978.jpg"
B     2        0x0400000000004001  1168195766.782725  1168195766.965575  0.182850   1           3        eth:ipv4:tcp  00:01:5c:22:a5:82  00:16:36:a9:08:20  0x0800              128.121.136.217  us       "NTT America"                   30012    67.180.72.76     us       "Comcast Cable Communications"  4076     6        0x02             0x02     1                                                      0                    0                    1        "/funwithbill/Microsoft-1978.jpg"
A     1        0x0400000000004000  1168195766.739929  1168195799.748737  33.008808  1           3        eth:ipv4:tcp  00:16:36:a9:08:20  00:01:5c:22:a5:82  0x0800              67.180.72.76     us       "Comcast Cable Communications"  4075     128.121.136.217  us       "NTT America"                   21       6        0x43             0x09     2            TYPE;PASV;SIZE;RETR                       0                    0                    2        "I";"/funwithbill/Microsoft-1978.jpg"
B     1        0x0400000000004001  1168195766.751652  1168195767.017088  0.265436   1           3        eth:ipv4:tcp  00:01:5c:22:a5:82  00:16:36:a9:08:20  0x0800              128.121.136.217  us       "NTT America"                   21       67.180.72.76     us       "Comcast Cable Communications"  4075     6        0x03             0x09     2                                 200;227;213;150;226  0                    0                    1        "/funwithbill/Microsoft-1978.jpg"
A     3        0x0400000000004000  1168195798.794148  1168195798.808733  0.014585   1           3        eth:ipv4:tcp  00:16:36:a9:08:20  00:01:5c:22:a5:82  0x0800              67.180.72.76     us       "Comcast Cable Communications"  4072     128.121.136.217  us       "NTT America"                   21       6        0x83             0x01                                                            0                    0                    0
B     3        0x0400000000004001  1168195798.808082  1168195798.808646  0.000564   1           3        eth:ipv4:tcp  00:01:5c:22:a5:82  00:16:36:a9:08:20  0x0800              128.121.136.217  us       "NTT America"                   21       67.180.72.76     us       "Comcast Cable Communications"  4072     6        0x03             0x01                                                            0                    0                    0
A     4        0x0400000000004000  1168195799.515059  1168195799.527966  0.012907   1           3        eth:ipv4:tcp  00:16:36:a9:08:20  00:01:5c:22:a5:82  0x0800              67.180.72.76     us       "Comcast Cable Communications"  4071     128.121.136.217  us       "NTT America"                   21       6        0x83             0x01                                                            0                    0                    0
B     4        0x0400000000004001  1168195799.527449  1168195799.527938  0.000489   1           3        eth:ipv4:tcp  00:01:5c:22:a5:82  00:16:36:a9:08:20  0x0800              128.121.136.217  us       "NTT America"                   21       67.180.72.76     us       "Comcast Cable Communications"  4071     6        0x03             0x01

The packet file shows the FTP status for each packet and its content, which matches the extracted command and parameter columns in the flow file. Here you can also see the text of the FTP return codes for the control flow. The content being downloaded is visible in flow 2.

$ cd ~/results
$ tcol ftp-dpic_packets.txt
%pktNo  flowInd  flowStat            time               pktIAT     flowDuration  numHdrs  hdrDesc       ethVlanID  srcMac             dstMac             ethType  srcIP            srcIPCC  srcIPOrg                      srcPort  dstIP            dstIPCC  dstIPOrg                      dstPort  l4Proto  tcpStatesAFlags  ftpStat  l7Content
1       1        0x0400000000004000  1168195766.739929  0.000000   0.000000      3        eth:ipv4:tcp             00:16:36:a9:08:20  00:01:5c:22:a5:82  0x0800   67.180.72.76     us       Comcast Cable Communications  4075     128.121.136.217  us       NTT America                   21       6        0x01             0x01     TYPE I\r\n
2       1        0x0400000000004001  1168195766.751652  0.000000   0.000000      3        eth:ipv4:tcp             00:01:5c:22:a5:82  00:16:36:a9:08:20  0x0800   128.121.136.217  us       NTT America                   21       67.180.72.76     us       Comcast Cable Communications  4075     6        0x01             0x01     200 Type set to I\r\n
3       1        0x0400000000004000  1168195766.752010  0.012081   0.012081      3        eth:ipv4:tcp             00:16:36:a9:08:20  00:01:5c:22:a5:82  0x0800   67.180.72.76     us       Comcast Cable Communications  4075     128.121.136.217  us       NTT America                   21       6        0x01             0x01     PASV\r\n
4       1        0x0400000000004001  1168195766.764051  0.012399   0.012399      3        eth:ipv4:tcp             00:01:5c:22:a5:82  00:16:36:a9:08:20  0x0800   128.121.136.217  us       NTT America                   21       67.180.72.76     us       Comcast Cable Communications  4075     6        0x01             0x09     227 Entering Passive Mode (128,121,136,217,117,60).\r\n
5       2        0x0400000000004000  1168195766.764244  0.000000   0.000000      3        eth:ipv4:tcp             00:16:36:a9:08:20  00:01:5c:22:a5:82  0x0800   67.180.72.76     us       Comcast Cable Communications  4076     128.121.136.217  us       NTT America                   30012    6        0x00             0x00
6       2        0x0400000000004001  1168195766.782725  0.000000   0.000000      3        eth:ipv4:tcp             00:01:5c:22:a5:82  00:16:36:a9:08:20  0x0800   128.121.136.217  us       NTT America                   30012    67.180.72.76     us       Comcast Cable Communications  4076     6        0x00             0x00
7       2        0x0400000000004000  1168195766.782811  0.018567   0.018567      3        eth:ipv4:tcp             00:16:36:a9:08:20  00:01:5c:22:a5:82  0x0800   67.180.72.76     us       Comcast Cable Communications  4076     128.121.136.217  us       NTT America                   30012    6        0x00             0x00
8       1        0x0400000000004000  1168195766.782932  0.030922   0.043003      3        eth:ipv4:tcp             00:16:36:a9:08:20  00:01:5c:22:a5:82  0x0800   67.180.72.76     us       Comcast Cable Communications  4075     128.121.136.217  us       NTT America                   21       6        0x01             0x09     SIZE /funwithbill/Microsoft-1978.jpg\r\n
9       1        0x0400000000004001  1168195766.806945  0.042894   0.055293      3        eth:ipv4:tcp             00:01:5c:22:a5:82  00:16:36:a9:08:20  0x0800   128.121.136.217  us       NTT America                   21       67.180.72.76     us       Comcast Cable Communications  4075     6        0x01             0x09     213 64170\r\n
10      1        0x0400000000004000  1168195766.807113  0.024181   0.067184      3        eth:ipv4:tcp             00:16:36:a9:08:20  00:01:5c:22:a5:82  0x0800   67.180.72.76     us       Comcast Cable Communications  4075     128.121.136.217  us       NTT America                   21       6        0x01             0x09     RETR /funwithbill/Microsoft-1978.jpg\r\n
11      1        0x0400000000004001  1168195766.818968  0.012023   0.067316      3        eth:ipv4:tcp             00:01:5c:22:a5:82  00:16:36:a9:08:20  0x0800   128.121.136.217  us       NTT America                   21       67.180.72.76     us       Comcast Cable Communications  4075     6        0x01             0x09     150 Opening BINARY mode data connection for /funwithbill/Microsoft-1978.jpg (64170 bytes)\r\n
12      2        0x0400000000004001  1168195766.827519  0.044794   0.044794      3        eth:ipv4:tcp             00:01:5c:22:a5:82  00:16:36:a9:08:20  0x0800   128.121.136.217  us       NTT America                   30012    67.180.72.76     us       Comcast Cable Communications  4076     6        0x00             0x02     ......JFIF.....,.,.....C......................\n.....\n...\n..\r...\r............................C.......\t..\t.\r.\r.............................................................".....................................\t\n.....................}........!1A..Qa."q.2....#B...R..$3br.\t\n.....%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz.......................................................................................................\t\n.....................w.......!1..AQ.aq."2...B....\t#3R..br.\n.$4.%.....&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..E..+SP..(...(...(...(...(...(.....> .|'.-{Z.4...WN....KY<....|...x....4O..@......7>!.....R~..._.u...~...P..Q^.7.U...5x{....\rGP.R..M.!........Q'<..`...F._..?..\r....+...3u$V.Ms.2....(....2:Z+...*.kZ.b. ...Z..4V.i%.....H..fA..i\..C..}.....<Awm%.....,Q..+[.......|?/.$.`.......[.,.../..y.O3..4..W........eo....V..W..y,..,^_.....N....|G....K-7X.m.5[...O........2.......Rx.....gc....o._../CI..w?j./&H....f.
13      2        0x0400000000004001  1168195766.828740  0.001221   0.046015      3        eth:ipv4:tcp             00:01:5c:22:a5:82  00:16:36:a9:08:20  0x0800   128.121.136.217  us       NTT America                   30012    67.180.72.76     us       Comcast Cable Communications  4076     6        0x00             0x02     2=..+.....O.x.].tM/W..W...-J.....Fc....5:Z+...w...S.,t}R.B.G.67............J.o..\n....!.....X..-.....H..y...q..E.w.VU..4.......V.Z4..j...O2)".|.........5..k..x\.}..T......(.....-j..Z...i.)w....^[\..H..H..V......:.Y...Y[Gwu..w:.v..G/....(..}......<...1.....~.I..e.......2.._..lyqbIq..^....:>.-...p.E..-k#"......./.x.-.\r^(..a.LV7q.k4...H..~.}+R.......C....G_.....O....E'..Z...V.......+..5c.[]x.G.9o...l$..U.~U...b...}.mq.G.ig.....s...&......+##...iZ...cm}es....^lWP..G,.Z....O.|..kK%.....\...Hm"...2..ryq..q..@.-..xc..j...<Quql-f.....O.I...+..)|...............m.5..Sk>.!.f..9%..?.k ......=....M......4.KT.....J.+[[....._._..O.W..?..........u...2....=".w?.z...h.s.~<.|.%.z..\r.....[v?....".~.O.4xc....%...5H.o4..ol..S[7....G..~............jz........./b.....4..._*3..5............u(n....)o.../6Y".?0..ZB:Z+..Y.OD....;]..R.+..o..P..)c.A.......4.../.h........Y....r\.e.I..|..i.......I...G?............hy...^3.y........?.|....>3........u..Ib.....Rc.....h?h{...K...S....*-9~...s../.....x............x.....d....t.V.............K.....&....z..QZ...Q@..Q@..Q@..Q@..Q@..Q@..Q@..Q@..Q@..Q@..Q@..Q@..Q@....J.G.w.../.|q..Q...~..z....M.9%.m....4I.....C....M.....O.;.>...u.j:.....'W..'..H...../...w..#..X9.W.|g.1.............\.\.B=3V.Hm/b....2...T.9....+##..u......$..[..I.....Dj.......nzy^a.!.^..<.3Z~;.o.Y~<x_......E...Z-...s%....K.. ._............\t.v.....?..a...>...:~.q,.C7....d.G.......o.w..F._.i....<.,..F..=k.E.....M$....Q.....?.<O....|P...N..............l....H"..X.U...%..
14      2        0x0400000000004000  1168195766.828821  0.046010   0.064577      3        eth:ipv4:tcp             00:16:36:a9:08:20  00:01:5c:22:a5:82  0x0800   67.180.72.76     us       Comcast Cable Communications  4076     128.121.136.217  us       NTT America                   30012    6        0x00             0x02
15      2        0x0400000000004001  1168195766.842401  0.013661   0.059676      3        eth:ipv4:tcp             00:01:5c:22:a5:82  00:16:36:a9:08:20  0x0800   128.121.136.217  us       NTT America                   30012    67.180.72.76     us       Comcast Cable Communications  4076     6        0x00             0x02     ..u..\rz=..J......k._K4.K..........(.`....5......<-...qM....|7...I.E....q....&.=y..._U.Z..w........<~....Z.k,W:....Y@.ne..........|A.\r..|...>.....f.L.$....1I)...1k..?y..,..0............[.G....>.....w.u.....r\.>T]....>..T...$.I........tC...]K.~...._f..........m}AE..=..|.......x+.........iwRE.....8.1.dqP|m.U....>5.....j:..u..Mu..I,F.k...<....5.c.8..U..d>!....).I...E.a....g.u...<1.....V..-j.D.....H...V....9LR.FL.......>.....z....k.....@.....)6..........+.o+..Ib...s..........>......6........V2Gk{c'..iLg8.$..W..Y..a...Q.K....oN...R..]wT#..._...?v?...+....(.>..<Gj.^x.B..+.V9m.q.hR[y......yR...^..}YE.p..|.i.......=&....9.Zu..5.V..I0....^..~6.*.......[J{x..gG.......T$.#.5.Q@.k.......:......k6>..F.X......_..5..?...7.=?...2....ItC4O....!1y...O....Q@.O......f...w...P.<;k._..".!.(..........\n.~\r|........|Y....j...F......>N%.......c..'...TP..?.?g.[....9......CH..J..'...x.b._31.Z.,Rg..H$......O.h...._..h.O.....]V.......\........^.E.|.._......K...H.<..MJ.I"....[......ua._*Y}.y..]k..[.{........j1....siWz.ql.$..)%.......*(.....c........^#....B.b...N.....P....E.....#.......\...My.-.V...X......Im...R.[I.K..]x>..e...^)...._....=:+.....(........h.|.6A....\~.....?.........F...._..`..\rZ.XVO.....b..o.g.<..*....g.\rOW.Iw.........|..),w.1...)....5..O@.......N..O.....+Ko.Q.j...\n(..5\n(..\n(.h...(...(...(...(...(...(.......O.=.......Q..yo....q..%.?.]t?.k..h...........J.........|..Q..'..._.;P..S..~.X..j...R......u/&).uU?..r..Y.{]....{T_.7...$...?.~._.;Iy.Rx.+.Dzf.a..e.4
...
82      1        0x0400000000004001  1168195767.017088  0.198120   0.265436      3        eth:ipv4:tcp             00:01:5c:22:a5:82  00:16:36:a9:08:20  0x0800   128.121.136.217  us       NTT America                   21       67.180.72.76     us       Comcast Cable Communications  4075     6        0x01             0x09     226 Transfer complete.\r\n
83      1        0x0400000000004000  1168195767.160579  0.201264   0.420650      3        eth:ipv4:tcp             00:16:36:a9:08:20  00:01:5c:22:a5:82  0x0800   67.180.72.76     us       Comcast Cable Communications  4075     128.121.136.217  us       NTT America                   21       6        0x01             0x09
84      3        0x0400000000004000  1168195798.794148  0.000000   0.000000      3        eth:ipv4:tcp             00:16:36:a9:08:20  00:01:5c:22:a5:82  0x0800   67.180.72.76     us       Comcast Cable Communications  4072     128.121.136.217  us       NTT America                   21       6        0x01             0x01
85      3        0x0400000000004001  1168195798.808082  0.000000   0.000000      3        eth:ipv4:tcp             00:01:5c:22:a5:82  00:16:36:a9:08:20  0x0800   128.121.136.217  us       NTT America                   21       67.180.72.76     us       Comcast Cable Communications  4072     6        0x01             0x01
86      3        0x0400000000004001  1168195798.808646  0.000564   0.000564      3        eth:ipv4:tcp             00:01:5c:22:a5:82  00:16:36:a9:08:20  0x0800   128.121.136.217  us       NTT America                   21       67.180.72.76     us       Comcast Cable Communications  4072     6        0x01             0x01
87      3        0x0400000000004000  1168195798.808733  0.014585   0.014585      3        eth:ipv4:tcp             00:16:36:a9:08:20  00:01:5c:22:a5:82  0x0800   67.180.72.76     us       Comcast Cable Communications  4072     128.121.136.217  us       NTT America                   21       6        0x01             0x01
88      4        0x0400000000004000  1168195799.515059  0.000000   0.000000      3        eth:ipv4:tcp             00:16:36:a9:08:20  00:01:5c:22:a5:82  0x0800   67.180.72.76     us       Comcast Cable Communications  4071     128.121.136.217  us       NTT America                   21       6        0x01             0x01
89      4        0x0400000000004001  1168195799.527449  0.000000   0.000000      3        eth:ipv4:tcp             00:01:5c:22:a5:82  00:16:36:a9:08:20  0x0800   128.121.136.217  us       NTT America                   21       67.180.72.76     us       Comcast Cable Communications  4071     6        0x01             0x01
90      4        0x0400000000004001  1168195799.527938  0.000489   0.000489      3        eth:ipv4:tcp             00:01:5c:22:a5:82  00:16:36:a9:08:20  0x0800   128.121.136.217  us       NTT America                   21       67.180.72.76     us       Comcast Cable Communications  4071     6        0x01             0x01
91      4        0x0400000000004000  1168195799.527966  0.012907   0.012907      3        eth:ipv4:tcp             00:16:36:a9:08:20  00:01:5c:22:a5:82  0x0800   67.180.72.76     us       Comcast Cable Communications  4071     128.121.136.217  us       NTT America                   21       6        0x01             0x01
92      1        0x0400000000004000  1168195799.748737  32.588158  33.008808     3        eth:ipv4:tcp             00:16:36:a9:08:20  00:01:5c:22:a5:82  0x0800   67.180.72.76     us       Comcast Cable Communications  4075     128.121.136.217  us       NTT America                   21       6        0x43             0x09
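To make the linking between the control and data flows explicit, here is an added Python example (not part of the tutorial or of ftpDecode) that parses the flow 1 control channel shown above, derives the passive data endpoint from the 227 reply (117*256+60 = 30012), links it to data flow 2 the way ftpCDFindex does, and builds the carved file name in the form used later in this tutorial. The control lines and flow tuples are constructed from the output above; the 0x1 octet bounds check and the path separator replacement are this example's own.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample: the control-channel payloads of flow 1 (A = client,
# B = server) in capture order, copied from the packet file above.
CONTROL_LINES = [
    ("A", "TYPE I"),
    ("B", "200 Type set to I"),
    ("A", "PASV"),
    ("B", "227 Entering Passive Mode (128,121,136,217,117,60)."),
    ("A", "SIZE /funwithbill/Microsoft-1978.jpg"),
    ("B", "213 64170"),
    ("A", "RETR /funwithbill/Microsoft-1978.jpg"),
    ("B", "150 Opening BINARY mode data connection for "
          "/funwithbill/Microsoft-1978.jpg (64170 bytes)"),
    ("B", "226 Transfer complete."),
]

# Constructed sample: (flowInd, srcIP, srcPort, dstIP, dstPort) of the A flows
# from the flow file above; flow 2 is the data connection opened after PASV.
A_FLOWS = [
    (2, "67.180.72.76", 4076, "128.121.136.217", 30012),
    (1, "67.180.72.76", 4075, "128.121.136.217", 21),
    (3, "67.180.72.76", 4072, "128.121.136.217", 21),
]

PASV_RE = re.compile(r"\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")

def parse_pasv(reply: str) -> Optional[Tuple[str, int]]:
    """Turn a 227 reply into (ip, port); the port is p1 * 256 + p2.
    Malformed or out-of-range octets yield None rather than a bogus endpoint."""
    m = PASV_RE.search(reply)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        return None
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2

@dataclass
class FtpControl:
    commands: List[str] = field(default_factory=list)     # ftpCC
    params: List[str] = field(default_factory=list)       # ftpCP (deduplicated)
    reply_codes: List[int] = field(default_factory=list)  # ftpRC
    data_endpoint: Optional[Tuple[str, int]] = None       # from the 227 reply
    expected_size: Optional[int] = None                   # from the 213 reply
    transfer_complete: bool = False                       # a 226 reply was seen

def parse_control(lines) -> FtpControl:
    """Walk the control channel and collect what the flow file columns show."""
    s = FtpControl()
    for direction, line in lines:
        if direction == "A":
            cmd, _, arg = line.strip().partition(" ")
            s.commands.append(cmd.upper())
            if arg and arg not in s.params:
                s.params.append(arg)
            continue
        if len(line) < 3 or not line[:3].isdigit():
            continue  # continuation line of a multi-line reply
        code = int(line[:3])
        s.reply_codes.append(code)
        if code == 227:
            s.data_endpoint = parse_pasv(line)
        elif code == 213 and line[3:].strip().isdigit():
            s.expected_size = int(line[3:])
        elif code == 226:
            s.transfer_complete = True
    return s

def link_data_flow(endpoint: Tuple[str, int], flows) -> Optional[int]:
    """Return the flowInd whose destination is the PASV endpoint (ftpCDFindex)."""
    for ind, _src, _sport, dst, dport in flows:
        if (dst, dport) == endpoint:
            return ind
    return None

def carved_name(path: str, flow_index: int, direction: str) -> str:
    """Name a carved file as the tutorial shows it: separators become '_' and the
    data flow index and direction are appended, so a server-chosen path cannot
    escape the FTP_F_PATH directory."""
    safe = path.replace("/", "_").replace("\\", "_")
    return f"{safe}_{flow_index}_{direction}"

if __name__ == "__main__":
    ctl = parse_control(CONTROL_LINES)
    print("ftpCC:", ";".join(ctl.commands), "ftpRC:", ";".join(map(str, ctl.reply_codes)))
    print("ftpCDFindex:", link_data_flow(ctl.data_endpoint, A_FLOWS),
          "carved as:", carved_name(ctl.params[-1], 2, "B"))
```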

From the end report alone we can deduce that there is extractable content available. From the flow file we know its name and consistency status. Now we would like to see it. Let's data carve.

Data Carving with ftpDecode

In order to enable the data carving mode, FTP_SAVE has to be switched on. Use t2conf and t2build to reconfigure and recompile ftpDecode, then rerun t2 on the pcap.

$ t2conf ftpDecode -D FTP_SAVE=1 && t2build ftpDecode
...
$ t2 -r ~/test_data/data/ftp-dpic.pcap -w ~/results
...
--------------------------------------------------------------------------------
tcpStates: Aggregated tcpStatesAFlags=0xc3
ftpDecode: Aggregated ftpStat=0x0f
ftpDecode: Number of FTP control packets: 20 [21.74%]
ftpDecode: Number of FTP-DATA packets: 69 [75.00%]
ftpDecode: Number of files extracted: 1
--------------------------------------------------------------------------------
...
$

We see that one content file was extracted, and the status confirms that the file was properly extracted.

$ tawk -V ftpStat=0x0f
The ftpStat column with value 0x0f is to be interpreted as follows:

   bit | ftpStat | Description
   =============================================================================
     0 | 0x01    | FTP control port found
     1 | 0x02    | FTP passive parent flow
     2 | 0x04    | FTP passive parent flow write finished
     3 | 0x08    | FTP active parent flow

The flow file looks the same, except that the B flow 2 now has the bit 0x04 set, indicating successful extraction.

$ tcol ~/results/ftp-dpic_flows.txt
%dir  flowInd  flowStat            timeFirst          timeLast           duration   numHdrDesc  numHdrs  hdrDesc       srcMac             dstMac             ethType  ethVlanID  srcIP            srcIPCC  srcIPOrg                        srcPort  dstIP            dstIPCC  dstIPOrg                        dstPort  l4Proto  tcpStatesAFlags  ftpStat  ftpCDFindex  ftpCC                ftpRC                ftpNumUser  ftpUser  ftpNumPass  ftpPass  ftpNumCP  ftpCP
A     2        0x0400000000004000  1168195766.764244  1168195766.976730  0.212486   1           3        eth:ipv4:tcp  00:16:36:a9:08:20  00:01:5c:22:a5:82  0x0800              67.180.72.76     us       "Comcast Cable Communications"  4076     128.121.136.217  us       "NTT America"                   30012    6        0x42             0x02     1                                                      0                    0                    1        "/funwithbill/Microsoft-1978.jpg"
B     2        0x0400000000004001  1168195766.782725  1168195766.965575  0.182850   1           3        eth:ipv4:tcp  00:01:5c:22:a5:82  00:16:36:a9:08:20  0x0800              128.121.136.217  us       "NTT America"                   30012    67.180.72.76     us       "Comcast Cable Communications"  4076     6        0x02             0x06     1                                                      0                    0                    1        "_funwithbill_Microsoft-1978.jpg"
A     1        0x0400000000004000  1168195766.739929  1168195799.748737  33.008808  1           3        eth:ipv4:tcp  00:16:36:a9:08:20  00:01:5c:22:a5:82  0x0800              67.180.72.76     us       "Comcast Cable Communications"  4075     128.121.136.217  us       "NTT America"                   21       6        0x43             0x09     2            TYPE;PASV;SIZE;RETR                       0                    0                    2        "I";"/funwithbill/Microsoft-1978.jpg"
B     1        0x0400000000004001  1168195766.751652  1168195767.017088  0.265436   1           3        eth:ipv4:tcp  00:01:5c:22:a5:82  00:16:36:a9:08:20  0x0800              128.121.136.217  us       "NTT America"                   21       67.180.72.76     us       "Comcast Cable Communications"  4075     6        0x03             0x09     2                                 200;227;213;150;226  0                    0                    1        "/funwithbill/Microsoft-1978.jpg"
A     3        0x0400000000004000  1168195798.794148  1168195798.808733  0.014585   1           3        eth:ipv4:tcp  00:16:36:a9:08:20  00:01:5c:22:a5:82  0x0800              67.180.72.76     us       "Comcast Cable Communications"  4072     128.121.136.217  us       "NTT America"                   21       6        0x83             0x01                                                            0                    0                    0
B     3        0x0400000000004001  1168195798.808082  1168195798.808646  0.000564   1           3        eth:ipv4:tcp  00:01:5c:22:a5:82  00:16:36:a9:08:20  0x0800              128.121.136.217  us       "NTT America"                   21       67.180.72.76     us       "Comcast Cable Communications"  4072     6        0x03             0x01                                                            0                    0                    0
A     4        0x0400000000004000  1168195799.515059  1168195799.527966  0.012907   1           3        eth:ipv4:tcp  00:16:36:a9:08:20  00:01:5c:22:a5:82  0x0800              67.180.72.76     us       "Comcast Cable Communications"  4071     128.121.136.217  us       "NTT America"                   21       6        0x83             0x01                                                            0                    0                    0
B     4        0x0400000000004001  1168195799.527449  1168195799.527938  0.000489   1           3        eth:ipv4:tcp  00:01:5c:22:a5:82  00:16:36:a9:08:20  0x0800              128.121.136.217  us       "NTT America"                   21       67.180.72.76     us       "Comcast Cable Communications"  4071     6        0x03             0x01

By default the extracted files reside under the /tmp folder.

$ cd /tmp/FTPFILES/
$ ls
ftp_flow_1_A.txt  ftp_flow_1_B.txt  _funwithbill_Microsoft-1978.jpg_2_B
$

The first two files are the commands and responses of flow 1; the third is our extracted file. T2 adds the flow index and the flow direction to the file name. Let's look into the files.

$ cat ftp_flow_1_A.txt
TYPE I
PASV
SIZE /funwithbill/Microsoft-1978.jpg
RETR /funwithbill/Microsoft-1978.jpg
$ cat ftp_flow_1_B.txt
200 Type set to I
227 Entering Passive Mode (128,121,136,217,117,60).
213 64170
150 Opening BINARY mode data connection for /funwithbill/Microsoft-1978.jpg (64170 bytes)
226 Transfer complete.
$ eog _funwithbill_Microsoft-1978.jpg_2_B
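Before trusting a carved file as evidence, it pays to cross-check it against the control channel. The added Python check below (not part of the tutorial or of ftpDecode) compares a carved download with the server's 213 and 226 replies from ftp_flow_1_B.txt shown above; the JPEG bytes are a constructed stand-in padded to the advertised size, not the real _funwithbill_Microsoft-1978.jpg_2_B.

```python
import hashlib
import re
from typing import Dict, Optional

# Constructed sample: the contents of ftp_flow_1_B.txt exactly as listed above.
RESPONSES_B = """200 Type set to I
227 Entering Passive Mode (128,121,136,217,117,60).
213 64170
150 Opening BINARY mode data connection for /funwithbill/Microsoft-1978.jpg (64170 bytes)
226 Transfer complete.
"""

# Constructed stand-in for the carved file: a JFIF header and an end-of-image
# marker padded to the advertised 64170 bytes (not the real image).
SAMPLE_JPEG = (b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01"
               + b"\x00" * (64170 - 14) + b"\xff\xd9")

def advertised_size(responses: str) -> Optional[int]:
    """Size the server announced in its 213 reply to SIZE, or None."""
    m = re.search(r"^213 (\d+)\s*$", responses, re.M)
    return int(m.group(1)) if m else None

def transfer_completed(responses: str) -> bool:
    """True when the server closed the transfer with a 226 reply."""
    return re.search(r"^226 ", responses, re.M) is not None

def verify_carved(data: bytes, responses: str) -> Dict[str, object]:
    """Cross-check a carved download against its control channel: the byte count
    must equal the 213 size, a 226 must have been seen, and the bytes must look
    like the JPEG the RETR asked for. The hash goes into the evidence record."""
    size = advertised_size(responses)
    return {
        "size_ok": size is not None and len(data) == size,
        "completed": transfer_completed(responses),
        "jpeg_magic": data[:3] == b"\xff\xd8\xff" and data[-2:] == b"\xff\xd9",
        "sha256": hashlib.sha256(data).hexdigest(),
    }

def carved_is_consistent(data: bytes, responses: str) -> bool:
    """Single verdict: size, completion and file type all agree."""
    r = verify_carved(data, responses)
    return bool(r["size_ok"] and r["completed"] and r["jpeg_magic"])

if __name__ == "__main__":
    print(verify_carved(SAMPLE_JPEG, RESPONSES_B))
```

Point the same functions at the real carved file (read in binary mode) and the real ftp_flow_1_B.txt to check your own captures.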

Try it with your own FTP traffic. Don't forget to reset the plugin configuration for the next tutorial.

$ t2conf ftpDecode --reset && t2build ftpDecode
...
$

Have fun FTP data carving.