This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

How to use Wireshark as a FTP proxy checker tool

0

How can Wireshark be used as an FTP proxy checker tool when various FTP clients upload to a proxy server through a proxifying program for the FTP client? How can Wireshark confirm that files are being transmitted through the port tunneling to the proxy server? A browser proxy can be checked with www.whatismyipadress.com. Where are the instructions on how FTP uploading by proxy can be checked with Wireshark?

asked 21 Jun '12, 17:13


wibon2
accept rate: 0%


2 Answers:

0

Wireshark is not a proxy checker, it is a network packet recording and analysis tool. So yes, you can try to diagnose and determine where packets come from and go to, but unless you're able to record the packets on their way via a proxy you're out of luck.

So you could capture in front of the FTP server and determine from what IPs the uploads come in, and then compare the IPs to known client IPs. If they're different, it's probably a proxy. If you do not know the client IPs you'll have to guess, but it is probably not going to work.

answered 21 Jun '12, 17:57


Jasper ♦♦
accept rate: 18%

0

There are basically three types of proxies for ftp.

  • http (web) proxy
    You can configure an http (web) proxy for some ftp clients (Filezilla). In that case, the client will use http to communicate with the proxy. Within that protocol it will request the ftp data with ftp://host/file. So, to detect the use of a proxy in this case, just look for URLs in the capture file that start with ftp://.
    Filter: ip.addr eq x.x.x.x and tcp contains "ftp://", where x.x.x.x is your client ip.
    This will also detect browsers trying to access an ftp server. You can check the 'User-Agent' header in the http request.

  • A "regular" ftp proxy
    In this case your ftp clients connect to an ftp proxy by opening a connection to the proxy ip with the ftp protocol, and then they open a connection to the target server with the SITE or OPEN command. There are also proxies that accept a special syntax for the user account and the password, like this: [email protected] They will relay the ftp connection to the target host. See the Filezilla docs for this feature or the KB of Blue Coat or M86 Security. You can detect the use of such a proxy by looking for SITE or OPEN commands in the ftp control connection, or by searching for USER commands with an @ char in them.
    Filter: ip.addr eq x.x.x.x and (ftp contains "SITE" or ftp contains "OPEN").
    Finding the special user name syntax is a bit tricky, as you cannot use regular expressions within the display filters.

  • a transparent ftp proxy
    You can detect this as described by @Jasper, or by using wrong ftp commands. Sometimes transparent ftp proxies answer with non-standard error messages and reveal their existence in this way. However, you cannot use this method within Wireshark. You have to do it in the ftp client.

Regards
Kurt

answered 21 Jun '12, 22:23


Kurt Knochner ♦
accept rate: 15%

edited 21 Jun '12, 22:28
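The three indicators from Kurt's answer (an HTTP request for an ftp:// URL, a SITE/OPEN relay command, and a USER name carrying an @host) can be checked outside Wireshark with a short script, which also covers the user-name case the answer calls tricky. This is an added example, not code from the original answer or from the Wireshark project; it runs over a constructed list of decoded client-to-server payload lines (as you would export them from a capture) and the `display_filter` helper echoes the filters given in the answer plus one assumed filter for the USER case.

```python
import re

# Constructed sample, not a real trace: (client_ip, server_ip, dst_port, decoded line)
SAMPLE_FLOWS = [
    ("192.0.2.10", "198.51.100.5", 8080, "GET ftp://files.example.org/report.csv HTTP/1.1"),
    ("192.0.2.10", "198.51.100.5", 8080, "User-Agent: FileZilla/3.5"),
    ("192.0.2.11", "198.51.100.21", 21, "USER alice@files.example.org"),
    ("192.0.2.11", "198.51.100.21", 21, "PASS secret"),
    ("192.0.2.12", "198.51.100.21", 21, "SITE files.example.org"),
    ("192.0.2.13", "203.0.113.7", 21, "USER bob"),
    ("192.0.2.13", "203.0.113.7", 21, "STOR upload.bin"),
]

# Indicator 1: an HTTP request line whose target is an ftp:// URL (web proxy).
HTTP_FTP_URL = re.compile(r"^(?:GET|PUT|POST|HEAD)\s+ftp://\S+", re.I)
# Indicator 2: SITE/OPEN relay commands on the ftp control connection.
FTP_RELAY_CMD = re.compile(r"^(?:SITE|OPEN)\s+\S+", re.I)
# Indicator 3: USER argument in user@host form, which display filters cannot match exactly.
FTP_USER_AT = re.compile(r"^USER\s+[^@\s]+@[^@\s]+$", re.I)

def classify(line):
    """Return the proxy indicator a single decoded line shows, or None."""
    line = line.strip()
    if HTTP_FTP_URL.match(line):
        return "http-proxy"
    if FTP_RELAY_CMD.match(line):
        return "ftp-proxy-site-open"
    if FTP_USER_AT.match(line):
        return "ftp-proxy-user-at-host"
    return None

def proxy_indicators(flows, client_ip):
    """Collect (indicator, server_ip, line) for everything one client sent."""
    hits = []
    for src, dst, _port, line in flows:
        if src == client_ip:
            kind = classify(line)
            if kind:
                hits.append((kind, dst, line.strip()))
    return hits

def display_filter(client_ip, kind):
    """Equivalent Wireshark display filter; the USER one is assumed, not from the answer."""
    if kind == "http-proxy":
        return f'ip.addr eq {client_ip} and tcp contains "ftp://"'
    if kind == "ftp-proxy-site-open":
        return f'ip.addr eq {client_ip} and (ftp contains "SITE" or ftp contains "OPEN")'
    if kind == "ftp-proxy-user-at-host":
        return f'ip.addr eq {client_ip} and ftp.request.command eq "USER" and ftp.request.arg contains "@"'
    raise ValueError(kind)

if __name__ == "__main__":
    for client in sorted({f[0] for f in SAMPLE_FLOWS}):
        for kind, server, line in proxy_indicators(SAMPLE_FLOWS, client):
            print(f"{client} -> {server}: {kind}: {line}   [{display_filter(client, kind)}]")
```

A client with no hits (192.0.2.13 in the sample) is consistent with a direct connection or a transparent proxy, which this check cannot tell apart.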