This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Completely lost on this TCP FTP issue.

0

My system in Florida cannot ftp to ftp.childnet.us.

It can ftp to other sites, i.e. ftp.bnl.gov

I can ftp to ftp.childnet.us from outside of our network.

I've done about everything I can think of to troubleshoot this. Here's what's going on exactly.

1) launch the command:

C:\Windows\system32>ftp ftp.childnet.us

2) Our systems do a 3-way TCP handshake:

96  4.871876000 192.168.180.12  65.240.236.154  TCP 66  51337 > ftp [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=1 SACK_PERM=1
97  4.901984000 65.240.236.154  192.168.180.12  TCP 66  ftp > 51337 [SYN, ACK] Seq=0 Ack=1 Win=8192 Len=0 MSS=1420 WS=256
SACK_PERM=1
98  4.902033000 192.168.180.12  65.240.236.154  TCP 54  51337 > ftp [ACK] Seq=1 Ack=1 Win=8192 Len=0

That results in the following display in the ftp screen:

Connected to ftp.childnet.us.

3) But then something goes wrong. The next packet is this:

99  4.930141000 65.240.236.154  192.168.180.12  TCP 60  ftp > 51337 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0

That is Childnet resetting the connection. it results in the following message on screen:

Connection closed by remote host.

And that's that. Nothing is possible.

I've been banging my head to figure this one out for quite a while. I'm open to any ideas here.

thanks!

asked 13 Jul '13, 09:07

meatstack's gravatar image

meatstack
11112
accept rate: 0%

1

what is the ip.ttl of the rst packet? is it the same as the syn_ack?

(13 Jul '13, 09:49) mrEEde2

2 Answers:

2

Just a guess, but I have seen behavior like this on the FTP command channel when the client IP address (in this case your public NAT address) was listed on a blacklist, or, depending on how the server is set up, NOT part of the whitelist. The FTP server learns about the connection attempt right after the stack finished the three way handshake, compares your public IP to the list of allowed clients and closes the socket when it is not allowed. This results in a Reset packet coming from the server right after the handshake.

Update: looks like the PC from where you're not able to connect is on a blacklist (or the public IP range is, for whatever reason), since I can connect to their FTP service just fine.

Advice: contact the FTP server admin, give him your public IP and ask, why you're being refused.

answered 13 Jul '13, 11:20

Jasper's gravatar image

Jasper ♦♦
23.8k551284
accept rate: 18%

edited 13 Jul '13, 14:32

I connected to the site and entered 5 times a wrong user/password. My 6th connection (and all thereafter) received a RESET. I guess I'm now banned by their FTP server forever ;-))

@meatstack: Please follow the advice of @Jasper and contact the admin of that system. Maybe one of your users (or you) did the same I did ;-))

UPDATE: And here is the online help for that nice feature :-)

http://help.globalscape.com/help/eft6-2/mergedprojects/eft/banning_an_ip_address_that_uses_an_invalid_account.htm

Regards
Kurt

(13 Jul '13, 16:19) Kurt Knochner ♦

0

Perhaps you need to use passive ftp mode?

See also http://ask.wireshark.org/questions/22585/question-about-passive-ftp and the various links in the answers to that question.

answered 13 Jul '13, 10:30

cmaynard's gravatar image

cmaynard ♦♦
9.4k1038142
accept rate: 20%