This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

unable to capture packets with ftp protocol

0

I am unable to capture FTP protocols. What I do is that I opened Wireshark and started capturing packets on wifi, and then I opened the site ftp://ftp.mcafee.com and also downloaded a file, and when I analyse the captured pcap file, there is no packet with the FTP protocol. I get this without a filter: [image]

and this by applying a filter: [image]

asked 10 Nov '15, 06:45


shazzy
accept rate: 0%

edited 10 Nov '15, 19:21

Do you have a local Firewall active?

(10 Nov '15, 08:09) Christian_R

Christian_R, shazzy says he has successfully downloaded the file so the firewall should not be the issue?

(10 Nov '15, 09:40) sindy

Is the wifi the only interface through which the computer can get to the internet?

If yes, have you captured any packets at all?

If yes, have you set any capture filter (not display filter)?

If yes, what exactly?

(10 Nov '15, 09:44) sindy

OK, I have edited my comment. In case anyone is able to capture packets from that website, can you please send me your pcap file to examine?

(10 Nov '15, 19:22) shazzy

Did you capture any DNS resolution for ftp.mcafee.com? If so, filter on the returned IP address to see if you have any traffic to/from that address.

This would be much easier if you would provide your pcap file for analysis.

(10 Nov '15, 19:26) Rooster_50
(10 Nov '15, 19:42) shazzy

One Answer:

1

You have a proxy configured in your browser (proxy: 10.3.100.207), see the CONNECT method in frame #62. So, if you open an FTP URL in the browser, you won't see the FTP protocol. Instead your browser will talk to the proxy via HTTP (port 8080 in your case) and ask the proxy to get the data from the FTP server. The proxy will open the FTP connection. As a result, on the client you will only see connections to the proxy (TCP/8080). If you want to decode that as HTTP, right click on one frame and select "Decode As -> HTTP".

To see the FTP request, please apply one of the following filters:

frame contains "ftp://ftp.mcafee.com"
frame contains "ftp://"

Then right click that frame and choose "Follow TCP Stream".

Regards
Kurt

answered 10 Nov '15, 19:42


Kurt Knochner ♦
accept rate: 15%
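
Added example (not part of the original answer and not Wireshark code): a Python sketch of the check the answer describes, telling proxy-bound HTTP requests (CONNECT, or an absolute `ftp://` URL in the request line) apart from native FTP on port 21. The payloads, the CONNECT target `www.example.com` and the function names are constructed for illustration; only the proxy address and port come from the answer.

```python
import re
from urllib.parse import urlsplit

# HTTP/1.x request line: METHOD SP request-target SP HTTP/1.x
REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/1\.[01]\r?\n")

def classify(payload: bytes):
    """Return (kind, method, target) for a TCP payload, or None if it is not an HTTP request."""
    m = REQUEST_LINE.match(payload)
    if not m:
        return None
    method, target = m.group(1).decode(), m.group(2).decode("latin-1")
    if method == "CONNECT":
        return ("tunnel", method, target)             # authority-form, only sent to a proxy
    scheme = urlsplit(target).scheme.lower()
    if scheme:
        return ("proxied-" + scheme, method, target)  # absolute-form, sent to a proxy
    return ("origin", method, target)                 # origin-form, sent to the server itself

def summarize(segments):
    """segments: iterable of (dst_ip, dst_port, payload) taken from client-side traffic."""
    out = {"native_ftp": False, "proxies": set(), "ftp_urls": []}
    for dst_ip, dst_port, payload in segments:
        if dst_port == 21:                            # FTP control channel seen directly
            out["native_ftp"] = True
        hit = classify(payload)
        if hit and hit[0] != "origin":
            out["proxies"].add((dst_ip, dst_port))
            if hit[0] == "proxied-ftp":
                out["ftp_urls"].append(hit[2])
    return out

# Constructed sample payloads; proxy 10.3.100.207:8080 is the one named in the answer.
SAMPLE = [
    ("10.3.100.207", 8080,
     b"CONNECT www.example.com:443 HTTP/1.1\r\nHost: www.example.com:443\r\n\r\n"),
    ("10.3.100.207", 8080,
     b"GET ftp://ftp.mcafee.com/ HTTP/1.1\r\nHost: ftp.mcafee.com\r\n\r\n"),
    ("10.3.100.207", 8080, b"\x16\x03\x01\x00\x05hello"),  # non-HTTP bytes inside a tunnel
]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

A result with `native_ftp` false and a non-empty `ftp_urls` list is the situation in this question: the FTP session exists only between the proxy and the server, so a client-side capture shows it as HTTP to the proxy.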

(10 Nov '15, 19:46) Kurt Knochner ♦

Thanks, it worked. Yes, I forgot to mention I am using proxy 10.3.100.207.

(10 Nov '15, 19:48) shazzy

Hint: If a supplied answer resolves your question can you please "accept" it by clicking the checkmark icon next to it. This highlights good answers for the benefit of subsequent users with the same or similar questions. For extra points you can up vote the answer (thumb up).

(10 Nov '15, 19:49) Kurt Knochner ♦

Do you also know how to properly open Wireshark in monitor mode in Windows?

(10 Nov '15, 19:54) shazzy

That's a different question. Please open a new one.

Long story short: not supported on Windows with WinPcap. You would need special hardware like AirPcap.

(10 Nov '15, 19:56) Kurt Knochner ♦