This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

I am unable to capture FTP protocols. What I do is that I opened Wireshark and start capturing packets on wifi and then I opened site ftp://ftp.mcafee.com and also downloaded a file, and when I analyse the captured pcap file, there is no packet with the FTP protocol. I get this without filter: [image]

and this by applying filter: [image]

asked 10 Nov '15, 06:45

shazzy

edited 10 Nov '15, 19:21

Do you have a local Firewall active?

(10 Nov '15, 08:09) Christian_R

Christian_R, shazzy says he has successfully downloaded the file so the firewall should not be the issue?

(10 Nov '15, 09:40) sindy

Is the wifi the only interface through which the computer can get to internet?

If yes, have you captured any packets at all?

If yes, have you set any capture filter (not display filter)?

If yes, what exactly?

(10 Nov '15, 09:44) sindy

OK, I have edited my comment. In case anyone is able to capture packets from that website, can you please send me your pcap file to examine?

(10 Nov '15, 19:22) shazzy

Did you capture any DNS resolution for ftp.mcafee.com? And if so, filter on the returned IP address to see if you have any traffic to/from that address.

This would be much easier if you would provide your pcap file for analysis.

(10 Nov '15, 19:26) Rooster_50

You have a proxy configured in your browser (proxy: 10.3.100.207), see the CONNECT method in frame #62. So, if you open an FTP URL in the browser, you won't see the FTP protocol. Instead your browser will talk to the proxy via HTTP (port 8080 in your case) and ask the proxy to get the data from the FTP server. The proxy will open the FTP connection. As a result, on the client you will only see connections to the proxy (TCP/8080). If you want to decode that as HTTP, right click on one frame and select "Decode As -> HTTP".

To see the FTP request, please apply one of the following filters:

frame contains "ftp://ftp.mcafee.com"
frame contains "ftp://"

Then right click that frame and choose "Follow TCP Stream".

Regards
Kurt

answered 10 Nov '15, 19:42

Kurt Knochner ♦

(10 Nov '15, 19:46) Kurt Knochner ♦

Thanks, it worked. Yes, I forgot to mention I am using proxy 10.3.100.207.

(10 Nov '15, 19:48) shazzy

Hint: If a supplied answer resolves your question can you please "accept" it by clicking the checkmark icon next to it. This highlights good answers for the benefit of subsequent users with the same or similar questions. For extra points you can up vote the answer (thumb up).

(10 Nov '15, 19:49) Kurt Knochner ♦

Do you also know how to properly open Wireshark in monitor mode in Windows?

(10 Nov '15, 19:54) shazzy

That's a different question. Please open a new one.

Long story short: not supported on Windows with WinPcap. You would need special hardware like AirPcap.

(10 Nov '15, 19:56) Kurt Knochner ♦
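
The accepted answer above explains that a browser behind a proxy sends the ftp:// URL inside an HTTP request to the proxy, so the capture shows only TCP/8080 and no FTP. As an added example that is not part of the original thread, this sketch classifies request lines taken from such TCP payloads (for instance copied out of "Follow TCP Stream"); the function names and the sample payloads are constructed for illustration.

```python
# Added example (not from the original thread). Sample payloads are constructed.
from urllib.parse import urlsplit

METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "CONNECT"}
DEFAULT_PORTS = {"ftp": 21, "http": 80, "https": 443}

def classify_proxy_request(payload: bytes):
    """Parse the request line of one TCP payload.

    Returns a dict describing the request, or None when the payload does not
    start with an HTTP request line (for example TLS bytes inside a tunnel).
    """
    line = payload.split(b"\r\n", 1)[0].decode("latin-1")
    parts = line.split(" ")
    if len(parts) != 3 or parts[0] not in METHODS or not parts[2].startswith("HTTP/"):
        return None
    method, target = parts[0], parts[1]
    if method == "CONNECT":
        # authority-form: the proxy is asked to open a raw tunnel to host:port
        host, _, port = target.rpartition(":")
        if not host or not port.isdigit():
            return None
        return {"kind": "tunnel", "scheme": None, "host": host, "port": int(port)}
    try:
        url = urlsplit(target)
        port = url.port
    except ValueError:
        return None
    if url.scheme and url.hostname:
        # absolute-form: only sent to a proxy; the scheme names the protocol
        # the proxy speaks to the origin server on the client's behalf
        scheme = url.scheme.lower()
        return {"kind": "proxied", "scheme": scheme, "host": url.hostname,
                "port": port or DEFAULT_PORTS.get(scheme)}
    # origin-form ("/path"): an ordinary request sent straight to a web server
    return {"kind": "direct", "scheme": None, "host": None, "port": None}

def ftp_via_proxy(payloads):
    """Return the parsed requests that ask a proxy to fetch an ftp:// URL."""
    parsed = (classify_proxy_request(p) for p in payloads)
    return [r for r in parsed if r and r["scheme"] == "ftp"]

SAMPLES = [  # constructed payloads, as a client would send them to a proxy
    b"CONNECT www.example.org:443 HTTP/1.1\r\nHost: www.example.org:443\r\n\r\n",
    b"GET ftp://ftp.mcafee.com/ HTTP/1.1\r\nHost: ftp.mcafee.com\r\n\r\n",
    b"GET /index.html HTTP/1.1\r\nHost: www.example.org\r\n\r\n",
    b"\x16\x03\x01\x02\x00\x01\x00\x01\xfc\x03\x03",  # TLS record, not HTTP
]

if __name__ == "__main__":
    for hit in ftp_via_proxy(SAMPLES):
        print(hit)
```

The "proxied" result with scheme "ftp" corresponds to the frames matched by the `frame contains "ftp://"` display filter: the FTP session itself runs between the proxy and the server and never appears in the client-side capture.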
question asked: 10 Nov '15, 06:45

question was seen: 5,433 times

last updated: 10 Nov '15, 19:56
