Hey, I have two production machines in VLAN5 which send data to VLAN10, where the FileZilla FTP server is. One machine works OK, I mean the data are transferred correctly with the APPE command. Unfortunately on the second it is not. Example log of the first one, which is OK:
The second creates the file, but the file always has 0 data in it. Just empty.
I've sniffed the data on the server and this is the result:
GOOD Apply to end of file.
6939 2016-08-04 11:53:25.085005 192.168.0.11 192.168.1.200 FTP 78 Request: APPE rf_2_2016-8-4.txt
6940 2016-08-04 11:53:25.085005 192.168.0.11 192.168.1.200 TCP 60 49471 → 60988 [SYN] Seq=0 Win=4096 Len=0 MSS=1400
6942 2016-08-04 11:53:25.085005 192.168.0.11 192.168.1.200 TCP 60 49471 → 60988 [ACK] Seq=1 Ack=1 Win=4096 Len=0
6943 2016-08-04 11:53:25.085005 192.168.1.200 192.168.0.11 FTP 157 Response: 150 Opening data channel for file upload to server of "/rf_2_2016-8-4.txt", restarting at offset 3416
6947 2016-08-04 11:53:25.100605 192.168.0.11 192.168.1.200 TCP 60 49470 → 21 [ACK] Seq=73 Ack=250 Win=4096 Len=0
6948 2016-08-04 11:53:25.100605 192.168.0.11 192.168.1.200 FTP-DATA 197 FTP Data: 143 bytes
6949 2016-08-04 11:53:25.100605 192.168.0.11 192.168.1.200 TCP 60 49471 → 60988 [RST, ACK] Seq=144 Ack=1 Win=4096 Len=0
6950 2016-08-04 11:53:25.100605 192.168.1.200 192.168.0.11 FTP 119 Response: 426 Connection closed; aborted transfer of "/rf_2_2016-8-4.txt"
6952 2016-08-04 11:53:25.116206 192.168.0.11 192.168.1.200 FTP 60 Request: QUIT
6953 2016-08-04 11:53:25.116206 192.168.1.200 192.168.0.11 FTP 67 Response: 221 Goodbye
6954 2016-08-04 11:53:25.116206 192.168.1.200 192.168.0.11 TCP 54 21 → 49470 [FIN, ACK] Seq=328 Ack=79 Win=64322 Len=0
6955 2016-08-04 11:53:25.116206 192.168.0.11 192.168.1.200 TCP 60 49470 → 21 [ACK] Seq=79 Ack=329 Win=4083 Len=0
6956 2016-08-04 11:53:25.116206 192.168.0.11 192.168.1.200 TCP 60 49470 → 21 [RST, ACK] Seq=79 Ack=329 Win=4096 Len=0

BAD: No stored data in file. File is 0 bytes.
7568 2016-08-04 11:53:34.679128 192.168.0.48 192.168.1.200 FTP 81 Request: APPE r_1_2016-8-4CTC2.txt
7569 2016-08-04 11:53:34.679128 192.168.0.48 192.168.1.200 TCP 66 49441 → 50234 [SYN] Seq=0 Win=29200 Len=0 MSS=1400 SACK_PERM=1 WS=128
7570 2016-08-04 11:53:34.679128 192.168.1.200 192.168.0.48 TCP 66 50234 → 49441 [SYN, ACK] Seq=0 Ack=1 Win=8192 Len=0 MSS=1460 WS=256 SACK_PERM=1
7571 2016-08-04 11:53:34.679128 192.168.0.48 192.168.1.200 TCP 60 49441 → 50234 [ACK] Seq=1 Ack=1 Win=29312 Len=0
7572 2016-08-04 11:53:34.679128 192.168.1.200 192.168.0.48 TCP 54 [TCP Window Update] 50234 → 49441 [ACK] Seq=1 Ack=1 Win=262144 Len=0
7573 2016-08-04 11:53:34.679128 192.168.1.200 192.168.0.48 FTP 133 Response: 150 Opening data channel for file upload to server of "/r_1_2016-8-4CTC2.txt"
7577 2016-08-04 11:53:34.694728 192.168.0.48 192.168.1.200 TCP 60 49441 → 50234 [RST, ACK] Seq=1 Ack=1 Win=29312 Len=0
7578 2016-08-04 11:53:34.694728 192.168.1.200 192.168.0.48 FTP 122 Response: 426 Connection closed; aborted transfer of "/r_1_2016-8-4CTC2.txt"
7579 2016-08-04 11:53:34.694728 192.168.0.48 192.168.1.200 TCP 60 49440 → 21 [ACK] Seq=77 Ack=295 Win=29312 Len=0
7580 2016-08-04 11:53:34.725929 192.168.0.48 192.168.1.200 FTP 60 Request: QUIT
7581 2016-08-04 11:53:34.725929 192.168.1.200 192.168.0.48 FTP 67 Response: 221 Goodbye
7582 2016-08-04 11:53:34.725929 192.168.1.200 192.168.0.48 TCP 54 21 → 49440 [FIN, ACK] Seq=308 Ack=83 Win=65536 Len=0
7584 2016-08-04 11:53:34.741529 192.168.0.48 192.168.1.200 TCP 60 49440 → 21 [RST, ACK] Seq=83 Ack=309 Win=29312 Len=0

It looks like the FTP server doesn't open the file to write and shows end of file. What do you think? How can I solve it or make more tests?
asked 04 Aug '16, 04:38 Tester1 edited 04 Aug '16, 04:39
Debugging on text is a pain in general; here, it is not clear what display filter you have used, so some overhead TCP messages (i.e. without FTP or FTP-DATA payload) may be missing. So if you can publish the complete capture files, maybe anonymized using TraceWrangler, you can get much more reasoned guesses.
Without the capture, I would first think of user privileges (where UserY may have different access rights to the target directory) and of firewall settings (where the FTP server may not be able to open the FTP-DATA TCP session towards the client Y).
I've filtered IP of client and server. Is it enough?
https://www.cloudshark.org/captures/f99b933801b9 https://www.cloudshark.org/captures/980a9e53de20
It is actually more than enough as you've also stripped the ftp and ftp-data payload :-) Substitution of the IP addresses but keeping the payload would have been better in this particular case.
What I can see is an attempt to set up a second TCP connection, presumably for ftp-data, which ends by RST (rather than FIN) sent by the TCP client (which is the FTP client as well in this case). This excludes the possibility that a firewall would prevent this session from being set up, but without the ftp payload it is hard to say more. So what about the user privileges, can you log in to the server as userY and check whether you can create a file in the ftpd's root directory?
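The two packet-list summaries in the question, and the observation above that the data channel ends with a client-sent RST rather than a FIN, can be checked mechanically instead of by eye. The script below is an added example, not code from this thread, Wireshark or FileZilla. It parses Wireshark packet-list summary lines in the layout posted (the two sample traces are constructed from the posted frames, trimmed to the relevant ones), tracks each APPE transfer per client address, and reports whether any FTP-DATA payload reached the server before the client reset the data channel. The function and field names are my own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed samples: the poster's two Wireshark summaries, trimmed to the
# frames that matter (frame, date, time, src, dst, proto, length, info).
GOOD_TRACE = """\
6939 2016-08-04 11:53:25.085005 192.168.0.11 192.168.1.200 FTP 78 Request: APPE rf_2_2016-8-4.txt
6940 2016-08-04 11:53:25.085005 192.168.0.11 192.168.1.200 TCP 60 49471 → 60988 [SYN] Seq=0 Win=4096 Len=0 MSS=1400
6943 2016-08-04 11:53:25.085005 192.168.1.200 192.168.0.11 FTP 157 Response: 150 Opening data channel for file upload to server of "/rf_2_2016-8-4.txt", restarting at offset 3416
6948 2016-08-04 11:53:25.100605 192.168.0.11 192.168.1.200 FTP-DATA 197 FTP Data: 143 bytes
6949 2016-08-04 11:53:25.100605 192.168.0.11 192.168.1.200 TCP 60 49471 → 60988 [RST, ACK] Seq=144 Ack=1 Win=4096 Len=0
6950 2016-08-04 11:53:25.100605 192.168.1.200 192.168.0.11 FTP 119 Response: 426 Connection closed; aborted transfer of "/rf_2_2016-8-4.txt"
"""
BAD_TRACE = """\
7568 2016-08-04 11:53:34.679128 192.168.0.48 192.168.1.200 FTP 81 Request: APPE r_1_2016-8-4CTC2.txt
7569 2016-08-04 11:53:34.679128 192.168.0.48 192.168.1.200 TCP 66 49441 → 50234 [SYN] Seq=0 Win=29200 Len=0 MSS=1400 SACK_PERM=1 WS=128
7570 2016-08-04 11:53:34.679128 192.168.1.200 192.168.0.48 TCP 66 50234 → 49441 [SYN, ACK] Seq=0 Ack=1 Win=8192 Len=0 MSS=1460 WS=256 SACK_PERM=1
7573 2016-08-04 11:53:34.679128 192.168.1.200 192.168.0.48 FTP 133 Response: 150 Opening data channel for file upload to server of "/r_1_2016-8-4CTC2.txt"
7577 2016-08-04 11:53:34.694728 192.168.0.48 192.168.1.200 TCP 60 49441 → 50234 [RST, ACK] Seq=1 Ack=1 Win=29312 Len=0
7578 2016-08-04 11:53:34.694728 192.168.1.200 192.168.0.48 FTP 122 Response: 426 Connection closed; aborted transfer of "/r_1_2016-8-4CTC2.txt"
"""

# One packet-list summary line: frame, date, time, src, dst, proto, length, info.
LINE_RE = re.compile(r"^\d+\s+\S+\s+\S+\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<proto>\S+)\s+\d+\s+(?P<info>.*)$")
TCP_RE = re.compile(r"(?P<sport>\d+)\s+→\s+(?P<dport>\d+)\s+\[(?P<flags>[^\]]*)\]")
DATA_RE = re.compile(r"FTP Data:\s+(\d+)\s+bytes")
OFFSET_RE = re.compile(r"restarting at offset\s+(\d+)")


@dataclass
class Transfer:
    client: str
    filename: str
    restart_offset: Optional[int] = None  # offset announced in the 150 reply, if any
    data_bytes: int = 0                   # FTP-DATA payload seen on the data channel
    client_rst: bool = False              # client tore the data channel down with RST
    server_aborted: bool = False          # server answered 426
    completed: bool = False               # server answered 226

    @property
    def verdict(self) -> str:
        if self.completed:
            return "complete"
        if self.data_bytes > 0:
            return "payload delivered before reset"
        return "no payload before reset"


def analyse(trace: str) -> List[Transfer]:
    """Walk a packet-list summary and build one Transfer per APPE request."""
    transfers: List[Transfer] = []
    open_by_client: Dict[str, Transfer] = {}  # client IP -> transfer in progress
    for raw in trace.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        src, dst, proto, info = m["src"], m["dst"], m["proto"], m["info"]
        if info.startswith("Request: APPE "):
            t = Transfer(client=src, filename=info[len("Request: APPE "):].strip())
            transfers.append(t)
            open_by_client[src] = t
            continue
        client = src if src in open_by_client else dst
        t = open_by_client.get(client)
        if t is None:
            continue
        if proto == "FTP-DATA":
            md = DATA_RE.search(info)
            if md:
                t.data_bytes += int(md.group(1))
        elif proto == "TCP":
            mt = TCP_RE.search(info)
            # a reset on a connection that does not involve the control port, sent by the client
            if mt and "RST" in mt["flags"] and "21" not in (mt["sport"], mt["dport"]) and src == client:
                t.client_rst = True
        elif info.startswith("Response: 150"):
            mo = OFFSET_RE.search(info)
            if mo:
                t.restart_offset = int(mo.group(1))
        elif info.startswith("Response: 426"):
            t.server_aborted = True
            open_by_client.pop(client)
        elif info.startswith("Response: 226"):
            t.completed = True
            open_by_client.pop(client)
    return transfers


def summarize(trace: str) -> List[str]:
    """One triage line per APPE transfer found in the trace."""
    return [
        f"{t.client} APPE {t.filename}: {t.data_bytes} data bytes, offset={t.restart_offset}, "
        f"client_rst={t.client_rst}, 426={t.server_aborted} -> {t.verdict}"
        for t in analyse(trace)
    ]


if __name__ == "__main__":
    for line in summarize(GOOD_TRACE) + summarize(BAD_TRACE):
        print(line)
```

On the good trace it reports 143 payload bytes before the client's reset; on the bad trace it reports zero, i.e. the client opened the data channel, the server announced it with 150, and the client reset the channel without ever putting a byte on it. The 426 appears in both traces, so by itself it does not tell the two cases apart; the distinguishing signal is the absence of FTP-DATA frames, which points at the client's handling of the data channel rather than at the server failing to write the file.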
Only 3 machines upload/download text files to the server. When I collect data for analysis, only two machines work at the same time. So I don't think it is an FTP payload problem, because it's a problem on only one machine.
About privileges: I've tested with another user, which works on the first machine, and got the same problem. I made a test: I've disconnected the client (production machine), given the same IP to a notebook, and from the Windows ftp command line I've done an append, and it works.
ftp> append c:\temp\test.txt test.txt
200 Port command successful
150 Opening data channel for file upload to server of "/tests/test.txt", restarting at offset 93
226 Successfully transferred "/tests/test.txt"
ftp: 11 bytes sent in 0.01Seconds 0.73Kbytes/sec.
ftp> append c:\temp\test.txt test.txt
200 Port command successful
I know that the Windows ftp client doesn't use passive mode.
What can I test next?
I haven't got it from the initial description, but can you confirm that only Append is problematic, while normal Put works fine from all machines? Because if yes, it is not a task for Wireshark, as that would mean an application level issue at either the server or the client, and Wireshark can only show you what happens at protocol level.
I can't test PUT on the client, because it's a PLC client and I have to ask an external programmer. I can ask him to modify it on Monday.
I made another test. On a second server I've installed an FTP server with the same configuration and it works :) The second server is in the same subnetwork as the first one.
The first server had Kaspersky KES8, so I uninstalled it, and the problem is the same. I thought that it could be doing something bad. I haven't any information in the events.