A network analysis of a passive (EPSV or PASV) FTP connection.

 

Cases and questions somehow seem to come in bulk.

Lately I have had several cases on FTP connections that use EPSV or PASV.

There has been some confusion about how this works and which ports are being used. So below is, hopefully, an understandable explanation.

 

The network trace was taken on Windows Server 2012 running IIS 8.

Below the sender is always on the left side, the receiver is on the right.

 

Frame # Src IP Src Port Dst IP Dst Port Proto Desc

 

Here we see that the client has initiated the connection to the FTP service. I.e. the client uses, for example, Internet Explorer, to go to the URL: ftp://<the ftp server>.

This initiates the 3-way handshake between the client (on a random ephemeral port, 50209 in this case) and the control channel port on the server (which is 21 by default).

 

741 <client side> 50209 (0xC421) <server side> 21 (0x15) TCP TCP:Flags=......S., SrcPort=50209, DstPort=FTP control(21), PayloadLen=0, ...

743 <server side> 21 (0x15) <client side> 50209 (0xC421) TCP TCP:Flags=...A..S., SrcPort=FTP control(21), DstPort=50209, PayloadLen=0, ...

744 <client side> 50209 (0xC421) <server side> 21 (0x15) TCP TCP:Flags=...A...., SrcPort=50209, DstPort=FTP control(21), PayloadLen=0, ...

 

The server then, from port 21, sends its banner (220, telling the client that it has reached the FTP service) and, after the login exchange (not shown here), confirms with 230 that the user has logged in.

All FTP command communication between the client and the server occurs over this control connection, i.e. on port 21 on the server side.

 

745 <server side> 21 (0x15) <client side> 50209 (0xC421) FTP FTP:Response to Port 50209, '220 Microsoft FTP Service'

749 <server side> 21 (0x15) <client side> 50209 (0xC421) FTP FTP:Response to Port 50209, '230 User logged in.'

 

Now, here we see that the client tells the server that it wants to use EPSV (extended passive mode, RFC 2428).

This request is sent from the client's port (50209) to the command channel port (21).

The server then responds that it wants the data transfer connection to occur on port 34347. The server selects one of its ephemeral ports, and it just happens to be 34347 in this case.

It could however be any other port that the server sees fit to use (or, if a data channel port range has been configured for the IIS FTP service, any port from that range).

 

754 <client side> 50209 (0xC421) <server side> 21 (0x15) FTP FTP:Request from Port 50209, 'EPSV'

755 <server side> 21 (0x15) <client side> 50209 (0xC421) FTP FTP:Response to Port 50209, '229 Entering Extended Passive Mode (|||34347|)'

 

The first thing that now happens is that the client establishes a new connection between itself and the server for the data transfer.

The client uses a new ephemeral port on its side, 50214. And as seen above, it has been told that the server wants it to connect to port 34347 on the server.

So we now have a new 3-way handshake between these two ports.

 

757 <client side> 50214 (0xC426) <server side> 34347 (0x862B) TCP TCP:Flags=......S., SrcPort=50214, DstPort=34347, PayloadLen=0, ...

758 <server side> 34347 (0x862B) <client side> 50214 (0xC426) TCP TCP:Flags=...A..S., SrcPort=34347, DstPort=50214, PayloadLen=0, ...

759 <client side> 50214 (0xC426) <server side> 34347 (0x862B) TCP TCP:Flags=...A...., SrcPort=50214, DstPort=34347, PayloadLen=0, ...

 

Once this is done, we can see that the client sends a LIST command (a DIR) to get a list of the files available on the server side.

This is a command, so it goes over the control channel to server port 21. Because the data connection was already established before the LIST was sent, the server answers with 125 ('Data connection already open') rather than 150.

 

760 <client side> 50209 (0xC421) <server side> 21 (0x15) FTP FTP:Request from Port 50209, 'LIST'

761 <server side> 21 (0x15) <client side> 50209 (0xC421) FTP FTP:Response to Port 50209, '125 Data connection already open; Transfer starting.'

 

The data is now transferred between server (on port 34347) and the client (on port 50214).

 

Once the data is transferred, the server closes the data connection; TCP tears it down with the 4-way handshake. The server closing the data connection is also what tells the client that the listing is complete.

This starts with the server sending a FIN/ACK (frame 763) over the data connection and then a 226 response to the client over the command channel (frame 764).

The client ACKs the server's FIN (frame 765) and the 226 message sent by the server (frame 766).

The client then sends its own FIN/ACK (frame 767) to the server, which ACKs it (frame 768). The data connection is now closed; the control connection stays open.

 

763 <server side> 34347 (0x862B) <client side> 50214 (0xC426) TCP TCP:Flags=...A...F, SrcPort=34347, DstPort=50214, PayloadLen=0, ...

764 <server side> 21 (0x15) <client side> 50209 (0xC421) FTP FTP:Response to Port 50209, '226 Transfer complete.'

765 <client side> 50214 (0xC426) <server side> 34347 (0x862B) TCP TCP:Flags=...A...., SrcPort=50214, DstPort=34347, PayloadLen=0, ...

766 <client side> 50209 (0xC421) <server side> 21 (0x15) TCP TCP:Flags=...A...., SrcPort=50209, DstPort=FTP control(21), PayloadLen=0, ...

767 <client side> 50214 (0xC426) <server side> 34347 (0x862B) TCP TCP:Flags=...A...F, SrcPort=50214, DstPort=34347, PayloadLen=0, ...

768 <server side> 34347 (0x862B) <client side> 50214 (0xC426) TCP TCP:Flags=...A...., SrcPort=34347, DstPort=50214, PayloadLen=0, ...

 

Later on, a new EPSV command comes in; this time the server selects a different port (34348) for the data transfer.

Again, this information is sent to the client over the command channel.

 

1407 <client side> 50209 (0xC421) <server side> 21 (0x15) FTP FTP:Request from Port 50209, 'EPSV'

1408 <server side> 21 (0x15) <client side> 50209 (0xC421) FTP FTP:Response to Port 50209, '229 Entering Extended Passive Mode (|||34348|)'

 

The client then performs a new 3-way handshake between these ports.

 

1410 <client side> 50215 (0xC427) <server side> 34348 (0x862C) TCP TCP:Flags=......S., SrcPort=50215, DstPort=34348, PayloadLen=0, ...

1411 <server side> 34348 (0x862C) <client side> 50215 (0xC427) TCP TCP:Flags=...A..S., SrcPort=34348, DstPort=50215, PayloadLen=0, ...

1412 <client side> 50215 (0xC427) <server side> 34348 (0x862C) TCP TCP:Flags=...A...., SrcPort=50215, DstPort=34348, PayloadLen=0, ...

 

And then we see the client first ask for the size (SIZE) of a particular file (FtpFile.txt here) and then request to download it (RETR).

 

1413 <client side> 50209 (0xC421) <server side> 21 (0x15) FTP FTP:Request from Port 50209,'SIZE /FtpFile.txt'

1414 <server side> 21 (0x15) <client side> 50209 (0xC421) FTP FTP:Response to Port 50209, '213 1763790'

1415 <client side> 50209 (0xC421) <server side> 21 (0x15) FTP FTP:Request from Port 50209,'RETR /FtpFile.txt'

1416 <server side> 21 (0x15) <client side> 50209 (0xC421) FTP FTP:Response to Port 50209, '125 Data connection already open; Transfer starting.'

 

And then the above is repeated until the FTP session is over.
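To make the sequence above concrete, here is an added example that is not part of the original post and is not IIS code: a toy passive-mode (EPSV) server and client on loopback in Python. The server stands in for IIS's control port 21 and data port 34347, but lets the OS pick ephemeral ports instead; the directory listing it returns is constructed. The order of events matches the trace: the client connects to the announced data port before it sends LIST, so the server answers 125, sends the listing, closes the data connection (its FIN first) and then sends 226 over the control channel.

```python
import re
import socket
import threading

# 229 reply as sent by the server in frame 755: (|||port|)
EPSV_REPLY_RE = re.compile(r"^229 .*\(\|\|\|(\d+)\|\)")

# Constructed directory listing the toy server returns for LIST.
LISTING = b"-rw-r--r-- 1 owner group 1763790 FtpFile.txt\r\n"


def toy_ftp_server(ctrl_srv, log):
    """Serve one control connection: 220 banner, EPSV -> 229 with an
    ephemeral data port, LIST -> 125 / data / 226, QUIT -> 221."""
    conn, _ = ctrl_srv.accept()
    cf = conn.makefile("rwb")
    cf.write(b"220 Toy FTP Service\r\n")
    cf.flush()
    data_srv = None
    for raw in cf:
        cmd = raw.decode().strip()
        log.append(cmd)
        if cmd == "EPSV":
            # The server picks the data port (34347 in the trace); port 0
            # lets the OS choose an ephemeral one here.
            data_srv = socket.socket()
            data_srv.bind(("127.0.0.1", 0))
            data_srv.listen(1)
            port = data_srv.getsockname()[1]
            cf.write(f"229 Entering Extended Passive Mode (|||{port}|)\r\n".encode())
        elif cmd == "LIST":
            # The client connected to the data port before sending LIST,
            # so the handshake is already done: hence 125, not 150.
            data_conn, _ = data_srv.accept()
            cf.write(b"125 Data connection already open; Transfer starting.\r\n")
            cf.flush()
            data_conn.sendall(LISTING)
            data_conn.close()          # server sends FIN first (frame 763)
            data_srv.close()
            cf.write(b"226 Transfer complete.\r\n")   # frame 764
        elif cmd == "QUIT":
            cf.write(b"221 Goodbye.\r\n")
            cf.flush()
            break
        else:
            cf.write(b"502 Command not implemented.\r\n")
        cf.flush()
    cf.close()
    conn.close()


def passive_list(ctrl_port):
    """Client side of the trace: EPSV, connect to the announced port, LIST."""
    ctrl = socket.create_connection(("127.0.0.1", ctrl_port))
    cf = ctrl.makefile("rwb")
    replies = [cf.readline().decode().strip()]          # 220 banner
    cf.write(b"EPSV\r\n")
    cf.flush()
    reply = cf.readline().decode().strip()
    replies.append(reply)                                # 229 (|||port|)
    m = EPSV_REPLY_RE.match(reply)
    if not m:
        raise RuntimeError("unexpected EPSV reply: " + reply)
    data_port = int(m.group(1))
    # New 3-way handshake to the announced port, before LIST goes out on
    # the control channel (frames 757-759 precede 760 in the trace).
    data = socket.create_connection(("127.0.0.1", data_port))
    cf.write(b"LIST\r\n")
    cf.flush()
    replies.append(cf.readline().decode().strip())       # 125
    chunks = []
    while True:
        chunk = data.recv(4096)
        if not chunk:                  # server's FIN marks the end of the listing
            break
        chunks.append(chunk)
    data.close()
    replies.append(cf.readline().decode().strip())       # 226
    cf.write(b"QUIT\r\n")
    cf.flush()
    replies.append(cf.readline().decode().strip())       # 221
    cf.close()
    ctrl.close()
    return data_port, replies, b"".join(chunks)


def run_demo():
    """Start the toy server on a loopback ephemeral port and run the client."""
    ctrl_srv = socket.socket()
    ctrl_srv.bind(("127.0.0.1", 0))      # stands in for port 21
    ctrl_srv.listen(1)
    log = []
    t = threading.Thread(target=toy_ftp_server, args=(ctrl_srv, log), daemon=True)
    t.start()
    result = passive_list(ctrl_srv.getsockname()[1])
    t.join(5)
    ctrl_srv.close()
    return result, log


if __name__ == "__main__":
    (port, replies, listing), log = run_demo()
    print("data port announced:", port)
    for r in replies:
        print("S->C", r)
    print(listing.decode(), end="")
```

Run it and compare the printed replies with frames 745, 755, 761 and 764 of the trace; the only difference is that the data port is whatever the OS handed out rather than 34347.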

 

So, why is this of interest? If the connection is ACTIVE rather than PASSIVE, the server initiates the data connection itself, from its port 20, to a port the client announced with PORT (or EPRT), so it is the client side that has to accept an inbound connection.

In the passive scenario above it is the other way around: the server decides on the fly which port to use for the data connection, and the client has to connect out to it. A firewall on the client side may block outbound connections to that port (or one in front of the server may block inbound connections to it); in IIS the ports that need to be allowed can be narrowed down by configuring a data channel port range for the FTP service.

In the scenario above, the client's firewall presumably allows outbound traffic on the well-known FTP command channel port (21). So the control connection is established and the user can log in.

But as soon as the client performs any data transfer action (a DIR/LIST or a RETR, for example), the port the server hands out for the data transfer (34347 and 34348 in the example above) may be blocked. The server then sends the 229 (or 227) response to the client over the command channel (port 21) and just waits for a data connection that never arrives, until the session times out.

 

So, if you have a situation where you can connect and log in to your FTP server but not list or transfer any data, the first thing to do is to verify that nothing is blocking the port the server chooses for the data transfer. If something is, you should see (in the example above) the server announcing the port to use (34347 in frame 755) but no SYN coming in from the client to that port (frame 757 would be missing).

 

One last thing, if the client uses PASV rather than EPSV then the FTP:Response containing the port to use will look different.

 

EPSV:

<server side> 21 (0x15) <client side> 50209 (0xC421) FTP FTP:Response to Port 50209, '229 Entering Extended Passive Mode (|||34347|)'

 

PASV:

<client side> 49707 (0xC22B) <server side> 21 (0x15) FTP FTP:Request from Port 49707, 'PASV'

<server side> 21 (0x15) <client side> 49707 (0xC22B) FTP FTP:Response to Port 49707, '227 Entering Passive Mode (10,166,56,104,130,242).'

<client side> 49708 (0xC22C) <server side> 33522 (0x82F2) TCP TCP:Flags=......S., SrcPort=49708, DstPort=33522, PayloadLen=0, ...

<server side> 33522 (0x82F2) <client side> 49708 (0xC22C) TCP TCP:Flags=...A..S., SrcPort=33522, DstPort=49708, PayloadLen=0, ...

<client side> 49708 (0xC22C) <server side> 33522 (0x82F2) TCP TCP:Flags=...A...., SrcPort=49708, DstPort=33522, PayloadLen=0, ...

 

EPSV sends the port number as a plain decimal; PASV sends the address and the port as six comma-separated bytes, (10,166,56,104,130,242) in this case.

However, do not despair. The math is simple. The first four numbers are the server address (10.166.56.104). Take the second to last number (130), multiply it by 256 and add the last number (242), and you have the port number.

In this case ((130 * 256) + 242) = 33522, and the 3-way handshake occurs on this port.

One caveat with PASV: the client connects to the address given in the reply, so a server behind NAT that announces its private address (as 10.166.56.104 would be when seen from the Internet) leaves the client unable to connect, unless the NAT device rewrites the reply or the server is configured with the external address (in IIS this is the external IP address of the firewall under FTP Firewall Support). EPSV avoids this because it announces only the port; the client reuses the address of the control connection.
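The PASV arithmetic above and the troubleshooting check described earlier (does a client SYN to the announced port follow the 229/227 reply?) can be automated over a text export of the trace. The following is an added example, not code from the original post: it parses both reply formats and walks trace lines in the layout used on this page. It goes slightly beyond the trace in one respect, the 229 parser accepts any delimiter character, as RFC 2428 allows, rather than only `|`. The sample trace is constructed from the frames shown above plus an invented final EPSV reply (frame 3001, port 34349) that is never followed by a SYN, to show what a blocked data port looks like; frame numbers on the PASV lines are also invented, since the page shows those without numbers.

```python
import re

# 227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)
PASV_RE = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
# 229 Entering Extended Passive Mode (<d><d><d>port<d>), delimiter per RFC 2428
EPSV_RE = re.compile(r"229 .*?\((.)\1\1(\d+)\1\)")

# Trace line layout used on this page: "<frame> <x side> <port> ... <y side> <port> ..."
FRAME_RE = re.compile(r"^(\d+)\s+<(\w+) side>\s+(\d+).*?<(\w+) side>\s+(\d+)")
FLAGS_RE = re.compile(r"Flags=([.A-Z]+).*?DstPort=(\d+)")


def parse_passive_reply(reply):
    """Return (host, port) announced by a 227 or 229 reply.

    host is None for EPSV: the client reuses the control connection's address.
    For PASV the port is p1 * 256 + p2 and every field must fit in a byte."""
    m = EPSV_RE.search(reply)
    if m:
        port = int(m.group(2))
        if not 1 <= port <= 65535:
            raise ValueError("EPSV port out of range: " + reply)
        return None, port
    m = PASV_RE.search(reply)
    if m:
        nums = [int(x) for x in m.groups()]
        if any(n > 255 for n in nums):
            raise ValueError("PASV field exceeds a byte: " + reply)
        h1, h2, h3, h4, p1, p2 = nums
        return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2
    raise ValueError("not a 227/229 reply: " + reply)


def check_trace(lines):
    """For every 227/229 reply in the trace, record the announced port and the
    frame of the first client SYN (SYN set, ACK clear) sent to that port.
    syn_frame None means the client never tried to connect: the usual sign of
    a firewall blocking the data port."""
    results = []
    for line in lines:
        fm = FRAME_RE.match(line)
        if not fm:
            continue
        frame, src_side = int(fm.group(1)), fm.group(2)
        if "FTP:Response" in line and ("'227" in line or "'229" in line):
            reply = line.split("'", 1)[1].rstrip("'")
            host, port = parse_passive_reply(reply)
            results.append({"reply_frame": frame, "host": host,
                            "port": port, "syn_frame": None})
        elif src_side == "client":
            tm = FLAGS_RE.search(line)
            if tm and "S" in tm.group(1) and "A" not in tm.group(1):
                dst = int(tm.group(2))
                for r in results:
                    if r["port"] == dst and r["syn_frame"] is None:
                        r["syn_frame"] = frame
                        break
    return results


# Constructed sample: frames from the page plus an invented blocked case (3001).
SAMPLE_TRACE = [
    "755 <server side> 21 (0x15) <client side> 50209 (0xC421) FTP FTP:Response to Port 50209, '229 Entering Extended Passive Mode (|||34347|)'",
    "757 <client side> 50214 (0xC426) <server side> 34347 (0x862B) TCP TCP:Flags=......S., SrcPort=50214, DstPort=34347, PayloadLen=0, ...",
    "758 <server side> 34347 (0x862B) <client side> 50214 (0xC426) TCP TCP:Flags=...A..S., SrcPort=34347, DstPort=50214, PayloadLen=0, ...",
    "1408 <server side> 21 (0x15) <client side> 50209 (0xC421) FTP FTP:Response to Port 50209, '229 Entering Extended Passive Mode (|||34348|)'",
    "1410 <client side> 50215 (0xC427) <server side> 34348 (0x862C) TCP TCP:Flags=......S., SrcPort=50215, DstPort=34348, PayloadLen=0, ...",
    "2001 <server side> 21 (0x15) <client side> 49707 (0xC22B) FTP FTP:Response to Port 49707, '227 Entering Passive Mode (10,166,56,104,130,242).'",
    "2003 <client side> 49708 (0xC22C) <server side> 33522 (0x82F2) TCP TCP:Flags=......S., SrcPort=49708, DstPort=33522, PayloadLen=0, ...",
    "3001 <server side> 21 (0x15) <client side> 50209 (0xC421) FTP FTP:Response to Port 50209, '229 Entering Extended Passive Mode (|||34349|)'",
]


if __name__ == "__main__":
    for r in check_trace(SAMPLE_TRACE):
        status = f"SYN in frame {r['syn_frame']}" if r["syn_frame"] else "NO SYN seen (blocked?)"
        print(f"frame {r['reply_frame']}: data port {r['port']} host {r['host']}: {status}")
```

Only a bare SYN from the client side counts as an attempt, so the server's SYN/ACK in frame 758 is ignored; a reply whose port never receives a SYN is the pattern described above for a blocked data port.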

 

Hope the above helps.

 

Information About the IIS File Transmission Protocol (FTP) Service

https://support.microsoft.com/kb/283679

Opening connection (3-way handshake)

https://en.wikipedia.org/wiki/3_way_handshake#Connection_establishment

Closing connection (4-way handshake)

https://en.wikipedia.org/wiki/Transmission_Control_Protocol#Connection_termination