Riverbed Cascade Pilot Personal Edition: Take Wireshark to the Next Level - Advanced Triggers and Alerts; Web and VoIP Analytics; Long-Term Trending and Forensics; Deep Packet Analysis with Wireshark

Wireshark-users: Re: [Wireshark-users] where to see transfered data

Date Index Thread Index Other Months All Mailing Lists

Date Prev Date Next Thread Prev Thread Next

From: Sake Blok <sake@xxxxxxxxxx>
Date: Tue, 12 Feb 2008 11:47:24 +0100

On Tue, Feb 12, 2008 at 02:17:39AM -0800, J V wrote:
>    
>   I'm new in Wireshark and have one question. Where to see data I transfer?
>   Question is because I tranfer by ftp 90 bytes BMP file with appropriate capture
>   filtr. When look to packet detail frame I see
>   Frame 4 .... 118 bytes captured, but inside there is nothing around 90 bytes
>   The biggest block is 64 bytes (Opening binary mode data......)

The FTP protocol is a tricky protocol as it uses a control connection and
separate data connections. If you use the capture filter "ftp" you will 
only see the data in the control connection (client:highport -> server:21).
You can use the capture filter "ftp-data" to capture the data-connections
(server:20 -> client:other-high-port).

But... if passive ftp is used, the data connections are set up on random
ports (server:highport -> client:other-highport). In which case the 
capture filter "ftp or ftp-data" will not even help you. You will then have 
to capture all (tcp) traffic between the client and the server and do
the filtering later by hand.

Hope this helps,
Cheers,
    Sake

References:
- [Wireshark-users] where to see transfered data
  - From: J V

Prev by Date: [Wireshark-users] Packet Capture
Next by Date: Re: [Wireshark-users] Packet Capture
Previous by thread: [Wireshark-users] where to see transfered data
Next by thread: [Wireshark-users] Packet Capture
Index(es):
- Date
- Thread