IBM Support

FTP: a deeper look at an 'Active' file transfer

Technical Blog Post


Body

With ftp we can do an ACTIVE file transfer or a PASSIVE file transfer.  In most cases, switching between the two is just a matter of adding a parameter in our bpml.  We may not need to add anything at all if the default setting is fine.

An ACTIVE file transfer is one where the ftp client will request, by the PORT command, that the ftp server initiate opening the data connection.  The ftp server will do this by connecting to the client on a tcp port that the client is listening on.

So what happens when we do an Active file transfer?  

Hopefully this blog will visually show you what happens during an ACTIVE file transfer.  

PASSIVE will be handled in another blog.

 

The FTP client used in this blog was IBM Sterling B2B Integrator.

The bpml used was simple:

FTP Client Begin Session Service
FTP Client LIST service
FTP Client End Session service

 

Below is the pretty typical Status Report one would find for the FTPClientBeginSession Service:

image

 

Below is the Status Report from the FTPClientList Service:

image

 

Finally, below you will find the Status Report from the FTPClientEndSession Service:

image

Everything above is what we typically see during an ftp session within SBI and, I would guess, to an extent, from most ftp client applications.

 

Now let's take a look at the packet level, with Wireshark, for the same ftp session.

Take note of the responses that show in our status report and all the responses and activity that happens behind the scenes in the tcp and ftp protocol.

image

The FTP Client is ip addr: 9.99.99.33 and the FTP Server is 9.99.9.88.

We can see the Source (Sender) and Destination (Receiver) columns.

We also see that this packet capture starts with packet number 219.

1 - 3. We can see the 3-part tcp handshake. The client sends a SYN, the server responds with a SYN,ACK, then the client responds with ACK.  This is the tcp protocol, and it establishes a connection between the client and server.

- After the connection is made (3-part handshake), in packets 229 and 231 you can see the client send its logon information.

4 - The FTPClientList Service was set to do an Active file transfer.  This is seen by the PORT command being sent by the client in packet 236: PORT 9,99,99,33,108,96

- The PORT command is the way the client tells the server what port the client will be listening on for the server to reach out to it for the data connection.

- In PORT 9,99,99,33,108,96, the 6 numbers following the PORT command break down as follows:

The first 4 are the ip address: 9.99.99.33

The fifth and sixth numbers are the port. You take the fifth number, multiply it by 256, then add the sixth number:

108 * 256 = 27648, and 27648 + 96 = 27744

So the PORT command is telling the server that the client is listening at the ip/port of 9.99.99.33:27744 ***

5 - The client sends the LIST command to the server. We see this in packet 241.

- In packet 242 we see the Server responding with "150 Opening ASCII mode data connection."

6 - Notice the gap in the packets?  This screen shot is filtered by the tcp connection between client ip/port <=> server ip/port.

With the port command we have a new set of ports to deal with.  These missing packets are below:

 

image

*** Above you can see that the server, 9.99.9.88, from port 63883, has reached out to the client 9.99.99.33 on port 27744.

The 3-part handshake takes place in packets 243-245.

The list is sent to the client in packet 246 (maybe in 247?).

Then 247-250 is this tcp connection closing down.

 

NOW BACK TO THE OTHER SCREEN SHOT

 

image

- In packet 251 we pick back up with the ftp session.

- In packet 252 we see the server sending the message that the list was transferred (226 Transfer complete)

7 - The client sends the quit command to end the ftp session.

- In packet 257 we see the response from the server to the client's quit command.

8 - Finally we see the actual tcp tear-down of the connection.  Very similar to what happened to the data connection in packets 247-250.

 

From the previous entries you can see that a potential issue could be a firewall blocking the data port.  The ftp client might be listening on a certain port, but if the firewall prevents the server from getting through, the ftp client will time out.
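The PORT arithmetic from step 4 and the firewall concern above, as an added Python example (not part of the original post or of Sterling B2B Integrator): it decodes a PORT argument and lists reasons the server's connect-back to the client could fail. The function names and the allowed inbound port ranges are assumptions made for illustration.

```python
import ipaddress
import re

# RFC 959 PORT argument: six decimal fields h1,h2,h3,h4,p1,p2
_PORT_RE = re.compile(r"^PORT\s+(\d{1,3}(?:,\d{1,3}){5})\s*$", re.IGNORECASE)


def parse_port_command(line):
    """Return (ip, port) advertised by a PORT command line, or raise ValueError."""
    m = _PORT_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a well-formed PORT command: {line!r}")
    fields = [int(f) for f in m.group(1).split(",")]
    if any(f > 255 for f in fields):
        raise ValueError(f"field out of range 0-255: {line!r}")
    ip = ipaddress.IPv4Address(".".join(map(str, fields[:4])))
    port = fields[4] * 256 + fields[5]  # fifth number * 256 + sixth number
    return str(ip), port


def check_active_data_endpoint(line, control_peer_ip, allowed_ports):
    """List reasons the server's connect-back to the client may fail or be refused."""
    ip, port = parse_port_command(line)
    findings = []
    if ip != control_peer_ip:
        # Typical when the client sits behind NAT and advertises its private address
        findings.append(f"advertised {ip} differs from control peer {control_peer_ip}")
    if port < 1024:
        # Many FTP servers refuse to connect back to privileged ports
        findings.append(f"port {port} is in the privileged range")
    if port not in allowed_ports:
        findings.append(f"port {port} is outside the inbound range the firewall allows")
    return findings


if __name__ == "__main__":
    # PORT value and client IP are from the capture in this post;
    # both firewall ranges are constructed assumptions.
    cmd = "PORT 9,99,99,33,108,96"
    print(parse_port_command(cmd))
    print(check_active_data_endpoint(cmd, "9.99.99.33", range(30000, 30100)))
    print(check_active_data_endpoint(cmd, "9.99.99.33", range(27700, 27800)))
```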

 

 


UID

ibm11121031