I. Introduction to FTP
1. File Transfer
The file transfer service is an essential service in a networked environment, and currently, the most prevalent method of file transfer on the network is using the FTP protocol.
FTP, which stands for File Transfer Protocol, allows the transfer of various file types such as electronic documents, images, audio, video, programs, and more over a network. If a user needs to send files from their computer to another computer, they can use FTP to upload (put) files. More commonly, users use FTP to download (get) files from an FTP server.
2. How FTP Works
A complete FTP file transfer requires the establishment of two types of connections: one for file transfer commands, known as the control connection, and another for the actual file transfer, known as the data connection.
1) Control Connection
When a client wishes to transfer data with an FTP server, whether uploading or downloading, it first sends a connection request to the server's TCP port 21. The FTP server accepts the client's request, completing the connection process; this connection is referred to as the FTP control connection.
2) Data Connection
Once the FTP control connection is established, file transfer can begin via the FTP data connection. The FTP data connection is the connection over which FTP actually transfers data, and it has two transmission modes: active transfer mode (PORT) and passive transfer mode (PASSIVE, abbreviated as PASV). In active transfer mode, the FTP server uses port 20 to connect to the client's temporary port and transmit data, while the client remains in a receiving state. In passive transfer mode, the FTP server opens a transient port and waits for the client to connect and transfer data; the server only passively accepts the data connection and does not actively initiate it.
II. Detailed Analysis of FTP Transfer
1. Analyzing the FTP Transfer Process
To analyze FTP transfers, the first thing to determine is whether the FTP transfer uses active mode or passive mode, as the implementation methods for these two modes are different, and analysis under the two modes differs significantly. Below, the FTP transfer under each mode is analyzed separately.
1) Active Transfer Mode
We use the Cola Network Analysis System to capture and analyze an FTP data transfer in active mode. The client hostname is "WWW-D999420E316", with the address 192.168.1.189, and the FTP server's address is 192.168.1.188. The FTP client software used on the client is SecureFX, and the transfer mode is active (PORT) mode.
Open the Cola Network Analysis System on the client machine. To avoid data interference, set a filter to capture only this machine's data communication.
Establish an FTP session on the SecureFX client software to connect to the FTP server 192.168.1.188, upload a file named t1.cap to the server, and download a file named Readme.txt from the server to the client. Stop the capture on the Cola Network Analysis System after completing the operations.
Figure 1 shows the TCP session view captured by the Cola Network Analysis System of the operations described above.
(Figure 1 FTP Active Transfer Mode Connection and Data Stream Recombination Information)
From Figure 1, it is clear that the above operations establish FTP control connections and FTP data connections between the client and server. By closely examining the data stream recombination information corresponding to the FTP control connection, we can identify the original steps in the operations (i.e., the steps in FTP active transfer mode) as follows:
- The client (here "WWW-D999420E316") uses a temporary port as the source port (here 1492) to send a TCP SYN packet to port 21 of the FTP server (here 192.168.1.188), requesting the establishment of a TCP connection. The FTP server sends a SYN/ACK (synchronous acknowledgment) packet to the client with a source port of 21 and a target port matching the client's temporary port 1492. The client sends an ACK (acknowledgment) packet to the FTP server, successfully completing the TCP handshake;
- The FTP server requires identity verification from the client, prompting for a username and password; here the username is anonymous and the password is Administrator@;
- The client uses the SYST command to retrieve the FTP server's operating system, shown as Windows_NT, namely Windows 2003;
- The client uses the PWD command to determine the current directory, presently "/", indicating the root directory of the FTP server;
- ……
- The client uses the PORT command to send a request to the FTP server for uploading or downloading a file. This command includes the client's address (here 192.168.1.189) and a temporary port (here 5,213, calculated as 5*256+213=1493). Upon receipt, the FTP server uses 20 as the source port and 1493 as the target port to establish a TCP connection with the client;
- The client uses the LIST command to fetch the file list in the FTP server's current directory;
- The client rechecks the current directory using the PWD or CWD commands, the current directory being "/";
- The client reissues a PORT command to the FTP server making an upload or download request, also providing a temporary port for establishing the TCP connection;
- The client sets the file transfer type via the TYPE command, where the transfer type is I. Normally, transfer types include ASCII (abbreviated A) and binary files (abbreviated I);
- The client uploads a file to the FTP server using the STOR command; here, the file is t1.cap;
- The FTP server uses the 226 response code to inform the client that the transmission of the t1.cap file was completed successfully;
- The client revisits the current directory on the FTP server using PWD or CWD commands, effectively refreshing the current directory;
- The client resets the FTP server's transfer type to ASCII via the TYPE command;
- The client repeats a PORT command, issuing another upload or download request, specifying a temporary port anew for the TCP connection;
- The client downloads a file to the local system from the FTP server using the RETR command, with the file being Readme.txt here;
- The FTP server employs the 226 response code to notify the client that Readme.txt is successfully transferred;
- After data transmission finishes, the client sends a TCP FIN packet to the FTP server indicating the conclusion of the connection, which the FTP server confirms with a TCP ACK packet. At the same time, the FTP server sends a TCP FIN packet to the client, which the client confirms with a TCP ACK packet. Once both sides have confirmed, the FTP control connection is closed.
In Figure 1, the FTP control connection is the one in which the client uses a temporary port to communicate with the FTP server's port 21. The other connections are FTP data connections, in which the client's temporary ports communicate with the FTP server's port 20. Together they carry out the operations: LIST for the directory listing, PORT for a file transfer request, STOR for uploading the file t1.cap, PORT for a file transfer request, RETR for downloading the file Readme.txt, and connection closure.
(Note: When a client issues distinct commands on the FTP control connection, separate FTP data connections are opened and closed promptly. Each transferred file opens its own FTP data connection and completes its transfer independently; the control connection is closed afterward.)
Figure 2 shows the log view of the FTP transfer log information recorded by the Cola Network Analysis System after the active mode FTP data transfer. It shows the client and FTP server involved in the current FTP data transfer, the account used, the operation type (upload or download), the transferred files and paths, and the transfer mode (active or passive). To review all log details, right-click the column headers (Serial number, Client IP…) in the figure to open the context menu, click "More…", check all items in the "List Options" dialog, and confirm to save.
(Figure 2 Logging Information in FTP Active Transfer Mode)
2) Passive Transfer Mode
We use the Cola Network Analysis System to capture and analyze an FTP data transfer in passive mode. The client hostname is "WWW-D999420E316", and the FTP server's address is 192.168.1.188. The FTP client software used on the client is SecureFX, and the transfer mode is passive (PASSIVE) mode.
Open the Cola Network Analysis System on the client machine. To avoid data interference, set a filter to capture only this machine's data communication.
Establish an FTP session on the SecureFX client software to connect to the FTP server 192.168.1.188, upload a file named t1.cap to the server, and download a file named Readme.txt from the server to the client. Stop the capture on the Cola Network Analysis System after completing the operations.
Figure 3 shows the TCP session view captured by the Cola Network Analysis System of the operations described above.
(Figure 3 Connection and Data Stream Recombination Information in FTP Passive Transfer Mode)
From Figure 3, it is clear that the above operations establish an FTP control connection and TCP connections between the client and server. By closely examining the data stream recombination information corresponding to the FTP control connection, we can identify the original steps in the operations (i.e., the steps in FTP passive transfer mode) as follows:
- The client (here "WWW-D999420E316") uses a temporary port as the source port (here 1785) to send a TCP SYN packet to port 21 of the FTP server (here 192.168.1.188), requesting a TCP connection. The FTP server sends a SYN/ACK (synchronous acknowledgment) packet to the client, with a source port of 21 and a target port matching the client's temporary port 1785;
- The client returns an ACK (acknowledgment) packet to the FTP server, successfully completing the TCP handshake. The FTP server requires identity verification, prompting for a username and password; here the username is anonymous and the password is Administrator@;
- The client uses the SYST command to retrieve the FTP server's operating system, shown as Windows_NT, namely Windows 2003;
- The client uses the PWD command to determine the current directory, presently "/", indicating the root directory of the FTP server;
- The client sends the PASV command to tell the FTP server that the client is using passive transfer mode;
- The FTP server responds to the client's PASV command. The response contains the FTP server's address and a transient port, here 192.168.1.188,6,42, so the target port is 6*256+42=1578;
- The client uses the LIST command to fetch the file list in the FTP server's current directory;
- The client again uses the PWD or CWD commands to recheck the current directory on the FTP server, effectively refreshing the current directory;
- The client reissues the PASV command, making another file transfer request to the FTP server. Upon receipt, the server replies with its address and a temporary port for establishing the connection;
- The client sets the file transfer type via the TYPE command, here I;
- The client uploads a file to the FTP server using the STOR command; here, the file is t1.cap;
- The FTP server uses the 226 response code to inform the client that the transfer of t1.cap was completed successfully;
- The client again uses the PWD or CWD commands to recheck the current directory on the FTP server, effectively refreshing the current directory;
- The client resets the transfer type to ASCII via the TYPE command;
- The client repeats the PASV command, issuing another file transfer request to the FTP server; the server responds with its address and a temporary port for establishing the connection, as in step 9;
- The client downloads a file to the local system from the FTP server using the RETR command, with the file being Readme.txt here; the FTP server uses the 226 response code to notify the client that Readme.txt was transferred successfully;
- After data transmission finishes, the client sends a TCP FIN packet to the FTP server indicating the conclusion of the connection, which the FTP server confirms with a TCP ACK packet. At the same time, the FTP server sends a TCP FIN packet to the client, which the client confirms with a TCP ACK packet. Once both sides have confirmed, the FTP control connection is closed.
In Figure 3, the FTP control connection is the one in which the client uses a temporary port to communicate with the FTP server's port 21. All the other operations take place over FTP data connections, in which the client's temporary ports connect to the FTP server's temporary ports. Together they carry out the operations: LIST for the directory listing, PASV for a file transfer request, STOR for uploading the file t1.cap, PASV for a file transfer request, RETR for downloading the file Readme.txt, and connection closure.
(Note: When a client issues distinct commands on the FTP control connection, separate FTP data connections are opened and then closed independently. Each uploaded or downloaded file opens its own FTP data connection and completes its transfer independently; the control connection is closed afterward.)
Comparing Figure 1 (active transfer) with Figure 3 (passive transfer) shows that in Figure 1 the protocol of the captured data connections is displayed as FTP Data, whereas in Figure 3 it is displayed as TCP. This is because in passive mode FTP transfers data over transient ports: both ends of the connection use temporary ports, so the connection appears as a plain TCP connection.
Figure 4 shows the log view of the FTP transfer log information recorded by the Cola Network Analysis System after the passive mode FTP data transfer. It shows the client and FTP server involved in the current FTP data transfer, the account used, the operation type (upload or download), the transferred files and paths, and the transfer mode (active or passive). To review all log details, right-click the column headers (Serial number, Client IP…) to open the context menu, click "More…", check all items in the "List Options" dialog, and confirm to save.
(Figure 4 Logging Information in FTP Passive Transfer Mode)
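The active and passive walkthroughs above can be replayed from the control connection alone. The following is an added example (not part of the original article, and not how the Cola Network Analysis System is implemented): it decodes the PORT and 227 (PASV) address fields with the p1*256+p2 rule and emits one record per data connection, similar to the log columns described for Figures 2 and 4. The transcript, its reply texts, and the names `SAMPLE`, `endpoint` and `transfers` are constructed for illustration.

```python
import re

# Constructed control-connection transcript ("C:" client, "S:" server); reply
# texts are sample values. It mixes PORT and PASV to exercise both modes.
SAMPLE = """\
C: USER anonymous
C: PASS Administrator@
C: PORT 192,168,1,189,5,213
C: LIST
S: 226 Transfer complete.
C: PASV
S: 227 Entering Passive Mode (192,168,1,188,6,42).
C: TYPE I
C: STOR t1.cap
"""
HOSTPORT = re.compile(r"(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")
OPS = {"LIST": "list", "STOR": "upload", "RETR": "download"}

def endpoint(text):
    """Decode h1,h2,h3,h4,p1,p2 into (ip, p1*256+p2); None if absent or invalid."""
    m = HOSTPORT.search(text)
    n = [int(x) for x in m.groups()] if m else []
    if not n or max(n) > 255:
        return None
    return ".".join(map(str, n[:4])), n[4] * 256 + n[5]

def transfers(transcript):
    """One record per data connection: user, mode, endpoint, op, file, done."""
    user = pending = current = None
    out = []
    for line in transcript.splitlines():
        side, _, rest = line.partition(": ")
        verb, _, arg = rest.partition(" ")
        verb = verb.upper()
        if side == "C" and verb == "USER":
            user = arg                            # sent in clear on port 21
        elif side == "C" and verb == "PORT":
            pending = ("active", endpoint(arg))   # server port 20 connects here
        elif side == "S" and verb == "227":
            pending = ("passive", endpoint(arg))  # client connects here
        elif side == "C" and verb in OPS and pending:
            current = dict(user=user, mode=pending[0], endpoint=pending[1],
                           op=OPS[verb], file=arg or None, done=False)
            out.append(current)
            pending = None
        elif side == "S" and verb == "226" and current:
            current["done"] = True                # 226 = transfer completed
            current = None
    return out
```

A record left with `done` set to `False`, like the final STOR in the sample, marks a transfer that never received its 226 reply, which is the first thing to look for when troubleshooting a failed FTP transfer.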
2. FTP Commands
From the preceding analysis and screenshots, it is evident that the client carries out an FTP transfer by issuing commands. The common commands encountered are outlined below.
3. FTP Responses
The analysis and screenshots show that every command from the client is met with a response from the FTP server. The common response codes are shown below.
III. Conclusion
The foregoing briefly introduces the FTP protocol and uses the Cola Network Analysis System to trace and analyze FTP data transfer in both active and passive modes. Based on this, users who encounter FTP transfer failures can follow the above analysis and use network detection and analysis software (here, the Cola Network Analysis System) to trace and examine the FTP data transfer, and so resolve such issues quickly.