Can Network Monitor detect Passive FTP sessions (PASV mode)?

Article ID: 160229

Products

Data Loss Prevention Network Monitor

Issue/Introduction

You need to know whether a DLP Network Monitor can detect FTP traffic in passive (PASV) mode.

An overview of how both FTP modes work:

Normal (Active) FTP

  1. Client opens a control connection to the FTP server on destination port 21.
  2. Client initiates a file transfer by sending a PORT command on the control connection, and includes a port number on which it will listen.
  3. Server opens a data connection from source port 20 to the destination port specified by the client.

Passive FTP

  1. Client opens a control connection to the FTP server on destination port 21.
  2. Client initiates a file transfer by sending a PASV command on the control connection.
  3. Server responds to the PASV command with a random high port (1024 or higher) on which the client should connect.
  4. Client opens a data connection to the destination port specified by the server (the source port is typically a random high port, but some systems use source port 20).

Resolution

Network Monitor uses the same information that can be seen through a PCAP-based capture utility, such as Wireshark.

For both types of FTP traffic, the monitor needs to inspect the control connection in order to determine which data connection is associated with it, because the ports vary with every connection. In either case, the system needs full duplex (bidirectional) traffic in its capture stream in order to correctly analyze and detect FTP traffic.

With normal (active) FTP connections, the outbound PORT command contains the information needed to interpret the data connection. However, the data connection itself is initiated inbound (server to client), and the initiation of that connection will not be visible in an outbound-only traffic stream. Detection may still occur in some cases, since the data itself is visible, but without the whole stream this cannot be considered complete or reliable.

With passive FTP connections, the port number is contained within the inbound response from the server to the client's PASV FTP command. Thus, if the inbound traffic is not visible, the network monitor cannot determine which data connection is associated with the transfer, and no detection will occur.

Bidirectional traffic is a requirement for FTP detection in general, but for PASV transfers in particular there is no possibility of detecting file transfers from a simplex (one-direction) capture: the data port is random, and the control connection, seen from one direction only, never reveals it.
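The following is an added illustration, not code from the article or from the Network Monitor product, of the correlation the two FTP overviews and the resolution above describe: read the control channel for the PORT command (active) or the 227 reply to PASV (passive), decode the negotiated port, then look for the matching data connection in the captured packets. It runs the same two sessions against a full-duplex capture and an outbound-only capture; the hosts, ports, file name and the tuple-based packet model are constructed for the example.

```python
import re

# Constructed example: a small correlator that does what the article says a
# monitor must do, namely read the FTP control channel to learn the data
# connection's port, then look for that data connection in the capture.
# Hosts, ports and the "secrets.xlsx" file name are made up for this example.

PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")
PASV_RE = re.compile(r"^227 .*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def decode_hostport(groups):
    """FTP encodes host and port as h1,h2,h3,h4,p1,p2 with port = p1*256 + p2."""
    return ".".join(groups[:4]), int(groups[4]) * 256 + int(groups[5])


def learn_data_endpoint(control_msgs, visible_dirs):
    """Scan control-channel lines the capture can see ("out" = client->server,
    "in" = server->client). Returns (mode, host, port), or None when the
    capture never shows the line that carries the port."""
    for direction, text in control_msgs:
        if direction not in visible_dirs:
            continue
        m = PORT_RE.match(text)
        if m:  # active: the client tells the server where to connect
            return ("active",) + decode_hostport(m.groups())
        m = PASV_RE.match(text)
        if m:  # passive: the server tells the client where to connect
            return ("passive",) + decode_hostport(m.groups())
    return None


def correlate(control_msgs, data_pkts, visible_dirs):
    """Match data-connection packets (direction, client_port, server_port, kind)
    to the endpoint learned from the control channel and grade the result."""
    ep = learn_data_endpoint(control_msgs, visible_dirs)
    if ep is None:
        return {"mode": None, "port": None, "verdict": "none"}
    mode, _host, port = ep
    # Active: the negotiated port belongs to the client; passive: to the server.
    idx = 1 if mode == "active" else 2
    seen = [p for p in data_pkts if p[0] in visible_dirs and p[idx] == port]
    handshake = any(p[3] == "syn" for p in seen)   # did we see the connection start?
    payload = any(p[3] == "data" for p in seen)    # did we see file content?
    verdict = "complete" if handshake and payload else "partial" if payload else "none"
    return {"mode": mode, "port": port, "verdict": verdict}


def active_session(client_port=50001):
    hi, lo = divmod(client_port, 256)
    control = [("out", "USER alice"), ("in", "331 Password required"),
               ("out", f"PORT 10,0,0,5,{hi},{lo}"), ("in", "200 PORT command successful"),
               ("out", "STOR secrets.xlsx"), ("in", "150 Opening data connection")]
    # Server initiates from port 20 (inbound SYN); the client then uploads (outbound data).
    data = [("in", client_port, 20, "syn"), ("out", client_port, 20, "syn-ack"),
            ("out", client_port, 20, "data"), ("out", client_port, 20, "data")]
    return control, data


def passive_session(server_port=41234, client_port=50234):
    hi, lo = divmod(server_port, 256)
    control = [("out", "USER alice"), ("in", "331 Password required"),
               ("out", "PASV"), ("in", f"227 Entering Passive Mode (192,0,2,10,{hi},{lo})"),
               ("out", "STOR secrets.xlsx"), ("in", "150 Opening data connection")]
    # Client initiates to the server's high port (outbound SYN) and uploads.
    data = [("out", client_port, server_port, "syn"), ("in", client_port, server_port, "syn-ack"),
            ("out", client_port, server_port, "data"), ("out", client_port, server_port, "data")]
    return control, data


def run_all():
    """Grade both FTP modes against a duplex and an outbound-only capture."""
    results = {}
    for name, builder in (("active", active_session), ("passive", passive_session)):
        control, data = builder()
        results[(name, "duplex")] = correlate(control, data, {"in", "out"})["verdict"]
        results[(name, "outbound-only")] = correlate(control, data, {"out"})["verdict"]
    return results


if __name__ == "__main__":
    for (mode, capture), verdict in run_all().items():
        print(f"{mode:8s} {capture:14s} -> {verdict}")
```

With the duplex capture both modes grade as "complete". With outbound-only traffic the active session still yields "partial", because the PORT command and the client's uploaded data are both outbound even though the server's inbound connection setup is missing; the passive session yields "none", because the 227 reply carrying the port is inbound and the correlator never learns which data connection to look for. That is the asymmetry the resolution describes, and it is the reason a bidirectional capture is a hard requirement for PASV detection.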