Excluding passive FTP traffic from a capture

jclapauc01 · ‎07-22-2009

Hi all

I am trying to establish a capture and I want to exclude passive FTP traffic from the capture. The problem is that in passive ftp the control session is well defined and there is no problem excluding it from the capture.But the data session is allowed by the full state firewall traffic inspection, meaning that the pair of ports used for the data session are dinamically established during the control session connection. Is there a way to exclude the whole ftp traffic from the capture?

I am using for example the following access list in the capture:

access-list CAP-LIST extended deny tcp host 10.10.0.1 host 10.10.10.1 eq ftp

access-list CAP-LIST extended permit ip any any

capture mycap access-list CAP-LIST interface OUTSIDE

Thanks a lot for your help.

Jose

cisco24x7 · ‎07-23-2009

Think about ftp passive. Here is how it works:

- First connection from the the client to server is from client random high port to server tcp port 21, command & control port,

- Second connection from the client to server will be from client random high-port to server random high port specified by the server. In this case, you are talking about > 1024 ports on both client and server.

The access-list will look something like this:

access-list 101 deny tcp host 129.174.1.1 host 4.2.2.2 eq ftp

access-list 101 deny tcp host 129.174.1.1 host 4.2.2.2 gt 1023

access-list 101 permit ip any any

Problem with this is that you may miss other traffics that also use high tcp ports such as sqlnet, MSsql, MySQL and terminal service, to name a few.

This is a tcpdump on how passive work. Notice the following lines:

12:31:38.247419 129.174.1.1.35640 > 4.2.2.2.2303: . ack 69 win 1460 (DF) [tos 0x8]

12:31:38.247684 129.174.1.1.35640 > 4.2.2.2.2303: F 1:1(0) ack 70 win 1460 (DF) [tos 0x8]

This tell you that the data connection port is randomized due the nature of passive ftp. Complete tcpdump of passive output below:

[Expert@cp-ngx]tcpdump -nnni eth0 host 129.174.1.1

12:31:30.426628 129.174.1.1.35639 > 4.2.2.2.21: S 2862062823:2862062823(0) win 5840 (DF)

12:31:30.428910 4.2.2.2.21 > 129.174.1.1.35639: S 3767689974:3767689974(0) ack 2862062824 win 5792 (DF)

12:31:30.429130 129.174.1.1.35639 > 4.2.2.2.21: . ack 1 win 1460 (DF)

12:31:30.434889 4.2.2.2.21 > 129.174.1.1.35639: P 1:21(20) ack 1 win 1448 (DF)

12:31:30.435128 129.174.1.1.35639 > 4.2.2.2.21: . ack 21 win 1460 (DF) [tos 0x10]

12:31:30.435268 129.174.1.1.35639 > 4.2.2.2.21: P 1:14(13) ack 21 win 1460 (DF) [tos 0x10]

12:31:30.435886 4.2.2.2.21 > 129.174.1.1.35639: . ack 14 win 1448 (DF)

12:31:38.247203 4.2.2.2.2303 > 129.174.1.1.35640: P 1:69(68) ack 1 win 1448 (DF) [tos 0x8]

12:31:38.247284 4.2.2.2.21 > 129.174.1.1.35639: P 361:385(24) ack 100 win 1448 (DF)

12:31:38.247335 4.2.2.2.2303 > 129.174.1.1.35640: F 69:69(0) ack 1 win 1448 (DF) [tos 0x8]

12:31:38.247419 129.174.1.1.35640 > 4.2.2.2.2303: . ack 69 win 1460 (DF) [tos 0x8]

12:31:38.247684 129.174.1.1.35640 > 4.2.2.2.2303: F 1:1(0) ack 70 win 1460 (DF) [tos 0x8]

12:31:38.247747 129.174.1.1.35639 > 4.2.2.2.21: . ack 385 win 1460 (DF) [tos 0x10]

12:31:38.248375 4.2.2.2.2303 > 129.174.1.1.35640: . ack 2 win 1448 (DF) [tos 0x8]

109 packets received by filter

0 packets dropped by kernel

[Expert@cp-ngx]#

jclapauc01 · ‎07-23-2009

Thanks for your answer.

I understand how passive ftp works.

Let me explain my poblem...

I am trying to capture all the traffic EXCEPT the ftp traffic .

Since passive ftp data traffic is allowed through ftp inspection once the control session is established I am not worried capturing it in order to create my access lists.

BUT when I create a long term capture (in order to verify which traffic I should permit through access-lists) and exclude the traffic on port 21 , the ftp data traffic still shows up since the from and to ports for data communication are decided during the control session connection.

My question is: Is there a way to exclude FTP data traffic from the capture

when using passive ftp????

Thanks again

Jose