Interesting Traces - FTP Server IP address changing



The following trace (figure 1) comes from my attempt to FTP to a web site. I captured it using Wireshark on a laptop connected to a tap between my firewall and my Internet router. I'm using the FTP client that comes with Windows Vista. I've deleted all the TCP ACK segments; they lengthen the trace and don't add any value. I've edited the rest of the segments to try to keep the lines short, but I still had to break frame 33 into 2 lines. I also replaced the first 2 octets of all the addresses to protect everyone's privacy.

The first part of the trace (frames 1 through 20) looks normal enough. My client port is 47473 and it is going to the FTP port on host AAA.BBB.146.1. I get connected and log in. I then issue the "dir" command (see figure 2), which triggers frames 22, 24, and 25. The PORT command looks normal. The listening port is identified as 47474 (185 * 256 + 114) in the PORT command in frame 22.

It is this next part which is strange (frames 26 through 32). The FTP data connection is directed to the correct port, 47474, but is not coming from AAA.BBB.146.1. Instead it is coming from CC.DD.24.166. My firewall is objecting to this sudden change in IP addresses. Both IP addresses are registered to the same hosting service.

Finally, in frame 33, the timeout error message comes back from the original AAA.BBB.146.1 address.

I suspect that it has something to do with multiple IP addresses on the host. The FTP daemon is not binding its socket to the same IP address that accepted the client's connection before sending its connection back to the client. The host therefore uses what amounts to the default IP address to create the connection back to the client. That, however, is a guess. The support person told me that it has to do with using "grid hosting" and that the host has multiple IP addresses, so I think my guess is a good bet. I did try looking at the Pure-FTPd web site but could find nothing about this.

No.     Time        Source        Destination           Protocol Info
  1  0.000000   EE.FFF.136.184   AAA.BBB.146.1    47473 > ftp [SYN]        . . .
  2  0.035669   AAA.BBB.146.1    EE.FFF.136.184   ftp > 47473 [SYN, ACK]   . . . 
  4  0.076676   AAA.BBB.146.1    EE.FFF.136.184   Response: 220            . . .
  6  3.633510   EE.FFF.136.184   AAA.BBB.146.1    Request: USER            . . . 
 16 46.306715   AAA.BBB.146.1    EE.FFF.136.184   Response: 331 . . . Password required
 18 50.219261   EE.FFF.136.184   AAA.BBB.146.1    Request: PASS            . . .
 20 50.324619   AAA.BBB.146.1    EE.FFF.136.184   Response: 230-User       . . .
 22 80.653287   EE.FFF.136.184   AAA.BBB.146.1    Request: PORT 68,105,136,184,185,114
 24 80.686086   AAA.BBB.146.1    EE.FFF.136.184   Response: 200 PORT command successful
 25 80.690159   EE.FFF.136.184   AAA.BBB.146.1    Request: LIST
 26 80.727791   CC.DD.24.166     EE.FFF.136.184   ftp-data > 47474 [SYN]   . . .
 28 83.726623   CC.DD.24.166     EE.FFF.136.184   ftp-data > 47474 [SYN]   . . .
 29 89.726896   CC.DD.24.166     EE.FFF.136.184   ftp-data > 47474 [SYN]   . . .
 30 101.728315  CC.DD.24.166     EE.FFF.136.184   ftp-data > 47474 [SYN]   . . .
 31 125.729301  CC.DD.24.166     EE.FFF.136.184   ftp-data > 47474 [SYN]   . . .
 32 173.731012  CC.DD.24.166     EE.FFF.136.184   ftp-data > 47474 [SYN]   . . .
 33 269.735197  AAA.BBB.146.1    EE.FFF.136.184   
      Response: 425 Could not open data connection to port 47474: Connection timed out
Figure 1 - Trace showing server's IP address changing (IP addresses changed to protect privacy)

L:\>ftp XXXXX
Connected to XXXXX.
220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
220-You are user number 20 of 500 allowed.
220-Local time is now 14:36. Server port: 21.
220-This is a private system - No anonymous login
220 You will be disconnected after 3 minutes of inactivity.
User (XXXXX:(none)): ABCDE
331 User ABCDE OK. Password required
Password:
230-User ABCDE has group access to:  inetuser
230 OK. Current restricted directory is /
ftp> dir
200 PORT command successful
425 Could not open data connection to port 47474: Connection timed out
ftp>
Figure 2 - text of FTP session (names replaced to protect privacy)
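
An added example, not part of the original page: a minimal version of the kind of check a stateful firewall applies to active-mode FTP, run over constructed events modelled on frames 22, 25 and 26 of figure 1. The function names and the event tuple format are assumptions made for illustration.

```python
import re

PORT_RE = re.compile(r"^PORT (\d{1,3}(?:,\d{1,3}){5})$")

def parse_port(command):
    """Decode 'PORT h1,h2,h3,h4,p1,p2' (RFC 959) into (ip, port), or None."""
    m = PORT_RE.match(command.strip())
    if not m:
        return None
    nums = [int(n) for n in m.group(1).split(",")]
    if any(n > 255 for n in nums):
        return None
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]

def judge(events):
    """Return (src, dport, verdict) for every inbound data SYN.

    events: ("ctrl", client, server, command) or ("syn", src, dst, dport).
    A SYN is allowed only if it comes from the control-connection server
    and targets the port that client announced with PORT.
    """
    expected = {}  # client address -> (server address, announced port)
    verdicts = []
    for kind, a, b, data in events:
        if kind == "ctrl":
            decoded = parse_port(data)
            if decoded:
                expected[a] = (b, decoded[1])
        elif kind == "syn":
            server, port = expected.get(b, (None, None))
            if data != port:
                verdict = "drop: no PORT announced for this port"
            elif a != server:
                verdict = f"drop: source {a} is not control peer {server}"
            else:
                verdict = "allow"
            verdicts.append((a, data, verdict))
    return verdicts

# Constructed events modelled on frames 22, 25 and 26 of figure 1; the
# anonymized addresses are compared as opaque strings.
FIGURE_1 = [
    ("ctrl", "EE.FFF.136.184", "AAA.BBB.146.1", "PORT 68,105,136,184,185,114"),
    ("ctrl", "EE.FFF.136.184", "AAA.BBB.146.1", "LIST"),
    ("syn", "CC.DD.24.166", "EE.FFF.136.184", 47474),
]

if __name__ == "__main__":
    for verdict in judge(FIGURE_1):
        print(verdict)
```

The port matches the one announced in frame 22, so the only reason for the drop is the source address, which is the situation the trace shows.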

This page was last modified on 10-05-23
Send comments and suggestions to ndav1@cox.net