Ed Greshko <Ed.Greshko@xxxxxxxxxxx> wrote:
thomas wrote:
> There is requirement to view the data transfer being done by any user
> or application on port no 21 (i.e ftp port). Is there any option in
> netstat that can show data is being transfered on port no 21 or data
> transfer has been completed?
> Any other way to track the same?
You will need to record activity on ports 20 and 21. Port 20 is the "data
channel" for ftp while port 21 is the "command channel".
Unless the user sets passive mode. Then both data and commands are on
port 21.
You can use something like tcpdump to grab the content and commands.
Unfortunately, matching up the transfered data with the command session
is non-trivial. tcpreplay allows you to "replay" a captured session if
that's any help.
Cheers,
Dave
--
Politics, n. Strife of interests masquerading as a contest of principles.
-- Ambrose Bierce
