Studying Normal Traffic, Part Two: Studying FTP Traffic

by Karen Kent Frederick
Sept. 19, 2017, Symantec Detection & Response

This is the second article in a three-part series devoted to studying normal traffic. As was explained in "Studying Normal Traffic, Part One", many intrusion detection analysts concentrate on identifying the characteristics of suspicious packets - illegal TCP flag combinations or reserved IP addresses, for example. However, it is also important to be familiar with what normal traffic looks like. A great way to do this is to generate some normal traffic, capture the packets and examine them. The first article in this series explained how to capture packets using WinDump and reviewed some simple examples of normal TCP/IP traffic. In this article, we will be examining FTP traffic, which, from a traffic flow standpoint, is more complicated than most other protocols. Note that in order to understand this material, you should already know the fundamentals of TCP/IP, and you should be familiar with the format of WinDump or tcpdump log files, as discussed in the first article of this series.