Can't see text file content in Wireshark

I captured the packets while transferring a file without encryption through FileZilla. But in that pcap file (opened with Wireshark) I can't see the content of the text file that was uploaded, though it's expected to be visible.
@amanagar, @Saurabh_Crio_TA, @chandra-kiran_crio

Find the right packets in pcap file…

You need to figure out where the data transfer actually started, and since it is a text file, the whole data will be transferred with the help of a few packets.

Let's say the transfer started at packet A and ended at packet B. So in between A and B, click on packets; at the bottom (in Wireshark) you are going to find the exact text that is in the text file if it's not encrypted.

Hey Soumyadip! This can happen if you used a port filter during tcpdump and you missed a few ports through which the data transfer is taking place. Make sure you go through the config file before filtering. Hope this helps.

Happy coding! :slightly_smiling_face:

@Midhun I can't understand what you said. Basically we filter out 8080, but in the conf file we are listening on port 8081. Please explain what you said.

Hey, can you tell me how to check from which packet the file transfer started?

@Midhun Even when I captured packets without port filtering, I still could not find the text content in the pcap file.

Hey Soumya!

I hope this sentence will clear your doubt: "The FTP is a TCP service which uses 2 ports. The first FTP port is the 'command port', which utilizes the communication between the FTP server and the FTP client. The second port is the 'data transfer' port, where the real file transfer runs."

Also try reading this: https://www.jscape.com/blog/bid/80512/active-v-s-passive-ftp-simplified
You will figure it out eventually. :slight_smile:

@Midhun OK, but I still can't find the text content even when I captured packets without filtering out port 8080. Even then the pcap file doesn't show the file content. I can't understand why this happened even after a successful file transfer between FileZilla and QBox. I uploaded the file in ~/ and also in ~/workspace/QBox

Wireshark has a color scheme which helps you know that. If you have already filtered out the right packets, you must see some packets having a dark background (even if you have not filtered them, they will be present with the color scheme applied, but you might find it hard searching for them). That indicates the start. It also uses the same coloring scheme when it's finished, making it easier for you to understand.
And with TCP protocols, look at the Info column too. That really does have useful info.

Yes @AmoghaKS, I checked that also but can't find the content that I wrote in my uploaded text file.

@Soumyadip
We filtered out 8080 because it has nothing to do with our task.

So which port matters here?


So these darkened packets are where the file transfer started?

When the transfer of the file gets started… the QBox server uses some port. To be more specific, there are 3 port numbers which play an important role here (and one of these 3 is very important).

If you filter them all properly, a few packets will definitely be packets carrying the actual text file… in between you might find a few packets with encrypted text; we don’t understand it, ignore them.

@AmoghaKS How do I find the text file? I tried to search by a part of the text in the search bar.

This is not where it started. Look out, you are going to find many such packets… somewhere you’ll find the required one. You have to search for them. Use filters. I mean filter by the ports that QBox uses for file transfer. And 8081 is not the one you need here.

Which port does QBox use for file transfer?

@AmoghaKS port is 8083. Am I right?

Oh… that doesn’t work (note: you’ll not find a separate text file and may not find the complete text in a single packet)… click on packets. At the bottom you’ll find the actual text (again, that works if you have clicked the right packet… the right port, otherwise you’ll see some encrypted thing).

Hint: such right packets will have a greater length compared to other packets.

We weren’t revealing it because that’s the main task here… you can go ahead, buddy.

If you have trouble finding the exact time where TCP started, then,

in Wireshark
go to: Statistics -> Conversations and choose TCP there. The column “Rel start” gives you the info you need.

I guess the port it chooses to transfer the data is going to be random… So, you have three ports: one of those is going to be used as the FTP_Control port (8081) and one of the other two is going to be used as the FTP_data port. Good luck! :slightly_smiling_face:
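The command-port / data-port split described in the thread, as an added example that is not part of the original posts: the data port is announced in plain text on the control connection (readable with Follow > TCP Stream on the control port), so it can be parsed out and turned into a Wireshark display filter. Control port 8081 is the value mentioned in the thread; the sample lines, addresses and other port numbers are constructed, and the function names are hypothetical.

```python
import re

# Replies/commands on the FTP control channel that announce the data endpoint.
_PASV = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
_EPSV = re.compile(r"^229 .*?\(\|\|\|(\d+)\|\)")
_PORT = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)", re.I)
_EPRT = re.compile(r"^EPRT \|\d\|[^|]*\|(\d+)\|", re.I)


def data_ports(control_lines):
    """Return (mode, port) for every data-channel announcement, in order."""
    found = []
    for raw in control_lines:
        line = raw.strip()
        m = _PASV.match(line) or _PORT.match(line)
        if m:
            p1, p2 = int(m.group(5)), int(m.group(6))
            if p1 > 255 or p2 > 255:
                continue  # malformed octet, not a valid announcement
            mode = "passive" if line.startswith("227") else "active"
            found.append((mode, p1 * 256 + p2))  # port = high byte * 256 + low byte
            continue
        m = _EPSV.match(line) or _EPRT.match(line)
        if m:
            port = int(m.group(1))
            if 0 < port < 65536:
                mode = "passive" if line.startswith("229") else "active"
                found.append((mode, port))
    return found


def display_filter(control_port, control_lines):
    """Build a Wireshark display filter for the control and data channels."""
    ports = [control_port] + [p for _, p in data_ports(control_lines)]
    unique = list(dict.fromkeys(ports))  # de-duplicate, keep order
    return " || ".join(f"tcp.port == {p}" for p in unique)


# Constructed control-channel lines (not taken from the thread's capture).
SAMPLE = [
    "USER demo",
    "227 Entering Passive Mode (127,0,0,1,31,146)",
    "STOR notes.txt",
    "229 Entering Extended Passive Mode (|||8090|)",
    "PORT 10,0,0,5,200,21",
]

if __name__ == "__main__":
    print(display_filter(8081, SAMPLE))
```

A capture taken with a port filter that excludes the announced data port will contain the control dialogue but none of the file bytes, which matches the symptom in the first post.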