Wireshark-users: Re: [Wireshark-users] where to see transfered data
From: Sake Blok <sake@xxxxxxxxxx>
Date: Tue, 12 Feb 2008 11:47:24 +0100
On Tue, Feb 12, 2008 at 02:17:39AM -0800, J V wrote:
>    
>   I'm new in Wireshark and have one question. Where to see data I transfer?
>   Question is because I tranfer by ftp 90 bytes BMP file with appropriate capture
>   filtr. When look to packet detail frame I see
>   Frame 4 .... 118 bytes captured, but inside there is nothing around 90 bytes
>   The biggest block is 64 bytes (Opening binary mode data......)

The FTP protocol is a tricky protocol as it uses a control connection and
separate data connections. If you use the capture filter "ftp" you will 
only see the data in the control connection (client:highport -> server:21).
You can use the capture filter "ftp-data" to capture the data-connections
(server:20 -> client:other-high-port).

But... if passive ftp is used, the data connections are set up on random
ports (server:highport -> client:other-highport). In which case the 
capture filter "ftp or ftp-data" will not even help you. You will then have 
to capture all (tcp) traffic between the client and the server and do
the filtering later by hand.

Hope this helps,
Cheers,
    Sake