Hi-Performance Protocol Identification Engine

Protocols > File Transfer Protocol (FTP)

HiPPIE Name: ftp
Protocol Category: Core Internet Protocols
Protocol Classification: Full - Full Prediction

FTP, the File Transfer Protocol, is one of the oldest and most standard protocols on the internet, though it is used less every day.  It's a plain-text protocol, passwords included, which is a large part of the reason its use keeps declining.  There are a few things you could key on to identify this protocol, but the simplest, in my mind, is the one I've used.  When a client connects to an FTP server, the server typically kicks back a "220 Server Banner of some kind here" message, so you can check for receipt of that 220 reply.  After the 220 message, the FTP client sends a "USER username" command.  Basically, I'm using a simple state machine: wait for the 220, then for the returning USER command, and that identifies the protocol. 

Now, the biggest thing that makes this protocol complex to classify is that it carries data in separate sessions from the control session, and there is no way to identify those data sessions purely by inspecting their own packets.  So, you must keep watching the FTP control session to catch the messages that announce the data sessions, and do a session prediction to find them.  The PORT command is used to define these sessions.  A sample PORT command looks like this:

PORT 192,168,1,100,45,123

The first four octets in this string are the IP address of the system that is waiting for the connection (the client), and the last two give the port number: multiply the first by 256 and add the second.  So, in this case, the port number would be 45 * 256 + 123 = 11643.  We then predict this session, and presto, we have a classified ftp-data session.
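The following is an added example of the two mechanisms described above, the 220/USER state machine and the PORT-based data-session prediction, written in Python for this page; it is not HiPPIE's own code. The class and function names, the direction labels ("s2c"/"c2s") and the sample control-session lines are all constructed for illustration. It also adds one check a classifier should make: the address carried in PORT is compared against the client's own address on the control session, so a PORT that points somewhere else is reported rather than silently trusted.

```python
import re
from dataclasses import dataclass, field

# Matches "PORT h1,h2,h3,h4,p1,p2" (case-insensitive verb, optional trailing whitespace).
PORT_RE = re.compile(
    r"^PORT\s+(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\s*$",
    re.IGNORECASE,
)


def parse_port_command(line):
    """Decode a PORT command into (ip, port); return None if it is malformed.

    The first four numbers are the client's IPv4 address, the last two encode
    the port as p1 * 256 + p2 (exactly the arithmetic described on the page).
    """
    m = PORT_RE.match(line.strip())
    if not m:
        return None
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):      # each field is a single byte
        return None
    port = nums[4] * 256 + nums[5]
    if port == 0:                       # port 0 is not a usable listener
        return None
    ip = ".".join(str(n) for n in nums[:4])
    return ip, port


@dataclass
class FtpControlClassifier:
    """Tiny state machine over the control session: START -> SAW_220 -> FTP."""
    client_ip: str                      # client address seen on the control session
    state: str = "START"
    predicted: list = field(default_factory=list)   # (ip, port) data sessions to expect
    suspicious: list = field(default_factory=list)  # PORT targets that are not the client

    def feed(self, direction, line):
        """Consume one control-session line; direction is 's2c' or 'c2s'."""
        if self.state == "START":
            # Server greeting: "220 ..." (a "220-" continuation line also counts).
            if direction == "s2c" and line.startswith("220"):
                self.state = "SAW_220"
        elif self.state == "SAW_220":
            # Client login: "USER username" right after the greeting.
            if direction == "c2s" and line.upper().startswith("USER "):
                self.state = "FTP"
        elif self.state == "FTP":
            # Already classified; keep watching for PORT so the data session
            # (client ip/port, announced here) can be predicted and labelled ftp-data.
            if direction == "c2s":
                target = parse_port_command(line)
                if target is not None:
                    self.predicted.append(target)
                    if target[0] != self.client_ip:
                        # Address in PORT does not belong to this client: flag it.
                        self.suspicious.append(target)
        return self.state


def classify_session(client_ip, lines):
    """Run the classifier over (direction, line) pairs; return (state, predicted, suspicious)."""
    clf = FtpControlClassifier(client_ip=client_ip)
    for direction, line in lines:
        clf.feed(direction, line)
    return clf.state, clf.predicted, clf.suspicious


# Constructed sample control session (not captured traffic).
SAMPLE_SESSION = [
    ("s2c", "220 Example FTP server ready."),
    ("c2s", "USER alice"),
    ("s2c", "331 Password required."),
    ("c2s", "PASS hunter2"),
    ("s2c", "230 Login ok."),
    ("c2s", "PORT 192,168,1,100,45,123"),
    ("s2c", "200 PORT command successful."),
    ("c2s", "RETR file.txt"),
]

if __name__ == "__main__":
    print(classify_session("192.168.1.100", SAMPLE_SESSION))
```

Run as-is, the sample session ends in state FTP with one predicted ftp-data session at 192.168.1.100 port 11643 and nothing flagged; change the client address passed to `classify_session` and the same PORT lands in the suspicious list instead.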
