This article explains how NAT on Cisco routers rewrites the FTP payload.
For an overview of NAT, see the following.
Overview of FTP payload rewriting by NAT
FTP payload rewriting by NAT is the process in which the NAT device inspects FTP traffic and rewrites the IP addresses carried in the data portion of the packets.
The general process of FTP payload rewriting by NAT is as follows.
1. When the NAT device receives an FTP packet, it inspects the traffic.
2. It parses the payload (data portion) of the FTP packet and extracts information such as the IP address.
3. It looks up the NAT table and rewrites the IP address in the payload.
4. It forwards the FTP packet with the rewritten payload.
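As an added illustration (not code from this article or from Cisco IOS), the Python sketch below emulates steps 2 to 4 for the PORT command: it parses the h1,h2,h3,h4,p1,p2 argument, translates the address through a static NAT table, and reports the byte-length change that a real NAT has to fold into later TCP sequence and acknowledgment numbers. The NAT table mirrors the static entry used on this page, the `no_payload` flag mirrors the router's `no-payload` option, and the second NAT table in the usage comments is constructed for the example.

```python
import re

# Static NAT table mirroring this page's router config (inside local -> inside global).
NAT_TABLE = {"192.168.2.100": "192.168.1.100"}

# PORT h1,h2,h3,h4,p1,p2 as sent on the control connection (RFC 959).
PORT_RE = re.compile(r"^PORT\s+(\d{1,3}(?:,\d{1,3}){5})\s*$", re.IGNORECASE)


def parse_port_args(args):
    """Turn 'h1,h2,h3,h4,p1,p2' into (ip, port); None if any field is out of range."""
    parts = args.split(",")
    if len(parts) != 6 or any(int(p) > 255 for p in parts):
        return None
    return ".".join(parts[:4]), int(parts[4]) * 256 + int(parts[5])


def format_port_args(ip, port):
    """Inverse of parse_port_args."""
    return ",".join(ip.split(".") + [str(port // 256), str(port % 256)])


def rewrite_port_command(payload, ip_src, nat_table=NAT_TABLE, no_payload=False):
    """
    Emulate the FTP ALG on an inside->outside control packet.

    payload : TCP payload bytes of the packet
    ip_src  : source IP of the packet before NAT (the inside local address)
    Returns (new_payload, seq_delta). seq_delta is the change in payload length,
    which a real NAT must add to the sequence numbers of every later segment on
    this connection (and subtract from the peer's acknowledgment numbers).
    With static 1:1 NAT as on this page the port is left unchanged; PAT would
    also have to allocate and translate the data port.
    """
    if no_payload:  # 'no-payload' configured: the ALG leaves the payload alone
        return payload, 0
    m = PORT_RE.match(payload.decode("ascii", errors="replace"))
    if not m:
        return payload, 0
    parsed = parse_port_args(m.group(1))
    if parsed is None:
        return payload, 0
    ip, port = parsed
    # Only translate an address that really is the sender's own inside-local
    # address and has a NAT entry. A PORT naming some other host is passed
    # through untouched; the server is expected to reject such a request.
    if ip != ip_src or ip not in nat_table:
        return payload, 0
    new_payload = ("PORT " + format_port_args(nat_table[ip], port) + "\r\n").encode("ascii")
    return new_payload, len(new_payload) - len(payload)


# Frame 18 of the page's pattern-1 capture: the same-length addresses give a delta of 0.
# rewrite_port_command(b"PORT 192,168,2,100,239,126\r\n", "192.168.2.100")
#   -> (b"PORT 192,168,1,100,239,126\r\n", 0)
# Constructed table with addresses of different length: the delta is no longer 0.
# rewrite_port_command(b"PORT 10,0,0,5,4,1\r\n", "10.0.0.5", {"10.0.0.5": "203.0.113.77"})
#   -> (b"PORT 203,0,113,77,4,1\r\n", 4)
```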
Verifying FTP payload rewriting by NAT
Network configuration
FTP payload rewriting by NAT is verified with the network configuration below.
NAT router configuration
The NAT router is configured with its interfaces and NAT. The only difference between the two variants below is the `no-payload` keyword on the static translation, which stops the router from translating addresses embedded in the payload for that mapping.
When the FTP payload is not rewritten (with the no-payload option)
```
interface GigabitEthernet0/0
 ip address 192.168.1.254 255.255.255.0
 ip nat outside
interface GigabitEthernet0/1
 ip address 192.168.2.254 255.255.255.0
 ip nat inside
ip nat inside source static 192.168.2.100 192.168.1.100 no-payload
```
When the FTP payload is rewritten (without the no-payload option)
```
interface GigabitEthernet0/0
 ip address 192.168.1.254 255.255.255.0
 ip nat outside
interface GigabitEthernet0/1
 ip address 192.168.2.254 255.255.255.0
 ip nat inside
ip nat inside source static 192.168.2.100 192.168.1.100
```
Test patterns
Verification is done with the following four patterns. In pattern No. 1 (FTP mode: active, payload rewrite: no), the FTP communication may fail.
| No | FTP mode | Payload rewrite | FTP communication |
|---|---|---|---|
| 1 | Active | No | NG |
| 2 | Active | Yes | OK |
| 3 | Passive | No | OK |
| 4 | Passive | Yes | OK |
Details of the pattern in which FTP communication fails
FTP mode: active, payload rewrite: no
When the FTP mode is active and the payload is not rewritten, the data connection cannot be established and the FTP communication may fail (NG).
Communication details
The details of the FTP communication are as follows.
1. The PC (client) initiates a connection to the FTP server.
2. The FTP server acknowledges the connection to the PC (client).
3. The PC (client) notifies the FTP server that the connection is complete (TCP 3-way handshake completed).
4. The user name and password are entered and the login is processed.
5. The PC (client) sends the FTP server the information for the data connection (IP address / port number).
   The data connection information (IP address / port number) is carried in the payload (data portion) of the FTP packet. When payload rewriting is disabled on the NAT router, this information is not rewritten.
6. The FTP server initiates a connection to the PC (client).
   In active mode, the data connection is initiated by the server. The server starts communicating with the notified IP address (the PC's real address).
7. The PC (client) acknowledges the connection to the FTP server.
   The PC (client) returns an acknowledgment (SYN, ACK), but from the FTP server's point of view the source IP address differs, so the TCP session is not established.
   Note: the server started communicating with 192.168.2.100, yet the response comes back from 192.168.1.100.
Overall communication diagram (figure omitted): control connection, data connection
Packet capture check
Packet captures of the communication above.
PC (client) side
"No.","Time","Source","Destination","Protocol","Length","Info"
"1","16:35:41","192.168.2.100","192.168.1.101","TCP","66","61309 > 21 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 WS=256 SACK_PERM"
"2","16:35:41","192.168.1.101","192.168.2.100","TCP","66","21 > 61309 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460 WS=256 SACK_PERM"
"3","16:35:41","192.168.2.100","192.168.1.101","TCP","54","61309 > 21 [ACK] Seq=1 Ack=1 Win=262656 Len=0"
"4","16:35:41","192.168.1.101","192.168.2.100","FTP","96","Response: 220 3Com 3CDaemon FTP Server Version 2.0"
"5","16:35:41","192.168.2.100","192.168.1.101","FTP","68","Request: USER ftpuser"
"6","16:35:41","192.168.1.101","192.168.2.100","FTP","87","Response: 331 User name ok, need password"
"7","16:35:41","192.168.2.100","192.168.1.101","FTP","68","Request: PASS ftpuser"
"8","16:35:41","192.168.1.101","192.168.2.100","FTP","74","Response: 230 User logged in"
"9","16:35:41","192.168.2.100","192.168.1.101","FTP","60","Request: FEAT"
"10","16:35:41","192.168.1.101","192.168.2.100","FTP","76","Response: 211- Feature listing"
"11","16:35:41","192.168.2.100","192.168.1.101","TCP","54","61309 > 21 [ACK] Seq=35 Ack=118 Win=262656 Len=0"
"12","16:35:41","192.168.1.101","192.168.2.100","FTP","88","Response: MDTM"
"13","16:35:41","192.168.2.100","192.168.1.101","TCP","54","61309 > 21 [ACK] Seq=35 Ack=152 Win=262400 Len=0"
"14","16:35:41","192.168.2.100","192.168.1.101","FTP","60","Request: XPWD"
"15","16:35:41","192.168.1.101","192.168.2.100","FTP","84","Response: 257 ""/"" is current directory"
"16","16:35:41","192.168.2.100","192.168.1.101","FTP","62","Request: TYPE A"
"17","16:35:41","192.168.1.101","192.168.2.100","FTP","74","Response: 200 Type set to A."
"18","16:35:41","192.168.2.100","192.168.1.101","FTP","82","Request: PORT 192,168,2,100,239,126"
"19","16:35:41","192.168.1.101","192.168.2.100","FTP","84","Response: 200 PORT command successful."
"20","16:35:41","192.168.2.100","192.168.1.101","FTP","60","Request: LIST"
"21","16:35:41","192.168.1.101","192.168.2.100","TCP","66","20 > 61310 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 WS=256 SACK_PERM"
"22","16:35:41","192.168.2.100","192.168.1.101","TCP","66","61310 > 20 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460 WS=256 SACK_PERM"
"23","16:35:41","192.168.1.101","192.168.2.100","TCP","60","21 > 61309 [ACK] Seq=232 Ack=83 Win=1050880 Len=0"
"24","16:35:42","192.168.1.101","192.168.2.100","TCP","66","[TCP Retransmission] 20 > 61310 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 WS=256 SACK_PERM"
"25","16:35:42","192.168.2.100","192.168.1.101","TCP","66","[TCP Retransmission] 61310 > 20 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460 WS=256 SACK_PERM"
"26","16:35:44","192.168.1.101","192.168.2.100","TCP","66","[TCP Retransmission] 20 > 61310 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 WS=256 SACK_PERM"
"27","16:35:44","192.168.2.100","192.168.1.101","TCP","66","[TCP Retransmission] 61310 > 20 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460 WS=256 SACK_PERM"
"28","16:35:48","192.168.1.101","192.168.2.100","TCP","66","[TCP Retransmission] 20 > 61310 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 WS=256 SACK_PERM"
"29","16:35:48","192.168.2.100","192.168.1.101","TCP","66","[TCP Retransmission] 61310 > 20 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460 WS=256 SACK_PERM"
"30","16:35:56","192.168.1.101","192.168.2.100","TCP","66","[TCP Retransmission] 20 > 61310 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 WS=256 SACK_PERM"
"31","16:35:56","192.168.2.100","192.168.1.101","TCP","66","[TCP Retransmission] 61310 > 20 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460 WS=256 SACK_PERM"
"32","16:36:02","192.168.2.100","192.168.1.101","TCP","54","61310 > 20 [RST] Seq=1 Win=0 Len=0"
"33","16:36:02","192.168.1.101","192.168.2.100","FTP","83","Response: 226 Closing data connection"
"34","16:36:02","192.168.2.100","192.168.1.101","TCP","54","61309 > 21 [ACK] Seq=83 Ack=261 Win=262400 Len=0"
"35","16:36:07","192.168.2.100","192.168.1.101","TCP","54","61309 > 21 [RST, ACK] Seq=83 Ack=261 Win=0 Len=0"
FTP server side
"No.","Time","Source","Destination","Protocol","Length","Info"
"1","16:35:54","192.168.1.100","192.168.1.101","TCP","66","61309 > 21 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 WS=256 SACK_PERM"
"2","16:35:54","192.168.1.101","192.168.1.100","TCP","66","21 > 61309 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460 WS=256 SACK_PERM"
"3","16:35:54","192.168.1.100","192.168.1.101","TCP","60","61309 > 21 [ACK] Seq=1 Ack=1 Win=262656 Len=0"
"4","16:35:54","192.168.1.101","192.168.1.100","FTP","96","Response: 220 3Com 3CDaemon FTP Server Version 2.0"
"5","16:35:54","192.168.1.100","192.168.1.101","FTP","68","Request: USER ftpuser"
"6","16:35:54","192.168.1.101","192.168.1.100","FTP","87","Response: 331 User name ok, need password"
"7","16:35:54","192.168.1.100","192.168.1.101","FTP","68","Request: PASS ftpuser"
"8","16:35:54","192.168.1.101","192.168.1.100","FTP","74","Response: 230 User logged in"
"9","16:35:54","192.168.1.100","192.168.1.101","FTP","60","Request: FEAT"
"10","16:35:54","192.168.1.101","192.168.1.100","FTP","76","Response: 211- Feature listing"
"11","16:35:54","192.168.1.100","192.168.1.101","TCP","60","61309 > 21 [ACK] Seq=35 Ack=118 Win=262656 Len=0"
"12","16:35:54","192.168.1.101","192.168.1.100","FTP","88","Response: MDTM"
"13","16:35:54","192.168.1.100","192.168.1.101","TCP","60","61309 > 21 [ACK] Seq=35 Ack=152 Win=262400 Len=0"
"14","16:35:54","192.168.1.100","192.168.1.101","FTP","60","Request: XPWD"
"15","16:35:54","192.168.1.101","192.168.1.100","FTP","84","Response: 257 ""/"" is current directory"
"16","16:35:54","192.168.1.100","192.168.1.101","FTP","62","Request: TYPE A"
"17","16:35:54","192.168.1.101","192.168.1.100","FTP","74","Response: 200 Type set to A."
"18","16:35:54","192.168.1.100","192.168.1.101","FTP","82","Request: PORT 192,168,2,100,239,126"
"19","16:35:54","192.168.1.101","192.168.1.100","FTP","84","Response: 200 PORT command successful."
"20","16:35:54","192.168.1.100","192.168.1.101","FTP","60","Request: LIST"
"21","16:35:54","192.168.1.101","192.168.2.100","TCP","66","20 > 61310 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 WS=256 SACK_PERM"
"22","16:35:54","192.168.1.100","192.168.1.101","TCP","66","61310 > 20 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460 WS=256 SACK_PERM"
"23","16:35:54","192.168.1.101","192.168.1.100","TCP","54","21 > 61309 [ACK] Seq=232 Ack=83 Win=1050880 Len=0"
"24","16:35:55","192.168.1.101","192.168.2.100","TCP","66","[TCP Retransmission] 20 > 61310 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 WS=256 SACK_PERM"
"25","16:35:55","192.168.1.100","192.168.1.101","TCP","66","[TCP Retransmission] 61310 > 20 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460 WS=256 SACK_PERM"
"26","16:35:57","192.168.1.101","192.168.2.100","TCP","66","[TCP Retransmission] 20 > 61310 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 WS=256 SACK_PERM"
"27","16:35:57","192.168.1.100","192.168.1.101","TCP","66","[TCP Retransmission] 61310 > 20 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460 WS=256 SACK_PERM"
"28","16:36:01","192.168.1.101","192.168.2.100","TCP","66","[TCP Retransmission] 20 > 61310 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 WS=256 SACK_PERM"
"29","16:36:01","192.168.1.100","192.168.1.101","TCP","66","[TCP Retransmission] 61310 > 20 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460 WS=256 SACK_PERM"
"30","16:36:09","192.168.1.101","192.168.2.100","TCP","66","[TCP Retransmission] 20 > 61310 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 WS=256 SACK_PERM"
"31","16:36:09","192.168.1.100","192.168.1.101","TCP","66","[TCP Retransmission] 61310 > 20 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460 WS=256 SACK_PERM"
"32","16:36:15","192.168.1.100","192.168.1.101","TCP","60","61310 > 20 [RST] Seq=1 Win=0 Len=0"
"33","16:36:15","192.168.1.101","192.168.1.100","FTP","83","Response: 226 Closing data connection"
"34","16:36:15","192.168.1.100","192.168.1.101","TCP","60","61309 > 21 [ACK] Seq=83 Ack=261 Win=262400 Len=0"
"35","16:36:20","192.168.1.100","192.168.1.101","TCP","60","61309 > 21 [RST, ACK] Seq=83 Ack=261 Win=0 Len=0"
- Frame No. 18 carries the data connection information, and the IP address in it is the same on the client side and on the server side (PORT 192,168,2,100).
- In frame No. 21 the FTP server initiates the data connection, but the destination is 192.168.2.100 (the PC's real address).
- In frame No. 22 the acknowledgment comes back to the FTP server, but its source is 192.168.1.100 (the PC's post-NAT IP address).
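The two observations above can be checked mechanically. The script below is an added example, not part of the original article: it reads Wireshark CSV export rows like the ones above (a few frames copied from this page's server-side captures are embedded), flags every PORT command whose advertised address differs from the packet's IP source, and reports whether the server's data connection completed its handshake or only retransmitted SYNs. The same PORT-versus-source comparison is what an FTP server should apply itself (RFC 2577 recommends rejecting PORT to a third host), so a mismatch here means either a NAT without payload rewriting or a request the server ought to refuse.

```python
import csv
import io
import re

PORT_RE = re.compile(r"Request: PORT (\d{1,3}(?:,\d{1,3}){5})")

# Frames copied from this page's server-side capture, pattern 1 (active, no payload rewrite).
SERVER_NO_REWRITE = '''"No.","Time","Source","Destination","Protocol","Length","Info"
"18","16:35:54","192.168.1.100","192.168.1.101","FTP","82","Request: PORT 192,168,2,100,239,126"
"19","16:35:54","192.168.1.101","192.168.1.100","FTP","84","Response: 200 PORT command successful."
"20","16:35:54","192.168.1.100","192.168.1.101","FTP","60","Request: LIST"
"21","16:35:54","192.168.1.101","192.168.2.100","TCP","66","20 > 61310 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 WS=256 SACK_PERM"
"22","16:35:54","192.168.1.100","192.168.1.101","TCP","66","61310 > 20 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460 WS=256 SACK_PERM"
"24","16:35:55","192.168.1.101","192.168.2.100","TCP","66","[TCP Retransmission] 20 > 61310 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 WS=256 SACK_PERM"
"26","16:35:57","192.168.1.101","192.168.2.100","TCP","66","[TCP Retransmission] 20 > 61310 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 WS=256 SACK_PERM"
"28","16:36:01","192.168.1.101","192.168.2.100","TCP","66","[TCP Retransmission] 20 > 61310 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 WS=256 SACK_PERM"
"30","16:36:09","192.168.1.101","192.168.2.100","TCP","66","[TCP Retransmission] 20 > 61310 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 WS=256 SACK_PERM"
"32","16:36:15","192.168.1.100","192.168.1.101","TCP","60","61310 > 20 [RST] Seq=1 Win=0 Len=0"
'''

# Frames copied from this page's server-side capture, pattern 2 (active, payload rewritten).
SERVER_REWRITE = '''"No.","Time","Source","Destination","Protocol","Length","Info"
"18","0.201066","192.168.1.100","192.168.1.101","FTP","82","Request: PORT 192,168,1,100,239,116"
"19","0.210184","192.168.1.101","192.168.1.100","FTP","84","Response: 200 PORT command successful."
"20","0.217831","192.168.1.100","192.168.1.101","FTP","60","Request: LIST"
"21","0.224079","192.168.1.101","192.168.1.100","TCP","66","20 > 61300 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 WS=256 SACK_PERM"
"22","0.225572","192.168.1.100","192.168.1.101","TCP","66","61300 > 20 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460 WS=256 SACK_PERM"
"23","0.225697","192.168.1.101","192.168.1.100","TCP","54","20 > 61300 [ACK] Seq=1 Ack=1 Win=131328 Len=0"
'''


def parse_capture(text):
    """Parse a Wireshark CSV export into a list of row dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def port_mismatches(rows):
    """
    Return (frame, ip_src, advertised_ip, advertised_port) for every PORT command
    whose advertised address is not the packet's own IP source address.
    """
    findings = []
    for row in rows:
        m = PORT_RE.search(row["Info"])
        if not m:
            continue
        f = m.group(1).split(",")
        adv_ip, adv_port = ".".join(f[:4]), int(f[4]) * 256 + int(f[5])
        if adv_ip != row["Source"]:
            findings.append((int(row["No."]), row["Source"], adv_ip, adv_port))
    return findings


def data_connection_ok(rows, data_port):
    """True if the server's data connection (from port 20) to data_port finished its handshake."""
    return any(f"20 > {data_port} [ACK]" in r["Info"] for r in rows)


def data_syn_retransmissions(rows, data_port):
    """Count the server's retransmitted SYNs toward data_port (the peer never answered as expected)."""
    return sum(1 for r in rows
               if "[TCP Retransmission]" in r["Info"] and f"20 > {data_port} [SYN]" in r["Info"])
```

For pattern 1 the script reports frame 18 as a mismatch (source 192.168.1.100, advertised 192.168.2.100, port 61310) with four retransmitted SYNs and no completed handshake; for pattern 2 it reports no mismatch and a completed handshake on port 61300.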
Details of the patterns in which FTP communication succeeds
FTP mode: active, payload rewrite: yes
Communication details
The details of the FTP communication are as follows.
1. The PC (client) initiates a connection to the FTP server.
2. The FTP server acknowledges the connection to the PC (client).
3. The PC (client) notifies the FTP server that the connection is complete (TCP 3-way handshake completed).
4. The user name and password are entered and the login is processed.
5. The PC (client) sends the FTP server the information for the data connection (IP address / port number).
   The data connection information (IP address / port number) is carried in the payload (data portion) of the FTP packet. When payload rewriting is enabled on the NAT router, this information is rewritten as well.
6. The FTP server initiates a connection to the PC (client).
   In active mode, the data connection is initiated by the server. The server starts communicating with the notified IP address (the PC's NAT address).
7. The PC (client) acknowledges the connection to the FTP server.
8. The FTP server notifies the PC (client) that the connection is complete (TCP 3-way handshake completed).
9. The PC (client) and the FTP server perform the file transfer (GET/PUT and similar operations).
Overall communication diagram (figure omitted): control connection, data connection
Packet capture check
Packet captures of the communication above.
PC (client) side
"No.","Time","Source","Destination","Protocol","Length","Info"
"1","0.000000","192.168.2.100","192.168.1.101","TCP","66","61299 > 21 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 WS=256 SACK_PERM"
"2","0.001251","192.168.1.101","192.168.2.100","TCP","66","21 > 61299 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460 WS=256 SACK_PERM"
"3","0.001432","192.168.2.100","192.168.1.101","TCP","54","61299 > 21 [ACK] Seq=1 Ack=1 Win=262656 Len=0"
"4","0.011637","192.168.1.101","192.168.2.100","FTP","96","Response: 220 3Com 3CDaemon FTP Server Version 2.0"
"5","0.015693","192.168.2.100","192.168.1.101","FTP","68","Request: USER ftpuser"
"6","0.028276","192.168.1.101","192.168.2.100","FTP","87","Response: 331 User name ok, need password"
"7","0.038681","192.168.2.100","192.168.1.101","FTP","68","Request: PASS ftpuser"
"8","0.044530","192.168.1.101","192.168.2.100","FTP","74","Response: 230 User logged in"
"9","0.046771","192.168.2.100","192.168.1.101","FTP","60","Request: FEAT"
"10","0.052520","192.168.1.101","192.168.2.100","FTP","76","Response: 211- Feature listing"
"11","0.095576","192.168.2.100","192.168.1.101","TCP","54","61299 > 21 [ACK] Seq=35 Ack=118 Win=262656 Len=0"
"12","0.096995","192.168.1.101","192.168.2.100","FTP","88","Response: MDTM"
"13","0.143550","192.168.2.100","192.168.1.101","TCP","54","61299 > 21 [ACK] Seq=35 Ack=152 Win=262400 Len=0"
"14","0.148602","192.168.2.100","192.168.1.101","FTP","60","Request: XPWD"
"15","0.153681","192.168.1.101","192.168.2.100","FTP","84","Response: 257 ""/"" is current directory"
"16","0.186385","192.168.2.100","192.168.1.101","FTP","62","Request: TYPE A"
"17","0.192852","192.168.1.101","192.168.2.100","FTP","74","Response: 200 Type set to A."
"18","0.201035","192.168.2.100","192.168.1.101","FTP","82","Request: PORT 192,168,2,100,239,116"
"19","0.211386","192.168.1.101","192.168.2.100","FTP","84","Response: 200 PORT command successful."
"20","0.217762","192.168.2.100","192.168.1.101","FTP","60","Request: LIST"
"21","0.225269","192.168.1.101","192.168.2.100","TCP","66","20 > 61300 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 WS=256 SACK_PERM"
"22","0.225678","192.168.2.100","192.168.1.101","TCP","66","61300 > 20 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460 WS=256 SACK_PERM"
"23","0.226735","192.168.1.101","192.168.2.100","TCP","60","20 > 61300 [ACK] Seq=1 Ack=1 Win=131328 Len=0"
"24","0.230785","192.168.1.101","192.168.2.100","FTP","106","Response: 150 File status OK ; about to open data connection"
"25","0.231023","192.168.1.101","192.168.2.100","FTP-DATA","105","FTP Data: 51 bytes (PORT) (LIST)"
"26","0.232712","192.168.1.101","192.168.2.100","FTP-DATA","1114","FTP Data: 1060 bytes (PORT) (LIST)"
"27","0.232870","192.168.2.100","192.168.1.101","TCP","54","61300 > 20 [ACK] Seq=1 Ack=1113 Win=261632 Len=0"
"28","0.248850","192.168.2.100","192.168.1.101","TCP","54","61300 > 20 [FIN, ACK] Seq=1 Ack=1113 Win=261632 Len=0"
"29","0.249948","192.168.1.101","192.168.2.100","TCP","60","20 > 61300 [ACK] Seq=1113 Ack=2 Win=131328 Len=0"
FTP server side
"No.","Time","Source","Destination","Protocol","Length","Info"
"1","0.000000","192.168.1.100","192.168.1.101","TCP","66","61299 > 21 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 WS=256 SACK_PERM"
"2","0.000129","192.168.1.101","192.168.1.100","TCP","66","21 > 61299 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460 WS=256 SACK_PERM"
"3","0.001325","192.168.1.100","192.168.1.101","TCP","60","61299 > 21 [ACK] Seq=1 Ack=1 Win=262656 Len=0"
"4","0.010366","192.168.1.101","192.168.1.100","FTP","96","Response: 220 3Com 3CDaemon FTP Server Version 2.0"
"5","0.015551","192.168.1.100","192.168.1.101","FTP","68","Request: USER ftpuser"
"6","0.027098","192.168.1.101","192.168.1.100","FTP","87","Response: 331 User name ok, need password"
"7","0.038745","192.168.1.100","192.168.1.101","FTP","68","Request: PASS ftpuser"
"8","0.043367","192.168.1.101","192.168.1.100","FTP","74","Response: 230 User logged in"
"9","0.046823","192.168.1.100","192.168.1.101","FTP","60","Request: FEAT"
"10","0.051394","192.168.1.101","192.168.1.100","FTP","76","Response: 211- Feature listing"
"11","0.095746","192.168.1.100","192.168.1.101","TCP","60","61299 > 21 [ACK] Seq=35 Ack=118 Win=262656 Len=0"
"12","0.095819","192.168.1.101","192.168.1.100","FTP","88","Response: MDTM"
"13","0.143574","192.168.1.100","192.168.1.101","TCP","60","61299 > 21 [ACK] Seq=35 Ack=152 Win=262400 Len=0"
"14","0.148598","192.168.1.100","192.168.1.101","FTP","60","Request: XPWD"
"15","0.152584","192.168.1.101","192.168.1.100","FTP","84","Response: 257 ""/"" is current directory"
"16","0.186427","192.168.1.100","192.168.1.101","FTP","62","Request: TYPE A"
"17","0.191562","192.168.1.101","192.168.1.100","FTP","74","Response: 200 Type set to A."
"18","0.201066","192.168.1.100","192.168.1.101","FTP","82","Request: PORT 192,168,1,100,239,116"
"19","0.210184","192.168.1.101","192.168.1.100","FTP","84","Response: 200 PORT command successful."
"20","0.217831","192.168.1.100","192.168.1.101","FTP","60","Request: LIST"
"21","0.224079","192.168.1.101","192.168.1.100","TCP","66","20 > 61300 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 WS=256 SACK_PERM"
"22","0.225572","192.168.1.100","192.168.1.101","TCP","66","61300 > 20 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460 WS=256 SACK_PERM"
"23","0.225697","192.168.1.101","192.168.1.100","TCP","54","20 > 61300 [ACK] Seq=1 Ack=1 Win=131328 Len=0"
"24","0.229585","192.168.1.101","192.168.1.100","FTP","106","Response: 150 File status OK ; about to open data connection"
"25","0.229942","192.168.1.101","192.168.1.100","FTP-DATA","105","FTP Data: 51 bytes (PORT) (LIST)"
"26","0.231585","192.168.1.101","192.168.1.100","FTP-DATA","1114","FTP Data: 1060 bytes (PORT) (LIST)"
"27","0.232594","192.168.1.100","192.168.1.101","TCP","60","61300 > 20 [ACK] Seq=1 Ack=1113 Win=261632 Len=0"
"28","0.248799","192.168.1.100","192.168.1.101","TCP","60","61300 > 20 [FIN, ACK] Seq=1 Ack=1113 Win=261632 Len=0"
"29","0.248907","192.168.1.101","192.168.1.100","TCP","54","20 > 61300 [ACK] Seq=1113 Ack=2 Win=131328 Len=0"
- Frame No. 18 carries the data connection information, and the IP address in it differs between the client side and the server side (client side: PORT 192,168,2,100; server side: PORT 192,168,1,100).
FTP mode: passive, payload rewrite: yes / no (the same in both cases)
Communication details
The details of the FTP communication are as follows.
1. The PC (client) initiates a connection to the FTP server.
2. The FTP server acknowledges the connection to the PC (client).
3. The PC (client) notifies the FTP server that the connection is complete (TCP 3-way handshake completed).
4. The user name and password are entered and the login is processed.
5. The PC (client) instructs the FTP server to switch to passive mode.
6. The FTP server sends the PC (client) the information for the data connection (IP address / port number).
   In passive mode, the data connection information (IP address / port number) is sent from the FTP server to the FTP client.
7. The PC (client) initiates a connection to the FTP server.
   In passive mode, the data connection is initiated by the client. The client starts communicating with the notified IP address (the FTP server's address). Because that address is the server's own outside address and the client opens the data connection through the NAT like any other outbound session, the result does not depend on payload rewriting.
8. The FTP server acknowledges the connection to the PC (client).
9. The PC (client) notifies the FTP server that the connection is complete (TCP 3-way handshake completed).
10. The PC (client) and the FTP server perform the file transfer (GET/PUT and similar operations).
Overall communication diagram (figure omitted): control connection, data connection
Packet capture check
Packet captures of the communication above.
PC (client) side
"No.","Time","Source","Destination","Protocol","Length","Info"
"1","0.000000","192.168.2.100","192.168.1.101","TCP","66","61315 > 21 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 WS=256 SACK_PERM"
"2","0.000893","192.168.1.101","192.168.2.100","TCP","66","21 > 61315 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460 WS=256 SACK_PERM"
"3","0.001248","192.168.2.100","192.168.1.101","TCP","54","61315 > 21 [ACK] Seq=1 Ack=1 Win=262656 Len=0"
"4","0.009557","192.168.1.101","192.168.2.100","FTP","96","Response: 220 3Com 3CDaemon FTP Server Version 2.0"
"5","0.012135","192.168.2.100","192.168.1.101","FTP","68","Request: USER ftpuser"
"6","0.019147","192.168.1.101","192.168.2.100","FTP","87","Response: 331 User name ok, need password"
"7","0.027842","192.168.2.100","192.168.1.101","FTP","68","Request: PASS ftpuser"
"8","0.033663","192.168.1.101","192.168.2.100","FTP","74","Response: 230 User logged in"
"9","0.035997","192.168.2.100","192.168.1.101","FTP","60","Request: FEAT"
"10","0.042479","192.168.1.101","192.168.2.100","FTP","76","Response: 211- Feature listing"
"11","0.083504","192.168.2.100","192.168.1.101","TCP","54","61315 > 21 [ACK] Seq=35 Ack=118 Win=262656 Len=0"
"12","0.084408","192.168.1.101","192.168.2.100","FTP","88","Response: MDTM"
"13","0.131560","192.168.2.100","192.168.1.101","TCP","54","61315 > 21 [ACK] Seq=35 Ack=152 Win=262400 Len=0"
"14","0.142597","192.168.2.100","192.168.1.101","FTP","60","Request: XPWD"
"15","0.148500","192.168.1.101","192.168.2.100","FTP","84","Response: 257 ""/"" is current directory"
"16","0.182810","192.168.2.100","192.168.1.101","FTP","62","Request: TYPE A"
"17","0.192872","192.168.1.101","192.168.2.100","FTP","74","Response: 200 Type set to A."
"18","0.202005","192.168.2.100","192.168.1.101","FTP","60","Request: PASV"
"19","0.209621","192.168.1.101","192.168.2.100","FTP","104","Response: 227 Entering passive mode (192,168,1,101,236,74)"
"20","0.218068","192.168.2.100","192.168.1.101","TCP","66","61316 > 60490 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 WS=256 SACK_PERM"
"21","0.219173","192.168.1.101","192.168.2.100","TCP","66","60490 > 61316 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460 WS=256 SACK_PERM"
"22","0.219349","192.168.2.100","192.168.1.101","TCP","54","61316 > 60490 [ACK] Seq=1 Ack=1 Win=262656 Len=0"
"23","0.219919","192.168.2.100","192.168.1.101","FTP","60","Request: LIST"
"24","0.226870","192.168.1.101","192.168.2.100","FTP","90","Response: 125 Using existing data connection"
"25","0.227126","192.168.1.101","192.168.2.100","FTP-DATA","105","FTP Data: 51 bytes (PASV) (LIST)"
"26","0.230272","192.168.1.101","192.168.2.100","FTP-DATA","1307","FTP Data: 1253 bytes (PASV) (LIST)"
"27","0.230483","192.168.2.100","192.168.1.101","TCP","54","61316 > 60490 [ACK] Seq=1 Ack=1306 Win=261376 Len=0"
"28","0.242359","192.168.2.100","192.168.1.101","TCP","54","61316 > 60490 [FIN, ACK] Seq=1 Ack=1306 Win=261376 Len=0"
"29","0.243410","192.168.1.101","192.168.2.100","TCP","60","60490 > 61316 [ACK] Seq=1306 Ack=2 Win=131328 Len=0"
FTP server side
"No.","Time","Source","Destination","Protocol","Length","Info"
"1","0.000000","192.168.1.100","192.168.1.101","TCP","66","61315 > 21 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 WS=256 SACK_PERM"
"2","0.000119","192.168.1.101","192.168.1.100","TCP","66","21 > 61315 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460 WS=256 SACK_PERM"
"3","0.001266","192.168.1.100","192.168.1.101","TCP","60","61315 > 21 [ACK] Seq=1 Ack=1 Win=262656 Len=0"
"4","0.008694","192.168.1.101","192.168.1.100","FTP","96","Response: 220 3Com 3CDaemon FTP Server Version 2.0"
"5","0.012191","192.168.1.100","192.168.1.101","FTP","68","Request: USER ftpuser"
"6","0.018350","192.168.1.101","192.168.1.100","FTP","87","Response: 331 User name ok, need password"
"7","0.028120","192.168.1.100","192.168.1.101","FTP","68","Request: PASS ftpuser"
"8","0.032838","192.168.1.101","192.168.1.100","FTP","74","Response: 230 User logged in"
"9","0.036177","192.168.1.100","192.168.1.101","FTP","60","Request: FEAT"
"10","0.041693","192.168.1.101","192.168.1.100","FTP","76","Response: 211- Feature listing"
"11","0.083529","192.168.1.100","192.168.1.101","TCP","60","61315 > 21 [ACK] Seq=35 Ack=118 Win=262656 Len=0"
"12","0.083613","192.168.1.101","192.168.1.100","FTP","88","Response: MDTM"
"13","0.131696","192.168.1.100","192.168.1.101","TCP","60","61315 > 21 [ACK] Seq=35 Ack=152 Win=262400 Len=0"
"14","0.142781","192.168.1.100","192.168.1.101","FTP","60","Request: XPWD"
"15","0.147704","192.168.1.101","192.168.1.100","FTP","84","Response: 257 ""/"" is current directory"
"16","0.183082","192.168.1.100","192.168.1.101","FTP","62","Request: TYPE A"
"17","0.192004","192.168.1.101","192.168.1.100","FTP","74","Response: 200 Type set to A."
"18","0.202024","192.168.1.100","192.168.1.101","FTP","60","Request: PASV"
"19","0.208679","192.168.1.101","192.168.1.100","FTP","104","Response: 227 Entering passive mode (192,168,1,101,236,74)"
"20","0.218148","192.168.1.100","192.168.1.101","TCP","66","61316 > 60490 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 WS=256 SACK_PERM"
"21","0.218293","192.168.1.101","192.168.1.100","TCP","66","60490 > 61316 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460 WS=256 SACK_PERM"
"22","0.219315","192.168.1.100","192.168.1.101","TCP","60","61316 > 60490 [ACK] Seq=1 Ack=1 Win=262656 Len=0"
"23","0.219824","192.168.1.100","192.168.1.101","FTP","60","Request: LIST"
"24","0.225973","192.168.1.101","192.168.1.100","FTP","90","Response: 125 Using existing data connection"
"25","0.226322","192.168.1.101","192.168.1.100","FTP-DATA","105","FTP Data: 51 bytes (PASV) (LIST)"
"26","0.229363","192.168.1.101","192.168.1.100","FTP-DATA","1307","FTP Data: 1253 bytes (PASV) (LIST)"
"27","0.230497","192.168.1.100","192.168.1.101","TCP","60","61316 > 60490 [ACK] Seq=1 Ack=1306 Win=261376 Len=0"
"28","0.242558","192.168.1.100","192.168.1.101","TCP","60","61316 > 60490 [FIN, ACK] Seq=1 Ack=1306 Win=261376 Len=0"
"29","0.242657","192.168.1.101","192.168.1.100","TCP","54","60490 > 61316 [ACK] Seq=1306 Ack=2 Win=131328 Len=0"
This concludes the explanation of "FTP payload rewriting by NAT | Why FTP data communication fails"!