wireshark not capturing FTP on en0

FTP
wifi
macOS
retag add tags

I set filter to show all FTP on en0 for wireless (macbook). I have FTP blocked on the router, and to have it report all ftp's blocked. I get at least one FTP attempt per day, yet wireshark is not seeing them. In the filter I set FTP en0 is present, or ==, yet I get nothing. What am I doing wrong??

arcin_n_sparkin

asked 2019-01-01 02:36:29 +0000

edit flag offensive 0 remove flag close merge delete

Comments

How exactly do you filter?
How have you blocked FTP on your router?
How is it supposed to report blocked FTP?
How do you know you have at least one FTP per day? I assume the router reporting?
Where does this FTP connection attempt come from? Internal or external network?
Have you tested the filter by attempting FTP connections yourself?

Jaap (2019-01-01 09:10:22 +0000) edit

In the router I just blocked the service. The report shows in the router logs. It shows the IP source from one device in the network. I installed wireshark on that device in hopes of finding the app that is trying to send the packets.

arcin_n_sparkin (2019-01-01 17:07:38 +0000) edit

Thanks for answering question 1-5, this makes the situation much more clear. But can you answer question 6 as well? Furthermore, what do you see when you apply no filter at all? Is the capture usable, as in, do you see normal IP network traffic?

Jaap (2019-01-01 18:59:31 +0000) edit

I see all TCP, UDP, IGMP, and broadcast queries for the network. I just tried FTP to another computer in the network, the router blocked it, but no indication on wireshark.

arcin_n_sparkin (2019-01-01 20:07:37 +0000) edit

So capturing works, you're seeing network traffic as expected. What are your filter expressions? What happens when you filter on TCP port 21 (the FTP port)?

Jaap (2019-01-01 22:54:00 +0000) edit

add a comment see more comments

wireshark not capturing FTP on en0 edit

Comments

Be the first one to answer this question!

wireshark not capturing FTP on en0