How to Analyze Network Protocols, Learn More >>

Being able to support more than 300 protocols in the latest version, Capsa Network Sniffer make it easy to analyze protocols in network and understand what is happening.

Recommend Network Analysis Software >>

RFC 959
RFC 2228
RFC 2640

The File Transfer Protocol (FTP) provides the basic elements of file sharing between hosts. FTP uses TCP to create a virtual connection for control information and then creates a separate TCP connection for data transfers. The control connection uses an image of the TELNET protocol to exchange commands and messages between hosts.


FTP control frames are TELNET exchanges and can contain TELNET commands and option negotiation. However, most FTP control frames are simple ASCII text and can be classified as FTP commands or FTP messages. The standard FTP commands are as follows:

Command Description
ABOR Abort data connection process.
ACCT <account> Account for system privileges.
ALLO <bytes> Allocate bytes for file storage on server.
APPE <filename> Append file to file of same name on server.
CDUP <dir path> Change to parent directory on server.
CWD <dir path> Change working directory on server.
DELE <filename> Delete specified file on server.
HELP <command> Return information on specified command.
LIST <name> List information if name is a file or list files if name is a directory.
MODE <mode> Transfer mode (S=stream, B=block, C=compressed).
MKD <directory> Create specified directory on server.
NLST <directory> List contents of specified directory.
NOOP Cause no action other than acknowledgement from server.
PASS <password> Password for system log-in.
PASV Request server wait for data connection.
PORT <address> IP address and two-byte system port ID.
PWD Display current working directory.
QUIT Log off from the FTP server.
REIN Reinitialize connection to log-in status.
REST <offset> Restart file transfer from given offset.
RETR <filename> Retrieve (copy) file from server.
RMD <directory> Remove specified directory on server.
RNFR <old path> Rename from old path.
RNTO <new path> Rename to new path.
SITE <params> Site specific parameters provided by server.
SMNT <pathname> Mount the specified file structure.
STAT <directory> Return information on current process or directory.
STOR <filename> Store (copy) file to server.
STOU <filename> Store file to server name.
STRU <type> Data structure (F=file, R=record, P=page).
SYST Return operating system used by server.
TYPE <data type> Data type (A=ASCII, E=EBCDIC, I=binary).
USER <username> User name for system log-in.


FTP messages are responses to FTP commands and consist of a response code followed by explanatory text. Standard FTP messages are as follows:

Response Code Explanatory Text
110 Restart marker at MARK yyyy=mmmm (new file pointers).
120 Service ready in nnn minutes.
125 Data connection open, transfer starting.
150 Open connection.
200 OK.
202 Command not implemented.
211 (System status reply).
212 (Directory status reply).
213 (File status reply).
214 (Help message reply).
215 (System type reply).
220 Service ready.
221 Log off network.
225 Data connection open.
226 Close data connection.
227 Enter passive mode (IP address, port ID).
230 Log on network.
250 File action completed.
257 Path name created.
331 Password required.
332 Account name required.
350 File action pending.
421 Service shutting down.
425 Cannot open data connection.
426 Connection closed.
450 File unavailable.
451 Local error encountered.
452 Insufficient disk space.
500 Invalid command.
501 Bad parameter.
502 Command not implemented.
503 Bad command sequence.
504 Parameter invalid for command.
530 Not logged onto network.
532 Need account for storing files.
550 File unavailable.
551 Page type unknown.
552 Storage allocation exceeded.
553 File name not allowed.

Vulnerabilities for this protocol (from CVE)

CVE ID Protocol Source Port Targetport
Description: Directory traversal vulnerability in FTP Serv-U before 2.5i allows remote attackers to escape the FTP root and read arbitrary files by appending a string such as "/..%20." to a CD command, a variant of a .. (dot dot) attack.
Description: One-byte buffer overflow in replydirname function in BSD-based ftpd allows remote attackers to gain root privileges.
Description: The lreply function in wu-ftpd 2.6.0 and earlier does not properly cleanse an untrusted format string, which allows remote attackers to execute arbitrary commands via the SITE EXEC command.
Description: Buffer overflow in AIX ftpd in the libc library.
Description: Buffer overflow in ToxSoft NextFTP client through CWD command.
Description: Buffer overflows in wuarchive ftpd (wu-ftpd) and ProFTPD lead to remote root access, a.k.a. palmetto.
Description: The GNU tar command, when used in FTP sessions, may allow an attacker to execute arbitrary commands.
Description: CWD ~root command in ftpd allows root access.
Description: CWD ~root command in ftpd allows root access.

TCP/IP Protocols: