Skip navigation

Log in to create and rate content, and to follow, bookmark, and share content with other members.

000026302 - How to recover a file that was sent via FTP using RSA NetWitness

Document created by RSA Customer Support

on Jan 10, 2017•Last modified by RSA Customer Support

on Apr 21, 2017

Version 3Show Document

Like • Show 0 Likes0
Comment • 0
View in full screen mode

Article Content

Article Number	000026302
Applies To	RSA NetWitness NextGen RSA NetWitness Investigator
Issue	How to recover a file that was sent via FTP using RSA NetWitness.
Resolution	Recovering a file that was sent via FTP is unique to a file sent over other Ports or Protocols e.g. SMTP/25, SSH/22, HTTP/80 etc, because FTP sends the file over higher ports that create a new and unique Session ID. Port 21/tcp FTP Command Session Port 20/tcp FTP Data Session In the attached PDF document, Session ID 171651750 negotiates a FTP session tcp.dstport 21 will use tcp.srcport 46736 to transmit the file. This creates a New Session ID 171653117 using port 46737 to Port 27327 as agreed in the first session.
Legacy Article ID	a59820

Attachments

Outcomes

0 Comments

Recommended Content