Parsing FTP Logs

FTP stands for File Transfer Protocol, and an FTP server sends and receives files over a TCP/IP network using FTP. These servers, just like their web server counterparts, keep detailed logs. In fact, if you understand web logs, you will be pleased to know that the Windows FTP server uses the same default log format, which is W3C. When examining FTP logs, you can primarily use the fields shown previously in Table 11-1, but be aware that FTP logs do not record the following fields:

cs-uri-query
cs-host
cs(User-Agent)
cs(Cookie)
cs(Referrer)

Although both FTP and HTTP use the same default logging format, the sc-status codes differ for the two protocols. Table 11-4 lists the status codes for FTP.

Table 11-4: FTP sc-status Codes ...

Get Mastering Windows Network Forensics and Investigation, 2nd Edition now with the O’Reilly learning platform.

O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.

Start your free trial

Mastering Windows Network Forensics and Investigation, 2nd Edition by

Parsing FTP Logs

Don’t leave empty-handed

It’s yours, free.

Check it out now on O’Reilly