A blog for Linux Lovers.

Posted by sibu on October 1, 2014

Analyzing proftpd xferlog

The xferlog file contains logging information from the FTP server daemon, This file usually is found in /var/log but can be located anywhere by using a proftpd configuration directive.

The three characters following the file name represent the transfer-type (ascii or binary), any special actions (usually _ meaning none) and the direction (outgoing, incoming or deleted).

  1. ascii format:
    • a _ i (uploaded)
    • a _ o (downloaded)
    • a _ d (deleted)
  2. binary format:
    • b _ i (uploaded)
    • b _ o (downloaded)
    • b _ d (deleted)

    The last character in each row shows the completion status of the transfer. This should be “c” for complete and “i” for incomplete transfer.

Commands to extract the list of file got deleted

$ grep "_ d" /path/to/xferlog

Return all incomplete transfers:

$ egrep "i$" /path/to/xferlog

current-time : server Time

transfer-time : is the total time in seconds for the transfer.

remote-host : is the remote host name.

file-size : is the size of the transferred file in bytes.

filename : is the name of the transferred file. If the filename contains any spaces or control characters, each such character is replaced by an underscore (’_') character.

transfer-type : is a single character indicating the type of transfer.
a : for an ascii transfer,
b : for a binary

transferspecial-action-flag : is one or more single

character flags indicating any special action taken. Can be one or more of:

C :file was compressed
U :
file was uncompressed
T :
file was tar’ed
_ : no action was taken

direction : is the direction of the transfer. Can be one of:
o : outgoing
i : incoming
d : deleted

access-mode : is the method by which the user is logged in. Can be one of:
a :(anonymous) is for an anonymous guest user.
r : (real) is for a local authenticated user.

username : is the local username, or if guest, theID string given.

service-name : s the name of the service being invoked, usually FTP.

authentication-method :is the method of authentication used. Can be one of:
0 :none
1 :RFC931 Authentication

authenticated-user-id : is the user id returned by the authentication method. A * is used if an authenticated user id is not available.

completion-status :is a single character indicating the status of the transfer. Can be one of:

c : complete transfer
i : incomplete transfer

Comments are closed.