Exam CS0-003 topic 1 question 35 discussion

To see the entire contents of the downloaded files in the FTP session captured in Wireshark, the analyst should perform the following steps: C. Change the display filter to ftp-data and follow the TCP streams. By changing the display filter to "ftp-data" and then following the TCP streams, the analyst can access and view the entire data transfer, which includes the contents of the downloaded files. This method allows you to reconstruct and view the files being transferred over FTP

I chose and was confused, for everyone else who picked D here is the explanation from ChatGPT. It's pretty good. Option D (Navigate to the File menu and select FTP from the Export objects option) is not a direct method for viewing the file contents in the packet list pane. It's more related to extracting files from the capture, which might be useful but doesn't directly address the issue of viewing the file transfer in the current context.

In Wireshark, when dealing with FTP sessions, the control commands (such as RETR, STOR, and responses like 226 Transfer complete) are visible with the ftp filter. However, the actual file transfer data is sent over a separate data channel and is not displayed by default with just the ftp filter, as that mainly captures the control messages. To access the files transferred during the session, the analyst can go to File → Export Objects → FTP. This feature allows Wireshark to reconstruct and display any files transferred via FTP during the session, including those downloaded using RETR commands.

https://adrinanthony.wordpress.com/2019/07/19/how-to-extract-http-and-ftp-files-from-wireshark-pcap-file/