FTP: File Transfer Protocol

One of the oldest internet protocols, designed for transferring files between client and server over TCP. FTP introduced the dual-channel architecture that separates control commands from data transfer.

Type: Application Layer

Ports: 21 (control) / 20 (data)

Mode: Active or Passive

Standard: RFC 959

What is FTP?

FTP (File Transfer Protocol) is a standard network protocol used to transfer files between a client and a server over a TCP connection. Defined in RFC 959 and published in 1985, FTP is one of the oldest application-layer protocols still in use on the internet. Its design predates the World Wide Web, and it was the primary method for moving files across networks for decades.

FTP operates on a client-server model. The client initiates a connection to the server, authenticates with a username and password, and then issues commands to navigate directories, upload files, download files, and manage remote file systems. The protocol relies on TCP for reliable, ordered delivery of both commands and file data.

Despite its age, FTP remains in use today in legacy enterprise systems, automated batch processing workflows, mainframe environments, and certain web hosting setups. However, because FTP transmits everything in cleartext (including credentials), it has been largely replaced by secure alternatives like SFTP and FTPS for any use case involving sensitive data or exposure to the public internet.

How FTP Works: Dual-Channel Architecture

The most distinctive feature of FTP is its use of two separate TCP connections to handle a single session. This dual-channel design separates the command-and-response flow from the actual file data, allowing the protocol to manage transfers and commands independently.

Control Channel (Port 21)

The control channel is established when the client first connects to the server on TCP port 21. This channel carries all FTP commands (such as USER, PASS, LIST, and RETR) and the corresponding server responses (numeric status codes like 220 and 230). The control channel remains open for the entire duration of the session, even when no file transfers are in progress.

Data Channel (Port 20 or Dynamic)

The data channel is a separate TCP connection used exclusively for transferring file contents and directory listings. Unlike the control channel, the data channel is opened and closed for each individual transfer. In active mode, the server initiates this connection from port 20 back to the client. In passive mode, the server opens a dynamic high-numbered port and the client connects to it. This separation means you can issue commands on the control channel while monitoring the progress of a data transfer.

This two-connection approach was practical when FTP was designed, but it creates complications in modern networks. Firewalls and NAT devices must be specially configured to allow the secondary data connection, which is one of the main reasons newer protocols like SFTP (which uses a single connection on port 22) have become preferred.

[Diagram: FTP client and server. Control channel (port 21): client sends USER alice, server replies 331 Password required; client sends RETR file.txt. Data channel (port 20): <file data...>. Control channel: 226 Transfer complete.]
FTP uses two separate channels: a persistent control channel on port 21 for commands, and a temporary data channel for file transfers.

Active Mode vs Passive Mode

FTP supports two modes for establishing the data channel connection. The choice between them determines which side (client or server) initiates the data connection, and this has significant implications for firewall compatibility.

Active Mode (PORT Command)

In active mode, the client sends a PORT command over the control channel, telling the server which IP address and port number to connect back to. The server then opens a new TCP connection from its port 20 to the client's specified port. This was the original FTP behavior.

The problem with active mode is that the server initiates an inbound connection to the client. Most modern firewalls and NAT devices block unsolicited inbound connections by default. This means active mode frequently fails unless the client specifically configures its firewall to allow the incoming data connection from the server.

Passive Mode (PASV Command)

In passive mode, the client sends a PASV command instead of PORT. The server responds with an IP address and a high-numbered port that it is listening on. The client then opens a new TCP connection to that address and port. Because the client initiates both the control and data connections, passive mode works naturally through firewalls and NAT without any special configuration on the client side.

Passive mode is the default and recommended mode for nearly all modern FTP usage. The server-side firewall must still allow inbound connections on the dynamic port range, but this is a simpler configuration than requiring every client to open inbound ports.

[Diagram: Active Mode vs Passive Mode. Active mode: the client (random port) connects to server port 21 for control (1); the server connects from port 20 back to the client for data (2). The server-initiated data connection is often blocked by the client's NAT or firewall. Passive mode: the client connects to server port 21 for control (1) and to a server high port for data (2). The client initiates both connections, so the outbound traffic passes through firewalls easily.]
Active mode vs passive mode: passive mode is preferred because the client initiates both connections, avoiding firewall issues.
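To make the PORT and PASV address encoding concrete, here is an added example (not code from the original page) that builds the active-mode PORT argument from an IP address and port and decodes a 227 passive-mode reply back into an address and port; the tuple form 192,168,1,1,4,1 used in the command reference below is RFC 959's h1,h2,h3,h4,p1,p2 with port = p1 * 256 + p2. The optional control_peer fallback in parse_pasv_reply is this example's own safeguard, not something the page describes.

```python
import ipaddress
import re
from typing import Optional, Tuple

# Added example (not from the original page). RFC 959 encodes an address and
# port as h1,h2,h3,h4,p1,p2 where the port is p1 * 256 + p2. Active mode sends
# this in a PORT command; passive mode receives it in the server's 227 reply.
PASV_TUPLE_RE = re.compile(r"\(" + ",".join([r"(\d{1,3})"] * 6) + r"\)")


def encode_port_command(ip: str, port: int) -> str:
    """Build the PORT command a client sends in active mode."""
    if not 0 < port < 65536:
        raise ValueError("port out of range")
    h = ipaddress.IPv4Address(ip).packed          # the four address octets
    return f"PORT {h[0]},{h[1]},{h[2]},{h[3]},{port >> 8},{port & 0xFF}"


def parse_pasv_reply(reply: str, control_peer: Optional[str] = None) -> Tuple[str, int]:
    """Decode a 227 reply into (ip, port) for the client's data connection.

    If control_peer (the address the control channel is connected to) is given
    and differs from the advertised address, the control peer is used instead.
    That is this example's own safeguard: a server behind NAT often advertises
    its private address, and a reply pointing at some third host should not be
    followed blindly.
    """
    if not reply.startswith("227"):
        raise ValueError(f"not a PASV success reply: {reply!r}")
    m = PASV_TUPLE_RE.search(reply)
    if not m:
        raise ValueError("no h1,h2,h3,h4,p1,p2 tuple in reply")
    n = [int(x) for x in m.groups()]
    if any(v > 255 for v in n):
        raise ValueError("field out of range")
    ip, port = ".".join(map(str, n[:4])), n[4] * 256 + n[5]
    if port == 0:
        raise ValueError("port 0 is not a usable data port")
    if control_peer is not None and ip != control_peer:
        ip = control_peer
    return ip, port
```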

FTP Commands Reference

FTP commands are sent as plaintext strings over the control channel. Each command consists of a short keyword, optionally followed by arguments. Here are the most commonly used FTP commands.

| Command | Purpose | Example |
| --- | --- | --- |
| USER | Send username | USER alice |
| PASS | Send password | PASS secret123 |
| LIST | List directory contents | LIST /pub |
| RETR | Download a file | RETR report.pdf |
| STOR | Upload a file | STOR backup.zip |
| DELE | Delete a file | DELE old.txt |
| MKD | Create directory | MKD /new-folder |
| CWD | Change directory | CWD /pub/docs |
| PWD | Print working directory | PWD |
| PASV | Enter passive mode | PASV |
| PORT | Specify data port (active) | PORT 192,168,1,1,4,1 |
| QUIT | Close connection | QUIT |
| TYPE | Set transfer type | TYPE I (binary) / TYPE A (ASCII) |

The TYPE command deserves special attention. FTP distinguishes between binary and ASCII transfer modes. Binary mode (TYPE I) transfers files byte-for-byte with no modification, which is correct for images, archives, executables, and most modern files. ASCII mode (TYPE A) translates line endings between platforms (for example, converting between Windows CRLF and Unix LF). Using the wrong transfer type can corrupt files, so binary mode is the safe default for nearly all transfers.

FTP Response Codes

Every FTP command receives a numeric response code from the server, followed by a human-readable message. The first digit of the code indicates the general category of the response.

| Code | Meaning |
| --- | --- |
| 150 | File status OK, opening data connection |
| 200 | Command OK |
| 220 | Service ready |
| 226 | Transfer complete, closing data connection |
| 230 | User logged in |
| 250 | Requested action completed |
| 331 | Username OK, need password |
| 425 | Cannot open data connection |
| 426 | Connection closed, transfer aborted |
| 450 | File unavailable (busy or permissions) |
| 500 | Syntax error, unrecognized command |
| 530 | Not logged in |
| 550 | File not found or no access |

The response code categories follow a consistent pattern. 1xx codes are positive preliminary replies, meaning the server has started processing and will send another reply when done. 2xx codes indicate positive completion, meaning the command succeeded. 3xx codes are positive intermediate replies, meaning the server needs additional information (such as a password after accepting a username). 4xx codes are transient negative replies, indicating a temporary failure that may succeed if retried. 5xx codes are permanent negative replies, meaning the command failed and should not be retried without changes.

FTP Security: FTPS and SFTP

Plain FTP has a fundamental security flaw: everything is transmitted in cleartext. This includes usernames, passwords, commands, and file data. Anyone with access to the network path between client and server can intercept credentials and file contents using basic packet capture tools. Two secure alternatives address this problem, but they work in very different ways.

FTPS (FTP over TLS)

FTPS adds TLS encryption to the standard FTP protocol. It comes in two forms. Explicit FTPS starts as a regular FTP connection on port 21, then upgrades to TLS when the client sends an AUTH TLS command. Implicit FTPS requires TLS from the start and uses a dedicated port, typically 990. FTPS retains the dual-channel architecture of FTP, which means it still requires dynamic ports for data connections and can be difficult to configure through firewalls.
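The reply-class rules from the response-code section and the explicit FTPS upgrade order described here combine into a simple audit: a control-channel transcript parser that classifies each server reply by its first digit and flags USER or PASS commands sent before a successful AUTH TLS. This is an added example, not code from the original page; the "C: " / "S: " line prefixes and the sample transcript are constructed for it, and 234 is the reply code RFC 4217 specifies for a successful AUTH.

```python
import re
from typing import List, Tuple

# Added example (not from the original page): classify server replies by first
# digit (RFC 959 reply classes) and flag USER/PASS sent before a successful
# AUTH TLS upgrade. The "C: " / "S: " prefixes are this example's convention;
# 234 is the reply code RFC 4217 specifies for a successful AUTH.
REPLY_CLASSES = {"1": "positive preliminary", "2": "positive completion",
                 "3": "positive intermediate", "4": "transient negative",
                 "5": "permanent negative"}
REPLY_RE = re.compile(r"^(\d{3})[ -](.*)$")

# Constructed sample: the client logs in before issuing AUTH TLS, so the
# credentials cross the wire in cleartext even though TLS is enabled later.
SAMPLE_TRANSCRIPT = """\
S: 220 Service ready
C: USER alice
S: 331 Username OK, need password
C: PASS secret123
S: 230 User logged in
C: AUTH TLS
S: 234 Proceed with negotiation
C: PASV
S: 227 Entering Passive Mode (192,168,1,1,4,1)
"""


def classify_reply(line: str) -> Tuple[int, str]:
    """Return (code, class) for a reply line such as '331 Username OK'."""
    m = REPLY_RE.match(line)
    if not m:
        raise ValueError(f"malformed reply: {line!r}")
    return int(m.group(1)), REPLY_CLASSES.get(m.group(1)[0], "unknown")


def audit_transcript(transcript: str) -> List[str]:
    """Return one finding per credential command sent over a cleartext channel."""
    findings, encrypted, pending_auth = [], False, False
    for raw in transcript.splitlines():
        side, _, text = raw.partition(": ")
        if side == "S":
            code, _cls = classify_reply(text)
            if pending_auth:                  # the reply to AUTH decides the channel state
                encrypted, pending_auth = (code == 234), False
        elif side == "C":
            verb = text.split(" ", 1)[0].upper()
            if verb == "AUTH":
                pending_auth = True
            elif verb in ("USER", "PASS") and not encrypted:
                findings.append(f"{verb} sent in cleartext")
    return findings
```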

SFTP (SSH File Transfer Protocol)

Despite the similar name, SFTP is not FTP with encryption added. It is a completely different protocol that runs as a subsystem of SSH on port 22. SFTP uses a single encrypted connection for both commands and data, which makes it straightforward to use through firewalls. It supports all the file operations you would expect: uploads, downloads, directory listings, file permissions, and resumable transfers.

| Feature | FTP | FTPS | SFTP |
| --- | --- | --- | --- |
| Encryption | None | TLS | SSH |
| Ports | 21 + 20 | 21 + dynamic (or 990) | 22 |
| Firewall Compatibility | Problematic | Still problematic (dynamic ports) | Single port, easy |
| Authentication | Username/password | Certificates + username/password | Keys + password |
| Recommendation | Avoid | Legacy systems only | Preferred |

For new deployments, SFTP is the clear recommendation. It provides strong encryption, simple firewall configuration (a single port), and support for key-based authentication. FTPS is acceptable when you need to maintain compatibility with existing FTP infrastructure that cannot be migrated. Plain FTP should not be used on any network where security is a concern.

Common Use Cases

While FTP is being phased out in favor of secure alternatives, it remains in active use across several domains.

  • Legacy enterprise file transfers: many large organizations have automated workflows built on FTP that have been running for years or even decades, and migrating them carries operational risk
  • Web hosting: some hosting providers still support FTP for uploading website files, though most have transitioned to SFTP or Git-based deployment
  • Automated batch file processing: scheduled jobs that transfer files between systems at set intervals, common in finance, healthcare, and supply chain management
  • Mainframe and AS/400 file exchange: older IBM systems often rely on FTP for file transfers because it was one of the first TCP/IP protocols implemented on these platforms
  • Firmware updates on embedded devices: some industrial equipment, network appliances, and IoT devices use FTP for firmware distribution due to its simplicity and low resource requirements

Frequently Asked Questions About FTP

What is the difference between FTP and SFTP?

FTP and SFTP are completely different protocols. FTP (File Transfer Protocol) transmits data in cleartext over two TCP connections using ports 21 and 20. SFTP (SSH File Transfer Protocol) runs over an encrypted SSH connection on port 22, using a single channel for both commands and data. SFTP provides encryption, integrity checking, and key-based authentication that FTP lacks entirely. Despite the similar names, SFTP is not an extension of FTP. It is a subsystem of the SSH protocol.

Why does FTP use two ports?

FTP was designed in the early 1980s with a dual-channel architecture. Port 21 carries the control channel, which handles commands and responses. A separate data channel (port 20 in active mode, or a dynamic port in passive mode) transfers file contents and directory listings. This separation allows the client to send commands while a transfer is in progress, and it allows the server to send status updates on the control channel during long transfers. Modern protocols avoid this design because it complicates firewall configuration and NAT traversal.

Is FTP secure?

No. Plain FTP transmits everything in cleartext, including usernames, passwords, and file data. Anyone who can observe network traffic between the client and server can read all of this information. FTP should never be used to transfer sensitive data or authenticate with credentials that protect valuable resources. Use SFTP or FTPS instead.

What is the difference between active and passive FTP?

The difference lies in which side initiates the data connection. In active mode, the client tells the server its IP address and port number, and the server connects back to the client. In passive mode, the server tells the client an IP address and port number, and the client connects to the server. Passive mode is preferred because the client initiates both connections, which works naturally through firewalls and NAT devices. Active mode often fails because firewalls block the server's inbound connection to the client.

Should I still use FTP?

For new projects, no. SFTP is the recommended alternative for file transfers. It provides encryption, uses a single port (22), and supports key-based authentication. The only legitimate reason to continue using FTP is maintaining compatibility with legacy systems that cannot be upgraded. Even in those cases, you should investigate whether FTPS (FTP with TLS) is a viable option to at least add encryption to the existing FTP workflow.

What is the difference between FTPS and SFTP?

FTPS is the original FTP protocol with a TLS encryption layer added on top. It still uses the dual-channel architecture and requires multiple ports, making firewall configuration more complex. SFTP is an entirely separate protocol that runs over SSH. It uses a single port (22), supports SSH key authentication, and has a simpler network configuration. FTPS is typically chosen when organizations need to add encryption to existing FTP infrastructure. SFTP is preferred for new deployments because of its simpler setup and stronger security model.

Related Protocols

  • TCP: the transport layer protocol that FTP relies on for reliable, ordered data delivery
  • SSH: the secure protocol that SFTP runs on top of, providing encryption and key-based authentication
  • HTTP: another application-layer protocol that largely replaced FTP for public file distribution via the web
  • HTTPS: the encrypted version of HTTP, often used for secure file downloads as an alternative to FTP-based distribution