TFTPgrab is a TFTP (Trivial File Transfer Protocol) stream extractor. It reads from tcpdump/libpcap capture files and attempts to reconstruct data that has been transferred via TFTP.
TFTPgrab may be useful in some network forensics situations. See the README in the distribution for more information. It is distributed under the revised BSD license.
TFTPgrab should compile on modern UNIX systems that have libpcap available.
TFTP is a UDP-based file transfer protocol (RFCs: 1350, 2347, 2348,
2349) that utilizes lock-step data and acknowledgement exchanges.
tftpgrab reconstructs the files by looking for client read or write
requests and tracking corresponding data and acknowledgement packets.
Client requests are made to a well-known server port (typically 69).
The server responds from a (usually) randomly chosen port. These two
ports are used for the remainder of the transfer.
Checksum verification of IP and UDP is implemented. To check packets
for bad checksums while processing a file, use the '-B' command line
option.
Basic IP fragment re-assembly is also implemented. The algorithm is
simplistic, so excessive resource usage, evasion or inaccurate
re-assembly are possible.
A BPF filtering expression can be specified following any other
command line options. The expression 'udp' is automatically included.
Re-constructed files are written to the current directory using the
Non-alphanumeric characters in the filename are replaced with '_'.
The filename can be excluded by using the '-E' command line option.
Instead of writing to the local directory, the file contents can be
written to the console by using the '-c' command line option.
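
The request and port tracking described above, together with the filename
rule, as an added example (not TFTPgrab's own code). The names sanitize and
reconstruct and the tuple layout are hypothetical. It assumes the default
512-byte block size and transfers short enough that block numbers do not wrap.

```python
import re
import struct

RRQ, WRQ, DATA = 1, 2, 3  # RFC 1350 opcodes
BLOCK = 512  # RFC 1350 default; blksize negotiation (RFC 2348) is not handled

def sanitize(name):
    # Replace non-alphanumeric characters with '_', as described above.
    return re.sub(r"[^A-Za-z0-9]", "_", name)

def reconstruct(datagrams, server_port=69):
    # datagrams: (src_ip, src_port, dst_ip, dst_port, udp_payload) tuples
    pending, active, done = {}, {}, []
    for sip, sport, dip, dport, payload in datagrams:
        if len(payload) < 4:
            continue
        op, block = struct.unpack("!HH", payload[:4])
        if dport == server_port and op in (RRQ, WRQ):
            name = payload[2:].split(b"\0")[0].decode("ascii", "replace")
            # Data flows from the server on a read, from the client on a write.
            pending[(sip, sport, dip)] = {
                "name": sanitize(name), "next": 1, "data": bytearray(),
                "sender": dip if op == RRQ else sip}
            continue
        key = frozenset([(sip, sport), (dip, dport)])
        if key not in active and (dip, dport, sip) in pending:
            # The server's first reply, from its chosen port, fixes the port pair.
            active[key] = pending.pop((dip, dport, sip))
        xfer = active.get(key)
        if xfer is None or op != DATA or sip != xfer["sender"]:
            continue
        if block != xfer["next"]:
            continue  # retransmitted or unexpected block: keep lock-step order
        xfer["data"] += payload[4:]
        xfer["next"] += 1
        if len(payload) - 4 < BLOCK:  # a short block ends the transfer
            done.append((xfer["name"], bytes(xfer["data"])))
            del active[key]
    return done

# Constructed sample: one read request, with block 1 retransmitted.
C, S = "192.0.2.10", "192.0.2.1"
SAMPLE = [
    (C, 50000, S, 69, b"\0\x01configs/router-1.cfg\0octet\0"),
    (S, 40000, C, 50000, b"\0\x03\0\x01" + b"A" * BLOCK),
    (S, 40000, C, 50000, b"\0\x03\0\x01" + b"A" * BLOCK),
    (C, 50000, S, 40000, b"\0\x04\0\x01"),
    (S, 40000, C, 50000, b"\0\x03\0\x02" + b"B" * 10),
]
```
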

tftpgrab [OPTION]... [-r FILE] [EXPRESSION]

Reconstruct TFTP file contents from PCAP capture file.
With no FILE, or when FILE is -, read standard input.

  -r    PCAP file to read
  -f    overwrite existing files
  -c    print TFTP file contents to console
  -E    exclude TFTP filename when reconstructing
  -v    print verbose TFTP exchanges (repeat up to three times)
  -X    dump TFTP packet contents
  -B    check packets for bad checksums
  -d    specify debugging level