TFTPgrab iconTFTPgrab 0.2

TFTPgrab is a TFTP (Trivial File Transfer Protocol) stream extractor.
TFTPgrab is a TFTP (Trivial File Transfer Protocol) stream extractor. It reads from tcpdump/libpcap capture files and attempts to reconstruct data that has been transferred via TFTP.

TFTPgrab may be useful in some network forensics situations. See the README in the distribution for more information. It is distributed under the revised BSD license.

TFTPgrab should compile on modern UNIX systems that have libpcap available.

Packet Handling

TFTP is a UDP based file transfer protocol (RFCs: 1350, 2347, 2348,
2349) that utilizes lock-step data and acknowledgement exchanges.
tftpgrab reconstructs the files by looking for client read or write
requests and tracking corresponding data and acknowledgement packets.

Client requests are made to a well-known server port (typically 69).
The server responds from a (usually) randomly chosen port. These two
ports are used for the remainder of the transfer.

Checksum verification of IP and UDP is implemented. To process a file
with checking for bad checksums use the '-B' command line option.

Basic IP fragment re-assembly is also implemented. The algorithm is
simplistic so excessive resource usage, evasion or inaccurate
re-assembly is possible.

A BPF filtering expression can be specified following any other
command line options. The expression 'udp' is automatically included.

Output

Re-constructed files are written to the current directory using the
format,

src_ip.src_port-dst_ip.dst_port-filename

For example,

192.168.000.001.32768-192.168.001.100.00069-vmlinuz
206.229.221.082.01754-172.016.114.050.01364-_etc_passwd

Non-alphanumeric characters in the filename are replaced with '_'.

The filename can be excluded by using the '-E' command line option.

Instead of writing to the local directory, the file contents can be
written to the console by using the '-c' command line option.

Usage

tftpgrab [OPTION]... [-r FILE] [EXPRESSION]

Reconstruct TFTP file contents from PCAP capture file.
With no FILE, or when FILE is -, read standard input.
-r PCAP file to read
-f overwrite existing files
-c print TFTP file contents to console
-E exclude TFTP filename when reconstructing
-v print verbose TFTP exchanges (repeat up to three times)
-X dump TFTP packet contents
-B check packets for bad checksums
-d specify debugging level

last updated on:
November 2nd, 2007, 15:02 GMT
price:
FREE!
developed by:
Gregory Fleischer
license type:
BSD License 
category:
ROOT \ Security

FREE!

In a hurry? Add it to your Download Basket!

user rating 17

UNRATED
3.8/5
 

0/5

1 Screenshot
TFTPgrab

Add your review!

SUBMIT