TFTPgrab is a TFTP stream extractor: it reconstructs the files carried over TFTP (Trivial File Transfer Protocol) from captured network traffic.
TFTPgrab's packet handling follows the UDP-based file transfer protocol defined in RFCs 1350, 2347, 2348 and 2349. Because a TFTP transfer proceeds as a lock-step exchange of data and acknowledgement packets, TFTPgrab reconstructs a file by pairing each data packet with its corresponding acknowledgement. Reconstruction starts by identifying a client's read or write request: the request is sent to the server's well-known port (typically 69), and the server answers from a (usually) randomly chosen port. TFTPgrab verifies IP and UDP checksums and performs basic IP fragment re-assembly; the '-B' command line option lets a file whose packets have bad checksums be processed anyway.
TFTPgrab writes reconstructed files to the current directory, named 'src_ip.src_port-dst_ip.dst_port-filename', for example '192.168.000.001.32768-192.168.001.100.00069-vmlinuz' or '206.229.221.082.01754-172.016.114.050.01364-_etc_passwd'. Non-alphanumeric characters in the TFTP filename are replaced with underscores, as in the '_etc_passwd' of the second example. The '-E' command line option excludes the TFTP filename when reconstructing, and the '-c' option prints file contents to the console. Any other command line arguments are treated as a BPF filter expression; the 'udp' qualifier is added to it automatically.
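The lock-step reconstruction and the output naming described above, as an added example in Python that is not TFTPgrab's own code: it parses RRQ/WRQ/DATA/ACK datagrams, opens a session per request, learns the server's transfer port from the server's first reply, keeps a DATA block only once the matching ACK has been seen, and finishes the file at the first block shorter than 512 bytes. The addresses, ports, datagrams and file contents are constructed for the example; `TftpReassembler`, `extract_files`, `output_name` and `build_sample_capture` are names chosen here, not TFTPgrab's.

```python
import re
import struct

# TFTP opcodes from RFC 1350
RRQ, WRQ, DATA, ACK = 1, 2, 3, 4
BLKSIZE = 512  # default block size; a DATA block shorter than this ends the transfer


def parse_tftp(payload):
    """Return (opcode, fields) for a TFTP datagram, or None if it is not well-formed TFTP."""
    if len(payload) < 2:
        return None
    (op,) = struct.unpack("!H", payload[:2])
    if op in (RRQ, WRQ):
        parts = payload[2:].split(b"\x00")  # filename NUL mode NUL [options...]
        if len(parts) < 2:
            return None
        return op, {"filename": parts[0].decode("latin-1"), "mode": parts[1].decode("latin-1")}
    if op in (DATA, ACK) and len(payload) >= 4:
        (block,) = struct.unpack("!H", payload[2:4])
        return op, {"block": block, "data": payload[4:]}
    return None


def output_name(client_ip, client_port, server_ip, server_port, filename):
    """Build 'src_ip.src_port-dst_ip.dst_port-filename': zero-padded octets and ports, sanitised name."""
    def pad_ip(ip):
        return ".".join("%03d" % int(octet) for octet in ip.split("."))
    safe = re.sub(r"[^A-Za-z0-9]", "_", filename)  # non-alphanumerics become underscores
    return "%s.%05d-%s.%05d-%s" % (pad_ip(client_ip), client_port, pad_ip(server_ip), server_port, safe)


class TftpReassembler:
    """Follow each RRQ/WRQ session in lock step: a DATA block is committed only once its ACK is seen."""

    def __init__(self):
        self.sessions = {}  # (client_ip, client_port) -> per-transfer state
        self.files = {}     # output name -> reconstructed bytes

    def feed(self, src_ip, src_port, dst_ip, dst_port, payload):
        parsed = parse_tftp(payload)
        if parsed is None:
            return
        op, f = parsed
        if op in (RRQ, WRQ):
            # A request opens a session; the well-known port is usually 69, but the name
            # records whatever port the request was actually sent to.
            self.sessions[(src_ip, src_port)] = {
                "name": output_name(src_ip, src_port, dst_ip, dst_port, f["filename"]),
                "read": op == RRQ, "server_port": None,
                "expected": 1, "pending": None, "chunks": [],
            }
            return
        # For a read, DATA goes server->client and ACK client->server; a write is the reverse.
        # Try both interpretations and keep the one that matches a session of that kind.
        if op == DATA:
            candidates = [((dst_ip, dst_port), src_port, True), ((src_ip, src_port), dst_port, False)]
        else:
            candidates = [((src_ip, src_port), dst_port, True), ((dst_ip, dst_port), src_port, False)]
        for key, server_port, is_read in candidates:
            s = self.sessions.get(key)
            if s is not None and s["read"] == is_read:
                break
        else:
            return  # not part of any transfer whose request we saw
        # The server chooses its transfer port on its first reply; later packets must use it.
        if s["server_port"] is None:
            s["server_port"] = server_port
        elif s["server_port"] != server_port:
            return
        if op == DATA:
            if f["block"] == s["expected"] and s["pending"] is None:
                s["pending"] = f["data"]  # held until acknowledged; retransmissions are dropped
        elif f["block"] == s["expected"] and s["pending"] is not None:
            s["chunks"].append(s["pending"])
            final = len(s["pending"]) < BLKSIZE
            s["pending"], s["expected"] = None, s["expected"] + 1
            if final:
                self.files[s["name"]] = b"".join(s["chunks"])
                del self.sessions[key]


def extract_files(datagrams):
    """Run (src_ip, src_port, dst_ip, dst_port, udp_payload) tuples through the reassembler."""
    r = TftpReassembler()
    for d in datagrams:
        r.feed(*d)
    return r.files


# Constructed sample exchange (not a real capture): a client reads /etc/passwd from a server.
CLIENT, SERVER = "192.168.0.1", "192.168.1.100"
SAMPLE_BLOCK1 = bytes(range(256)) * 2               # a full 512-byte block
SAMPLE_BLOCK2 = b"root:x:0:0:root:/root:/bin/sh\n"  # short final block, so the transfer ends


def build_sample_capture():
    def data(n, body):
        return struct.pack("!HH", DATA, n) + body

    def ack(n):
        return struct.pack("!HH", ACK, n)
    return [
        (CLIENT, 32768, SERVER, 69, struct.pack("!H", RRQ) + b"/etc/passwd\x00octet\x00"),
        ("10.0.0.5", 40000, "10.0.0.53", 53, b"\x12\x34\x01\x00\x00\x01"),  # unrelated UDP, ignored
        (SERVER, 54321, CLIENT, 32768, data(1, SAMPLE_BLOCK1)),
        (SERVER, 54321, CLIENT, 32768, data(1, SAMPLE_BLOCK1)),  # retransmission, not stored twice
        (CLIENT, 32768, SERVER, 54321, ack(1)),
        (SERVER, 9999, CLIENT, 32768, data(2, b"bogus")),        # wrong server port, rejected
        (SERVER, 54321, CLIENT, 32768, data(2, SAMPLE_BLOCK2)),
        (CLIENT, 32768, SERVER, 54321, ack(2)),
    ]


if __name__ == "__main__":
    for name, content in extract_files(build_sample_capture()).items():
        print("%s: %d bytes" % (name, len(content)))
```

The sample deliberately includes a retransmitted block and a DATA packet from a port other than the one the server chose; the lock-step pairing drops both, which is what keeps a reconstructed file from containing duplicated or injected blocks. The example starts at the UDP payload, so the IP/UDP checksum verification and fragment re-assembly that TFTPgrab performs are not modelled here.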
TFTPgrab is invoked as 'tftpgrab [OPTION]... [-r FILE] [EXPRESSION]'. With no FILE, or when FILE is '-', TFTPgrab reads standard input. Options: '-r' reads packets from the given PCAP file; '-f' overwrites existing files; '-c' prints TFTP file contents to the console; '-E' excludes the TFTP filename when reconstructing; '-v' prints verbose TFTP exchanges (may be given up to three times); '-X' dumps TFTP packet contents; '-d' sets the debugging level.
Version 0.2: N/A