I have monitored a TFTP session of a file being transferred. Is there any way to extract the file from the capture?

asked 19 Sep '12, 05:05 Vlad
edited 20 Sep '12, 10:07 cmaynard ♦♦
One Answer:
Hi, you can do it as follows:
Regards

answered 19 Sep '12, 15:29 Kurt Knochner ♦

Hi. Thanks for the tip. It might work for a regular txt file but it doesn't for an *.gz file. Any idea why? (20 Sep '12, 00:28) Vlad

Actually, this doesn't work for any file because "Follow UDP Stream" will include the entire UDP payload including the TFTP header, which you don't want. The closest you can get with Wireshark today (that I know of) would be to use Kurt's method to save the data side of the conversation, and then use an external tool/method to find/remove the TFTP header bytes from it. But even that won't work in all cases, such as if there is packet loss, retries, etc. I would recommend filing an enhancement bug request to add a TFTP reassembly feature to Wireshark. (20 Sep '12, 09:49) cmaynard ♦♦

The current development version of Wireshark (post 1.12) now does let you export files transferred over TFTP. See 'File | Export Objects | TFTP'. I'm thinking that a lot of the time you would really only use this to check which version of a file was transferred, so being able to see the length, and possibly also an MD5 digest of the whole file would be almost as useful as recovering the whole file.
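
Added example, not part of the original thread or of Wireshark: a Python sketch of the external header-stripping step discussed in the comments, which also reports the length and MD5 digest mentioned in the last post. It assumes the UDP payloads of one transfer are already available as a list of byte strings and that the default 512-byte block size was used; the function name and sample data are constructed for illustration.

```python
import hashlib
import struct

OP_DATA = 3        # RFC 1350 opcode of a DATA packet
BLOCK_SIZE = 512   # assumption: default block size, no blksize option negotiated

def reassemble_tftp(payloads):
    """Rebuild file bytes from the UDP payloads of one TFTP transfer.

    Returns (data, missing_blocks, complete). Block-number wraparound
    (files over about 32 MB at 512-byte blocks) is not handled.
    """
    blocks = {}
    for p in payloads:
        if len(p) < 4:
            continue
        opcode, block = struct.unpack("!HH", p[:4])
        if opcode != OP_DATA:
            continue                     # RRQ/WRQ/ACK/ERROR carry no file data
        blocks.setdefault(block, p[4:])  # keep first copy, drop retransmissions
    if not blocks:
        return b"", [], False
    last = max(blocks)
    missing = [n for n in range(1, last + 1) if n not in blocks]
    # A transfer ends with a DATA block shorter than the block size.
    complete = not missing and len(blocks[last]) < BLOCK_SIZE
    return b"".join(blocks[n] for n in sorted(blocks)), missing, complete

def _data(block, chunk):
    return struct.pack("!HH", OP_DATA, block) + chunk

# Constructed sample: a 1051-byte "file" sent as blocks of 512, 512 and 27 bytes,
# with the read request, ACKs and one retransmitted block mixed in.
SAMPLE_FILE = bytes(range(256)) * 4 + b"tail of a constructed file\n"
SAMPLE_PAYLOADS = [
    b"\x00\x01file.gz\x00octet\x00",
    _data(1, SAMPLE_FILE[:512]), b"\x00\x04\x00\x01",
    _data(2, SAMPLE_FILE[512:1024]),
    _data(2, SAMPLE_FILE[512:1024]),     # retransmission of block 2
    b"\x00\x04\x00\x02",
    _data(3, SAMPLE_FILE[1024:]), b"\x00\x04\x00\x03",
]

if __name__ == "__main__":
    data, missing, complete = reassemble_tftp(SAMPLE_PAYLOADS)
    print(len(data), hashlib.md5(data).hexdigest(), missing, complete)
```

A non-empty `missing` list or `complete == False` means the capture lost DATA packets, so the rebuilt bytes and their digest should not be trusted as the transferred file.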