This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

I have monitored a TFTP session of a file being transferred. Is there any way to extract the file from the capture?

asked 19 Sep '12, 05:05

Vlad

edited 20 Sep '12, 10:07

cmaynard ♦♦

The current development version of Wireshark (post 1.12) now does let you export files transferred over TFTP. See 'File | Export Objects | TFTP'. I'm thinking that a lot of the time you would really only use this to check which version of a file was transferred, so being able to see the length, and possibly also an MD5 digest of the whole file would be almost as useful as recovering the whole file.

(05 Jun '14, 15:31) MartinM

Hi,

you can do it as follows:

  • use this display filter: tftp
  • then select the first data packet. You will see the following text in the info column: Data Packet, Block: 1
  • right click on that packet and select: Follow UDP Stream
  • in the pop-up window select the conversation with the file. Use the drop down menu above the button labeled "Find". The data conversation should be colored blue.
  • then save that content in raw format (radio button) with "save as"

Regards
Kurt

answered 19 Sep '12, 15:29

Kurt Knochner ♦

Hi. Thanks for the tip. It might work for a regular txt file but it doesn't for a *.gz file. Any idea why?

(20 Sep '12, 00:28) Vlad

Actually, this doesn't work for any file because "Follow UDP Stream" will include the entire UDP payload including the TFTP header, which you don't want. The closest you can get with Wireshark today (that I know of) would be to use Kurt's method to save the data side of the conversation, and then use an external tool/method to find/remove the TFTP header bytes from it. But even that won't work in all cases, such as if there is packet loss, retries, etc.

I would recommend filing an enhancement bug request to add a TFTP reassembly feature to Wireshark.

(20 Sep '12, 09:49) cmaynard ♦♦
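
The header stripping described in the comment above, as an added example that is not part of the original thread or of Wireshark's code. It assumes the UDP payloads are available one per packet (a raw "Follow UDP Stream" dump concatenates them and loses the packet boundaries), the default 512-byte block size, and fewer than 65536 blocks; the function and variable names are hypothetical. It drops retransmitted blocks, reports lost ones, and returns the length and MD5 of the rebuilt file:

```python
import hashlib
import struct

OP_DATA = 3        # TFTP DATA opcode (RFC 1350)
BLOCK_SIZE = 512   # RFC 1350 default; assumes no blksize option was negotiated

def reassemble_tftp(payloads, block_size=BLOCK_SIZE):
    """Rebuild a file from the per-packet UDP payloads of one TFTP transfer.

    Assumes fewer than 65536 blocks (no block-number wraparound).
    """
    blocks, retries = {}, 0
    for p in payloads:
        if len(p) < 4:
            continue                  # too short to carry a TFTP header
        opcode, num = struct.unpack_from("!HH", p)
        if opcode != OP_DATA:
            continue                  # RRQ/WRQ/ACK/ERROR carry no file data
        if num in blocks:
            retries += 1              # retransmission: keep the first copy
        else:
            blocks[num] = p[4:]       # strip opcode + block number
    if not blocks:
        raise ValueError("no TFTP DATA packets found")
    last = max(blocks)
    missing = [n for n in range(1, last) if n not in blocks]   # lost blocks
    data = b"".join(blocks[n] for n in sorted(blocks))
    return {
        "data": data, "length": len(data),
        "md5": hashlib.md5(data).hexdigest(),
        "missing": missing, "retries": retries,
        # A DATA packet shorter than block_size marks the end of the transfer.
        "complete": not missing and len(blocks[last]) < block_size,
    }

def data_pkt(num, body):
    return struct.pack("!HH", OP_DATA, num) + body

# Constructed sample: a 1100-byte file in blocks 1..3, an ACK mixed in,
# and block 2 retransmitted once.
SAMPLE_FILE = bytes(range(256)) * 4 + b"tail" * 19
SAMPLE = [data_pkt(1, SAMPLE_FILE[:512]), struct.pack("!HH", 4, 1),
          data_pkt(2, SAMPLE_FILE[512:1024]), data_pkt(2, SAMPLE_FILE[512:1024]),
          data_pkt(3, SAMPLE_FILE[1024:])]

if __name__ == "__main__":
    r = reassemble_tftp(SAMPLE)
    print(r["length"], r["md5"], r["missing"], r["retries"], r["complete"])
```

A result with a non-empty `missing` list or `complete` set to false means the capture does not hold the whole file, so its MD5 should not be compared against a known-good copy.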
question asked: 19 Sep '12, 05:05

question was seen: 9,326 times

last updated: 05 Jun '14, 15:31
