This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Save TFTP transferred file from capture


I have monitored a TFTP session of a file being transferred. Is there any way to extract the file from the capture?

asked 19 Sep '12, 05:05


Vlad

edited 20 Sep '12, 10:07


cmaynard ♦♦


The current development version of Wireshark (post 1.12) now does let you export files transferred over TFTP. See 'File | Export Objects | TFTP'. I'm thinking that a lot of the time you would really only use this to check which version of a file was transferred, so being able to see the length, and possibly also an MD5 digest of the whole file would be almost as useful as recovering the whole file.

(05 Jun '14, 15:31) MartinM

One Answer:


Hi,

you can do it as follows:

  • use this display filter: tftp
  • then select the first data packet. You will see the following text in the info column: Data Packet, Block: 1
  • right click on that packet and select: Follow UDP Stream
  • in the pop-up window select the conversation with the file. Use the drop-down menu above the button labeled "Find". The data conversation should be colored blue.
  • then save that content in raw format (radio button) with "save as"

Regards
Kurt

answered 19 Sep '12, 15:29


Kurt Knochner ♦


Hi. Thanks for the tip. It might work for a regular txt file but it doesn't for an *.gz file. Any idea why?

(20 Sep '12, 00:28) Vlad

Actually, this doesn't work for any file because "Follow UDP Stream" will include the entire UDP payload including the TFTP header, which you don't want. The closest you can get with Wireshark today (that I know of) would be to use Kurt's method to save the data side of the conversation, and then use an external tool/method to find/remove the TFTP header bytes from it. But even that won't work in all cases, such as if there is packet loss, retries, etc.

I would recommend filing an enhancement bug request to add a TFTP reassembly feature to Wireshark.

(20 Sep '12, 09:49) cmaynard ♦♦
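Added example (my own code, not part of this thread and not Wireshark's own implementation): a small Python reassembler that does what cmaynard's comment describes. It strips the 4-byte TFTP DATA header (2-byte opcode 3 plus 2-byte block number, per RFC 1350) from each packet, ignores retransmitted blocks, and refuses to emit a file when a block is missing instead of silently producing a corrupt one. It works on a list of UDP payloads (as you would get from a pcap with any capture library), or can split the raw save from Follow UDP Stream, assuming the data direction was saved on its own and the default 512-byte block size was in use. The MD5 digest it returns alongside the file is the kind of check MartinM mentions. The sample transfer, including a retransmitted block, is constructed inline; the function names and the `firmware.bin` filename are my own choices.

```python
"""Reassemble a file from the TFTP DATA packets of a capture (RFC 1350).

Each DATA packet: opcode 3 (2 bytes, big-endian), block number (2 bytes,
big-endian), then up to 512 bytes of file data. A block shorter than the
block size ends the transfer.
"""
import hashlib
import struct

TFTP_RRQ = 1
TFTP_DATA = 3
TFTP_ACK = 4
DEFAULT_BLKSIZE = 512  # RFC 1350 size when no blksize option is negotiated


def parse_tftp_packet(payload: bytes):
    """Return (opcode, block, data) for one TFTP packet's UDP payload.

    Only DATA and ACK carry a block number; for other opcodes block is None
    and data is the rest of the packet (e.g. filename and mode of a RRQ).
    """
    if len(payload) < 2:
        raise ValueError("payload too short for a TFTP opcode")
    opcode = struct.unpack("!H", payload[:2])[0]
    if opcode in (TFTP_DATA, TFTP_ACK):
        if len(payload) < 4:
            raise ValueError("DATA/ACK packet without a block number")
        return opcode, struct.unpack("!H", payload[2:4])[0], payload[4:]
    return opcode, None, payload[2:]


def reassemble(payloads, blksize=DEFAULT_BLKSIZE):
    """Rebuild the file from a sequence of UDP payloads; returns (bytes, blocks).

    Identical retransmissions of a block are dropped; a block that reappears
    with different contents, a gap in the sequence, or a transfer with no
    final short block is reported as an error rather than hidden.
    """
    blocks = {}
    last_block = None  # number of the short (final) block, once seen
    for payload in payloads:
        opcode, block, data = parse_tftp_packet(payload)
        if opcode != TFTP_DATA:
            continue  # RRQ/WRQ/ACK/ERROR carry no file data
        if block in blocks:
            if blocks[block] != data:
                raise ValueError(f"block {block} seen twice with different data")
            continue  # plain retransmission after a lost ACK
        blocks[block] = data
        if len(data) < blksize:
            last_block = block
    if not blocks:
        raise ValueError("no TFTP DATA packets in capture")
    if last_block is None:
        raise ValueError("final short block never seen; transfer truncated")
    missing = [b for b in range(1, last_block + 1) if b not in blocks]
    if missing:
        raise ValueError(f"missing blocks: {missing}")
    return b"".join(blocks[b] for b in range(1, last_block + 1)), last_block


def split_follow_stream(raw, blksize=DEFAULT_BLKSIZE):
    """Split a Follow UDP Stream raw save (data direction only) into packets.

    The raw save concatenates payloads with no boundaries, so this relies on
    every DATA packet except the last being exactly 4 + blksize bytes.
    """
    step = 4 + blksize
    return [raw[i:i + step] for i in range(0, len(raw), step)]


# --- constructed sample transfer (not from a real capture) -----------------
SAMPLE_FILE = bytes(range(256)) * 4 + b"tail of the file\n"  # 1041 bytes


def build_data_packets(file_bytes, blksize=DEFAULT_BLKSIZE):
    """Sender side of a transfer: cut file_bytes into numbered DATA packets."""
    packets, block, offset = [], 1, 0
    while True:
        chunk = file_bytes[offset:offset + blksize]
        packets.append(struct.pack("!HH", TFTP_DATA, block) + chunk)
        offset, block = offset + blksize, block + 1
        if len(chunk) < blksize:
            return packets


def constructed_capture():
    """Both directions as seen on the wire: block 2 is sent twice (lost ACK)."""
    data = build_data_packets(SAMPLE_FILE)
    rrq = struct.pack("!H", TFTP_RRQ) + b"firmware.bin\x00octet\x00"  # hypothetical name
    ack = [struct.pack("!HH", TFTP_ACK, n) for n in range(4)]
    return [rrq, data[0], ack[1], data[1], data[1], ack[2], data[2], ack[3]]


def recover_from_capture():
    """Return (file_bytes, block_count, md5_hex) for the constructed capture."""
    content, nblocks = reassemble(constructed_capture())
    return content, nblocks, hashlib.md5(content).hexdigest()


if __name__ == "__main__":
    content, nblocks, digest = recover_from_capture()
    print(f"{len(content)} bytes in {nblocks} blocks, md5 {digest}")
```

If the transfer negotiated a larger block size (the `blksize` option of RFC 2348), pass that value instead of the default; the 4-byte header and the short-final-block rule are unchanged. Block numbers wrap at 65535 for files larger than 32 MiB with 512-byte blocks, which this example does not handle.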