Tutorial: Trivial File Transport Protocol (TFTP)

TFTP is a simple file transfer protocol with a basic idle repeat request procedure for error control: every data block must be acknowledged before the next one is sent. This tutorial discusses the features of the plugin tftpDecode, including its data carving capability.

Preparation

Before we start we need to prepare T2. If you have not completed the previous tutorials, just follow the procedure described below.

First, I recommend putting T2 into a pristine state by removing all unnecessary or older plugins from the default plugin folder ~/.tranalyzer/plugins, just as a precaution in case old plugins or files are still there. If you would like to keep them, copy them elsewhere first.

$ t2build -e
Are you sure you want to empty the plugin folder '/home/wurst/.tranalyzer/plugins' (y/N)? y
Plugin folder emptied
$

Then compile the following plugins:

$ t2build tranalyzer2 basicFlow tcpStates tftpDecode txtSink
...
BUILD SUCCESSFUL

$

If you have not created separate data and results directories yet, please do so now in another terminal window; it makes your workflow easier:

$ mkdir ~/data ~/results
$

Download the sample pcap here: tftp_rrq.pcap. Now you’re all set.

tftpDecode

Let’s look at the plugin configuration first. As in all data carving capable plugins, the user can set TFTP_SAVE to save the extracted content and choose where it is stored with TFTP_F_PATH. The other constants control the output of the TFTP commands and the length of file names in the flow file.

$ tftpDecode
$ vi src/tftpDecode.h

For the first test we leave everything at its default and run t2 on the supplied pcap.

$ t2 -r ~/test_data/data/tftp/tftp_rrq.pcap -w ~/results/ -s
===============================================================================
Tranalyzer 0.8.10 (Anteater), Tarantula. PID: 12778
================================================================================
[INF] Creating flows for L2, IPv4, IPv6
Active plugins:
    01: basicFlow, 0.8.10
    02: tcpStates, 0.8.10
    03: tftpDecode, 0.8.10
    04: txtSink, 0.8.10
[INF] IPv4 Ver: 5, Rev: 16122020, Range Mode: 0, subnet ranges loaded: 406077 (406.08 K)
[INF] IPv6 Ver: 5, Rev: 17122020, Range Mode: 0, subnet ranges loaded: 51069 (51.07 K)
Processing file: /home/wurst/data/tftp_rrq.pcap
Link layer type: Ethernet [EN10MB/1]
Dump start: 1367411051.972852 sec (Wed 01 May 2013 12:24:11 GMT)
Dump stop : 1367411052.258801 sec (Wed 01 May 2013 12:24:12 GMT)
Total dump duration: 0.285949 sec
Finished processing. Elapsed time: 0.001395 sec
Finished unloading flow memory. Time: 0.001432 sec
Percentage completed: 100.00%
Number of processed packets: 99
Number of processed bytes: 29855 (29.86 K)
Number of raw bytes: 29855 (29.86 K)
Number of pad bytes: 686
Number of pcap bytes: 31463 (31.46 K)
Number of IPv4 packets: 99 [100.00%]
Number of A packets: 50 [50.51%]
Number of B packets: 49 [49.49%]
Number of A bytes: 26915 (26.91 K) [90.15%]
Number of B bytes: 2940 (2.94 K) [9.85%]
Average A packet load: 538.30
Average B packet load: 60.00
--------------------------------------------------------------------------------
tftpDecode: Aggregated tftpStat=0x2001
tftpDecode: Number of TFTP packets: 99 [100.00%]
--------------------------------------------------------------------------------
Headers count: min: 3, max: 3, average: 3.00
Number of UDP packets: 99 [100.00%]
Number of UDP bytes: 29855 (29.86 K) [100.00%]
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Number of processed   flows: 3
Number of processed A flows: 2 [66.67%]
Number of processed B flows: 1 [33.33%]
Number of request     flows: 2 [66.67%]
Number of reply       flows: 1 [33.33%]
Total   A/B    flow asymmetry: 0.33
Total req/rply flow asymmetry: 0.33
Number of processed   packets/flows: 33.00
Number of processed A packets/flows: 25.00
Number of processed B packets/flows: 49.00
Number of processed total packets/s: 346.22
Number of processed A+B   packets/s: 346.22
Number of processed A     packets/s: 174.86
Number of processed   B   packets/s: 171.36
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Number of average processed flows/s: 10.49
Average full raw bandwidth: 835254 b/s (835.25 Kb/s)
Average full bandwidth : 816062 b/s (816.06 Kb/s)
Max number of flows in memory: 3 [0.00%]
Memory usage: 0.01 GB [0.02%]
Aggregated flowStat=0x0400000000004000
[INF] IPv4 flows
$

We have three flows, all TFTP. The aggregated tftpStat states that there is an additional passive TFTP flow.

$ tawk -V tftpStat=0x2001
The tftpStat column with value 0x2001 is to be interpreted as follows:

   bit | tftpStat | Description
   =============================================================================
     0 | 0x0001   | TFTP flow found
    13 | 0x2000   | TFTP passive

Looking at the flow file, the column tftpPFlow links the dependent flows: flow 1 is linked with its passive flow 2 and vice versa. This is the same mechanism as in the ftpDecode plugin and it helps to find dependent flows. You also see the list of commands and the requested file name, rfc1350.txt, transferred in octet mode.

$ cd ~/results
$ tcol tftp_rrq_flows.txt
%dir  flowInd  flowStat            timeFirst          timeLast           duration  numHdrDesc  numHdrs  hdrDesc       srcMac             dstMac             ethType  ethVlanID  srcIP          srcIPCC  srcIPOrg           srcPort  dstIP          dstIPCC  dstIPOrg           dstPort  l4Proto  tcpStatesAFlags  tftpStat  tftpPFlow  tftpNumOpcode  tftpOpcode  tftpNumParam  tftpParam              tftpNumErr  tftpErrC
A     1        0x0400000000004000  1367411051.972852  1367411051.972852  0.000000  1           3        eth:ipv4:udp  00:0b:be:18:9a:40  00:50:8d:d7:8b:43  0x0800              192.168.0.253  07       "Private network"  50618    192.168.0.10   07       "Private network"  69       17       0x00             0x2001    2          1              RRQ         2             "rfc1350.txt";"octet"  0
A     2        0x0400000000004000  1367411052.077243  1367411052.256145  0.178902  1           3        eth:ipv4:udp  00:50:8d:d7:8b:43  00:0b:be:18:9a:40  0x0800              192.168.0.10   07       "Private network"  3445     192.168.0.253  07       "Private network"  50618    17       0x00             0x2001    1          1              DTA         0                                    0
B     2        0x0400000000004001  1367411052.081790  1367411052.258801  0.177011  1           3        eth:ipv4:udp  00:0b:be:18:9a:40  00:50:8d:d7:8b:43  0x0800              192.168.0.253  07       "Private network"  50618    192.168.0.10   07       "Private network"  3445     17       0x00             0x2001    1          1              ACK         0                                    0

The packet file shows the tftpStat and the commands, including the whole l7Content. You can see the nature of TFTP’s idle repeat request protocol: every data packet is answered with an ACK. If you load the plugin basicStats you will notice this behaviour in the flow statistics. I leave that to the reader.

$ tcol tftp_rrq_packets.txt
%pktNo  flowInd  flowStat            time               pktIAT    flowDuration  numHdrs  hdrDesc       ethVlanID  srcMac             dstMac             ethType  srcIP          srcIPCC  srcIPOrg         srcPort  dstIP          dstIPCC  dstIPOrg         dstPort  l4Proto  tcpStatesAFlags  tftpStat  tftpOpcode  l7Content
1       1        0x0400000000004000  1367411051.972852  0.000000  0.000000      3        eth:ipv4:udp             00:0b:be:18:9a:40  00:50:8d:d7:8b:43  0x0800   192.168.0.253  07       Private network  50618    192.168.0.10   07       Private network  69       17                        0x1001    RRQ         ..rfc1350.txt.octet.
2       2        0x0400000000004000  1367411052.077243  0.000000  0.000000      3        eth:ipv4:udp             00:50:8d:d7:8b:43  00:0b:be:18:9a:40  0x0800   192.168.0.10   07       Private network  3445     192.168.0.253  07       Private network  50618    17                        0x2001    DTA         ....\n\n\n\n\n\nNetwork Working Group                                         K. Sollins\nRequest For Comments: 1350                                           MIT\nSTD: 33                                                        July 1992\nObsoletes: RFC 783\n\n\n                     THE TFTP PROTOCOL (REVISION 2)\n\nStatus of this Memo\n\n   This RFC specifies an IAB standards track protocol for the Internet\n   community, and requests discussion and suggestions for improvements.\n   Please refer to the current edition of the "IA
3       2        0x0400000000004001  1367411052.081790  0.000000  0.000000      3        eth:ipv4:udp             00:0b:be:18:9a:40  00:50:8d:d7:8b:43  0x0800   192.168.0.253  07       Private network  50618    192.168.0.10   07       Private network  3445     17                        0x2001    ACK         ....
4       2        0x0400000000004000  1367411052.086300  0.009057  0.009057      3        eth:ipv4:udp             00:50:8d:d7:8b:43  00:0b:be:18:9a:40  0x0800   192.168.0.10   07       Private network  3445     192.168.0.253  07       Private network  50618    17                        0x2001    DTA         ....B Official Protocol\n   Standards" for the standardization state and status of this protocol.\n   Distribution of this memo is unlimited.\n\nSummary\n\n   TFTP is a very simple protocol used to transfer files.  It is from\n   this that its name comes, Trivial File Transfer Protocol or TFTP.\n   Each nonterminal packet is acknowledged separately.  This document\n   describes the protocol and its types of packets.  The document also\n   explains the reasons behind some of the design decisions.\n\nAcknowlegements\n\n   The
5       2        0x0400000000004001  1367411052.088961  0.007171  0.007171      3        eth:ipv4:udp             00:0b:be:18:9a:40  00:50:8d:d7:8b:43  0x0800   192.168.0.253  07       Private network  50618    192.168.0.10   07       Private network  3445     17                        0x2001    ACK         ....
6       2        0x0400000000004000  1367411052.088995  0.002695  0.011752      3        eth:ipv4:udp             00:50:8d:d7:8b:43  00:0b:be:18:9a:40  0x0800   192.168.0.10   07       Private network  3445     192.168.0.253  07       Private network  50618    17                        0x2001    DTA         ....protocol was originally designed by Noel Chiappa, and was\n   redesigned by him, Bob Baldwin and Dave Clark, with comments from\n   Steve Szymanski.  The current revision of the document includes\n   modifications stemming from discussions with and suggestions from\n   Larry Allen, Noel Chiappa, Dave Clark, Geoff Cooper, Mike Greenwald,\n   Liza Martin, David Reed, Craig Milo Rogers (of USC-ISI), Kathy\n   Yellick, and the author.  The acknowledgement and retransmission\n   scheme was inspired by TCP, and the erro
7       2        0x0400000000004001  1367411052.091646  0.002685  0.009856      3        eth:ipv4:udp             00:0b:be:18:9a:40  00:50:8d:d7:8b:43  0x0800   192.168.0.253  07       Private network  50618    192.168.0.10   07       Private network  3445     17                        0x2001    ACK         ....
8       2        0x0400000000004000  1367411052.091675  0.002680  0.014432      3        eth:ipv4:udp             00:50:8d:d7:8b:43  00:0b:be:18:9a:40  0x0800   192.168.0.10   07       Private network  3445     192.168.0.253  07       Private network  50618    17                        0x2001    DTA         ....r mechanism was suggested by\n   PARC's EFTP abort message.\n\n   The May, 1992 revision to fix the "Sorcerer's Apprentice" protocol\n   bug [4] and other minor document problems was done by Noel Chiappa.\n\n   This research was supported by the Advanced Research Projects Agency\n   of the Department of Defense and was monitored by the Office of Naval\n   Research under contract number N00014-75-C-0661.\n\n1. Purpose\n\n   TFTP is a simple protocol to transfer files, and therefore was named\n   the Trivial File Transfer
9       2        0x0400000000004001  1367411052.094383  0.002737  0.012593      3        eth:ipv4:udp             00:0b:be:18:9a:40  00:50:8d:d7:8b:43  0x0800   192.168.0.253  07       Private network  50618    192.168.0.10   07       Private network  3445     17                        0x2001    ACK         ....
10      2        0x0400000000004000  1367411052.094416  0.002741  0.017173      3        eth:ipv4:udp             00:50:8d:d7:8b:43  00:0b:be:18:9a:40  0x0800   192.168.0.10   07       Private network  3445     192.168.0.253  07       Private network  50618    17                        0x2001    DTA         .... Protocol or TFTP.  It has been implemented\n   on top of the Internet User Datagram protocol (UDP or Datagram) [2]\n\n\n\nSollins                                                         [Page 1]\n.\nRFC 1350                    TFTP Revision 2                    July 1992\n\n\n   so it may be used to move files between machines on different\n   networks implementing UDP.  (This should not exclude the possibility\n   of implementing TFTP on top of other datagram protocols.)  It is\n   designed to be small and easy to imp
11      2        0x0400000000004001  1367411052.096993  0.002610  0.015203      3        eth:ipv4:udp             00:0b:be:18:9a:40  00:50:8d:d7:8b:43  0x0800   192.168.0.253  07       Private network  50618    192.168.0.10   07       Private network  3445     17                        0x2001    ACK         ....
12      2        0x0400000000004000  1367411052.097021  0.002605  0.019778      3        eth:ipv4:udp             00:50:8d:d7:8b:43  00:0b:be:18:9a:40  0x0800   192.168.0.10   07       Private network  3445     192.168.0.253  07       Private network  50618    17                        0x2001    DTA         ....lement.  Therefore, it lacks most\n   of the features of a regular FTP.  The only thing it can do is read\n   and write files (or mail) from/to a remote server.  It cannot list\n   directories, and currently has no provisions for user authentication.\n   In common with other Internet protocols, it passes 8 bit bytes of\n   data.\n\n   Three modes of transfer are currently supported: netascii (This is\n   ascii as defined in "USA Standard Code for Information Interchange"\n   [1] with the modifications specified in "
13      2        0x0400000000004001  1367411052.099703  0.002710  0.017913      3        eth:ipv4:udp             00:0b:be:18:9a:40  00:50:8d:d7:8b:43  0x0800   192.168.0.253  07       Private network  50618    192.168.0.10   07       Private network  3445     17                        0x2001    ACK         ....
...

Now let’s see what is in the downloaded file.

Data Carving with tftpDecode

In order to enable the data carving mode, set TFTP_SAVE=1, recompile and rerun t2 on the pcap.

$ t2conf tftpDecode -D TFTP_SAVE=1 && t2build tftpDecode
...
$ t2 -r ~/test_data/data/tftp/tftp_rrq.pcap -w ~/results/
...
--------------------------------------------------------------------------------
tftpDecode: Aggregated tftpStat=0x2001
tftpDecode: Number of TFTP packets: 99 [100.00%]
tftpDecode: Number of files extracted: 1
--------------------------------------------------------------------------------
...
$

Now the end report states that one file was extracted. By default the extracted content resides under the /tmp/ folder, with the same naming convention as ftpDecode: the flow index and the flow direction are appended to the file name. So move to TFTP_F_PATH and look into the file.

$ cd /tmp/TFTPFILES/
$ ls
rfc1350.txt_1_A
$ head -17 rfc1350.txt_1_A


Network Working Group                                         K. Sollins
Request For Comments: 1350                                           MIT
STD: 33                                                        July 1992
Obsoletes: RFC 783


                     THE TFTP PROTOCOL (REVISION 2)

Status of this Memo

   This RFC specifies an IAB standards track protocol for the Internet
   community, and requests discussion and suggestions for improvements.
   Please refer to the current edition of the "IAB Official Protocol
   Standards" for the standardization state and status of this protocol.
   Distribution of this memo is unlimited.
$

Hmm, an RFC of the TFTP protocol. Try it on your own TFTP traffic; maybe you will find something more exciting.
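As an added example that is not part of this tutorial or of the tftpDecode plugin, the following Python decodes the packet types seen in the l7Content column above (RRQ, DTA, ACK, plus ERROR) and reassembles the DATA blocks into the file the way TFTP_SAVE=1 does, linking the request flow to the passive flow that the server answers from a new port. The packet tuples are constructed to mirror the pcap (ports 50618, 69 and 3445); the names parse_tftp, carve_rrq and SAMPLE are my own.

```python
import struct
# TFTP opcodes and default block size (RFC 1350); tftpDecode prints DATA as "DTA".
RRQ, WRQ, DATA, ACK, ERROR = 1, 2, 3, 4, 5
OPNAME = {RRQ: "RRQ", WRQ: "WRQ", DATA: "DTA", ACK: "ACK", ERROR: "ERR"}
BLKSIZE = 512  # a DATA block shorter than this ends the transfer

def parse_tftp(payload: bytes) -> dict:
    """Decode one TFTP UDP payload, e.g. the l7Content '..rfc1350.txt.octet.' above."""
    if len(payload) < 4:
        raise ValueError("TFTP packet shorter than 4 bytes")
    op, arg = struct.unpack("!HH", payload[:4])
    if op in (RRQ, WRQ):                 # opcode | filename | 0 | mode | 0
        fields = payload[2:].split(b"\0")
        if len(fields) < 3:
            raise ValueError("truncated request")
        return {"op": OPNAME[op], "file": fields[0].decode(), "mode": fields[1].decode().lower()}
    if op == DATA:                       # opcode | block# | up to 512 data bytes
        return {"op": "DTA", "block": arg, "data": payload[4:]}
    if op == ACK:                        # opcode | block#
        return {"op": "ACK", "block": arg}
    if op == ERROR:                      # opcode | errcode | message | 0
        return {"op": "ERR", "code": arg, "msg": payload[4:].split(b"\0")[0].decode()}
    raise ValueError(f"unknown opcode {op}")

def carve_rrq(packets):
    """Reassemble a read transfer from (src_port, dst_port, payload) tuples, as TFTP_SAVE=1 does."""
    name, client, server_tid, blocks, last = None, None, None, {}, None
    for sport, dport, payload in packets:
        p = parse_tftp(payload)
        if p["op"] == "RRQ" and dport == 69:          # request flow (flow 1 above)
            name, client = p["file"], sport
        elif p["op"] == "DTA" and dport == client:
            server_tid = server_tid or sport          # passive flow answers from a new port (tftpPFlow)
            if sport != server_tid:
                continue                              # data from another TID does not belong here
            blocks.setdefault(p["block"], p["data"])  # keep the first copy of a retransmitted block
            if len(p["data"]) < BLKSIZE:
                last = p["block"]                     # short block terminates the transfer
    complete = last is not None and all(b in blocks for b in range(1, last + 1))
    data = b"".join(blocks[b] for b in range(1, last + 1)) if complete else b""
    return name, server_tid, data, complete
# Constructed sample mirroring the pcap: RRQ from port 50618 to 69, data back from port 3445.
SAMPLE = [
    (50618, 69, b"\x00\x01rfc1350.txt\x00octet\x00"),
    (3445, 50618, b"\x00\x03\x00\x01" + b"A" * 512),
    (50618, 3445, b"\x00\x04\x00\x01"),               # every block is acknowledged separately
    (3445, 50618, b"\x00\x03\x00\x02" + b"B" * 512),
    (3445, 50618, b"\x00\x03\x00\x02" + b"B" * 512),  # retransmission of block 2
    (3445, 50618, b"\x00\x03\x00\x03" + b"end\n"),     # short block: the last one
]
```

A transfer that has not yet seen a short block is reported as incomplete and yields no data, which is how a partially captured download shows up.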

Don’t forget to reset the plugin configuration for the next tutorial.

$ t2conf tftpDecode --reset && t2build tftpDecode
...
$

Have fun analyzing.