Tutorial: Trivial File Transport Protocol (TFTP)
TFTP is a simple file transfer protocol with a basic idle repeat request procedure to assure ERROR control. This tutorial discusses the features of the plugin tftpDecode including its data carving capability.
Preparation
Before we start we need to prepare T2. If you did not complete the tutorials before just follow the procedure described below.
First I recommend to set T2 into a pristine state by removing all unnecessary or older plugins from the default plugin folder ~/.tranalyzer/plugins. Just as a precaution if you have some old plugins or files there. If you like to keep them, please copy them away.
$ t2build -e
Are you sure you want to empty the plugin folder '/home/wurst/.tranalyzer/plugins' (y/N)? y
Plugin folder emptied
$Then compile the following plugins
$ t2build tranalyzer2 basicFlow tcpStates tftpDecode txtSink
...
BUILD SUCCESSFUL
$If you did not create a separate data and results directory yet, please do it now in another cmd window, it facilitates your workflow:
$ mkdir ~/data ~/results
$Download the sample pcap here: tftp_rrq.pcap. Now you’re all set.
tftpDecode
Let’s look at the plugin configuration first. As in all data carving capable plugins the user can enable TFTP_SAVE to save and choose the extracted content under TFTP_F_PATH. The other constants control the output of the TFTP commands and the length of file names in the flow file.
$ tftpDecode
$ vi src/tftpDecode.h...
/* ========================================================================== */
/* ------------------------ USER CONFIGURATION FLAGS ------------------------ */
/* ========================================================================== */
#define TFTP_SAVE 0 // save content to TFTP_F_PATH
#define TFTP_RMDIR 1 // empty TFTP_F_PATH before starting (require TFTP_SAVE=1)
#define TFTP_CMD_AGGR 1 // Aggregate TFTP commands/errors
#define TFTP_BITFIELD 0 // Bitfield coding of TFTP commands/errors
#define TFTP_MXNMLN 15 // maximal name length
#define TFTP_MAXCNM 4 // maximal length of command field
#define TFTP_F_PATH "/tmp/TFTPFILES/" // Path for extracted content
/* ========================================================================== */
/* ------------------------- DO NOT EDIT BELOW HERE ------------------------- */
/* ========================================================================== */
...For the first test we leave everything as default and run t2 on the supplied pcap.
$ t2 -r ~/test_data/data/tftp_rrq.pcap -w ~/results/ -s================================================================================
Tranalyzer 0.8.14 (Anteater), Tarantula. PID: 4820
================================================================================
[INF] Creating flows for L2, IPv4, IPv6
Active plugins:
01: basicFlow, 0.8.14
02: tcpStates, 0.8.14
03: tftpDecode, 0.8.14
04: txtSink, 0.8.14
[INF] IPv4 Ver: 5, Rev: 16122020, Range Mode: 0, subnet ranges loaded: 406105 (406.11 K)
[INF] IPv6 Ver: 5, Rev: 17122020, Range Mode: 0, subnet ranges loaded: 51345 (51.34 K)
Processing file: /home/wurst/data/tftp_rrq.pcap
Link layer type: Ethernet [EN10MB/1]
Dump start: 1367411051.972852 sec (Wed 01 May 2013 12:24:11 GMT)
Dump stop : 1367411052.258801 sec (Wed 01 May 2013 12:24:12 GMT)
Total dump duration: 0.285949 sec
Finished processing. Elapsed time: 0.001216 sec
Finished unloading flow memory. Time: 0.001253 sec
Percentage completed: 100.00%
Number of processed packets: 99
Number of processed bytes: 29855 (29.86 K)
Number of raw bytes: 29855 (29.86 K)
Number of pad bytes: 686
Number of pcap bytes: 31463 (31.46 K)
Number of IPv4 packets: 99 [100.00%]
Number of A packets: 50 [50.51%]
Number of B packets: 49 [49.49%]
Number of A bytes: 26915 (26.91 K) [90.15%]
Number of B bytes: 2940 (2.94 K) [9.85%]
Average A packet load: 538.30
Average B packet load: 60.00
--------------------------------------------------------------------------------
tftpDecode: Aggregated tftpStat=0x2001
tftpDecode: Number of TFTP packets: 99 [100.00%]
--------------------------------------------------------------------------------
Headers count: min: 3, max: 3, average: 3.00
Number of UDP packets: 99 [100.00%]
Number of UDP bytes: 29855 (29.86 K) [100.00%]
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Number of processed flows: 3
Number of processed A flows: 2 [66.67%]
Number of processed B flows: 1 [33.33%]
Number of request flows: 2 [66.67%]
Number of reply flows: 1 [33.33%]
Total A/B flow asymmetry: 0.33
Total req/rply flow asymmetry: 0.33
Number of processed packets/flows: 33.00
Number of processed A packets/flows: 25.00
Number of processed B packets/flows: 49.00
Number of processed total packets/s: 346.22
Number of processed A+B packets/s: 346.22
Number of processed A packets/s: 174.86
Number of processed B packets/s: 171.36
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Number of average processed flows/s: 10.49
Average full raw bandwidth: 835254 b/s (835.25 Kb/s)
Average full bandwidth : 816062 b/s (816.06 Kb/s)
Max number of flows in memory: 3 [0.00%]
Memory usage: 0.01 GB [0.02%]
Aggregated flowStat=0x0400000000004000
[INF] IPv4 flows
$We have three flows, all TFTP. The aggregated tftpStat states that there is and additional passive TFTP flow.
$ tawk -V tftpStat=0x2001The tftpStat column with value 0x2001 is to be interpreted as follows:
bit | tftpStat | Description
=============================================================================
0 | 0x0001 | TFTP flow found
13 | 0x2000 | TFTP passiveLooking at the flow file, the column tftpPFlow links the dependent flow, so flow 1 is linked with its passive flow 2 and vice versa. A similar feature like the plugin ftpDecode. It helps finding dependent flows. You see the list of commands and the downloaded file name: rfc1350.txt as octet.
$ cd ~/results
$ tcol tftp_rrq_flows.txt
%dir flowInd flowStat timeFirst timeLast duration numHdrDesc numHdrs hdrDesc srcMac dstMac ethType ethVlanID srcIP srcIPCC srcIPOrg srcPort dstIP dstIPCC dstIPOrg dstPort l4Proto tcpStatesAFlags tftpStat tftpPFlow tftpNumOpcode tftpOpcode tftpNumParam tftpParam tftpNumErr tftpErrC
A 1 0x0400000000004000 1367411051.972852 1367411051.972852 0.000000 1 3 eth:ipv4:udp 00:0b:be:18:9a:40 00:50:8d:d7:8b:43 0x0800 192.168.0.253 07 "Private network" 50618 192.168.0.10 07 "Private network" 69 17 0x00 0x2001 2 1 RRQ 2 "rfc1350.txt";"octet" 0
A 2 0x0400000000004000 1367411052.077243 1367411052.256145 0.178902 1 3 eth:ipv4:udp 00:50:8d:d7:8b:43 00:0b:be:18:9a:40 0x0800 192.168.0.10 07 "Private network" 3445 192.168.0.253 07 "Private network" 50618 17 0x00 0x2001 1 1 DTA 0 0
B 2 0x0400000000004001 1367411052.081790 1367411052.258801 0.177011 1 3 eth:ipv4:udp 00:0b:be:18:9a:40 00:50:8d:d7:8b:43 0x0800 192.168.0.253 07 "Private network" 50618 192.168.0.10 07 "Private network" 3445 17 0x00 0x2001 1 1 ACK 0 0The packet file shows the tftpStat and the commands including the whole l7Content. You realize the nature of TFTPs idle repeat request protocol, every packet is answered with an ACK. If you load the plugin basicStats you will notice this behaviour in the flow statistics. I leave that to the reader.
$ tcol tftp_rrq_packets.txt%pktNo flowInd flowStat time pktIAT pktTrip flowDuration numHdrs hdrDesc ethVlanID srcMac dstMac ethType srcIP srcIPCC srcIPOrg srcPort dstIP dstIPCC dstIPOrg dstPort l4Proto tcpStatesAFlags tftpStat tftpOpcode l7Content
1 1 0x0400000000004000 1367411051.972852 0.000000 0.000000 0.000000 3 eth:ipv4:udp 00:0b:be:18:9a:40 00:50:8d:d7:8b:43 0x0800 192.168.0.253 07 Private network 50618 192.168.0.10 07 Private network 69 17 0x1001 RRQ ..rfc1350.txt.octet.
2 2 0x0400000000004000 1367411052.077243 0.000000 0.000000 0.000000 3 eth:ipv4:udp 00:50:8d:d7:8b:43 00:0b:be:18:9a:40 0x0800 192.168.0.10 07 Private network 3445 192.168.0.253 07 Private network 50618 17 0x2001 DTA ....\n\n\n\n\n\nNetwork Working Group K. Sollins\nRequest For Comments: 1350 MIT\nSTD: 33 July 1992\nObsoletes: RFC 783\n\n\n THE TFTP PROTOCOL (REVISION 2)\n\nStatus of this Memo\n\n This RFC specifies an IAB standards track protocol for the Internet\n community, and requests discussion and suggestions for improvements.\n Please refer to the current edition of the "IA
3 2 0x0400000000004001 1367411052.081790 0.000000 0.004547 0.000000 3 eth:ipv4:udp 00:0b:be:18:9a:40 00:50:8d:d7:8b:43 0x0800 192.168.0.253 07 Private network 50618 192.168.0.10 07 Private network 3445 17 0x2001 ACK ....
4 2 0x0400000000004000 1367411052.086300 0.009057 0.004510 0.009057 3 eth:ipv4:udp 00:50:8d:d7:8b:43 00:0b:be:18:9a:40 0x0800 192.168.0.10 07 Private network 3445 192.168.0.253 07 Private network 50618 17 0x2001 DTA ....B Official Protocol\n Standards" for the standardization state and status of this protocol.\n Distribution of this memo is unlimited.\n\nSummary\n\n TFTP is a very simple protocol used to transfer files. It is from\n this that its name comes, Trivial File Transfer Protocol or TFTP.\n Each nonterminal packet is acknowledged separately. This document\n describes the protocol and its types of packets. The document also\n explains the reasons behind some of the design decisions.\n\nAcknowlegements\n\n The
5 2 0x0400000000004001 1367411052.088961 0.007171 0.002661 0.007171 3 eth:ipv4:udp 00:0b:be:18:9a:40 00:50:8d:d7:8b:43 0x0800 192.168.0.253 07 Private network 50618 192.168.0.10 07 Private network 3445 17 0x2001 ACK ....
6 2 0x0400000000004000 1367411052.088995 0.002695 0.000034 0.011752 3 eth:ipv4:udp 00:50:8d:d7:8b:43 00:0b:be:18:9a:40 0x0800 192.168.0.10 07 Private network 3445 192.168.0.253 07 Private network 50618 17 0x2001 DTA ....protocol was originally designed by Noel Chiappa, and was\n redesigned by him, Bob Baldwin and Dave Clark, with comments from\n Steve Szymanski. The current revision of the document includes\n modifications stemming from discussions with and suggestions from\n Larry Allen, Noel Chiappa, Dave Clark, Geoff Cooper, Mike Greenwald,\n Liza Martin, David Reed, Craig Milo Rogers (of USC-ISI), Kathy\n Yellick, and the author. The acknowledgement and retransmission\n scheme was inspired by TCP, and the erro
7 2 0x0400000000004001 1367411052.091646 0.002685 0.002651 0.009856 3 eth:ipv4:udp 00:0b:be:18:9a:40 00:50:8d:d7:8b:43 0x0800 192.168.0.253 07 Private network 50618 192.168.0.10 07 Private network 3445 17 0x2001 ACK ....
8 2 0x0400000000004000 1367411052.091675 0.002680 0.000029 0.014432 3 eth:ipv4:udp 00:50:8d:d7:8b:43 00:0b:be:18:9a:40 0x0800 192.168.0.10 07 Private network 3445 192.168.0.253 07 Private network 50618 17 0x2001 DTA ....r mechanism was suggested by\n PARC's EFTP abort message.\n\n The May, 1992 revision to fix the "Sorcerer's Apprentice" protocol\n bug [4] and other minor document problems was done by Noel Chiappa.\n\n This research was supported by the Advanced Research Projects Agency\n of the Department of Defense and was monitored by the Office of Naval\n Research under contract number N00014-75-C-0661.\n\n1. Purpose\n\n TFTP is a simple protocol to transfer files, and therefore was named\n the Trivial File Transfer
9 2 0x0400000000004001 1367411052.094383 0.002737 0.002708 0.012593 3 eth:ipv4:udp 00:0b:be:18:9a:40 00:50:8d:d7:8b:43 0x0800 192.168.0.253 07 Private network 50618 192.168.0.10 07 Private network 3445 17 0x2001 ACK ....
10 2 0x0400000000004000 1367411052.094416 0.002741 0.000033 0.017173 3 eth:ipv4:udp 00:50:8d:d7:8b:43 00:0b:be:18:9a:40 0x0800 192.168.0.10 07 Private network 3445 192.168.0.253 07 Private network 50618 17 0x2001 DTA .... Protocol or TFTP. It has been implemented\n on top of the Internet User Datagram protocol (UDP or Datagram) [2]\n\n\n\nSollins [Page 1]\n.\nRFC 1350 TFTP Revision 2 July 1992\n\n\n so it may be used to move files between machines on different\n networks implementing UDP. (This should not exclude the possibility\n of implementing TFTP on top of other datagram protocols.) It is\n designed to be small and easy to imp
11 2 0x0400000000004001 1367411052.096993 0.002610 0.002577 0.015203 3 eth:ipv4:udp 00:0b:be:18:9a:40 00:50:8d:d7:8b:43 0x0800 192.168.0.253 07 Private network 50618 192.168.0.10 07 Private network 3445 17 0x2001 ACK ....
12 2 0x0400000000004000 1367411052.097021 0.002605 0.000028 0.019778 3 eth:ipv4:udp 00:50:8d:d7:8b:43 00:0b:be:18:9a:40 0x0800 192.168.0.10 07 Private network 3445 192.168.0.253 07 Private network 50618 17 0x2001 DTA ....lement. Therefore, it lacks most\n of the features of a regular FTP. The only thing it can do is read\n and write files (or mail) from/to a remote server. It cannot list\n directories, and currently has no provisions for user authentication.\n In common with other Internet protocols, it passes 8 bit bytes of\n data.\n\n Three modes of transfer are currently supported: netascii (This is\n ascii as defined in "USA Standard Code for Information Interchange"\n [1] with the modifications specified in "
13 2 0x0400000000004001 1367411052.099703 0.002710 0.002682 0.017913 3 eth:ipv4:udp 00:0b:be:18:9a:40 00:50:8d:d7:8b:43 0x0800 192.168.0.253 07 Private network 50618 192.168.0.10 07 Private network 3445 17 0x2001 ACK ....
...Now let’s see what is in the downloaded file.
Data Carving with tftpDecode
In order to enable the Data Carving mode set TFTP_SAVE=1 recompile and rerun the pcap.
$ t2conf tftpDecode -D TFTP_SAVE=1 && t2build tftpDecode
...
$ t2 -r ~/test_data/data/tftp/tftp_rrq.pcap -w ~/results/
...
--------------------------------------------------------------------------------
tftpDecode: Aggregated tftpStat=0x2001
tftpDecode: Number of TFTP packets: 99 [100.00%]
tftpDecode: Number of files extracted: 1
--------------------------------------------------------------------------------
...
$Now the end report states that there is one file extracted. By default the extracted content resides under the /tmp/ folder with the same naming convention as ftpDecode, the findex and the flow direction added. So move to TFTP_F_PATH and look into the file.
$ cd /tmp/TFTPFILES/
$ ls
irfc1350.txt_1_A
$ head -n 21 rfc1350.txt_1_A
Network Working Group K. Sollins
Request For Comments: 1350 MIT
STD: 33 July 1992
Obsoletes: RFC 783
THE TFTP PROTOCOL (REVISION 2)
Status of this Memo
This RFC specifies an IAB standards track protocol for the Internet
community, and requests discussion and suggestions for improvements.
Please refer to the current edition of the "IAB Official Protocol
Standards" for the standardization state and status of this protocol.
Distribution of this memo is unlimited.
$A RFC of the TFTP protocol. Try your own TFTP traffic. Maybe you find something more exciting.
Don’t forget to reset the plugin configuration for the next tutorial.
$ t2conf tftpDecode --reset && t2build tftpDecode
...
$Have fun analyzing.