Ask Your Question
0

TFTP traffic not showing up in wireshark using tftp filter

asked 2024-01-10 20:17:51 +0000

kenn0 gravatar image

I have a single pcap file. If I load it in Wireshark version 3.0.5 and search for tftp traffic I get the initial read request and subsequent blocks. If I do the same thing in Wireshark version 4.2.0 I only get the initial read request. The subsequent tftp blocks show up as UDP traffic and not tftp.

As tftp uses port 69 and then subsequently changes to other dynamic ports for block transmission, I'm wondering if Wireshark 4.2.0 is only tracking port 69 and therefore looses the traffic when the port changes. Is this a bug in 4.2.0 or am I missing something? Thanks!

edit retag flag offensive close merge delete

Comments

There is a sample capture on the Wireshark Wiki:

tftp_rrq.pcap (libpcap) A TFTP Read Request.

Works ok for me in 4.2.0 (Version 4.2.0 (v4.2.0-0-g54eedfc63953)). What do you see?

Chuckc gravatar imageChuckc ( 2024-01-10 21:07:49 +0000 )edit

The tftp_rrq.pcap does work in my 4.2.0 version. Apparently there is an issue with my pcap that is preventing the blocks from showing up as tftp.

kenn0 gravatar imagekenn0 ( 2024-01-10 21:16:38 +0000 )edit

If you like, share a capture file (The Wireshark Q&A trace file sharing tutorial) and update the question with a link to it.

Chuckc gravatar imageChuckc ( 2024-01-10 21:21:45 +0000 )edit

Comparing the tftp packets in my pcap to the packet on the wiki I do notice that my pcap has the tftp types as netascii and the wiki types as octet. Maybe these different types are causing my issue.

kenn0 gravatar imagekenn0 ( 2024-01-10 21:22:01 +0000 )edit
add a comment

1 Answer

Sort by ยป oldest newest most voted
0

answered 2024-01-10 22:14:21 +0000

Chuckc gravatar image

This looks like a bug in the tftp dissector (epan/dissectors/packet-tftp.c):

  const gchar* modes[] = {"netscii", "octet", "mail"};
  for(guint i = 0; i < array_length(modes); ++i) {
    if (g_ascii_strcasecmp(mode, modes[i]) == 0) return TRUE;
  }


Will you (please) open an issue for this on Wireshark Gitlab Issues?

netscii should probably be netascii

edit flag offensive delete link more

Comments

Issue submitted. Thank you Chuckc for your help!

kenn0 gravatar imagekenn0 ( 2024-01-11 16:17:52 +0000 )edit

19589: tftp dissector bug type listed as netscii instead of netascii doesn't show all tftp packets including tftp blocks

Chuckc gravatar imageChuckc ( 2024-01-11 17:56:48 +0000 )edit
add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

subscribe to rss feed

Stats

Asked: 2024-01-10 20:17:51 +0000

Seen: 376 times

Last updated: Jan 10

Related questions

"No interfaces found" on Windows 10 laptop

Capture file appears to be damaged or corrupt

gtp.sai_sac field size limitation

What are possible reasons the source and destination showing as N/A in this PPP traffic?

Wireshark incorrectly interpreting the format of MQTT PUBLISH payload data

Command - Completion Event Association Bug in bthci dissectors

How can I visualize TFTP retransmits and/or duplicate ACKS?

Different statistic results of tshark and wireshark for the same pcap file

"Apply as Filter"/"Prepare as Filter" grayed out when selecting second time

TFTP packet size and MTU