
TFTP traffic not showing up in wireshark using tftp filter

I have a single pcap file. If I load it in Wireshark version 3.0.5 and search for tftp traffic I get the initial read request and subsequent blocks. If I do the same thing in Wireshark version 4.2.0 I only get the initial read request. The subsequent tftp blocks show up as UDP traffic and not tftp.

As tftp uses port 69 and then subsequently changes to other dynamic ports for block transmission, I'm wondering if Wireshark 4.2.0 is only tracking port 69 and therefore loses the traffic when the port changes. Is this a bug in 4.2.0 or am I missing something? Thanks!

kenn0
asked 2024-01-10 20:17:51 +0000

Comments

There is a sample capture on the Wireshark Wiki:

tftp_rrq.pcap (libpcap) A TFTP Read Request.

Works ok for me in 4.2.0 (Version 4.2.0 (v4.2.0-0-g54eedfc63953)). What do you see?

Chuckc (2024-01-10 21:07:49 +0000)

The tftp_rrq.pcap does work in my 4.2.0 version. Apparently there is an issue with my pcap that is preventing the blocks from showing up as tftp.

kenn0 (2024-01-10 21:16:38 +0000)

If you like, share a capture file (The Wireshark Q&A trace file sharing tutorial) and update the question with a link to it.

Chuckc (2024-01-10 21:21:45 +0000)

Comparing the tftp packets in my pcap to the packet on the wiki I do notice that my pcap has the tftp types as netascii and the wiki types as octet. Maybe these different types are causing my issue.

kenn0 (2024-01-10 21:22:01 +0000)

1 Answer

0

This looks like a bug in the tftp dissector (epan/dissectors/packet-tftp.c):

  const gchar* modes[] = {"netscii", "octet", "mail"};
  for(guint i = 0; i < array_length(modes); ++i) {
    if (g_ascii_strcasecmp(mode, modes[i]) == 0) return TRUE;
  }


Will you (please) open an issue for this on Wireshark Gitlab Issues?

netscii should probably be netascii

Chuckc
answered 2024-01-10 22:14:21 +0000
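To make the effect of that one-character typo concrete, here is an added example (my own code, not Wireshark's dissector) that parses a TFTP read request (2-byte opcode, NUL-terminated filename, NUL-terminated mode) and then validates the mode field with a case-insensitive loop like the one quoted above, once against the list containing "netscii" and once against the list spelled as RFC 1350 defines it. The packet bytes, the filename config.txt and all function names are constructed for this example; the assumption it illustrates is that a request whose mode fails the check is not recognised as a valid TFTP request, which is consistent with the netascii symptom described in the question.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <stddef.h>

#define TFTP_OP_RRQ 1
#define TFTP_OP_WRQ 2

struct tftp_request {
    unsigned opcode;
    const char *filename;  /* points into the packet buffer */
    const char *mode;      /* points into the packet buffer */
};

/* Mode list as quoted from the 4.2.0 dissector in the answer (with the typo). */
static const char *const buggy_modes[] = {"netscii", "octet", "mail"};
/* Mode list with the spelling RFC 1350 actually defines. */
static const char *const fixed_modes[] = {"netascii", "octet", "mail"};
#define NUM_MODES 3

/* Case-insensitive ASCII compare; stands in for g_ascii_strcasecmp(). */
static int ascii_strcasecmp(const char *a, const char *b) {
    while (*a && *b) {
        int ca = tolower((unsigned char)*a), cb = tolower((unsigned char)*b);
        if (ca != cb) return ca - cb;
        a++; b++;
    }
    return tolower((unsigned char)*a) - tolower((unsigned char)*b);
}

/* Same shape as the loop in the answer: accept the mode if it matches any list entry. */
static int mode_is_valid(const char *mode, const char *const modes[], size_t n) {
    for (size_t i = 0; i < n; i++)
        if (ascii_strcasecmp(mode, modes[i]) == 0) return 1;
    return 0;
}

/* Parse a RRQ/WRQ. Returns 1 on success, 0 if the packet is too short,
 * has an unexpected opcode, or either string is not NUL-terminated inside it. */
int tftp_parse_request(const unsigned char *buf, size_t len, struct tftp_request *out) {
    if (len < 4) return 0;
    unsigned opcode = ((unsigned)buf[0] << 8) | buf[1];
    if (opcode != TFTP_OP_RRQ && opcode != TFTP_OP_WRQ) return 0;
    const char *filename = (const char *)buf + 2;
    const unsigned char *nul = memchr(filename, 0, len - 2);
    if (!nul) return 0;                       /* filename runs off the packet */
    const char *mode = (const char *)nul + 1;
    size_t remaining = len - (size_t)(mode - (const char *)buf);
    if (remaining == 0 || !memchr(mode, 0, remaining)) return 0; /* mode unterminated */
    out->opcode = opcode;
    out->filename = filename;
    out->mode = mode;
    return 1;
}

/* Build a constructed RRQ packet into buf; returns its length, 0 if it does not fit. */
size_t build_rrq(unsigned char *buf, size_t cap, const char *filename, const char *mode) {
    size_t flen = strlen(filename), mlen = strlen(mode);
    size_t need = 2 + flen + 1 + mlen + 1;
    if (need > cap) return 0;
    buf[0] = 0;
    buf[1] = TFTP_OP_RRQ;
    memcpy(buf + 2, filename, flen + 1);             /* includes the NUL */
    memcpy(buf + 2 + flen + 1, mode, mlen + 1);      /* includes the NUL */
    return need;
}

/* 1 if a RRQ for config.txt with this mode passes the chosen mode list, else 0. */
int rrq_accepted(const char *mode, int use_fixed_list) {
    unsigned char pkt[128];
    struct tftp_request req;
    size_t len = build_rrq(pkt, sizeof pkt, "config.txt", mode);
    if (len == 0 || !tftp_parse_request(pkt, len, &req)) return 0;
    const char *const *modes = use_fixed_list ? fixed_modes : buggy_modes;
    return mode_is_valid(req.mode, modes, NUM_MODES);
}

int main(void) {
    const char *samples[] = {"netascii", "NetAscii", "octet", "bogus"};
    for (size_t i = 0; i < 4; i++)
        printf("mode %-9s buggy list: %d  fixed list: %d\n", samples[i],
               rrq_accepted(samples[i], 0), rrq_accepted(samples[i], 1));
    return 0;
}
```

With the typo'd list a netascii request is rejected while an octet request passes, which matches the observation in the comments that the wiki's octet-mode capture dissects fine but a netascii capture does not; the corrected list accepts both, and the case-insensitive compare means NetAscii is accepted as well.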

Comments

Issue submitted. Thank you Chuckc for your help!

kenn0 (2024-01-11 16:17:52 +0000)
