*Description*

TFTPgrab is a TFTP (Trivial File Transfer Protocol) stream extractor. It is a simple utility that reads a tcpdump capture file and attempts to re-construct files that have been transferred via TFTP.

*Packet Handling*

TFTP is a UDP based file transfer protocol (RFCs: 1350, 2347, 2348, 2349) that utilizes lock-step data and acknowledgement exchanges. TFTPgrab reconstructs the files by looking for client read or write requests and tracking the corresponding data and acknowledgement packets. Client requests are made to a well-known server port (typically 69). The server responds from a (usually) randomly chosen port. These two ports are used for the remainder of the transfer.

Checksum verification of IP and UDP is implemented. To check packets for bad checksums while processing a file, use the '-B' command line option.

Basic IP fragment re-assembly is also implemented. The algorithm is simplistic, so excessive resource usage, evasion or inaccurate re-assembly are possible.

A BPF filtering expression can be specified following any other command line options. The expression 'udp' is automatically included.

*Output*

Re-constructed files are written to the current directory using the format,

    src_ip.src_port-dst_ip.dst_port-filename

For example,

    192.168.000.001.32768-192.168.001.100.00069-vmlinuz
    206.229.221.082.01754-172.016.114.050.01364-_etc_passwd

Non-alphanumeric characters in the filename are replaced with '_'. The filename can be excluded by using the '-E' command line option.

Instead of writing to the local directory, the file contents can be written to the console by using the '-c' command line option.

*Usage*

    tftpgrab [OPTION]... [-r FILE] [EXPRESSION]

Reconstruct TFTP file contents from PCAP capture file. With no FILE, or when FILE is -, read standard input.

    -r      PCAP file to read
    -f      overwrite existing files
    -c      print TFTP file contents to console
    -E      exclude TFTP filename when reconstructing
    -v      print verbose TFTP exchanges (repeat up to three times)
    -X      dump TFTP packet contents
    -B      check packets for bad checksums
    -d      specify debugging level

*COPYING*

Distributed under a BSD license. See the LICENSE file for details.
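
The request tracking described under Packet Handling and the naming scheme under Output, shown as an added Python example that is not TFTPgrab's own code. It assumes the UDP payloads have already been extracted from the capture, the default 512-byte block size, and that the output name is built from the request packet's addresses; `reconstruct`, `out_name` and `sample` are hypothetical names.

```python
import re
import struct

RRQ, WRQ, DATA = 1, 2, 3
BLOCK = 512  # RFC 1350 default; blksize negotiation (RFC 2348) is not handled here

def out_name(src, dst, filename):
    """Build src_ip.src_port-dst_ip.dst_port-filename with zero-padded fields."""
    def ep(ip, port):
        return ".".join(f"{int(o):03d}" for o in ip.split(".")) + f".{port:05d}"
    return f"{ep(*src)}-{ep(*dst)}-" + re.sub(r"[^A-Za-z0-9]", "_", filename)

def reconstruct(datagrams):
    """datagrams: iterable of (src, dst, payload); src and dst are (ip, port) tuples."""
    pending, done = {}, {}
    for src, dst, payload in datagrams:
        if len(payload) < 4:
            continue
        (op,) = struct.unpack("!H", payload[:2])
        if op in (RRQ, WRQ):
            filename = payload[2:].split(b"\0")[0].decode("ascii", "replace")
            # Key on client endpoint and server IP: the server's reply port is not known yet.
            pending[(src, dst[0], op)] = {"name": out_name(src, dst, filename), "next": 1, "buf": bytearray()}
        elif op == DATA:
            # RRQ data flows server -> client, WRQ data flows client -> server.
            key = (dst, src[0], RRQ) if (dst, src[0], RRQ) in pending else (src, dst[0], WRQ)
            xfer = pending.get(key)
            block = struct.unpack("!H", payload[2:4])[0]
            peer = src if key[2] == RRQ else dst  # server endpoint, pinned on first accepted block
            if xfer is None or block != xfer["next"] or xfer.setdefault("peer", peer) != peer:
                continue  # unknown transfer, retransmission, out-of-order block, or wrong port
            xfer["buf"] += payload[4:]
            xfer["next"] = (block + 1) & 0xFFFF
            if len(payload) - 4 < BLOCK:  # a short (or empty) block ends the transfer
                done[xfer["name"]] = bytes(pending.pop(key)["buf"])
    return done

def sample():
    """Constructed datagrams: one RRQ for /etc/passwd answered in two DATA blocks."""
    c, s69, s = ("192.168.0.1", 32768), ("192.168.1.100", 69), ("192.168.1.100", 40001)
    return [
        (c, s69, b"\0\x01/etc/passwd\0octet\0"),
        (s, c, b"\0\x03\0\x01" + b"A" * 512),
        (s, c, b"\0\x03\0\x01" + b"A" * 512),  # retransmitted block, ignored
        (s, c, b"\0\x03\0\x02" + b"root:x:0:0\n"),
    ]
```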