Extract files from TFTP

Hey,
I’m new to Zeek and Spicy. I just did the tutorial on TFTP and wondered how to extract the RFC file.
Could anyone help me and explain how it is done?
Thanks in advance and have a nice day everyone.

The example TFTP analyzer simply counts the blocks exchanged, but does not forward actual data into Zeek’s file analysis framework, which in turn could be instructed to save all files to disk by loading an optional policy:

@load policy/frameworks/files/extract-all-files

One way to pass the file data into Zeek would be to forward it from the Spicy parser. For each file one would open a new handle with zeek::file_begin, feed data with, e.g., zeek::file_data_in, and close the handle with zeek::file_end.
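An illustration of that approach, written here as an added example rather than code from the Spicy tutorial or the Zeek project: a minimal TFTP grammar whose DATA unit hands each block's payload to Zeek's file analysis framework. It assumes the current Zeek-side Spicy API where zeek::file_begin returns a file ID and the fid argument of zeek::file_data_in / zeek::file_end defaults to the most recently opened file on the connection, and it uses two TFTP properties from RFC 1350 to avoid keeping state across packets: block number 1 starts a transfer, and a block shorter than 512 bytes ends it. The Opcode enum and the &convert idiom follow the tutorial; everything else is constructed for this example.

```spicy
module TFTP;

import zeek;

type Opcode = enum { RRQ = 1, WRQ = 2, DATA = 3, ACK = 4, ERROR = 5 };

# Top-level unit; each UDP packet is parsed as one Packet instance.
public type Packet = unit {
    op: uint16 &convert=Opcode($$);
    switch ( self.op ) {
        Opcode::DATA -> data: Data;
        *            -> rest: bytes &eod;   # other opcodes are not needed for extraction
    };
};

# One DATA block: 2-byte block number followed by up to 512 bytes of payload.
type Data = unit {
    num: uint16;
    data: bytes &eod;

    on %done {
        # Block 1 is the first block of a transfer: open a new file handle.
        # (Assumption: fid-less calls below refer to this connection's current file.)
        if ( self.num == 1 )
            zeek::file_begin();

        # Forward this block's payload to the file analysis framework.
        zeek::file_data_in(self.data);

        # A block shorter than 512 bytes is the final one (RFC 1350), so close the file.
        if ( |self.data| < 512 )
            zeek::file_end();
    }
};
```

With this in place, loading policy/frameworks/files/extract-all-files writes the reassembled payload to disk and files.log records it. Two caveats: the file is associated with the UDP flow carrying the DATA blocks, which in TFTP is a different port pair than the request, so the filename from the RRQ/WRQ is not available in this unit without extra state; and for transfers in netascii mode the extracted bytes are the wire bytes, without undoing the CRLF translation the mode implies.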


Thank you for your answer! After a bit of work I figured it out with the provided function calls.

Hello,
In my opinion, you’ll need to analyze the TFTP protocol logs generated by Zeek. Look for the file transfers in the logs and extract the content from there.
I hope this will help you.