In this article, we will focus on how to troubleshoot the common Trivial File Transfer Protocol (TFTP) issues with Wireshark between server and client.
What is TFTP?
TFTP is a file transfer protocol that enables a client to upload a file to a server or download a file from the server. The protocol is simple and designed to be implemented in ROM for booting diskless systems like X terminals, diskless workstations, and routers. It was planned to be small and easy to implement. Therefore, it lacks most of the features of a regular FTP. The protocol is only capable of reading and writing files (or mail) from/to a remote server. It cannot list directories, and currently has no provisions for user authentication.
TFTP Packet Types
TFTP packets are transferred over User Datagram Protocol (UDP), which is an unreliable transport protocol. In other words, UDP provides no recovery for lost packets. To fix this problem, TFTP uses a mechanism like TCP ACK and provides reliability in application layer. Any transfer begins with a request to read or write a file and then the data packets are sent in fixed length, which is called a block. Each data packet contains only one block of data, and is acknowledged by an acknowledgment packet before the next packet can be sent.
TFTP supports 6 packet types:
Following steps show a typical file transfer and packet types used between the client and server.
Packet flow of File Transfer between TFTP Server and Client
Step-1: The client sends a read request for “startup-config” file and asks server to use block size of 128 bytes.
Step-2: The server replies with an Option ACK packet, which includes the block size accepted by the server and the size of the file to be transferred.
Step-3: After acknowledging the options, the server sends the first block (packet) of the data.
Step-4: The client acknowledges the first block of the data and the file transfer follows the same pattern (sending data and expecting an ack) until it is transferred completely.
Troubleshooting TFTP Errors
During a file transfer, errors may occur and RFC 1350 defines 8 error codes for identifying the problems. The codes and their brief explanations are below.
TFTP errors are caused by three types of events:
- Not being able to satisfy the request (e.g., file not found, access violation, or no such user).
- Receiving a packet which cannot be explained by a delay or duplication in the network (e.g., an incorrectly formed packet).
- Losing access to a necessary resource (e.g., disk full or access denied during a transfer).
TFTP issues can be categorized into 2 groups:
- Client or server related issues
- Network related issues
We will mainly focus on the first category. TFTP peers use Opcode 5 to inform each other when they come across an error. Each error packet has an error code and error message. Following figure shows a typical error packet format.
Understanding different TFTP Error Codes
We will produce the TFTP errors and analyze them with Wireshark.
Error Code 0 (Not defined, see error message (if any))
This is a general error code. When the client or server can’t identify the error, it replies with this error code and includes more details in the error message. Following screenshot shows the error.
To produce this error, I dropped TFTP packets on the firewall purposely. The client (192.168.1.50) requested for “test.txt” file and did not receive any response from the server. Since the packet filtering on the network was the cause of the problem, the client could not categorize the error and sent this general error. Even though there is no error code in the RFC to define this problem, the client puts some reasonable information in the “Error message”, which is “timeout on receive” in this case. Unfortunately, not all TFTP clients send this error, which makes it hard to resolve the problems.
Error Code 1 (File not found)
The client receives this error code when the requested file does not exist. As seen below, the error message is also enough to define the problem. This is clearly not a network related problem. When getting this error, we should check the file path and name of the file to see if it is correct or not.
Error Code 2 (Access violation)
This error is seen when we ask for a file on which we do not have the right to read or write. I produced this error with trying to transfer (write) a file to the server while I did not have that right (writing). A TFTP server can let you change security settings like reading, writing or both of them.
Error Code 3 (Disk full or allocation exceeded)
TFTP client receives this error when there is limited storage area on the server. I produced this error with limiting the quota for the folder and then transferring a larger file than the reserved quota.
Error Code 4 (Unknown transfer ID)
Any TFTP packet does not follow the RFC is called illegal. A packet with an unknown opcode, a packet with a malformed payload, or a packet that is out of sequence with the normal flow of commands/responses would all be considered "illegal". I produced this error with crafting a TFP data packet and sending it to the server without sending a read or write request in the beginning.
Error Code 5 (Unknown transfer ID)
When a TFTP client sends a duplicate read request (typically this happens when the first read request times out), the requests may create an unexpected situation on the server. The server thinks it received different requests from the client and responds accordingly. When the client notices the server interpreted the duplicate packets as different requests, it sends this error to the server, which does not cause a termination. After receiving this error, the server immediately stops the other transferring. I was not be able to produce this error code.
Error Code 6 (File already exists)
This error is received when there is a file with the same name on the server. I produced this file with transferring the same file to the server.
Error Code 7 (No such user)
Once the protocol was first adopted, it supported three modes of transferring, which were netascii, octet and mail mode, which was used for sending files to an email address. This error is received when the recipient username does not exist on the server. This mode is not used anymore.
Error Code 8 (Terminate transfer due to option negotiation)
TFTP client and server negotiate options during a read or write request. When the negotiations fail, the peer sends this error code to terminate the transfer. I produced this error with sending some option that server did not support. As seen below, Wireshark is not able to decode this new error properly.
Network Related TFTP Issues
TFTP uses port 69 as its destination when making a read or write request. After receiving the request, the server uses a random port for the transfer instead of answering from port 69. Even if you allow port 69 on the firewall, the transfer may fail due to not inspecting TFTP as service (protocol). Most common network failures happen because of firewall policy. Following screenshot shows a typical file transfer in perspective of using ports.
TFTP server and client generally use block size of 512 bytes on default. For faster transmission, we may need to set the size to a higher value, which may fail the transfer when the data packets size exceeds the path MTU size.
Packet loss in the network is another factor that can disrupt TFTP transfer.
Final Thoughts
It is easy to troubleshoot when the problem caused by either TFTP client or server. With using Wireshark’s “tftp.opcode == 5” display filter, we can list all TFTP errors and inspect them. Some network issues may not be identified by only using this filter. We need a network trace file from both of the side to have a better observation.
References
https://docstore.mik.ua/orelly/networking_2ndEd/fire/ch17_02.htm
https://datatracker.ietf.org/doc/html/rfc783
Related Keywords: Not defined, File not found, Access violation, Disk full or allocation exceeded, Unknown transfer ID, Unknown transfer ID, File already exists, No such user, Terminate transfer due to option negotiation, troubleshoot tftp errors with wireshark