

TFTP is designed to be a stripped-down file transfer protocol without authentication or many of the features that FTP and other protocols offer. Instead, it has two main options: file read requests and file write requests. The screenshot above shows an example of a TFTP read request (GET) in Wireshark. It is interesting to note that TFTP is unusual in that it has a well-known port but doesn’t use it for all traffic. As shown in the packet capture above, the first TFTP request is made to port 69 (the TFTP server), but after that, the TFTP server selects another high-number port to send its responses. This makes it difficult to filter for TFTP traffic in a live capture in Wireshark since the built-in ftp filter does not work and filtering for port 69 will only catch the initial request.

As shown in the screenshots above, TFTP packets are designed to be extremely simple. The image on the left is of the first packet in this sequence, a read request. It includes the opcode (1 for read request), the desired filename and the type of content that it is requesting (octet). The packet on the right shows the first data packet (packet 2). Its header specifies an opcode (3 for data packet) and the block number, and the body contains the requested data.

While TFTP uses UDP, it has TCP-like features built in. Each TFTP data packet contains a block number and is acknowledged by the recipient. This ensures proper packet ordering and packet receipt without the overhead of a TCP connection. The screenshot above shows the flow of a write request (PUT).
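Because only the initial request touches port 69, following a transfer means tying the server's reply port back to that request. The sketch below is an added example, not from the original article: it decodes the opcode, filename, mode and block number fields described above and groups a constructed list of UDP datagrams into transfers. The function names, the tuple layout and the sample addresses are assumptions made for illustration.

```python
import struct

OPCODES = {1: "RRQ", 2: "WRQ", 3: "DATA", 4: "ACK", 5: "ERROR"}  # RFC 1350

def parse_tftp(payload):
    """Decode one TFTP message (a UDP payload); return None if it is not valid TFTP."""
    if len(payload) < 4:
        return None
    opcode, num = struct.unpack("!HH", payload[:4])
    op = OPCODES.get(opcode)
    if op in ("RRQ", "WRQ"):
        # After the opcode: filename, NUL, transfer mode, NUL.
        parts = payload[2:].split(b"\x00")
        if len(parts) < 3:
            return None
        return {"op": op, "filename": parts[0].decode("ascii", "replace"),
                "mode": parts[1].decode("ascii", "replace").lower()}
    if op in ("DATA", "ACK", "ERROR"):
        # num is the block number (DATA/ACK) or error code; size counts bytes after the header.
        return {"op": op, "num": num, "size": len(payload) - 4}
    return None

def follow_transfers(datagrams, server_port=69):
    """Tie each transfer back to its request on port 69 after the server changes port."""
    pending = {}  # (client_ip, client_port, server_ip) -> request awaiting first reply
    flows = {}    # (client_ip, client_port, server_ip, reply_port) -> transfer record
    for src, sport, dst, dport, payload in datagrams:
        msg = parse_tftp(payload)
        if msg is None:
            continue
        if dport == server_port and msg["op"] in ("RRQ", "WRQ"):
            pending[(src, sport, dst)] = dict(msg, data=[], ack=[])
            continue
        # The first reply arrives from a new server port; bind that port to the request.
        if (dst, dport, src) in pending:
            flows[(dst, dport, src, sport)] = dict(pending.pop((dst, dport, src)), reply_port=sport)
        flow = flows.get((dst, dport, src, sport)) or flows.get((src, sport, dst, dport))
        if flow and msg["op"] in ("DATA", "ACK"):
            flow[msg["op"].lower()].append(msg["num"])
    return list(flows.values())

# Constructed sample: (src_ip, src_port, dst_ip, dst_port, udp_payload)
C, S = "192.0.2.10", "192.0.2.1"
SAMPLE = [
    (C, 50000, S, 69, b"\x00\x01config.bin\x00octet\x00"),
    (S, 40001, C, 50000, b"\x00\x03\x00\x01" + b"A" * 512),
    (C, 50000, S, 40001, b"\x00\x04\x00\x01"),
    (S, 40001, C, 50000, b"\x00\x03\x00\x02" + b"B" * 100),
    (C, 50000, S, 40001, b"\x00\x04\x00\x02"),
]
```

Running `follow_transfers(SAMPLE)` returns one transfer record that carries the requested filename together with the server's reply port, which is the association a port 69 filter alone misses.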
