|
1
|
# TFTP - Trivial File Transfer Protocol - used for bootstrapping - RFC 1350
|
|
2
|
# Pattern attributes: marginal fast fast
|
|
3
|
# Protocol groups: document_retrieval ietf_internet_standard
|
|
4
|
# Wiki: http://www.protocolinfo.org/wiki/TFTP
|
|
5
|
# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
|
|
6
|
#
|
|
7
|
# usually runs on port 69
|
|
8
|
#
|
|
9
|
# This pattern is unconfirmed.
|
|
10
|
|
|
11
|
tftp
|
|
12
|
# The first packet from the initiating host should either be a Read Request
|
|
13
|
# or a Write Request. In the other direction, it should be data packet with
|
|
14
|
# block number one or an ACK with block number zero. We only attempt to match
|
|
15
|
# the initiating host's packets, because the only identifying features of
|
|
16
|
# the responses to them are two byte sequences (which isn't specific enough).
|
|
17
|
# (\x01|\x02) = Read Request or Write Request
|
|
18
|
# [ -~]* = the file name
|
|
19
|
# the rest = netascii|octet|mail (case insensitivity done by the kernel)
|
|
20
|
|
|
21
|
^(\x01|\x02)[ -~]*(netascii|octet|mail)
|