willem/inquisitor
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Enhance FTP packet callback to detect file downloads and server responses

Browse Source
This commit is contained in:
whaffman 2025-07-11 13:46:28 +02:00
parent 85f38b389d
commit 0da3ed1490
1 changed files with 5 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
inquisitor/src/inquisitor.py
View File

@ -41,7 +41,7 @@ def ftp_packet_callback(packet):
This function would handle FTP packets, if needed. This function would handle FTP packets, if needed.
""" """
if packet.haslayer('IP') and packet.haslayer('TCP'): if packet.haslayer('IP') and packet.haslayer('TCP'):
if packet['TCP'].dport == 21: if packet['TCP'].dport == 21 or packet['TCP'].sport == 21:
if b"RETR" in bytes(packet['TCP'].payload): if b"RETR" in bytes(packet['TCP'].payload):
# Extract filename from FTP RETR command # Extract filename from FTP RETR command
payload = bytes(packet['TCP'].payload).decode(errors='ignore') payload = bytes(packet['TCP'].payload).decode(errors='ignore')
@ -51,6 +51,10 @@ def ftp_packet_callback(packet):
if idx + 1 < len(parts): if idx + 1 < len(parts):
filename = parts[idx + 1] filename = parts[idx + 1]
print(f"\033[92mFTP file download detected: {filename} \033[0m") print(f"\033[92mFTP file download detected: {filename} \033[0m")
# Also print when server sends a 150 response (file status okay; about to open data connection)
payload = bytes(packet['TCP'].payload).decode(errors='ignore')
if payload.startswith("150 "):
print(f"\033[94mFTP server response: {payload.strip()} \033[0m")
def start_sniffing(interface=conf.iface): def start_sniffing(interface=conf.iface):
""" """