Enhance FTP packet handling to detect file downloads in RETR commands

2025-07-11 12:41:56 +02:00 · 2025-07-11 12:41:56 +02:00 · 2ea35d73fd
commit 2ea35d73fd
parent dee3108d70
1 changed files with 10 additions and 1 deletions
--- a/inquisitor/src/inquisitor.py
+++ b/inquisitor/src/inquisitor.py
@ -40,7 +40,16 @@ def ftp_packet_callback(packet):
    """
    if packet.haslayer('IP') and packet.haslayer('TCP'):
        if packet['TCP'].dport == 21 or packet['TCP'].sport == 21:
-            print(f"FTP Packet: {packet.summary()}")   
+            # print(f"FTP Packet: {packet.summary()}") 
+            if b"RETR" in bytes(packet['TCP'].payload):
+                # Extract filename from FTP RETR command
+                payload = bytes(packet['TCP'].payload).decode(errors='ignore')
+                parts = payload.split()
+                if "RETR" in parts:
+                    idx = parts.index("RETR")
+                    if idx + 1 < len(parts):
+                        filename = parts[idx + 1]
+                        print(f"FTP file download detected: {filename}")

 def start_sniffing(interface=conf.iface):
    """