From 2ea35d73fd83855ff10f23ca1369e0892dcb166d Mon Sep 17 00:00:00 2001
From: whaffman
Date: Fri, 11 Jul 2025 12:41:56 +0200
Subject: [PATCH] Enhance FTP packet handling to detect file downloads in RETR commands
---
 inquisitor/src/inquisitor.py | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/inquisitor/src/inquisitor.py b/inquisitor/src/inquisitor.py
index 6be3a3a..1833b56 100755
--- a/inquisitor/src/inquisitor.py
+++ b/inquisitor/src/inquisitor.py
@@ -40,7 +40,16 @@ def ftp_packet_callback(packet):
 """
 if packet.haslayer('IP') and packet.haslayer('TCP'):
 if packet['TCP'].dport == 21 or packet['TCP'].sport == 21:
- print(f"FTP Packet: {packet.summary()}")
+ # print(f"FTP Packet: {packet.summary()}")
+ if b"RETR" in bytes(packet['TCP'].payload):
+ # Extract filename from FTP RETR command
+ payload = bytes(packet['TCP'].payload).decode(errors='ignore')
+ parts = payload.split()
+ if "RETR" in parts:
+ idx = parts.index("RETR")
+ if idx + 1 < len(parts):
+ filename = parts[idx + 1]
+ print(f"FTP file download detected: {filename}")
 def start_sniffing(interface=conf.iface):
 """
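Review bot: The filename extraction in the added `if b"RETR" in ...` branch is looser than the FTP command grammar: `"RETR" in parts` accepts the token anywhere in the segment rather than as the command verb, `payload.split()` truncates names that contain spaces, and a lowercase `retr` is never matched although FTP command verbs are case-insensitive. The extracted name is also printed raw, so control characters taken from the wire reach the operator's terminal; formatting it with `{filename!r}` escapes them. Parsing each line as verb plus argument, as sketched below, covers these cases and converts the payload only once. The commented-out `print` can simply be deleted; `ftp_packet_callback` begins above this hunk, so only the visible branch was reviewed.

```python
        if packet['TCP'].dport == 21 or packet['TCP'].sport == 21:
            raw = bytes(packet['TCP'].payload)
            for line in raw.splitlines():
                # A command line is "<VERB> <argument>"; keep the whole argument.
                verb, _, arg = line.partition(b" ")
                arg = arg.strip()
                if verb.upper() == b"RETR" and arg:
                    filename = arg.decode(errors='replace')
                    # !r escapes control characters that came from the network.
                    print(f"FTP file download detected: {filename!r}")
```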