Open/Accessible TFTP Report

LAST UPDATED: 2022-08-29

This report identifies hosts that have the TFTP service running and accessible on the Internet.

Our probe tests to see if the TFTP service is accessible and will either return the file that we are asking for or return an error code. Note, we are not testing to see if file upload is enabled.

Also note that unlike other UDP services that we test for, the response from TFTP is often received on a port that is different than what was queried! Probes sent to a host on port 69/UDP may generate responses that source from ephemeral high ports.

For more details behind the scan methodology and a daily update of global TFTP scan statistics please visit our dedicated TFTP  scan page.

For more information on our scanning efforts, check out our Internet scanning summary page.

Filename(s): scan_tftp

Fields

  • timestamp
    Time that the IP was probed in UTC+0
  • ip
    The IP address of the device in question
  • protocol
    Protocol that the TFTP response came on (always UDP)
  • port
    Port that the TFTP response came from (usually 69/UDP, but the response may come on any port >1024/UDP)
  • hostname
    Reverse DNS name of the device in question
  • tag
    Will always be TFTP
  • asn
    ASN of where the device in question resides
  • geo
    Country where the device in question resides
  • region
    State / Province / Administrative region where the device in question resides
  • city
    City in which the device in question resides
  • naics
    North American Industry Classification System Code
  • sic
    Standard Industrial Classification System Code
  • opcode
    This will be either a "3" or a "5" — a "3" means that the file requested exists (in this case "a.pdf") and a "5" means that the TFTP server returned an error code
  • errorcode
    This is the error code that is returned along with the opcode per RFC1350/RFC2347
  • error
    Human readable version of the error code — in the case of an opcode 3 response, this is "No Error"
  • errormessage
    The actual error message that the TFTP server returned in addition to the errorcode — in the case of an opcode 3 response, this is "File Exists"
  • size
    Payload response size in bytes — it is really only relevant in opcode 3 responses; if the file is actually there, the response will be >4 bytes
  • amplification
    Amplification factor (This amplification is is based solely on the payload size sent and payload size received)

Sample

"timestamp","ip","protocol","port","hostname","tag","asn","geo","region","city","naics","sic","opcode","errorcode","error","errormessage","size","amplification"
"2010-02-10 00:00:00",192.168.0.1,udp,32779,node01.example.com,tftp,64512,ZZ,Region,City,0,0,5,2,"Access violation","Access violation",21,1.50
"2010-02-10 00:00:01",192.168.0.2,udp,32824,node02.example.com,tftp,64512,ZZ,Region,City,0,0,5,2,"Access violation","Access violation",21,1.50
"2010-02-10 00:00:02",192.168.0.3,udp,69,node03.example.com,tftp,64512,ZZ,Region,City,0,0,5,0,"Not defined","permission denied!",23,1.64

Our 119 Report Types

« Back to Network Reporting