Re: [tcpdump-workers] TCP/UDP Data Streams - Packet Reassembly

From: Guy Harris (guyat_private)
Date: Wed Dec 18 2002 - 11:58:58 PST


    On Thu, Dec 19, 2002 at 12:08:27AM +0800, Susan Chan Lee wrote:
    > Anyone know where to obtain information of re-assembling TCP/UDP data
    > streams. 
    > 
    > I mean I have captured data using Tcpdump (i.e. raw data), how do I
    > recombine the data into the original Word attachment (or the like)?
    
    There's more to it than just "re-assembling TCP/UDP data streams"; as
    you said "word attachment", it sounds as if you're talking about e-mail,
    in which case, for example, reassembling a TCP data stream for an SMTP
    session would give you the SMTP traffic - but you'd have to extract the
    stuff sent with the "DATA" command, and then de-MIMEify it to extract
    the attachments.
    
    Similarly, for a document downloaded with HTTP, reassembly would give
    you only the HTTP traffic; you'd have to extract the document from that.
    
    -----------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
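
    The steps Guy describes (reassemble the client's TCP byte stream, cut out
    what was sent after the DATA command, then de-MIME it) as a worked example
    in Python. This is added here and is not tcpdump code or anything posted
    in the thread; the SMTP session, the addresses and the file name
    report.doc are constructed, and the list of (seq, payload) segments stands
    in for what you would decode out of a capture file. It goes a little
    beyond the post: the reassembler copes with out-of-order, duplicated and
    overlapping segments and stops at a hole instead of silently joining
    across it, and the DATA extractor undoes SMTP dot-stuffing, which a plain
    string search between "DATA" and "." would get wrong.

```python
"""Reassemble one direction of a captured SMTP session, pull out the message
sent after DATA, and decode its MIME attachments (added example, constructed input)."""
import base64
import email
from email import policy

# Constructed attachment and MIME message; addresses and filename are made up.
ATTACHMENT = b"Hello from the capture.\n"
MIME_MESSAGE = (
    b"From: alice@example.org\r\n"
    b"To: bob@example.org\r\n"
    b"Subject: report\r\n"
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/mixed; boundary="XYZ"\r\n'
    b"\r\n"
    b"--XYZ\r\n"
    b"Content-Type: text/plain\r\n"
    b"\r\n"
    b"See attached.\r\n"
    b".a line starting with a dot, which SMTP dot-stuffs on the wire\r\n"
    b"--XYZ\r\n"
    b'Content-Type: application/octet-stream; name="report.doc"\r\n'
    b'Content-Disposition: attachment; filename="report.doc"\r\n'
    b"Content-Transfer-Encoding: base64\r\n"
    b"\r\n"
    + base64.b64encode(ATTACHMENT)
    + b"\r\n--XYZ--\r\n"
)


def dot_stuff(message):
    """What the sending client does: lines beginning with '.' get another '.'."""
    return b"\r\n".join(b"." + ln if ln.startswith(b".") else ln
                        for ln in message.split(b"\r\n"))


def reassemble(segments):
    """Rebuild one direction of a TCP stream from (seq, payload) pairs.

    Handles out-of-order delivery, duplicates and partial overlaps by
    trimming what is already placed.  Stops at the first hole and returns
    (data, bytes_missing); 32-bit sequence wrap is not handled here.
    """
    if not segments:
        return b"", 0
    stream = bytearray()
    expected = min(seq for seq, _ in segments)
    for seq, payload in sorted(segments, key=lambda s: s[0]):
        end = seq + len(payload)
        if end <= expected:        # already have every byte of this segment
            continue
        if seq > expected:         # hole: bytes were lost or not captured
            return bytes(stream), seq - expected
        stream += payload[expected - seq:]   # drop the overlapping prefix
        expected = end
    return bytes(stream), 0


def extract_smtp_data(client_stream):
    """Return the message(s) sent after each DATA command, with dot-stuffing
    undone (RFC 5321 4.5.2).  A DATA section without a terminating '.' line
    (truncated capture) is discarded rather than returned half-finished."""
    messages, body = [], None
    for line in client_stream.split(b"\r\n"):
        if body is None:
            if line.strip().upper() == b"DATA":
                body = []
        elif line == b".":
            messages.append(b"\r\n".join(body) + b"\r\n")
            body = None
        else:
            body.append(line[1:] if line.startswith(b".") else line)
    return messages


def extract_attachments(raw_message):
    """De-MIME: map attachment filename -> decoded bytes."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    return {part.get_filename(): part.get_payload(decode=True)
            for part in msg.iter_attachments()}


def build_capture():
    """Client->server half of a constructed session, cut into TCP segments that
    are delivered out of order with one retransmitted segment."""
    client = (b"EHLO client.example.org\r\n"
              b"MAIL FROM:<alice@example.org>\r\n"
              b"RCPT TO:<bob@example.org>\r\n"
              b"DATA\r\n" + dot_stuff(MIME_MESSAGE) + b".\r\n"
              b"QUIT\r\n")
    isn, mss = 0x1A2B3C4D, 120     # arbitrary initial seq, small segment size
    segs = [(isn + i, client[i:i + mss]) for i in range(0, len(client), mss)]
    segs.insert(0, segs.pop(2))     # third segment shows up first...
    segs.append(segs[1])            # ...and one segment is seen twice
    return segs


def recover_attachments(segments):
    """Whole pipeline: reassemble -> find DATA bodies -> decode MIME parts."""
    stream, missing = reassemble(segments)
    if missing:
        raise ValueError(f"capture has a {missing}-byte hole; cannot trust the rest")
    found = {}
    for raw in extract_smtp_data(stream):
        found.update(extract_attachments(raw))
    return found


if __name__ == "__main__":
    for name, data in recover_attachments(build_capture()).items():
        print(name, len(data), "bytes")
```

    Run as a script it prints the one attachment it recovered. Decoding real
    segments out of a pcap (Ethernet/IP/TCP headers, one stream per
    4-tuple and per direction, sequence-number wrap) is left out; only the
    client-to-server direction is needed to get the message body, but the
    server's replies are what tell you whether the message was accepted.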
    
    This archive was generated by hypermail 2b30 : Thu Dec 19 2002 - 19:29:03 PST