RE: [tcpdump-workers] TCP/UDP Data Streams - Packet Reassembly

From: Joe Elliott (joeat_private)
Date: Wed Dec 18 2002 - 12:41:39 PST


    Hello,
    	Our commercial product ContExt (Content Extractor) will create images/docs
    from a raw packet stream 7x24 in real-time and handle frags, out of sequence
    packets etc. It creates web reports of the content and allows searches and
    tracking of addresses. It's a hardware/software solution packaged as a
    device. It handles GIG ethernet and 20,000+ concurrent connections.
    
    It supports JPEG/GIF/PNG/Word/Excel/MP3/PDF/PS/POP3/MBOX/PPT/ZIP etc etc
    formats that you can view from a web page.
    
    See http://www.inetd.com for details. It supports PCAP recordings as well as
    live traffic.
    
    It's not free, so maybe that's no use to you.
    
    Joe.
    
    -----Original Message-----
    From: owner-tcpdump-workersat_private
    [mailto:owner-tcpdump-workersat_private]On Behalf Of Guy
    Harris
    Sent: Wednesday, December 18, 2002 11:59 AM
    To: Susan Chan Lee
    Cc: pen-testat_private; forensicsat_private;
    tcpdump-workersat_private
    Subject: Re: [tcpdump-workers] TCP/UDP Data Streams - Packet Reassembly
    
    
    On Thu, Dec 19, 2002 at 12:08:27AM +0800, Susan Chan Lee wrote:
    > Anyone know where to obtain information of re-assembling TCP/UDP data
    > streams.
    >
    > I mean I have captured data using Tcpdump (i.e. raw data), how do I
    > recombine the data into the original word attachment (or like)?
    
    There's more to it than just "re-assembling TCP/UDP data streams"; as
    you said "word attachment", it sounds as if you're talking about e-mail,
    in which case, for example, reassembling a TCP data stream for an SMTP
    session would give you the SMTP traffic - but you'd have to extract the
    stuff sent with the "DATA" command, and then de-MIMEify it to extract
    the attachments.
    
    Similarly, for a document downloaded with HTTP, reassembly would give
    you only the HTTP traffic; you'd have to extract the document from that.
    -
    This is the TCPDUMP workers list. It is archived at
    http://www.tcpdump.org/lists/workers/index.html
    To unsubscribe use
    mailto:tcpdump-workers-requestat_private?body=unsubscribe
    
    
    -----------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
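
    Guy's point above in working form: reassembly alone yields the SMTP
    conversation, and the attachment only appears after you cut out the bytes
    sent following the DATA command and de-MIME them. This is an added example,
    not code from the original post or from the product Joe mentions. It assumes
    the capture has already been decoded into (sequence number, payload) tuples
    for the client->server half of one SMTP connection (reading pcap files is
    left to a library such as dpkt or scapy); the SMTP session, the initial
    sequence number and the segment order are all constructed. It goes slightly
    beyond the post by also handling out-of-order and retransmitted segments and
    refusing to continue across a hole in the stream.

```python
"""Recover an e-mail attachment from captured TCP segments.

Added example (not from the list post or any product it mentions). Assumes
the capture is already decoded to (seq, payload) tuples for the client->server
side of one SMTP connection. All sample data below is constructed.
"""
from email import policy
from email.parser import BytesParser


def reassemble_tcp(segments, isn):
    """Rebuild one direction of a TCP byte stream from (seq, payload) pairs.

    Out-of-order segments are put back by sequence number, full and partial
    retransmissions are dropped or trimmed, and a hole (lost segment) raises
    instead of silently producing a corrupt stream.
    """
    stream = bytearray()
    expected = isn
    for seq, payload in sorted(segments, key=lambda s: s[0]):
        end = seq + len(payload)
        if end <= expected:
            continue                            # pure retransmission, already have it
        if seq < expected:
            payload = payload[expected - seq:]  # overlapping retransmission: trim
            seq = expected
        if seq > expected:
            raise ValueError(f"hole in stream at seq {expected} (next data at {seq})")
        stream += payload
        expected = end
    return bytes(stream)


def extract_smtp_data(client_stream):
    """Return the raw message the client sent after the DATA command.

    Only the client->server direction is needed: the body runs from the line
    after DATA up to a line holding a single '.', with leading-dot stuffing
    (RFC 5321 section 4.5.2) undone.
    """
    lines = client_stream.split(b"\r\n")
    for i, line in enumerate(lines):
        if line.upper() == b"DATA":
            start = i + 1
            break
    else:
        raise ValueError("no DATA command in stream")
    body = []
    for line in lines[start:]:
        if line == b".":
            return b"\r\n".join(body) + b"\r\n"
        body.append(line[1:] if line.startswith(b".") else line)
    raise ValueError("DATA section not terminated")


def extract_attachments(message_bytes):
    """De-MIME the message and return {filename: decoded bytes} for its attachments."""
    msg = BytesParser(policy=policy.default).parsebytes(message_bytes)
    return {part.get_filename(): part.get_payload(decode=True)
            for part in msg.iter_attachments()}


def attachments_from_segments(segments, isn):
    """Full pipeline: TCP reassembly -> SMTP DATA section -> MIME attachments."""
    return extract_attachments(extract_smtp_data(reassemble_tcp(segments, isn)))


# --- constructed sample: the client side of one SMTP session ---
# "SGVsbG8=" is base64 for b"Hello"; it stands in for a Word document.
SMTP_CLIENT_STREAM = (
    b"EHLO client.example\r\n"
    b"MAIL FROM:<alice@example.com>\r\n"
    b"RCPT TO:<bob@example.com>\r\n"
    b"DATA\r\n"
    b"From: alice@example.com\r\n"
    b"To: bob@example.com\r\n"
    b"Subject: quarterly report\r\n"
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/mixed; boundary="b1"\r\n'
    b"\r\n"
    b"--b1\r\n"
    b"Content-Type: text/plain\r\n"
    b"\r\n"
    b"Please see attached.\r\n"
    b"..end of note\r\n"                     # dot-stuffed form of ".end of note"
    b"--b1\r\n"
    b'Content-Type: application/msword; name="report.doc"\r\n'
    b'Content-Disposition: attachment; filename="report.doc"\r\n'
    b"Content-Transfer-Encoding: base64\r\n"
    b"\r\n"
    b"SGVsbG8=\r\n"
    b"--b1--\r\n"
    b".\r\n"
    b"QUIT\r\n"
)
ISN = 1000  # constructed initial sequence number of the client


def sample_segments(drop_one=False):
    """Cut the stream into 64-byte segments, deliver them in reverse order and
    retransmit one, roughly what a capture of a lossy path might show."""
    chunks = [SMTP_CLIENT_STREAM[i:i + 64]
              for i in range(0, len(SMTP_CLIENT_STREAM), 64)]
    segs = [(ISN + i * 64, c) for i, c in enumerate(chunks)]
    if drop_one:
        del segs[2]            # simulate a lost segment
    segs.reverse()
    segs.append(segs[-1])      # duplicate (retransmitted) first segment
    return segs


if __name__ == "__main__":
    for name, data in attachments_from_segments(sample_segments(), ISN).items():
        print(name, len(data), "bytes:", data)
```

    The same three stages apply to the HTTP case Guy mentions, with the
    response body (after the blank line that ends the headers, honouring
    Content-Length or chunked encoding) taking the place of the DATA section.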
    



    This archive was generated by hypermail 2b30 : Thu Dec 19 2002 - 19:29:21 PST