RE: TCP/UDP Data Streams - Packet Reassembly

From: Pepijn Vissers (vissers@fox-it.com)
Date: Fri Dec 20 2002 - 00:27:59 PST

    Hi Susan && list
    
    Please have a look at the open-source program 'tcpflow', which can extract
    data streams from raw tcpdump data. It understands dates and sequence numbers
    et al. We have successfully used it in some of our investigations.
    
    It can be found on http://www.circlemud.org/~jelson/software/tcpflow/
    
    From the site:
    tcpflow is a program that captures data transmitted as part of TCP
    connections (flows), and stores the data in a way that is convenient
    for protocol analysis or debugging. A program like 'tcpdump' shows a
    summary of packets seen on the wire, but usually doesn't store the
    data that's actually being transmitted. In contrast, tcpflow
    reconstructs the actual data streams and stores each flow in a
    separate file for later analysis.
    
    tcpflow understands sequence numbers and will correctly reconstruct
    data streams regardless of retransmissions or out-of-order delivery.
    However, it currently does not understand IP fragments; flows
    containing IP fragments will not be recorded properly.
    
    tcpflow is based on the LBL Packet Capture Library (available from
    LBL) and therefore supports the same rich filtering expressions that
    programs like 'tcpdump' support. It should compile under most popular
    versions of UNIX; see the INSTALL file for details.
    
    tcpflow stores all captured data in files that have names of the form
    
                128.129.130.131.02345-010.011.012.013.45103
    
    where the contents of the above file would be data transmitted from
    host 128.129.131.131 port 2345, to host 10.11.12.13 port 45103.
    
    Best regards,
    P. Vissers
    
    > -----Original Message-----
    > From: Bryan Strong [mailto:bstrongat_private]
    > Sent: Friday, December 20, 2002 0:45
    > To: Susan Chan Lee
    > CC: pen-testat_private; forensicsat_private; tcpdump-workersat_private
    > Subject: Re: TCP/UDP Data Streams - Packet Reassembly
    >
    >
    > Susan Chan Lee wrote:
    >
    > >Anyone know where to obtain information on re-assembling TCP/UDP data
    > >streams.
    > >
    > >I mean I have captured data using Tcpdump (i.e. raw data), how do I
    > >recombine the data into the original Word attachment (or like)? Cannot
    > >seem to find any information anywhere on the technical
    > >involved in this.
    > >
    > >
    > >
    > As others have already mentioned, ethereal is a terrific open source
    > protocol analyzer with some abilities to do TCP session "playback" but
    > out of the box it will not break.  For commercial products, and I am in
    > no way affiliated with any of these, I have heard of NetDetector,
    > NetIntercept, and NetWitness all playing in this arena.
    >
    > -Bryan Strong
    > bstrongat_private
    >
    >
    >
    > -----------------------------------------------------------------
    > This list is provided by the SecurityFocus ARIS analyzer service.
    > For more information on this free incident handling, management
    > and tracking system please see: http://aris.securityfocus.com
    >
    >
    
    
    
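A minimal reassembler in the spirit of what the message above describes for tcpflow, added here as an example (it is not tcpflow's own code): it orders each flow's segments by relative sequence number, drops retransmitted bytes, tolerates out-of-order delivery and sequence wraparound, and names each flow the way tcpflow's output files are named. The sample segments, addresses, and the zero-fill-plus-gap-list convention for bytes missing from the capture are constructed assumptions; IP fragments are not handled, as the page notes for tcpflow.

```python
from collections import namedtuple

SEQ_MOD = 1 << 32  # TCP sequence numbers wrap at 2^32
Segment = namedtuple("Segment", "src sport dst dport seq payload")

def flow_name(src, sport, dst, dport):
    """tcpflow-style file name: zero-padded octets and five-digit ports."""
    pad = lambda ip: ".".join(f"{int(o):03d}" for o in ip.split("."))
    return f"{pad(src)}.{sport:05d}-{pad(dst)}.{dport:05d}"

def reassemble(segments):
    """Return {flow_name: (data, gaps)} for every unidirectional flow.
    Offsets are relative to the first sequence number seen for the flow
    (modulo 2^32, so wraparound is handled). Bytes overlapping data already
    placed are dropped as retransmissions; a hole left by a segment missing
    from the capture is zero-filled and reported in gaps as (start, end)
    offsets, which is this example's own convention, not tcpflow's.
    """
    per_flow = {}
    for s in segments:
        key = flow_name(s.src, s.sport, s.dst, s.dport)
        base, segs = per_flow.setdefault(key, (s.seq, []))
        segs.append(((s.seq - base) % SEQ_MOD, s.payload))
    result = {}
    for key, (_, segs) in per_flow.items():
        buf, gaps = bytearray(), []
        for offset, data in sorted(segs, key=lambda t: t[0]):
            if offset > len(buf):  # missing segment: mark the hole
                gaps.append((len(buf), offset))
                buf.extend(b"\x00" * (offset - len(buf)))
            elif offset < len(buf):  # overlap: keep only the new tail
                data = data[len(buf) - offset:]
            buf.extend(data)
        result[key] = (bytes(buf), gaps)
    return result

def demo():
    """Constructed capture: an HTTP request delivered out of order with two
    retransmissions, and a response with one segment never captured."""
    c, s = ("10.0.0.5", 40000), ("10.0.0.9", 80)
    pkts = [
        Segment(*c, *s, 1000, b"GET / HT"),
        Segment(*c, *s, 1016, b"Host: x\r\n"),  # arrives before its predecessor
        Segment(*c, *s, 1008, b"TP/1.1\r\n"),
        Segment(*c, *s, 1000, b"GET / HT"),  # exact retransmission
        Segment(*c, *s, 1011, b"1.1\r\nHost"),  # partially overlapping retransmission
        Segment(*s, *c, 5000, b"HTTP/1.1 200 OK\r\n"),
        Segment(*s, *c, 5020, b"\r\nhello"),  # bytes 5017-5019 were lost by the sniffer
    ]
    return reassemble(pkts)
```

Each returned key is the file name tcpflow would use for that direction; the request side reassembles cleanly while the response side reports the hole, which is exactly the kind of evidence gap an investigator needs to see rather than have silently papered over.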
    



    This archive was generated by hypermail 2b30 : Tue Dec 24 2002 - 01:17:41 PST