Re: Removing HTTP headers from tcpdump logs

From: shawnmer (shawnmerat_private)
Date: Wed May 07 2003 - 14:45:28 PDT


    Hi,
    
    With respect to extracting the HTTP data, you might take a peek at tcpflow:
    http://www.circlemud.org/~jelson/software/tcpflow/
    
    It can read in tcpdump files using -r
    
    <snip>
    
    tcpflow version 0.20 by Jeremy Elson <jelsonat_private>
    
    usage: tcpflow [-chpsv] [-b max_bytes] [-d debug_level] [-f max_fds]
              [-i iface] [-w file] [expression]
    
            -b: max number of bytes per flow to save
            -c: console print only (don't create files)
            -d: debug level; default is 1
            -f: maximum number of file descriptors to use
            -h: print this help message
            -i: network interface on which to listen
                (type "ifconfig -a" for a list of interfaces)
            -p: don't use promiscuous mode
            -r: read packets from tcpdump output file
            -s: strip non-printable characters (change to '.')
            -v: verbose operation equivalent to -d 10
    expression: tcpdump-like filtering expression
    
    </snip>
    
    -scm
    
    
    CM:Chris Mawer
    
    CM>List,
    CM>
    CM>I have a recently acquired tcpdump logfile on my hands. It captured several 
    CM>megabytes of data, including several ftp, ssh and http sessions.
    CM>
    CM>In trying to recover files from the sessions captured, I've run into two 
    CM>problems.
    CM>
    CM>1. The SSH data is encrypted, but was captured by a network-wide keystroke 
    CM>logger. (I don't wish to debate the ethics here..)
    CM>2. With the FTP sessions, running the tcpdump file through ethereal allowed 
    CM>me to "Follow TCP Stream" and recover the files transferred perfectly. 
    CM>However, trying to do the same with the HTTP sessions didn't work too well.
    CM>
    CM>My question to the list: What tools/methods are used to manually remove the 
    CM>HTTP headers that prevent the (easy/quick) recovery of files over HTTP? 
    CM>RFCs on the issue, whilst informative, are 20 years old. What does the 
    CM>modern-day Homo sapiens forensics investigator do?
    CM>
    CM>Many thanks,
    CM>
    CM>Chris Mawer
    CM>
    
    
    -----------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    
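    The step Chris asks about, stripping the HTTP headers once a stream has been
    reassembled, is easy to script. The block below is an added example written for
    this archive page; it is not code from the original post, from tcpflow, or from
    Ethereal. It assumes you already have the server-to-client half of a connection
    as a single byte string (what `tcpflow -r capture.pcap` writes to a per-flow file,
    or what "Follow TCP Stream" lets you save), and it splits that stream into the
    individual responses, decoding Content-Length, chunked and gzip/deflate bodies and
    handling persistent connections that carry several responses in one stream. The
    sample stream is constructed inside the block.

```python
"""Strip HTTP/1.x response headers from a reassembled server-to-client stream.

Added example (not from the original post, tcpflow or Ethereal). Input is the
server half of one TCP flow; output is a list of (status, headers, body).
"""
import gzip
import re
import sys
import zlib

# Status line: no leading '^' because Pattern.match() is already anchored at pos.
STATUS_RE = re.compile(rb"HTTP/1\.[01] (\d{3})[^\r\n]*\r\n")


def _parse_headers(raw: bytes) -> dict:
    """Parse a header block (status line excluded) into a lowercase-keyed dict."""
    headers = {}
    for line in raw.split(b"\r\n"):
        if line:
            name, _, value = line.partition(b":")
            headers[name.strip().lower().decode("latin-1")] = value.strip()
    return headers


def _dechunk(data: bytes, start: int):
    """Decode a chunked body at offset `start`; return (body, offset past it)."""
    out = bytearray()
    pos = start
    while True:
        eol = data.index(b"\r\n", pos)
        size = int(data[pos:eol].split(b";", 1)[0], 16)  # drop chunk extensions
        pos = eol + 2
        if size == 0:
            # last chunk: either a bare CRLF or trailer headers ending in CRLF CRLF
            if data[pos:pos + 2] == b"\r\n":
                return bytes(out), pos + 2
            return bytes(out), data.index(b"\r\n\r\n", pos) + 4
        out += data[pos:pos + size]
        pos += size + 2  # skip the chunk's trailing CRLF


def _decode_content(body: bytes, encoding: bytes) -> bytes:
    """Undo Content-Encoding so the recovered file matches what the client saw."""
    enc = encoding.lower()
    if enc == b"gzip":
        return gzip.decompress(body)
    if enc == b"deflate":
        try:
            return zlib.decompress(body)
        except zlib.error:                      # some servers send raw deflate
            return zlib.decompress(body, -zlib.MAX_WBITS)
    return body


def split_responses(stream: bytes) -> list:
    """Return [(status_code, headers, body), ...] for every response in `stream`."""
    responses, pos = [], 0
    while pos < len(stream):
        m = STATUS_RE.match(stream, pos)
        if not m:
            break  # not at a response boundary (stray bytes); stop rather than guess
        hdr_end = stream.index(b"\r\n\r\n", m.end())
        headers = _parse_headers(stream[m.end():hdr_end])
        status, body_start = int(m.group(1)), hdr_end + 4
        if status in (204, 304) or 100 <= status < 200:
            body, pos = b"", body_start           # these never carry a body
        elif b"chunked" in headers.get("transfer-encoding", b"").lower():
            body, pos = _dechunk(stream, body_start)
        elif "content-length" in headers:
            n = int(headers["content-length"])
            body, pos = stream[body_start:body_start + n], body_start + n
        else:
            body, pos = stream[body_start:], len(stream)  # delimited by close
        body = _decode_content(body, headers.get("content-encoding", b"identity"))
        responses.append((status, headers, body))
    return responses


def build_sample_stream() -> bytes:
    """Constructed sample: three responses on one persistent connection."""
    payload = gzip.compress(b"<html><body>hello</body></html>")
    first = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Encoding: gzip\r\n"
             b"Content-Length: " + str(len(payload)).encode() + b"\r\n\r\n" + payload)
    second = (b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n"
              b"Transfer-Encoding: chunked\r\n\r\n"
              b"4\r\nWiki\r\n5;ext=1\r\npedia\r\n0\r\nX-Trailer: none\r\n\r\n")
    third = b"HTTP/1.1 304 Not Modified\r\nETag: \"abc\"\r\n\r\n"
    return first + second + third


if __name__ == "__main__":
    # Usage: python strip_http.py <tcpflow server-side flow file>; no file = sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_stream()
    for i, (status, hdrs, body) in enumerate(split_responses(data)):
        ctype = hdrs.get("content-type", b"?").decode("latin-1")
        print(f"response {i}: status {status}, {ctype}, {len(body)} body bytes")
```

    Each recovered body is the file as the client received it, so it can be written
    straight to disk; the Content-Type header is a reasonable hint for the file
    extension. The script stops at the first byte that is not a status line rather
    than guessing, which is the safer behaviour when a capture is missing packets.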



    This archive was generated by hypermail 2b30 : Thu May 08 2003 - 15:01:01 PDT