Hi, With respect to extractng the HTTP data, you might take a peek at tcpflow: http://www.circlemud.org/~jelson/software/tcpflow/ It can read in tcpdump files using -r <snip> tcpflow version 0.20 by Jeremy Elson <jelsonat_private> usage: tcpflow [-chpsv] [-b max_bytes] [-d debug_level] [-f max_fds] [-i iface] [-w file] [expression] -b: max number of bytes per flow to save -c: console print only (don't create files) -d: debug level; default is 1 -f: maximum number of file descriptors to use -h: print this help message -i: network interface on which to listen (type "ifconfig -a" for a list of interfaces) -p: don't use promiscuous mode -r: read packets from tcpdump output file -s: strip non-printable characters (change to '.') -v: verbose operation equivalent to -d 10 expression: tcpdump-like filtering expression </snip> -scm CM:Chris Mawer CM>List, CM> CM>I have a recently acquired tcpdump logfile on my hands. It captured several CM>megabytes of data, including several ftp, ssh and http sessions. CM> CM>In trying to recover files from the sessions captured, Ive run into two CM>problems. CM> CM>1. The SSH data is encrypted, but was captured by a network-wide keystroke CM>logger. (I don't wish to debate the ethics here..) CM>2. With the FTP sessions, running the tcpdump file through ethereal allowed CM>me to "Follow TCP Stream" and recover the files transferred perfectly. CM>However, trying to do the same with the HTTP sessions didnt work too well. CM> CM>My question to the list: What tools/methods are used to manually remove the CM>HTTP headers that prevent the (easy/quick) recovery of files over HTTP? CM>RFC's on the issue, whilst informative are 20 years old. What does the CM>modern-day homosapien forensics investigator do? CM> CM>Many thanks, CM> CM>Chris Mawer CM> CM>_________________________________________________________________ CM>It's fast, it's easy and it's free. Get MSN Messenger today! CM>http://www.msn.co.uk/messenger CM> ----------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Thu May 08 2003 - 15:01:01 PDT