Full Disclosure mailing list archives
Re: PCAP and LP
From: Brendan Gregg <brendan.gregg () tpg com au>
Date: Thu, 3 Jun 2004 00:49:52 +1000 (EST)
G'Day Ian,
----- Original Message -----
From: Ian Latter (Ian.Latter_at_mq.edu.au)
Date: Jun 01 2004
Hello Ali,
According to the FAQ, this doesn't look entirely possible;
[...]
4.10 Replaying Client Traffic to a Server
A common question on the tcpreplay-users list is how
[...]
From; http://tcpreplay.sourceforge.net/FAQ.html
I've had one other suggestion, and that is contacting the author
of "chaosreader" (with greenback or source);
http://users.tpg.com.au/bdgcvb/chaosreader.html
's'cool ... I'll fish the web a little more and see what comes out ... if
nothing comes out, and I can't make a quick contribution to
chaosreader, then I'll probably change the target host to acquire
the asset via another protocol (http/smtp/etc).
Chaosreader can retrieve print jobs with a little help,
# snoop -o /tmp/out1 port 515
Using device /dev/hme (promiscuous mode)
205 ^C
#
# ../chaosreader -v /tmp/out1
Chaosreader ver 0.94
Opening, /tmp/out1
Reading file contents,
100% (251376/251376)
Reassembling packets,
100% (205/205)
Creating files...
Num Session (host:port <=> host:port) Service
0001 192.168.1.5:1021,192.168.1.1:515 printer
index.html created.
#
# ls -l *.raw*
-rw-r--r-- 1 brendan 231678 Jun 3 00:21 session_0001.printer.raw
-rw-r--r-- 1 brendan 5 Jun 3 00:21 session_0001.printer.raw1
-rw-r--r-- 1 brendan 231673 Jun 3 00:21 session_0001.printer.raw2
Now if I "vi session_0001.printer.raw2" and remove the top 2 and bottom
9 lines, I have the original PostScript file (cksums ok). (Your capture
may vary a little, but it should be obvious where the PostScript begins
and ends).
Or if I didn't want to use vi,
# perl -e 'push(@A,$_) while(<>); print @A[2..($#A-10)]' \
session_0001.printer.raw2 > lp.ps
It would be nice if Chaosreader automatically did this - I guess I
should add it for the next release.
If anyone would like to make a quick contribution you are welcome
to send me small sample capture files (snoop or tcpdump). :)
PS. the most stable link is,
http://www.brendangregg.com/chaosreader.html
no worries,
Brendan Gregg
[Sydney, Australia]
----- Original Message -----
From: "Ali-Reza Anghaie" <ali_at_packetknife.com>
To: "Ian Latter" <Ian.Latter_at_mq.edu.au>
Subject: Re: [Full-disclosure] PCAP and LP
Date: Tue, 01 Jun 2004 23:12:19 -0400
On Tue, 2004-06-01 at 23:32, Ian Latter wrote:
Quick question, I'm going through the results of an investigation and have a PCAP file that contains Line Printing ... I'd like to reconstruct the postscript files (or just reprint them), is there a tool that will allow this?
[...]
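Added example, not part of the original post and not Chaosreader code: instead of trimming a fixed number of lines, the sketch below carves the files out of a reassembled stream by following the LPD framing from RFC 1179, where each file is announced by a subcommand line carrying its byte count. It assumes the raw file (such as session_0001.printer.raw2 above) holds only the client-to-server bytes of a standard receive-job exchange; the function name and the sample bytes are constructed for illustration.

```python
"""Carve print files from the client-to-server half of an LPD (RFC 1179) session."""

RECEIVE_JOB = 0x02   # daemon command: "\x02<queue>\n"
ABORT = 0x01         # subcommand:     "\x01\n"
CONTROL_FILE = 0x02  # subcommand:     "\x02<count> <name>\n" + count bytes + "\x00"
DATA_FILE = 0x03     # subcommand:     "\x03<count> <name>\n" + count bytes + "\x00"


def extract_lpd_files(stream: bytes) -> dict:
    """Return {file name: contents} for every control/data file in the stream."""
    if not stream or stream[0] != RECEIVE_JOB:
        raise ValueError("stream does not start with an LPD receive-job command")
    pos = stream.index(b"\n") + 1           # skip "\x02<queue>\n"
    files = {}
    while pos < len(stream):
        eol = stream.find(b"\n", pos)
        if eol == -1:
            raise ValueError("truncated subcommand line at offset %d" % pos)
        code, operands = stream[pos], stream[pos + 1:eol]
        pos = eol + 1
        if code == ABORT:
            break
        if code not in (CONTROL_FILE, DATA_FILE):
            raise ValueError("unexpected subcommand 0x%02x" % code)
        count, _, name = operands.partition(b" ")
        size = int(count)                   # declared length of the file
        body = stream[pos:pos + size]
        if len(body) != size:               # capture stopped mid-transfer
            raise ValueError("capture ends inside %r" % name)
        files[name.decode("ascii", "replace")] = body
        pos += size
        if stream[pos:pos + 1] == b"\x00":  # end-of-file octet sent by the client
            pos += 1
    return files


if __name__ == "__main__":
    # Constructed sample: queue line, data file (PostScript), then control file.
    ps = b"%!PS-Adobe-3.0\n(hello) show\nshowpage\n%%EOF\n"
    cf = b"Hhost\nPuser\nldfA001host\n"
    sample = (b"\x02lp\n"
              + b"\x03%d dfA001host\n" % len(ps) + ps + b"\x00"
              + b"\x02%d cfA001host\n" % len(cf) + cf + b"\x00")
    for name, data in extract_lpd_files(sample).items():
        print(name, len(data), "bytes")
```

Because the data file is cut by its declared byte count, the result does not depend on how many control-file lines a particular client sends.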
