Snort mailing list archives

Reassemble files passed via SMB or TFTP?


From: Richard Bejtlich <richard_bejtlich () yahoo com>
Date: Mon, 25 Aug 2003 20:21:52 -0700 (PDT)

Maybe someone can help with this or has a pointer to
someone who is familiar with this issue?

Here's the scenario: You perform full content
monitoring using tcpdump and see someone copy files
using SMB.  You have all of the traffic passed between
the Windows systems.  Imagine a client copies several
files to the "Z:" drive mapped via an SMB share.  Does
anyone know of a way to extract those files from the
traffic stream?

I'm familiar with using Ethereal or tcpflow to
reassemble TCP sessions.

On a related note, does anyone know how to reassemble
a TFTP session?

I'm hoping for an open source solution, but does
anyone know if there are commercial tools to do either
of these tasks?

Thank you,

Richard
http://taosecurity.com
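As an added illustration of the TFTP half of the question (not code from the original post or from the Snort project), the reassembler below rebuilds a file from the DATA payloads of one TFTP transfer. It assumes the UDP payloads have already been carved out of the capture and grouped per transfer by the ephemeral port pair; the packets, the block size and the sample file are constructed here for demonstration.

```python
import struct

TFTP_DATA = 3
TFTP_ACK = 4
DEFAULT_BLKSIZE = 512  # RFC 1350 default; a blksize option would change it


def parse_tftp(payload):
    """Parse one TFTP UDP payload into (opcode, block, data)."""
    if len(payload) < 4:
        return None
    opcode, block = struct.unpack("!HH", payload[:4])
    if opcode in (TFTP_DATA, TFTP_ACK):
        return opcode, block, payload[4:]
    return opcode, None, payload[4:]  # RRQ/WRQ/ERROR/OACK: no block number


def reassemble_tftp(payloads, blksize=DEFAULT_BLKSIZE):
    """Rebuild file content from the DATA packets of a single transfer.

    Retransmitted blocks are ignored, capture order does not matter, and
    the transfer is complete when the final short block (< blksize) and
    every block before it are present.  Block numbers are 16-bit, so a
    transfer longer than 65535 blocks (wrap-around) is not handled here.
    """
    blocks, last_block = {}, None
    for p in payloads:
        parsed = parse_tftp(p)
        if parsed is None or parsed[0] != TFTP_DATA:
            continue  # ACKs and other opcodes carry no file data
        _, block, data = parsed
        if block in blocks:
            continue  # retransmission: keep the first copy
        blocks[block] = data
        if len(data) < blksize:
            last_block = block  # short block terminates the transfer
    if last_block is None:  # end never seen: return what we have, in order
        return b"".join(blocks[b] for b in sorted(blocks)), False
    out = []
    for n in range(1, last_block + 1):
        if n not in blocks:
            return b"".join(out), False  # gap in capture before block n
        out.append(blocks[n])
    return b"".join(out), True


def make_data(block, data):  # constructed test packet, not capture data
    return struct.pack("!HH", TFTP_DATA, block) + data


SAMPLE_FILE = bytes(range(256)) * 4 + b"tail-of-file\n"  # 1037 bytes
SAMPLE_PACKETS = [
    make_data(1, SAMPLE_FILE[:512]),
    make_data(1, SAMPLE_FILE[:512]),     # retransmitted block 1
    make_data(3, SAMPLE_FILE[1024:]),    # final short block, seen early
    struct.pack("!HH", TFTP_ACK, 1),     # ACK, skipped
    make_data(2, SAMPLE_FILE[512:1024]),
]
```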


