Honeypots mailing list archives

Removing HTTP headers from tcpdump logs


From: "Chris Mawer" <chris_mawer () hotmail com>
Date: Wed, 07 May 2003 14:32:49 +0000

List,

I have a recently acquired tcpdump logfile on my hands. It captured several megabytes of data, including several ftp, ssh and http sessions.

In trying to recover files from the sessions captured, I've run into two problems.

1. The SSH data is encrypted, but was captured by a network-wide keystroke logger. (I don't wish to debate the ethics here..)

2. With the FTP sessions, running the tcpdump file through ethereal allowed me to "Follow TCP Stream" and recover the files transferred perfectly. However, trying to do the same with the HTTP sessions didn't work too well.

My question to the list: What tools/methods are used to manually remove the HTTP headers that prevent the (easy/quick) recovery of files over HTTP? RFCs on the issue, whilst informative, are 20 years old. What does the modern-day homo sapiens forensics investigator do?

Many thanks,

Chris Mawer

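As an added illustration (not from the original post or its thread) of what "removing the HTTP headers" from a followed TCP stream involves: the server-to-client bytes saved from "Follow TCP Stream" hold one or more responses back to back, each with a header block ending in a blank line, and the body after it is framed either by Content-Length or by chunked transfer encoding, so a recovery script has to walk the stream response by response rather than just cutting at the first blank line. The sample stream below is constructed, and the function names are mine.

```python
# Constructed sample: the server->client half of a reassembled HTTP/1.1 stream
# carrying two responses, one framed by Content-Length and one chunked.
SAMPLE_STREAM = (
    b"HTTP/1.1 200 OK\r\nContent-Type: image/gif\r\nContent-Length: 6\r\n\r\n"
    b"GIF89a"
    b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nTransfer-Encoding: chunked\r\n\r\n"
    b"5\r\nhello\r\n6\r\n world\r\n0\r\n\r\n"
)

def _parse_headers(block):
    """Split a header block into (status line, {lowercased name: value})."""
    status, _, rest = block.partition(b"\r\n")
    headers = {}
    for line in rest.split(b"\r\n"):
        name, sep, value = line.partition(b":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return status, headers

def _read_chunked(data, pos):
    """Decode a chunked body at pos -> (body, pos after it), or (None, pos) if truncated."""
    body = b""
    while True:
        end = data.find(b"\r\n", pos)
        if end < 0:
            return None, pos
        size = int(data[pos:end].split(b";")[0], 16)  # chunk-size, ignoring extensions
        pos = end + 2
        if size == 0:  # last chunk; skip optional trailers up to the blank line
            term = data.find(b"\r\n\r\n", pos - 2)
            return body, (term + 4 if term >= 0 else pos)
        body += data[pos:pos + size]
        pos += size + 2  # step over the chunk data and its trailing CRLF

def extract_bodies(stream):
    """Walk every response in a reassembled stream -> [(status, headers, body), ...]."""
    results, pos = [], 0
    while True:
        hdr_end = stream.find(b"\r\n\r\n", pos)
        if hdr_end < 0:
            break
        status, headers = _parse_headers(stream[pos:hdr_end])
        pos = hdr_end + 4
        if headers.get(b"transfer-encoding", b"").lower() == b"chunked":
            body, pos = _read_chunked(stream, pos)
            if body is None:
                break
        elif b"content-length" in headers:
            n = int(headers[b"content-length"])
            body, pos = stream[pos:pos + n], pos + n
        else:  # no framing header: body runs until the connection closes
            body, pos = stream[pos:], len(stream)
        results.append((status, headers, body))
    return results
```

Each recovered body can then be written out under a name taken from the matching request's URL or the Content-Type; bodies served with Content-Encoding (gzip, deflate) still need decompressing, and responses that carry no body by definition (1xx, 204, 304, replies to HEAD) are not special-cased here.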

