Honeypots mailing list archives
Removing HTTP headers from tcpdump logs
From: "Chris Mawer" <chris_mawer () hotmail com>
Date: Wed, 07 May 2003 14:32:49 +0000
List, I have a recently acquired tcpdump logfile on my hands. It captured several megabytes of data, including several ftp, ssh and http sessions.
In trying to recover files from the sessions captured, I've run into two problems.
1. The SSH data is encrypted, but was captured by a network-wide keystroke logger. (I don't wish to debate the ethics here..)
2. With the FTP sessions, running the tcpdump file through ethereal allowed me to "Follow TCP Stream" and recover the files transferred perfectly. However, trying to do the same with the HTTP sessions didn't work too well.
My question to the list: What tools/methods are used to manually remove the HTTP headers that prevent the (easy/quick) recovery of files over HTTP? RFCs on the issue, whilst informative, are 20 years old. What does the modern-day Homo sapiens forensics investigator do?
Many thanks, Chris Mawer
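The header stripping the question asks about, as an added example that is not part of the original thread: a small Python parser that takes the server-to-client half of an already reassembled TCP stream (assumed to be the raw bytes saved from a "Follow TCP Stream" view) and returns each response body with its headers removed, honouring Content-Length, chunked transfer-coding and close-delimited HTTP/1.0 bodies. The sample stream is constructed for the example.

```python
# Added example: strip HTTP/1.x response headers from the server->client half
# of a reassembled TCP stream (assumed saved as raw bytes from a "Follow TCP
# Stream" view). Handles Content-Length, chunked transfer-coding and
# close-delimited (HTTP/1.0 style) bodies. SAMPLE below is constructed.

def parse_headers(block):
    """Split one header block into (status_line, {lowercased-name: value})."""
    status, *lines = block.split(b"\r\n")
    hdrs = {n.strip().lower(): v.strip() for n, _, v in (l.partition(b":") for l in lines)}
    return status, hdrs

def dechunk(data):
    """Decode a chunked body at the start of data; return (body, bytes_used)."""
    body, pos = b"", 0
    while True:
        eol = data.index(b"\r\n", pos)
        size = int(data[pos:eol].split(b";")[0], 16)  # ignore chunk extensions
        pos = eol + 2
        if size == 0:
            # last chunk: skip any trailer headers up to the blank line
            return body, data.index(b"\r\n\r\n", eol) + 4
        body += data[pos:pos + size]
        pos += size + 2  # chunk data plus its trailing CRLF

def extract_bodies(stream):
    """Return [(status_line, content_type, body)] for every response in stream."""
    out, pos = [], 0
    while True:
        end = stream.find(b"\r\n\r\n", pos)
        if end < 0:
            break
        status, hdrs = parse_headers(stream[pos:end])
        pos = end + 4
        if b"chunked" in hdrs.get(b"transfer-encoding", b"").lower():
            body, used = dechunk(stream[pos:])
            pos += used
        elif b"content-length" in hdrs:
            n = int(hdrs[b"content-length"])
            body, pos = stream[pos:pos + n], pos + n
        else:  # no framing header: body runs until the connection closed
            body, pos = stream[pos:], len(stream)
        out.append((status, hdrs.get(b"content-type", b""), body))
    return out

SAMPLE = (  # constructed: three responses on one keep-alive connection
    b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\nContent-Length: 5\r\n\r\nhello"
    b"HTTP/1.1 200 OK\r\nContent-Type: image/gif\r\nTransfer-Encoding: chunked\r\n\r\n"
    b"4\r\nGIF8\r\n2\r\n9a\r\n0\r\n\r\n"
    b"HTTP/1.0 200 OK\r\nContent-Type: text/html\r\n\r\n<html>bye</html>"
)
```

Each returned body can be written to a file named from its Content-Type; gzip or deflate Content-Encoding, if present, still has to be undone separately.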
Current thread:
- Removing HTTP headers from tcpdump logs Chris Mawer (May 07)
- Re: Removing HTTP headers from tcpdump logs Jarkko Turkulainen (May 07)
- Re: Removing HTTP headers from tcpdump logs George W. Capehart (May 07)
- Re: Removing HTTP headers from tcpdump logs shawnmer (May 07)
- Re: Removing HTTP headers from tcpdump logs Bill McCarty (May 09)
- Re: Removing HTTP headers from tcpdump logs Jarkko Turkulainen (May 07)