Honeypots mailing list archives

Re: Removing HTTP headers from tcpdump logs


From: shawnmer <shawnmer () io com>
Date: Wed, 7 May 2003 16:45:28 -0500 (CDT)

Hi,

With respect to extracting the HTTP data, you might take a peek at tcpflow:
http://www.circlemud.org/~jelson/software/tcpflow/

It can read in tcpdump files using -r

<snip>

tcpflow version 0.20 by Jeremy Elson <jelson () circlemud org>

usage: tcpflow [-chpsv] [-b max_bytes] [-d debug_level] [-f max_fds]
          [-i iface] [-w file] [expression]

        -b: max number of bytes per flow to save
        -c: console print only (don't create files)
        -d: debug level; default is 1
        -f: maximum number of file descriptors to use
        -h: print this help message
        -i: network interface on which to listen
            (type "ifconfig -a" for a list of interfaces)
        -p: don't use promiscuous mode
        -r: read packets from tcpdump output file
        -s: strip non-printable characters (change to '.')
        -v: verbose operation equivalent to -d 10
expression: tcpdump-like filtering expression

</snip>

-scm


CM:Chris Mawer

CM>List,
CM>
CM>I have a recently acquired tcpdump logfile on my hands. It captured several 
CM>megabytes of data, including several ftp, ssh and http sessions.
CM>
CM>In trying to recover files from the sessions captured, I've run into two 
CM>problems.
CM>
CM>1. The SSH data is encrypted, but was captured by a network-wide keystroke 
CM>logger. (I don't wish to debate the ethics here..)
CM>2. With the FTP sessions, running the tcpdump file through ethereal allowed 
CM>me to "Follow TCP Stream" and recover the files transferred perfectly. 
CM>However, trying to do the same with the HTTP sessions didn't work too well.
CM>
CM>My question to the list: What tools/methods are used to manually remove the 
CM>HTTP headers that prevent the (easy/quick) recovery of files over HTTP? 
CM>RFCs on the issue, whilst informative, are 20 years old. What does the 
CM>modern-day Homo sapiens forensics investigator do?
CM>
CM>Many thanks,
CM>
CM>Chris Mawer
CM>