Honeypots mailing list archives
Re: Removing HTTP headers from tcpdump logs
From: shawnmer <shawnmer () io com>
Date: Wed, 7 May 2003 16:45:28 -0500 (CDT)
Hi,

With respect to extracting the HTTP data, you might take a peek at tcpflow:

http://www.circlemud.org/~jelson/software/tcpflow/

It can read in tcpdump files using -r

<snip>
tcpflow version 0.20 by Jeremy Elson <jelson () circlemud org>
usage: tcpflow [-chpsv] [-b max_bytes] [-d debug_level] [-f max_fds] [-i iface] [-w file] [expression]
        -b: max number of bytes per flow to save
        -c: console print only (don't create files)
        -d: debug level; default is 1
        -f: maximum number of file descriptors to use
        -h: print this help message
        -i: network interface on which to listen
            (type "ifconfig -a" for a list of interfaces)
        -p: don't use promiscuous mode
        -r: read packets from tcpdump output file
        -s: strip non-printable characters (change to '.')
        -v: verbose operation equivalent to -d 10
expression: tcpdump-like filtering expression
</snip>

-scm

CM:Chris Mawer
CM>List,
CM>
CM>I have a recently acquired tcpdump logfile on my hands. It captured several
CM>megabytes of data, including several ftp, ssh and http sessions.
CM>
CM>In trying to recover files from the sessions captured, I've run into two
CM>problems.
CM>
CM>1. The SSH data is encrypted, but was captured by a network-wide keystroke
CM>logger. (I don't wish to debate the ethics here..)
CM>2. With the FTP sessions, running the tcpdump file through ethereal allowed
CM>me to "Follow TCP Stream" and recover the files transferred perfectly.
CM>However, trying to do the same with the HTTP sessions didn't work too well.
CM>
CM>My question to the list: What tools/methods are used to manually remove the
CM>HTTP headers that prevent the (easy/quick) recovery of files over HTTP?
CM>RFCs on the issue, whilst informative, are 20 years old. What does the
CM>modern-day Homo sapiens forensics investigator do?
CM>
CM>Many thanks,
CM>
CM>Chris Mawer
Current thread:
- Removing HTTP headers from tcpdump logs Chris Mawer (May 07)
- Re: Removing HTTP headers from tcpdump logs Jarkko Turkulainen (May 07)
- Re: Removing HTTP headers from tcpdump logs George W. Capehart (May 07)
- Re: Removing HTTP headers from tcpdump logs shawnmer (May 07)
- Re: Removing HTTP headers from tcpdump logs Bill McCarty (May 09)
- Re: Removing HTTP headers from tcpdump logs Jarkko Turkulainen (May 07)