Penetration Testing mailing list archives
Re: Packet Capture Rebuilding Utility
From: Rogan Dawes <lists () dawes za net>
Date: Wed, 28 Jan 2009 10:45:47 +0200
Justin Smith wrote:
On Tue, Jan 27, 2009 at 6:59 PM, Felonious Fish <feloniousfish () gmail com> wrote:

Greetings all - I have recently been banging my head against the wall in search of an Open Source tool that can take Wireshark captures (e.g. http) and rebuild them into a website. The purpose of this request is to add value within my deliverable reports. Instead of showing just one packet from a website, I believe it would be a greater impact to show the complete page that was sniffed.

Much appreciated
FF
Does the stream rebuilding inside Wireshark not provide enough of that for you? If you know the website and/or the client that you have gathered capture data from you can just create a filter to include just those two nodes and HTTP packets only. Then go to Analyze->Follow TCP Stream and it should rebuild the entire conversation between those two nodes from any packet.
It's not quite as simple as that. Each TCP stream may contain multiple request and response pairs, which each need to be stripped out. Stripping them out requires parsing the HTTP requests to determine if there is a request body or not, and similarly for the response. Once you determine that there is a body, you need to determine how long it is, based either on a Content-Length: header, a Transfer-Encoding: chunked header, or the end of the stream. Also, keep in mind that the message body may be compressed (gzipped).

The OP also then needs to decide which resource is going to be the top level of the page (i.e. the URL in the location bar of his browser), then convince the browser to load the resources from wherever they were extracted to. This might be achieved by rewriting the pages saved to the disk to change the <base href=""> tag to refer to the disk copy, or through some other means.

So, not trivial, but still doable with a bit of work. The OWASP Proxy library has a number of classes which may be useful as a basis to build on. See http://www.owasp.org/index.php/Category:OWASP_Proxy for details.

Rogan
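The body-framing steps described in the message above, as an added example that is not part of the original post and does not use the OWASP Proxy library. It assumes the server-to-client bytes of one reassembled TCP stream are already in memory; `split_responses`, `read_chunked` and `SAMPLE` are names made up for this sketch, and responses to HEAD requests (which need pairing with the request side) are not handled.

```python
import gzip

def read_chunked(buf, pos):
    """Decode a chunked body starting at pos; return (body, offset after it)."""
    body = b""
    while True:
        eol = buf.index(b"\r\n", pos)
        size = int(buf[pos:eol].split(b";")[0], 16)  # drop chunk extensions
        pos = eol + 2
        if size == 0:
            # Skip optional trailer lines up to the terminating blank line.
            while buf[pos:pos + 2] != b"\r\n":
                pos = buf.index(b"\r\n", pos) + 2
            return body, pos + 2
        body += buf[pos:pos + size]
        pos += size + 2  # chunk data plus its trailing CRLF

def split_responses(stream):
    """Split the server-to-client bytes of one TCP stream into responses."""
    out, pos = [], 0
    while (end := stream.find(b"\r\n\r\n", pos)) != -1:
        lines = stream[pos:end].decode("iso-8859-1").split("\r\n")
        status = int(lines[0].split()[1])
        hdrs = {k.strip().lower(): v.strip()
                for k, _, v in (l.partition(":") for l in lines[1:])}
        pos = end + 4
        if status < 200 or status in (204, 304):
            body = b""                              # bodiless by definition
        elif "chunked" in hdrs.get("transfer-encoding", "").lower():
            body, pos = read_chunked(stream, pos)
        elif "content-length" in hdrs:
            n = int(hdrs["content-length"])
            body, pos = stream[pos:pos + n], pos + n
        else:
            body, pos = stream[pos:], len(stream)   # runs to end of stream
        if hdrs.get("content-encoding", "").lower() in ("gzip", "x-gzip"):
            body = gzip.decompress(body)
        out.append((status, hdrs, body))
    return out

# Constructed sample stream: four responses on one keep-alive connection.
_page = gzip.compress(b"<html>hi</html>")
SAMPLE = (
    b"HTTP/1.1 200 OK\r\nContent-Encoding: gzip\r\nContent-Length: "
    + str(len(_page)).encode() + b"\r\n\r\n" + _page
    + b"HTTP/1.1 304 Not Modified\r\nETag: \"x\"\r\n\r\n"
    + b"HTTP/1.1 200 OK\r\nTransfer-Encoding: chunked\r\n\r\n"
    + b"4\r\nbody\r\n7\r\n{top:0}\r\n0\r\n\r\n"
    + b"HTTP/1.0 200 OK\r\nContent-Type: image/gif\r\n\r\nGIF89a-until-close"
)
```

A capture that was cut off mid-chunk makes `read_chunked` raise `ValueError`, which is the signal to treat that response as incomplete rather than save a truncated resource.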