Get files from your capture file

November 7th, 2013

It’s awesome how easily you can reconstruct files from a capture file (Wireshark / tcpdump / etc.). There are two methods.

Wireshark natively supports object extraction. This feature scans through HTTP streams in the currently open capture file or running capture and takes reassembled objects such as HTML documents, image files, executables and anything else that can be transferred over HTTP and lets you save them to disk.

Just go to File -> Export Objects -> HTTP, and save the files.


The feature also supports CIFS/SMB and DICOM data streams.

Another way is to use tshark and foremost:

First extract the data from the capture file:

root@deepspace:/tmp# tshark -r test.pcap -T fields -e data -w test.raw

Use foremost to extract the files/data:

root@deepspace:/tmp# foremost -v -i test.raw

Foremost version 1.5.7 by Jesse Kornblum, Kris Kendall, and Nick Mikus
Audit File

Foremost started at Thu Nov  7 12:11:13 2013
Invocation: foremost -v -i test.raw
Output directory: /tmp/output
Configuration file: /etc/foremost.conf
Processing: test.raw
|——————————————————————
File: test.raw
Start: Thu Nov  7 12:11:13 2013
Length: 1 MB (1948323 bytes)
 
Num      Name (bs=512)         Size      File Offset     Comment

0:      00000175.jpg           4 KB           89809     
1:      00003495.jpg           3 KB         1789881     
2:      00000165.gif           42 B           84784       (1 x 1)
3:      00000352.gif           42 B          180499       (1 x 1)
4:      00000367.gif           42 B          188271       (1 x 1)
5:      00003026.gif           4 KB         1549677       (336 x 39)
6:      00003248.gif           35 B         1663451       (1 x 1)
7:      00003252.gif           35 B         1665185       (1 x 1)
8:      00003257.gif           35 B         1668021       (1 x 1)
9:      00003423.gif           42 B         1752940       (1 x 1)
10:     00003440.gif           42 B         1761706       (1 x 1)
11:     00000003.htm          44 KB            1847     
12:     00000112.htm          22 KB           57821     
13:     00000212.htm          40 KB          108754     
14:     00000297.htm          21 KB          152265     
15:     00000374.htm         190 KB          191511     
16:     00003250.htm           64 B         1664225     
17:     00003444.htm          314 B         1763629     
18:     00000109.png          886 B           56122       (111 x 26)
19:     00000780.png           1 KB          399486       (24 x 24)
20:     00000817.png          889 B          418579       (24 x 24)
21:     00003452.pdf         175 KB         1767649     
*|
Finish: Thu Nov  7 12:11:13 2013

22 FILES EXTRACTED

jpg:= 2
gif:= 9
htm:= 7
png:= 3
pdf:= 1
——————————————————————

Foremost finished at Thu Nov  7 12:11:13 2013

root@deepspace:/tmp# cd output/
root@deepspace:/tmp/output# ls
audit.txt  gif/       htm/       jpg/       pdf/       png/
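As an added illustration (not code from the original post or from the foremost project), here is a minimal header/footer carver in Python that does to a byte blob what foremost does to test.raw, run over a constructed stand-in containing four tiny files. It also makes the catch of carving a capture file directly visible: it is pure byte matching, so a file split across several TCP segments is carved with the intervening packet headers still inside it, which is why the reassembling Export Objects route in Wireshark is the more reliable one; the signature table is constructed here and is not the contents of the author's /etc/foremost.conf.

```python
# Foremost-style header/footer carving, written as an added example for this post;
# the signatures are constructed here, not copied from /etc/foremost.conf.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "gif": (b"GIF8", b"\x00\x3b"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xae\x42\x60\x82"),
    "pdf": (b"%PDF", b"%%EOF"),
}
MAX_SIZE = 10 * 1024 * 1024  # stop looking for a footer 10 MB past a header


def carve(blob, signatures=SIGNATURES, max_size=MAX_SIZE):
    """Return [(type, offset, data)] for every header/footer pair in blob.

    Pure byte matching knows nothing about pcap, TCP or HTTP: a file split over
    several segments is carved with the packet headers still inside it.
    """
    found = []
    for ftype, (header, footer) in signatures.items():
        pos = 0
        while (start := blob.find(header, pos)) != -1:
            end = blob.find(footer, start + len(header), start + max_size)
            if end == -1:  # header with no footer in range: skip this header
                pos = start + 1
                continue
            end += len(footer)
            found.append((ftype, start, blob[start:end]))
            pos = end
    found.sort(key=lambda item: item[1])  # by file offset, as foremost lists them
    return found


def summarize(found):
    """Per-type counts, like the 'jpg:= 2' lines in foremost's audit."""
    counts = {}
    for ftype, _, _ in found:
        counts[ftype] = counts.get(ftype, 0) + 1
    return counts


# Constructed stand-in for test.raw: four tiny files with filler and an HTTP header.
SAMPLE = (
    b"\x00" * 40
    + b"\x89PNG\r\n\x1a\n\x00\x00\x00\x0dIHDR" + b"\x00" * 17
    + b"\x00\x00\x00\x00IEND\xae\x42\x60\x82"
    + b"HTTP/1.1 200 OK\r\nContent-Type: image/jpeg\r\n\r\n"
    + b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x11" * 30 + b"\xff\xd9"
    + b"GIF89a\x01\x00\x01\x00\x80\x00\x00\xff\xff\xff\x00\x00\x00"
    + b",\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02D\x01\x00;"
    + b"%PDF-1.4\n% constructed placeholder, not a real document\n%%EOF"
)
```

Calling carve(SAMPLE) returns the four files in offset order, and summarize() gives the same per-type tally foremost prints at the end of its audit.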

So that is another reason why everybody should use encrypted connections (IPsec, TLS, etc.).

Thanks packetlife and evilrouters for the info!
