07 Nov

Get files from your capture file

It’s awesome how easily you can reconstruct files from a dump ( wireshark / tcpdump / etc. ) file. We can use two methods.

Wireshark natively supports object extraction. This feature scans through HTTP streams in the currently open capture file or running capture and takes reassembled objects such as HTML documents, image files, executables and anything else that can be transferred over HTTP and lets you save them to disk.

Just go under File-> Export Objects –> HTTP, and save the files.


The feature also supports CIFS/SMB and DICOM data stream.

Another way is to use Tshark and foremost:

First extract the data from the capture file:

root@deepspace:/tmp# tshark -r test.pcap -T fields -e data -w test.raw

Use foremost to extract the files/data:

root@deepspace:/tmp# foremost -v -i test.raw

Foremost version 1.5.7 by Jesse Kornblum, Kris Kendall, and Nick Mikus
Audit File

Foremost started at Thu Nov  7 12:11:13 2013
Invocation: foremost -v -i test.raw
Output directory: /tmp/output
Configuration file: /etc/foremost.conf
Processing: test.raw
File: test.raw
Start: Thu Nov  7 12:11:13 2013
Length: 1 MB (1948323 bytes)
Num      Name (bs=512)         Size      File Offset     Comment

0:      00000175.jpg           4 KB           89809     
1:      00003495.jpg           3 KB         1789881     
2:      00000165.gif           42 B           84784       (1 x 1)
3:      00000352.gif           42 B          180499       (1 x 1)
4:      00000367.gif           42 B          188271       (1 x 1)
5:      00003026.gif           4 KB         1549677       (336 x 39)
6:      00003248.gif           35 B         1663451       (1 x 1)
7:      00003252.gif           35 B         1665185       (1 x 1)
8:      00003257.gif           35 B         1668021       (1 x 1)
9:      00003423.gif           42 B         1752940       (1 x 1)
10:     00003440.gif           42 B         1761706       (1 x 1)
11:     00000003.htm          44 KB            1847     
12:     00000112.htm          22 KB           57821     
13:     00000212.htm          40 KB          108754     
14:     00000297.htm          21 KB          152265     
15:     00000374.htm         190 KB          191511     
16:     00003250.htm           64 B         1664225     
17:     00003444.htm          314 B         1763629     
18:     00000109.png          886 B           56122       (111 x 26)
19:     00000780.png           1 KB          399486       (24 x 24)
20:     00000817.png          889 B          418579       (24 x 24)
21:     00003452.pdf         175 KB         1767649     
Finish: Thu Nov  7 12:11:13 2013


jpg:= 2
gif:= 9
htm:= 7
png:= 3
pdf:= 1

Foremost finished at Thu Nov  7 12:11:13 2013

root@deepspace:/tmp cd output/
audit.txt  gif/       htm/       jpg/       pdf/       png/


So another reason why everybody shall use secure connections (i.e.: IPSEC / TLS / etc.)

Thanks packetlife and evilrouters for the info!

03 Nov

Cisco CCIEv5 is here?

Well this was a rumor for a while, but it seems that it is here now. I currently scheduled my lab to 28 Feb, 2014, but I would like to postpone it to May. The question is now, should I?

According to the new INE post, it’s not a good idea.

There are others out there, who tell us not to Panic:

..and, Lindsay Hill create a nice summary post.

So, what the f…? I already contact with the Cert Support Team, and waiting for a specific answer: Should Cisco Systems announce the CCIE exam version change 6 months prior to the implementation of the new exam format, or not?

If the answer is yes, then we don’t need to panic, yet…


Dear Gabor,
Officially Cisco is not obligated to give any notice when retiring an exam, as a courtesy Cisco tries to announce the retirement or change within 6 months of the actual change date.

CCIE Support Specails


08 Sep

Interoperability of Loop Guard with Other STP Features

Just a quick refresh about the Loop guard STP feature interoperability. We can read about this topic in the  Spanning-Tree Protocol Enhancements using Loop Guard and BPDU Skew Detection Features whitepaper:

The root guard is mutually exclusive with the loop guard. The root guard is used on designated ports, and it does not allow the port to become non-designated. The loop guard works on non-designated ports and does not allow the port to become designated through the expiration of max_age. The root guard cannot be enabled on the same port as the loop guard. When the loop guard is configured on the port, it disables the root guard configured on the same port.

Once you configure loop guard on a root guard enabled port, the switch will happily disable the root guard feature:

Sep  8 10:16:02.943: %SPANTREE-2-ROOTGUARD_CONFIG_CHANGE: Root guard disabled on port FastEthernet0/13.

What about the Uplink/Backbone fast features?

Both uplink fast and backbone fast are transparent to the loop guard. When max_age is skipped by backbone fast at the time of reconvergence, it does not trigger the loop guard.