Wireshark-users: [Wireshark-users] Perl script to extract files from dumps?
From: Miroslav Rovis <miro.rovis@xxxxxxxxxxxxxxxxx>
Date: Wed, 6 Apr 2016 23:42:31 +0200
Hi tsharkers/Wiresharkers!

I have been analyzing traffic for a long time. But only after I was told by a fine Gentooer [*], and after I was pointed by a Wireshark developer here on this ML [**] to http://wiki.wireshark.org/SSL, was almost all the traffic finally open to my eyes.

I think when it comes to figuring out what happened during some events that have been caught by dumpcap or tcpdump or another such tool, among other things, it is important to be able to first take the streams out [***], and then, since some streams comprise even dozens of files, it is important to be able to take those streams apart, so as to compare what the streams contain with, maybe (the most common case of one user trying to control what happens to him/her when he connects online and visits some web page), the screencast of the corresponding time [****].

I figured out the [***], the extracting of streams. See also [*****] for some more useful tricks.

But I wanted, along with sharing my cheatsheet for when I extract files from streams in my analyses, to ask if anybody among the more advanced users is willing to tell us struggling tshark/Wireshark enthusiasts like me: are there some Perl scripts available in public, under a free license (of course any thinking user can imagine what detailed analyzing tools our surveillors use on us users, but that lore is in no way available to the public...)? Are there such scripts that could take a stream and extract all the files from it, into a separate folder?
I have been using this cheatsheet to search for where to cut with hexedit and save files from tshark-extracted streams:

#======= _tshark-dumps-extracting-cheatsheat =========================#
### Cheatsheet for extracting files from traffic dumps                 #
### taken with (the Wireshark's) dumpcap or tcpdump or similar         #
### VERY INCOMPLETE, from my real extraction attempts                  #
#=======================================================================#
# for Perl                      | for hexedit/hexdump/...     | in ASCII    | name
\x47\x45\x54\x20                  47 45 54 20                   "GET "
\x3C\x21\x44\x4F                  3C 21 44 4F                   <!DOCTYPE
\x48\x54\x54\x50\x2F\x31\x2E\x31\x20  48 54 54 50 2F 31 2E 31 20  "HTTP/1.1 "
\x47\x49\x46\x38\x39\x61\x14\x00  47 49 46 38 39 61 14 00       GIF89a        GIF
\xFF\xD8\xFF\xE0                  FF D8 FF E0                   ÿØÿàJFIF      JPG
\x89\x50\x4E\x47                  89 50 4E 47                   .PNG          PNG
\x1F\x8B\x08                      1F 8B 08                                    GZIP
                                  FD 37 7A 58 5A 00 00 04                     XZ
                                  50 4B 03 04 0A 00 00 00                     ZIP
#=======================================================================#

I had spent many days on this, but it was a few months ago; I currently wish I could find such a script already made and freely published... I had spent long days learning Perl to cut streams at where every next file begins, but wasn't able to come up with such a script.

I'm sure many users who struggle with analyzing and extracting files from streams like me would find it very useful, as, to some extent, I hope some of the scripts I put together are useful too.

That's all I learned so far. Really struggling (and not withholding any of my knowledge, very thankful to Wireshark devs!).

Regards!

---
[*] https://forums.gentoo.org/viewtopic-t-1029408.html#7818724
[**] https://www.wireshark.org/lists/wireshark-users/201509/msg00011.html
[***] https://github.com/miroR/tshark-streams
[****] https://github.com/miroR/uncenz
[*****] http://www.croatiafidelis.hr/foss/cap/cap-160327-nft/tshark-http-uri.sh

--
Miroslav Rovis
Zagreb, Croatia
http://www.CroatiaFidelis.hr
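As an added example (not the author's or the list's code, and written in Python rather than the Perl asked for), the following automates the cheatsheet lookup: it scans a saved stream for the listed signatures and, for an HTTP stream, cuts each response body at its Content-Length so every file comes out whole, inflating gzip-encoded bodies before identifying them. The sample stream is constructed inline; chunked transfer encoding is left unhandled.

```python
import gzip
import re

MAGIC = [  # signatures from the cheatsheet above, most specific first
    (b"GIF89a", "gif"), (b"\xff\xd8\xff\xe0", "jpg"), (b"\x89PNG", "png"),
    (b"\x1f\x8b\x08", "gz"), (b"\xfd7zXZ\x00", "xz"), (b"PK\x03\x04", "zip"),
    (b"<!DOCTYPE", "html"),
]
# Response status lines only: a request line ends in "HTTP/1.1\r\n", so it does not match.
STATUS_LINE = re.compile(rb"HTTP/1\.[01] \d{3}")

def sniff(data):
    """Name a file type from its leading bytes (the hexedit lookup, automated)."""
    return next((name for sig, name in MAGIC if data.startswith(sig)), "bin")

def find_magics(data):
    """Every (offset, type) where a signature occurs anywhere in the buffer."""
    hits = []
    for sig, name in MAGIC:
        i = data.find(sig)
        while i >= 0:
            hits.append((i, name))
            i = data.find(sig, i + 1)
    return sorted(hits)

def carve_http_responses(stream):
    """Split the server side of an HTTP/1.x stream into [(body_offset, type, body)] by
    Content-Length (else up to the next status line; chunked encoding is not handled)."""
    results, pos = [], 0
    while (m := STATUS_LINE.search(stream, pos)):
        hdr_end = stream.find(b"\r\n\r\n", m.start())
        if hdr_end < 0:
            break  # headers truncated: nothing more to carve
        headers = stream[m.start():hdr_end].decode("latin-1")
        body_start = hdr_end + 4
        cl = re.search(r"^Content-Length:\s*(\d+)", headers, re.I | re.M)
        nxt = STATUS_LINE.search(stream, body_start)
        body_end = body_start + int(cl.group(1)) if cl else (nxt.start() if nxt else len(stream))
        body = stream[body_start:body_end]
        if re.search(r"^Content-Encoding:\s*gzip", headers, re.I | re.M) and body[:2] == b"\x1f\x8b":
            body = gzip.decompress(body)  # inflate so the real file type can be sniffed
        results.append((body_start, sniff(body), body))
        pos = body_end
    return results

# Constructed sample stream: a GIF header (not a real image), then a gzip-compressed HTML page.
GIF = b"GIF89a\x14\x00" + b"\x00" * 8
HTML_GZ = gzip.compress(b"<!DOCTYPE html><p>hi</p>", mtime=0)
SAMPLE_STREAM = (b"HTTP/1.1 200 OK\r\nContent-Type: image/gif\r\nContent-Length: %d\r\n\r\n%s"
                 b"HTTP/1.1 200 OK\r\nContent-Encoding: gzip\r\nContent-Length: %d\r\n\r\n%s"
                 % (len(GIF), GIF, len(HTML_GZ), HTML_GZ))
```

Feed it the raw bytes of one direction of a saved stream; `find_magics` gives the offsets you would otherwise hunt for in hexedit, and `carve_http_responses` returns the bodies ready to be written out under their sniffed type.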