Wireshark-users: Re: [Wireshark-users] Perl script to extract files from dumps?

From: Jaap Keuter <jaap.keuter@xxxxxxxxx>
Date: Fri, 8 Apr 2016 23:34:41 +0200
Hi,

Have you looked through https://wiki.wireshark.org/Tools
e.g. Chaosreader seems to fit the bill.

Thanks,
Jaap


On 06-04-16 23:42, Miroslav Rovis wrote:
> Hi tsharkers/Wiresharkers!
> 
> I have been analyzing traffic for a long time. But only after I was told by a fine
> Gentooer [*], and after I was, by a Wireshark developer here on this ML [**],
> pointed to:
> 
> http://wiki.wireshark.org/SSL
> 
> all the traffic was finally almost all open for my eyes.
> 
> I think when it comes to figuring what happened during some events that have
> been caught by dumpcap or tcpdump or other such tool, among other things, it
> is important to be able to first take the streams out [***], and then, since
> some streams comprise even dozens of files, it is important to be able to take
> those streams apart, such as to compare what the streams have, with what,
> maybe (the most common case of one user trying to control what happens to
> him/her when he connects online and visits some web page) compare it with the
> screencast of the corresponding time [****].
> 
> I figured out the [***], the extracting of streams. See also [*****] for
> some more useful tricks, e.g. for figuring things out.
> 
> But I wanted to, along with sharing my cheatsheet which I use when I extract files from
> streams in my analyses, ask if anybody from the more advanced users is willing to
> tell us, struggling tshark/Wireshark enthusiasts like me:
> 
> Are there some Perl scripts available in public, under a free license (of course
> any thinking user can imagine what detailed analyzing tools our surveillors use
> on us users, but that lore is in no way available to the public...)... 
> 
> Are there such scripts that could take a stream, and extract all the files
> from it? in a separate folder?
> 
> I have been using this cheatsheet to search for where to cut out with hexedit
> and save files from tshark extracted streams:
> 
> #=======  _tshark-dumps-extracting-cheatsheat  =========================#
> ###     Cheatsheet for extracting files from traffic dumps              #
> ###     taken with (the Wireshark's) dumpcap or tcpdump or similar      #
> ###        VERY INCOMPLETE, from my real extraction tentatives          #
> #=======================================================================#
> # for Perl                 | for hexedit/hexdump/...   | in ASCII   | name
> x47x45x54x20                47 45 54 20                  "GET "
> x3Cx21x44x4F                3C 21 44 4F                  <!DOCTYPE
> x48x54x54x50x2Fx31x2Ex31x20 48 54 54 50  2F 31 2E 31 20  "HTTP/1.1 " 
> x47x49x46x38x39x61x14x00    47 49 46 38  39 61 14 00     GIF89a      GIF
> xFFxD8xFFxE0                FF D8 FF E0                  ....JFIF    JPG
> x89x50x4Ex47                89 50 4E 47                  .PNG        PNG
> x1Fx8Bx08                   1F 8B 08                                 GZIP
>                             FD 37 7A 58  5A 00 00 04                 XZ
>                             50 4B 03 04  0A 00 00 00                 ZIP
> #=======================================================================#
> 
> I had spent many days, but it was a few months ago, I currently wish I could
> find such a script already made and freely published...
> 
> I had spent long days learning Perl to cut streams at where every next file
> begins, but wasn't able to come up with such a script.
> 
> I'm sure many users who struggle with analyzing and extracting files from
> streams like me, would find it very useful, as to some extent, I hope some of
> the scripts I put together are useful too. That's all I learned so far. Really
> struggling, (and not withholding any of my knowledge, very thankful to
> Wireshark devs!).
> 
> Regards!
> 
> ---
> [*] https://forums.gentoo.org/viewtopic-t-1029408.html#7818724
> [**] https://www.wireshark.org/lists/wireshark-users/201509/msg00011.html
> [***] https://github.com/miroR/tshark-streams
> [****] https://github.com/miroR/uncenz
> [*****] http://www.croatiafidelis.hr/foss/cap/cap-160327-nft/tshark-http-uri.sh
>
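Editor's note, outside the thread above: Wireshark's File > Export Objects > HTTP (and the --export-objects option in newer tshark releases) carves HTTP bodies straight out of a capture, which covers the most common case. For the situation the original post describes, a raw stream already saved to disk, the following added example (not code from either poster, and not Chaosreader) shows why cutting at the cheatsheet's magic numbers is fragile and what to do instead: split the stream where HTTP/1.1 itself says a response ends (Content-Length, chunked encoding, or status codes that never carry a body), inflate gzip bodies, and use the magic numbers only to pick a file extension. The sample stream, its fake PNG and GIF bodies, and the function names are constructed for the example.

```python
"""Carve HTTP response bodies out of one direction of a raw TCP stream, e.g.
the server-to-client bytes saved from Wireshark's "Follow TCP Stream" (Raw).
Responses are cut at the boundaries HTTP declares, not at magic numbers;
the cheatsheet's signatures only name the result. Added example, not the
thread's code."""
import gzip
import re
import sys
from dataclasses import dataclass
from pathlib import Path
from typing import Dict, List, Tuple

# Signatures from the cheatsheet (plus GIF87a and <html>), used for labelling only.
MAGIC = [
    (b"GIF89a", "gif"), (b"GIF87a", "gif"),
    (b"\xff\xd8\xff", "jpg"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\x1f\x8b\x08", "gz"),
    (b"\xfd7zXZ\x00", "xz"),
    (b"PK\x03\x04", "zip"),
    (b"<!DOCTYPE", "html"), (b"<html", "html"),
]


def guess_ext(data: bytes) -> str:
    """Name a carved body by its leading bytes; unknown data becomes .bin."""
    for sig, ext in MAGIC:
        if data.startswith(sig):
            return ext
    return "bin"


@dataclass
class Carved:
    status: int
    headers: Dict[str, str]
    body: bytes
    ext: str


def parse_headers(raw: bytes) -> Tuple[int, Dict[str, str]]:
    """Parse a status line plus header lines (the bytes before the blank line)."""
    lines = raw.split(b"\r\n")
    m = re.match(rb"HTTP/1\.[01] (\d{3})", lines[0])
    if not m:
        raise ValueError("not an HTTP/1.x status line: %r" % lines[0][:40])
    headers = {}
    for line in lines[1:]:
        if b":" in line:
            k, v = line.split(b":", 1)
            headers[k.strip().decode("latin-1").lower()] = v.strip().decode("latin-1")
    return int(m.group(1).decode()), headers


def read_chunked(buf: bytes, pos: int) -> Tuple[bytes, int]:
    """Decode a chunked body starting at pos; return (body, offset after it)."""
    out = bytearray()
    while True:
        eol = buf.index(b"\r\n", pos)
        size = int(buf[pos:eol].split(b";")[0], 16)   # ignore chunk extensions
        pos = eol + 2
        if size == 0:                                  # last chunk: skip trailers
            end = buf.index(b"\r\n\r\n", pos - 2)
            return bytes(out), end + 4
        out += buf[pos:pos + size]
        pos += size + 2                                # chunk data plus its CRLF


def carve_stream(stream: bytes) -> List[Carved]:
    """Split one direction of a TCP stream into HTTP responses, bodies inflated."""
    results, pos = [], 0
    while True:
        start = stream.find(b"HTTP/1.", pos)           # resync on the next status line
        if start < 0:
            break
        hdr_end = stream.find(b"\r\n\r\n", start)
        if hdr_end < 0:
            break                                      # truncated capture
        status, headers = parse_headers(stream[start:hdr_end])
        pos = hdr_end + 4
        # 1xx/204/304 never carry a body even if Content-Length is present.
        # (Replies to HEAD also have none; that needs the request direction.)
        if status < 200 or status in (204, 304):
            body = b""
        elif headers.get("transfer-encoding", "").lower() == "chunked":
            body, pos = read_chunked(stream, pos)
        elif "content-length" in headers:
            n = int(headers["content-length"])
            body, pos = stream[pos:pos + n], pos + n
        else:                                          # no framing: body runs to next response/EOF
            nxt = stream.find(b"HTTP/1.", pos)
            end = len(stream) if nxt < 0 else nxt
            body, pos = stream[pos:end], end
        if headers.get("content-encoding", "").lower() == "gzip" and body[:2] == b"\x1f\x8b":
            body = gzip.decompress(body)               # inner magic only visible after inflating
        results.append(Carved(status, headers, body, guess_ext(body)))
    return results


def write_files(items: List[Carved], outdir: Path) -> List[Path]:
    """Save every non-empty body as NNN.ext in outdir; return the paths written."""
    outdir.mkdir(parents=True, exist_ok=True)
    paths = []
    for i, c in enumerate(items):
        if c.body:
            p = outdir / ("%03d.%s" % (i, c.ext))
            p.write_bytes(c.body)
            paths.append(p)
    return paths


# Constructed sample stream: fake PNG/GIF bodies (headers only, not real images).
PNG = b"\x89PNG\r\n\x1a\n" + bytes(range(48))
GIF = b"GIF89a\x14\x00\x14\x00" + b"\x00" * 40


def _chunked(data: bytes, size: int = 16) -> bytes:
    pieces = [data[i:i + size] for i in range(0, len(data), size)]
    return b"".join(b"%x\r\n%s\r\n" % (len(p), p) for p in pieces) + b"0\r\n\r\n"


SAMPLE_STREAM = (
    b"HTTP/1.1 200 OK\r\nContent-Type: image/png\r\nContent-Length: %d\r\n\r\n" % len(PNG) + PNG
    + b"HTTP/1.1 200 OK\r\nContent-Type: image/gif\r\nContent-Encoding: gzip\r\n"
      b"Transfer-Encoding: chunked\r\n\r\n" + _chunked(gzip.compress(GIF))
    + b"HTTP/1.1 304 Not Modified\r\nContent-Length: 1234\r\n\r\n"   # 304: no body follows
)

if __name__ == "__main__":
    raw = Path(sys.argv[1]).read_bytes() if len(sys.argv) > 1 else SAMPLE_STREAM
    out = Path(sys.argv[2]) if len(sys.argv) > 2 else Path("carved")
    for p in write_files(carve_stream(raw), out):
        print(p)
```

Run it as `python carve_http.py stream.raw outdir/` on a saved server-to-client stream; with no arguments it carves the constructed sample. Note what the chunked-plus-gzip case shows: the GIF89a signature never appears in the stream bytes at all, so a hexedit search for it (the cheatsheet approach) would miss that file entirely, and the 304 response shows why a Content-Length header alone cannot be trusted as the cut point.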