Wireshark-users: Re: [Wireshark-users] Perl script to extract files from dumps?
From: Jaap Keuter <jaap.keuter@xxxxxxxxx>
Date: Fri, 8 Apr 2016 23:34:41 +0200
Hi, Have you looked through https://wiki.wireshark.org/Tools eg. Chaosreader seems to fit the bill. Thanks, Jaap On 06-04-16 23:42, Miroslav Rovis wrote: > Hi tsharkers/Wiresharkers! > > I have been analyzing traffic since long. But only after I was told by a fine > Gentooer [*], and after I was, by a Wireshark developer here on this ML [**[, > pointed to: > > http://wiki.wireshark.org/SSL > > all the traffic was finally almost all open for my eyes. > > I think when it comes to figuring what happened during some events that have > been caught by dumpcap or tcpdump or other such tool, among other things, it > is important to be able to first take the streams out [***], and then, since > some streams comprise even dozens of files, it is important to be able to take > those streams apart, such as to compare what the streams have, with what, > maybe (the most common case of one user trying to control what happens to > him/her when he connects online and visits some web page) compare it with the > screencast of the corresponding time [****]. > > I figured out the [***], the extracting of streams. See also [*****] for > figuring out, e.g. for some more tricks useful. > > But I wanted to, along the sharing of my cheatsheat when I extract files from > streams in my analyses, ask if anybody from more advanced users is willing to > tell us, struggling tshark/Wireshark enthusiasts like me: > > Are there some Perl scripts available in public, under free license (of course > any thinking user can imagine what details analyzing tools our surveillors use > on us users, but that lore is in no way available to public...)... > > Are there such scripts that could take a stream, and extract all the files > from it? in a separate folder? > > I have been using this cheatsheet to search for where to cut out with hexedit > and save files from tshark extracted streams: > > #======= _tshark-dumps-extracting-cheatsheat =========================# > ### Cheatsheat for extracting files from traffic dumps # > ### taken with (the Wireshark's) dumpcap or tcpdump or similar # > ### VERY INCOMPLETE, from my real extraction tentatives # > #=======================================================================# > # for Perl | for hexedit/hexdump/... | in ASCII | name > x47x45x54x20 47 45 54 20 "GET " > x3Cx21x44x4F 3C 21 44 4F <!DOCTYPE > x48x54x54x50x2Fx31x2Ex31x20 48 54 54 50 2F 31 2E 31 20 "HTTP/1.1 " > x47x49x46x38x39x61x14x00 47 49 46 38 39 61 14 00 GIF89a GIF > xFFxD8xFFxE0 FF D8 FF E0 ����JFIF JPG > x89x50x4Ex47 89 50 4E 47 .PNG PNG > x1Fx8Bx08 1F 8B 08 GZIP > FD 37 7A 58 5A 00 00 04 XZ > 50 4B 03 04 0A 00 00 00 ZIP > #=======================================================================# > > I had spent many days, but it was a few months ago, I currently wish I could > find such a script already made and freely published... > > I had spent long days learning Perl to cut streams at where every next file > begins, but wasn't able to come up with such a script. > > I'm sure many users who struggle with analyzing and extracting files from > streams like me, would find it very useful, as to some extent, I hope some of > the scripts I put together are useful too. That's all I learned so far. Really > struggling, (and not withholding any of my knowledge, very thankful to > Wireshark devs!). > > Regards! > > --- > [*] https://forums.gentoo.org/viewtopic-t-1029408.html#7818724 > [**] https://www.wireshark.org/lists/wireshark-users/201509/msg00011.html > [***] https://github.com/miroR/tshark-streams > [****] https://github.com/miroR/uncenz > [*****] http://www.croatiafidelis.hr/foss/cap/cap-160327-nft/tshark-http-uri.sh >
- Follow-Ups:
- Re: [Wireshark-users] Perl script to extract files from dumps?
- From: Miroslav Rovis
- Re: [Wireshark-users] Perl script to extract files from dumps?
- References:
- [Wireshark-users] Perl script to extract files from dumps?
- From: Miroslav Rovis
- [Wireshark-users] Perl script to extract files from dumps?
- Prev by Date: [Wireshark-users] command-W in Mac UI
- Next by Date: Re: [Wireshark-users] Perl script to extract files from dumps?
- Previous by thread: [Wireshark-users] Perl script to extract files from dumps?
- Next by thread: Re: [Wireshark-users] Perl script to extract files from dumps?
- Index(es):