I was wondering if it's possible to reconstruct a binary file captured
with a utility like ethereal. I have been successful in
reconstructing files using a program called tcpflow using its -r option,
and for text this is fine, but I'm having trouble figuring out how to take
the file generated by tcpflow and actually save it as it was
originally intended. Is this possible? What utilities can accomplish
this? BTW simply renaming the file does not seem to work for me.
Example of desired goal: capture traffic using a libpcap program
like ethereal, save the output to a file, process that file with
tcpflow -r file and receive many files named by ip source and
destination, take one of these files and actually view it, if say it
was a jpeg, or run it if it was an application, etc. Thank You.
In the Usenet newsgroup comp.security.misc, in article
<1125418260.893775.166380@o13g2000cwo.googlegroups.com>, ketema@gmail.com wrote:
>I was wondering if it's possible to reconstruct a binary file captured
>with a utility like ethereal.
Possible? Yes. Practical? No
>I have been successful in reconstructing files using a program called
>tcpflow using its -r option, and for text this is fine, but I'm having
>trouble figuring out how to take the file generated by tcpflow and actually
>save it as it was originally intended. Is this possible?
I'd rather doubt that it's PRACTICAL. Using a stream editor, you could
convert the stream of packets into a file, but you would have to know the
protocols involved, and how to convert TCP and IP header data (specifically
the Offset and Length data) and match up port numbers and IP addresses.
The data is in there, it's just not something that would be practical.
>Example of desired goal: capture traffic using a libpcap program
>like ethereal, save the output to a file, process that file with
>tcpflow -r file and receive many files named by ip source and
>destination, take one of these files and actually view it, if say it
>was a jpeg, or run it if it was an application, etc.
A more practical solution would be to set up a proxy server, and have
the system you want to snoop on use that instead of the real source.
You are posting from the USA. You may wish to consult an attorney, as
this action may violate local, state, or federal law relating to
privacy, and intercepting data (especially if the data is from/to
"out of state").
> I'd rather doubt that it's PRACTICAL. Using a stream editor, you could
> convert the stream of packets into a file, but you would have to know the
> protocols involved, and how to convert TCP and IP header data (specifically
> the Offset and Length data) and match up port numbers and IP addresses.
> The data is in there, it's just not something that would be practical.
You mean like Ethereal's "Follow TCP Stream" operation does?
--
Barry Margolin, barmar@alum.mit.edu
Arlington, MA
*** PLEASE post questions in newsgroups, not directly to me ***
Moe Trin <ibuprofin@painkiller.example.tld> wrote:
> >I was wondering if it's possible to reconstruct a binary file captured
> >with a utility like ethereal.
> Possible? Yes. Practical? No
With an Ethereal dump it's possible to replay the traffic. Therefore
it's possible and practical to restore transported binary files, if
there was no encryption.
Yours,
VB.
--
"It cannot be that the frustrated people in Rome decide what happens in
German bedrooms."
Harald Schmidt on "World Youth Day"
ketema@gmail.com wrote:
>
> I was wondering if it's possible to reconstruct a binary file captured
> with a utility like ethereal.
It is certainly possible. But it sounds like you want to extract
several files from a stream, and that might be a mess.
I have extracted JPEG files myself. However, later on I discovered that
these can be picked up from the cache if you run Mozilla. All you have
to do is find the right file. Maybe other binary files can also be
found in Mozilla's cache.
--
Tore
Thanks for all the replies, I appreciate the help, but so far no one has
supplied an answer. Perhaps this attachment will help. It is a
reconstruction of a simple free executable that can be downloaded from
www.downloads.com. The file is what was reconstructed from the tcpflow
-r option. Notice that it is a binary file, but it has a header that to
me appears to be added by the tcpflow program. Can anyone get this
file to execute like the original? The file is i_view32.exe which is a
free graphic viewer made by a guy named Irfan, it should be easily
verifiable by downloading it either from his website or from
downloads.com or tucows. Since Google doesn't allow me to attach, the
tcpflow file can be found here on my website http://www.ketema.net/stream
and the entire ethereal log file can be downloaded too: http://www.ketema.net/tcpdump_ethereal.log
In the Usenet newsgroup comp.security.misc, in article
<barmar-568064.19190331082005@comcast.dca.giganews.com>, Barry Margolin wrote:
> ibuprofin@painkiller.example.tld (Moe Trin) wrote:
>
>> I'd rather doubt that it's PRACTICAL. Using a stream editor, you could
>> convert the stream of packets into a file, but you would have to know the
>> protocols involved, and how to convert TCP and IP header data (specifically
>> the Offset and Length data) and match up port numbers and IP addresses.
>> The data is in there, it's just not something that would be practical.
>
>You mean like Ethereal's "Follow TCP Stream" operation does?
I think the O/P wants something more 'turn-key'. The paragraph that followed
wanted packet-capture all the way to displaying the file contents, or running
the file if it were an application.
>>> I was wondering if it's possible to reconstruct a binary file captured
>>> with a utility like ethereal.
>> Possible? Yes. Practical? No
>
>With an Ethereal dump it's possible to replay the traffic. Therefore
>it's possible and practical to restore transported binary files, if
>there was no encryption.
Have you an application that the O/P can use? He's already got a means to
replay the traffic - what he wants is something to rebuild it and then
display/run the result (which sounds like passing it to OE without concern
for any security).
Moe Trin has stated it exactly. What is "passing it to OE"? Is OE some
sort of program to actually rebuild the original file? If so, that is
what I'm looking for.
> In the Usenet newsgroup comp.security.misc, in article
> <barmar-568064.19190331082005@comcast.dca.giganews.com>, Barry Margolin wrote:
>
> > ibuprofin@painkiller.example.tld (Moe Trin) wrote:
> >
> >> I'd rather doubt that it's PRACTICAL. Using a stream editor, you could
> >> convert the stream of packets into a file, but you would have to know the
> >> protocols involved, and how to convert TCP and IP header data (specifically
> >> the Offset and Length data) and match up port numbers and IP addresses.
> >> The data is in there, it's just not something that would be practical.
> >
> >You mean like Ethereal's "Follow TCP Stream" operation does?
>
> I think the O/P wants something more 'turn-key'. The paragraph that followed
> wanted packet-capture all the way to displaying the file contents, or running
> the file if it were an application.
I just meant that it's PRACTICAL (to copy your emphasis) to write a tool
that uses the same technique as Ethereal's Follow TCP Stream to do what
he wants.
In some cases it would have to do a little more than what Follow TCP
Stream does, though. For FTP, all it has to do is get the stream from
the data connection, but for HTTP it would have to recognize the request
and response header, so that it can skip over them and find the end of
the data (and in the case of chunked encoding, it will have to recognize
the individual chunks).
None of this is incredibly challenging, it's just some pattern matching.
I don't know offhand of any turn-key application to do it, but
Ethereal's Follow TCP Stream code should provide a good head start.
--
Barry Margolin, barmar@alum.mit.edu
Arlington, MA
*** PLEASE post questions in newsgroups, not directly to me ***
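The technique Barry describes above (skip the HTTP request/response headers, then honour Content-Length or chunked framing to find where the body ends) is small enough to show in full. The following script is an added example written for this thread, not code from Ethereal, tcpflow or any poster. It assumes the input is the server-to-client half of one connection as tcpflow -r writes it (status line, headers, blank line, body, possibly repeated for keep-alive), carves each body out, and names the result from its leading magic bytes instead of trusting the Content-Type header. The sample stream embedded below is constructed for the demonstration; with a file path on the command line it reads that file instead.

```python
"""Carve HTTP response bodies out of a reassembled TCP stream (added example).

The "header added by tcpflow" the original poster saw in his output is the
HTTP response header itself: tcpflow only strips TCP/IP framing, so the
application-layer framing still has to be parsed off before the bytes are
the downloaded file.
"""
import sys

# Constructed sample of a server->client tcpflow file holding two keep-alive
# responses: one Content-Length body starting like a JPEG, one chunked body
# starting like a PE executable. Not taken from any real capture.
SAMPLE_STREAM = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: image/jpeg\r\n"
    b"Content-Length: 8\r\n"
    b"\r\n"
    b"\xff\xd8\xff\xe0JFIF"            # 8 bytes: JPEG/JFIF signature (constructed)
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: application/octet-stream\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"\r\n"
    b"4\r\nMZ\x90\x00\r\n"              # chunk 1: DOS/PE "MZ" signature (constructed)
    b"3\r\nabc\r\n"                     # chunk 2
    b"0\r\n\r\n"                        # terminating chunk, no trailers
)

# Magic bytes -> extension hint. The hint is only used to name the output;
# it is not a guarantee that the body is a valid file of that type.
MAGIC = {
    b"\xff\xd8\xff": "jpg",
    b"\x89PNG": "png",
    b"%PDF": "pdf",
    b"MZ": "exe",
}


def parse_headers(raw):
    """Return (status_line, {lower-case header name: value}) for one header block."""
    lines = raw.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("latin-1")] = value.strip()
    return lines[0], headers


def read_chunked(stream, pos):
    """Decode chunked transfer encoding starting at pos; return (body, new_pos)."""
    body = bytearray()
    while True:
        eol = stream.index(b"\r\n", pos)
        size = int(stream[pos:eol].split(b";")[0], 16)  # drop chunk extensions
        pos = eol + 2
        if size == 0:
            # Last chunk: skip any trailer headers up to the final blank line.
            end = stream.index(b"\r\n\r\n", pos - 2)
            return bytes(body), end + 4
        body += stream[pos:pos + size]
        pos += size + 2  # step over the chunk data and its trailing CRLF


def extract_responses(stream):
    """Yield (status_line, headers, body) for each HTTP response in the stream."""
    pos = 0
    while pos < len(stream):
        hdr_end = stream.find(b"\r\n\r\n", pos)
        if hdr_end < 0 or not stream.startswith(b"HTTP/", pos):
            break  # no further well-formed response header
        status, headers = parse_headers(stream[pos:hdr_end])
        pos = hdr_end + 4
        if b"chunked" in headers.get("transfer-encoding", b"").lower():
            body, pos = read_chunked(stream, pos)
        elif "content-length" in headers:
            n = int(headers["content-length"])
            body, pos = stream[pos:pos + n], pos + n
        else:
            body, pos = stream[pos:], len(stream)  # HTTP/1.0 style: body ends with the connection
        yield status, headers, body


def guess_extension(body):
    """Name the carved body by its magic bytes, falling back to .bin."""
    for magic, ext in MAGIC.items():
        if body.startswith(magic):
            return ext
    return "bin"


def carve(stream):
    """Return [(suggested filename, body bytes), ...] for every response body."""
    return [(f"response_{i}.{guess_extension(body)}", body)
            for i, (_status, _headers, body) in enumerate(extract_responses(stream))]


if __name__ == "__main__":
    # Usage: python carve_http.py [tcpflow_server_to_client_file]
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_STREAM
    for name, body in carve(data):
        with open(name, "wb") as f:
            f.write(body)
        print(f"{name}: {len(body)} bytes")
```

Run it on the server-to-client file that tcpflow produced and the output files are the raw response bodies with the HTTP header gone. Checking the result is a matter of comparing its hash against a copy fetched directly from the vendor, which is a stronger verification than the extension hint; for FTP the data connection has no application framing, so the tcpflow file for that direction is already the bare file and needs no carving at all.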