Capturing Files from Network Streams

		Print
		Email weblog link
		Discuss
		Blog this

Nitesh Dhanjani
Oct. 10, 2005 04:01 PM
Permalink

Eric Chavez, a good friend of mine, alerted me to a new tool called tcpxtract. The purpose of this tool is to extract files from network dump files. I have been looking at ways to capture files from HTTP streams, so I thought I’d give it a try. It wouldn’t compile right away (misplaced #endif), but I found the solution on the Bugs section of the project website. I tried running it on OS-X, but it didn’t seem to capture any images. When I get a chance, I will probably look at the source code for tcpxtract.c to see where the problem is.

This reminded me of driftnet, a similar tool, but limited to extracting images (and now MPEG audio streams) from the network. Always a fun tool to try when at a coffee shop or airport. Here is a screenshot of driftnet successfully capturing images on my network (while I was visiting oreilly.com):

One useful option in driftnet is –a, which causes drifnet to save the images into a temporary location instead of displaying it on-the-fly.

On a related note, I came across another interesting tool: Foremost – this tool can recover files from a given stream of data. I tried it with network dump files that I created with Ettercap, and it worked surprisingly well.

Nitesh Dhanjani is a well known security researcher, author, and speaker. Dhanjani has been invited to talk at various information security events such as the Black Hat Briefings, RSA, Hack in the Box, Microsoft Blue Hat, and OSCON.

Comment on this weblog
You must be logged in to the O'Reilly Network to post a comment.

Showing messages 1 through 3 of 3.

Best file extraction
2006-04-26 03:32:52 TimVincent [Reply | View]

You *really* need to check out Unsniff Network analyzer. You can extract all kinds of files transferred via HTTP, FTP, SMB - even voice over IP.

The best feature is the ability to fully reconstruct HTTP streams. Even rich websites using complex stylesheets, Flash, or video are rendered perfectly offline.

Unfortunately, Unsniff doesnt work on Macs or Linux.

tcpflow
2005-10-12 09:31:12 infoape [Reply | View]

tcpflow is a very useful tool that will reconstruct data streams from the network or from saved network captures (with full packet).
http://www.circlemud.org/~jelson/software/tcpflow/

http://www.etherpeg.org/
2005-10-10 16:54:02 Jonathan Wellons | [Reply | View]

Driftnet sounds almost exactly like Etherpeg, which dynamically builds images of all the pictures going by on the network.

Showing messages 1 through 3 of 3.

Return to weblogs.oreilly.com.

Weblog authors are solely responsible for the content and accuracy of their weblogs, including opinions they express, and O'Reilly Media, Inc., disclaims any and all liabililty for that content, its accuracy, and opinions it may contain.

This work is licensed under a Creative Commons License.

-->

Capturing Files from Network Streams

Sponsored Resources

Related to this Article