Ethereal-users: Re: [Ethereal-users] Help with combining packets

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <gharris@xxxxxxxxx>
Date: Fri, 26 Oct 2001 22:46:44 -0700
On Fri, Oct 26, 2001 at 01:08:44PM -0700, Guy Harris wrote:
> > I just loaded Ethereal and love how it works.  Is there a way that I
> > can combine the packets back into the file that was downloaded? (i.e. 
> > If I know someone on the network is downloading pictures can I combine
> > the packets to see what the picture is)?
> 
> Not with Ethereal.
> 
> However, ethereal uses the same libpcap format for packet capture files
> that tcpdump does; there are a number of tools that process libpcap
> files, and I seem to remember somebody mentioning some tool on this list
> that can do that sort of reassembly.

tcpflow:

	http://www.circlemud.org/~jelson/software/tcpflow/

"tcpflow is a program that captures data transmitted as part of TCP
connections (flows), and stores the data in a way that is convenient for
protocol analysis or debugging.  A program like 'tcpdump' shows a
summary of packets seen on the wire, but usually doesn't store the data
that's actually being transmitted.  In contrast, tcpflow reconstructs 
the actual data streams and stores each flow in a separate file for
later analysis."

However, it reassembles TCP connections, meaning that if they're using
HTTP rather than, say, FTP to download the file, you'll get the HTTP
response and MIME headers for the file being downloaded, not just the
raw file data.

You could probably write a program or script that takes the file for the
flow in one directory and

	reports the Content-Type header;

	skips or reports the other headers;

	saves the data to a file;

although if you want to handle persistent connections it'd also have to
take the Content-Length header into account, report each object's
Content-Type header, and save each object to a file.

You'd only get one side of a conversation in each file that tcpflow
writes, so you also wouldn't know the URL.
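The header-stripping script sketched above, written out as an added example (it is not part of the original message, nor a tool from the tcpflow project). It assumes tcpflow has already written the server-to-client half of the flow to a file; the sample flow bytes, the file naming, and the `HttpObject` helper type are all constructed for this illustration. Each response is cut at its Content-Length so that persistent connections yield one file per object, and a response with no Content-Length is taken to run to the end of the stream (connection close). Chunked transfer encoding is not handled.

```python
"""Split one side of a tcpflow output file (the server->client half of an
HTTP connection) into the individual response bodies it carries.

Added example; assumptions (not from the original post): the flow file is
already on disk, bodies are delimited by Content-Length or by the end of
the stream, and chunked transfer encoding does not occur."""
import os
import re
import tempfile
from dataclasses import dataclass
from typing import Dict, List, Optional

HEADER_END = re.compile(rb"\r?\n\r?\n")        # blank line that ends the header block
STATUS_LINE = re.compile(rb"HTTP/\d\.\d \d{3}")  # start of a response, e.g. "HTTP/1.1 200"

# Mapping from media type to file extension; anything else is saved as .bin
EXTENSIONS = {"image/jpeg": ".jpg", "image/png": ".png",
              "image/gif": ".gif", "text/html": ".html"}


@dataclass
class HttpObject:
    status: str                   # the status line, e.g. "HTTP/1.1 200 OK"
    content_type: Optional[str]   # Content-Type header value, if any
    body: bytes                   # the raw object data


def parse_headers(head: bytes) -> Dict[str, str]:
    """Parse header lines (everything after the status line) into a
    lowercase-keyed dict; a repeated header keeps its last value."""
    headers: Dict[str, str] = {}
    for line in head.split(b"\n")[1:]:
        line = line.rstrip(b"\r")
        if b":" not in line:
            continue
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return headers


def split_http_responses(stream: bytes) -> List[HttpObject]:
    """Walk the stream response by response, using Content-Length to find
    where each body ends so the next status line can be located."""
    objects: List[HttpObject] = []
    pos = 0
    while pos < len(stream):
        if not STATUS_LINE.match(stream, pos):
            break                                   # not an HTTP response: stop
        m = HEADER_END.search(stream, pos)
        if m is None:
            break                                   # headers truncated: nothing to save
        head = stream[pos:m.start()]
        status = head.split(b"\n", 1)[0].rstrip(b"\r").decode("latin-1")
        headers = parse_headers(head)
        body_start = m.end()
        length = headers.get("content-length")
        if length is not None and length.isdigit():
            # Persistent connection: the body is exactly Content-Length bytes,
            # capped at the stream end in case the capture was cut short.
            body_end = min(body_start + int(length), len(stream))
        else:
            body_end = len(stream)                  # no length: body runs to connection close
        objects.append(HttpObject(status, headers.get("content-type"),
                                  stream[body_start:body_end]))
        pos = body_end
    return objects


def extract_objects(flow_path: str, out_dir: str) -> List[str]:
    """Read a tcpflow output file, report each object's Content-Type and
    write its body to out_dir. Returns the written paths in stream order."""
    with open(flow_path, "rb") as f:
        stream = f.read()
    os.makedirs(out_dir, exist_ok=True)
    written: List[str] = []
    for i, obj in enumerate(split_http_responses(stream)):
        media = (obj.content_type or "application/octet-stream").split(";")[0].strip().lower()
        path = os.path.join(out_dir, f"{os.path.basename(flow_path)}.{i:03d}{EXTENSIONS.get(media, '.bin')}")
        with open(path, "wb") as out:
            out.write(obj.body)
        print(f"{path}: {obj.status} | Content-Type: {media} | {len(obj.body)} bytes")
        written.append(path)
    return written


# Constructed sample flow: two responses on one persistent connection, the
# first an 8-byte PNG signature, the second a 5-byte HTML fragment.
SAMPLE_FLOW = (
    b"HTTP/1.1 200 OK\r\nContent-Type: image/png\r\nContent-Length: 8\r\n\r\n"
    b"\x89PNG\r\n\x1a\n"
    b"HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=utf-8\r\nContent-Length: 5\r\n\r\n"
    b"<p>hi"
)


def main() -> None:
    # Stand-alone demonstration on the constructed sample instead of a real tcpflow file
    with tempfile.TemporaryDirectory() as tmp:
        flow_path = os.path.join(tmp, "010.000.000.001.00080-010.000.000.002.01234")
        with open(flow_path, "wb") as f:
            f.write(SAMPLE_FLOW)
        extract_objects(flow_path, os.path.join(tmp, "objects"))


if __name__ == "__main__":
    main()
```

Run it as `python3 split_flow.py` to see the two constructed objects written out; to use it on real output, point `extract_objects` at the file tcpflow wrote for the server-to-client direction. As the post notes, the request side (and so the URL) lives in the other file of the pair.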