Complete reconstruction of a TCP session (HTML pages) from Wireshark pcaps, any tools for this?

滥情空心 2020-12-08 12:26

I wonder if there is a way in Wireshark to reconstruct a complete TCP session (HTML page(s)) if we have Wireshark pcaps. Can Wireshark do the reconstruction? Or is there any

5 answers
  • 2020-12-08 12:36

    tcptrace has an option (-e) for this:

    Extracting: The -e option can be used to extract the contents (TCP data payload) of each connection into a separate data file.

    For example,

    Beluga:/Users/mani> tcptrace -e albus.dmp

    generates files a2b_contents.dat, b2a_contents.dat; c2d_contents.dat, d2c_contents.dat if the file albus.dmp had 2 traced TCP connections. tcptrace is pretty smart in generating these contents files. It does not commit trivial mistakes like saving retransmissions multiple times in the file for example, and is aware of sequence space wrap-arounds. However, if you want the entire contents of the traffic, please make sure that packets are captured in their entirety (give suitable snaplen value with tcpdump for example).

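    The behaviour the answer above credits to tcptrace -e (one copy of each byte even when a segment is retransmitted, correct ordering across a sequence-number wrap-around, and dependence on a snaplen large enough to hold whole packets) is easy to see in a small reassembler. The following is an added example, not code from the original thread or from tcptrace itself. It builds a libpcap capture in memory rather than reading one from disk: a two-segment HTTP request whose sequence numbers cross the 2**32 boundary, captured out of order, with the first segment retransmitted once, plus the server's reply. All function names, addresses and payloads are constructed for the example.

```python
"""Reassemble each TCP direction from a libpcap file (tcptrace -e / tcpflow style).

Added example, not code from the original thread or from either tool. The capture is
constructed in memory; no network access or external file is needed.
"""
import struct
from collections import defaultdict

ETH_LEN = 14
SEQ_MOD = 1 << 32


def build_frame(src, dst, sport, dport, seq, payload):
    """Ethernet + IPv4 + TCP frame (constructed input; checksums are left zero)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0, src, dst)
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    return eth + ip + tcp


def build_pcap(frames):
    """libpcap container: 24-byte global header (linktype 1 = Ethernet), 16-byte record headers."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", i, 0, len(f), len(f)) + f
    return out


def build_sample_pcap():
    """Constructed capture: request split across the seq wrap, out of order, retransmitted."""
    c, s = bytes([10, 0, 0, 1]), bytes([93, 184, 216, 34])
    seg1 = build_frame(c, s, 40000, 80, 0xFFFFFFF0, b"GET / HTTP/1.1\r\n")       # 16 bytes
    seg2 = build_frame(c, s, 40000, 80, 0x00000000, b"Host: example.com\r\n\r\n")  # seq wrapped to 0
    resp = build_frame(s, c, 80, 40000, 1000, b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\nok")
    return build_pcap([seg2, seg1, seg1, resp])  # seg2 arrives first, seg1 is seen twice


def iter_pcap(data):
    """Yield captured frames; honours caplen, so a short snaplen yields truncated frames."""
    magic = struct.unpack("<I", data[:4])[0]
    order = "<" if magic in (0xA1B2C3D4, 0xA1B23C4D) else ">"
    pos = 24
    while pos + 16 <= len(data):
        caplen = struct.unpack(order + "IIII", data[pos:pos + 16])[2]
        pos += 16
        yield data[pos:pos + caplen]
        pos += caplen


def parse_tcp(frame):
    """Return ((src, sport, dst, dport), seq, payload) for an IPv4/TCP frame, else None."""
    if len(frame) < ETH_LEN + 40 or frame[12:14] != b"\x08\x00":
        return None
    ip = frame[ETH_LEN:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 6:
        return None
    tcp = ip[ihl:struct.unpack("!H", ip[2:4])[0]]
    sport, dport, seq = struct.unpack("!HHI", tcp[:8])
    doff = (tcp[12] >> 4) * 4
    key = (".".join(map(str, ip[12:16])), sport, ".".join(map(str, ip[16:20])), dport)
    return key, seq, tcp[doff:]


def reassemble(pcap_bytes):
    """Map each direction to its payload: ordered by seq, duplicates dropped, wrap-aware."""
    segments, first_seq = defaultdict(dict), {}
    for frame in iter_pcap(pcap_bytes):
        parsed = parse_tcp(frame)
        if parsed is None or not parsed[2]:
            continue
        key, seq, payload = parsed
        first_seq.setdefault(key, seq)
        if len(payload) > len(segments[key].get(seq, b"")):  # retransmission: keep one copy
            segments[key][seq] = payload
    streams = {}
    for key, segs in segments.items():
        rels = []
        for seq, payload in segs.items():
            rel = (seq - first_seq[key]) % SEQ_MOD
            if rel >= SEQ_MOD // 2:
                rel -= SEQ_MOD  # lies before the first segment we happened to capture
            rels.append((rel, payload))
        base = min(rel for rel, _ in rels)
        buf = bytearray()
        for rel, payload in sorted(rels):
            rel -= base
            if rel > len(buf):
                buf.extend(b"\x00" * (rel - len(buf)))  # hole: a segment was not captured
            buf.extend(payload[len(buf) - rel:])  # skip bytes an earlier segment already covered
        streams[key] = bytes(buf)
    return streams


if __name__ == "__main__":
    for (src, sport, dst, dport), data in reassemble(build_sample_pcap()).items():
        print(f"{src}.{sport}-{dst}.{dport}: {len(data)} bytes")
        print(data.decode("latin-1"))
```

    Sequence numbers are taken relative to the first segment seen in each direction and interpreted as signed 32-bit offsets, so a stream that wraps past 2**32 (or whose first captured segment is not its earliest) still orders correctly, as long as no single direction spans more than 2 GiB. Bytes a retransmission repeats are skipped rather than appended twice; a missing segment leaves a zero-filled hole instead of silently shifting everything after it. Because the reader trusts caplen, a capture taken with a small snaplen yields truncated frames and therefore truncated payloads, which is the reason the answer above asks for a suitable snaplen.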
  • 2020-12-08 12:41

    I suggest tcpflow, a full-featured tcp/ip session reconstructor. It is very fast, will handle very large sessions, automatically decompresses gzip'ed connections, automatically breaks out MIME objects sent by HTTP, creates an XML file of what it's done, runs on MacOS, Linux and Windows, and more. It's a command-line tool.

  • 2020-12-08 12:48

    Use justniffer-grab-http-traffic. It is based on justniffer and is an excellent tool for rebuilding TCP streams.

  • 2020-12-08 12:53

    Depending on what version of Wireshark you have, you should be able to do something along the lines of:

    1. Filter out the session you care about
    2. Do File->Export->Objects->Http
    3. Select a folder.

    Is there something more you need? This appears to do the gzip decompression etc. It won't work if you're running SSL (it MIGHT be able to if you can get the appropriate keys to make the SSL decode work, but that gets trickier and I'd suggest trying Fiddler in that case).

    HTH

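    Both the Export Objects step above and tcpflow's automatic gzip decompression and MIME breakout (second answer) operate on the already reassembled server-to-client byte stream: they walk it response by response, find each body using Content-Length or the chunked transfer coding, and undo the content coding before writing the object out. The following is an added example of that step, not Wireshark or tcpflow code. Its input is a constructed plaintext stream of the kind a sequence-number reassembler produces (for TLS the stream has to be decrypted first, as the answer notes); all function names and the two sample responses are constructed for the example.

```python
"""Split a reassembled HTTP/1.1 server->client stream into the objects it carries.

Added example, not Wireshark's Export Objects or tcpflow's MIME breakout code.
Handles Content-Length bodies, chunked transfer coding and gzip content coding.
"""
import gzip


def parse_headers(block):
    """Status line plus headers (names lower-cased) from one header block, CRLF-separated."""
    status_line, _, rest = block.partition(b"\r\n")
    headers = {}
    for line in rest.split(b"\r\n"):
        if line:
            name, _, value = line.partition(b":")
            headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return status_line.decode("latin-1"), headers


def read_chunked(data, pos):
    """Decode a chunked body starting at pos; return (body, offset just past the trailer)."""
    body = bytearray()
    while True:
        line_end = data.index(b"\r\n", pos)
        size = int(data[pos:line_end].split(b";")[0], 16)  # chunk extensions are ignored
        pos = line_end + 2
        if size == 0:
            end = data.index(b"\r\n\r\n", pos - 2)  # skip optional trailer headers
            return bytes(body), end + 4
        body += data[pos:pos + size]
        pos += size + 2  # CRLF that follows the chunk data


def decode_body(headers, body):
    """Undo the content coding so the object is stored as the browser would see it."""
    coding = headers.get("content-encoding", "identity").lower()
    if coding in ("gzip", "x-gzip"):
        return gzip.decompress(body)
    return body  # identity, or a coding this example does not handle (kept as captured)


def extract_objects(stream):
    """Return [(status_line, content_type, decoded_body)] for every response in the stream."""
    objects, pos = [], 0
    while pos < len(stream):
        hdr_end = stream.find(b"\r\n\r\n", pos)
        if hdr_end < 0:
            break  # truncated capture: header block never completed
        status, headers = parse_headers(stream[pos:hdr_end])
        pos = hdr_end + 4
        if "chunked" in headers.get("transfer-encoding", "").lower():
            body, pos = read_chunked(stream, pos)
        else:
            length = int(headers.get("content-length", "0"))
            body, pos = stream[pos:pos + length], pos + length  # short capture gives a short body
        objects.append((status, headers.get("content-type", ""), decode_body(headers, body)))
    return objects


def build_sample_stream():
    """Constructed server->client stream: a gzip'ed HTML page, then a chunked JSON reply."""
    html = b"<html><body><h1>hello</h1></body></html>"
    gz = gzip.compress(html)
    r1 = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Encoding: gzip\r\n"
          b"Content-Length: %d\r\n\r\n" % len(gz)) + gz
    r2 = (b"HTTP/1.1 200 OK\r\nContent-Type: application/json\r\n"
          b"Transfer-Encoding: chunked\r\n\r\n"
          b"7\r\n{\"ok\":t\r\n4\r\nrue}\r\n0\r\n\r\n")
    return r1 + r2


if __name__ == "__main__":
    for i, (status, ctype, body) in enumerate(extract_objects(build_sample_stream())):
        print(f"object {i}: {status} [{ctype}] {len(body)} bytes")
        print(body.decode("latin-1"))
```

    Without the content-coding step the first object would be written out as gzip bytes, which is exactly the difference the answer above points at when it says the export "appears to do the gzip decompression". Pipelined responses are separated purely by the framing (Content-Length or chunk sizes), so a stream truncated by snaplen or by a missing segment yields a short final object rather than an error.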
  • 2020-12-08 12:57

    You can also use Bro if you prefer a command-line interface. Simply load it with the contents script:

    bro -r trace.pcap -f 'port 80' contents
    

    (You can skip the optional BPF filter expression -f port 80.) This extracts the full TCP stream and writes it to files of the form:

    contents.<sourceIP>.<sourcePORT>-<destinationIP>.<destinationPORT>
    

    As Christian mentioned, the reassembly is highly robust and has been tested thoroughly.
