Monday, December 21, 2009

pcapcat, dumping the contents of a tcp stream

Pcapcat is a simple Perl script that can dump the contents of a TCP stream. The script prints an index of the TCP streams it identifies (by default it shows only new connection streams, i.e. those initiated by a SYN packet, but you have the option to show already established connections as well), and you use this index to identify which stream you would like to dump.

usage:
# perl pcapcat -r pcap_file // displays new connection streams; already established connections are ignored

# perl pcapcat -r pcap_file -a // '-a' also displays already established connections, useful where the capture starts after the connection was set up and the conversation is already under way

# perl pcapcat -h // lists all the options pcapcat accepts
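To make the "new versus already established" distinction concrete, here is an added example in Python (not pcapcat's own Perl code) that does the same job on a small scale: it parses a classic libpcap file, groups TCP segments into streams, marks a stream as "new" when its first captured segment is a bare SYN, and lets you dump one stream's payload by index. The sample capture is constructed in the script itself (the IPs, ports and payloads are invented), and the parser assumes a little-endian pcap with Ethernet link type and IPv4 only.

```python
"""Index TCP streams in a pcap and dump one of them (illustrative, not pcapcat)."""
import socket
import struct

SYN, ACK, PSH = 0x02, 0x10, 0x08

# --- constructed sample capture (assumption: addresses and payloads are invented) ---
def _tcp_frame(src, dst, sport, dport, flags, seq=0, ack=0, payload=b""):
    """Build an Ethernet/IPv4/TCP frame. Checksums stay zero: fine for parsing."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags,
                      65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp          # dummy MACs, ethertype IPv4

def _pcap(frames):
    """Wrap raw frames in a classic little-endian libpcap file (link type 1)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1261400000 + i, 0, len(f), len(f)) + f
    return out

C, S = "10.0.0.2", "10.0.0.1"
SAMPLE_PCAP = _pcap([
    # stream 1: full handshake captured, so it is a "new connection" stream
    _tcp_frame(C, S, 40000, 80, SYN, seq=100),
    _tcp_frame(S, C, 80, 40000, SYN | ACK, seq=500, ack=101),
    _tcp_frame(C, S, 40000, 80, ACK, seq=101, ack=501),
    _tcp_frame(C, S, 40000, 80, PSH | ACK, seq=101, ack=501,
               payload=b"GET / HTTP/1.0\r\n\r\n"),
    _tcp_frame(S, C, 80, 40000, PSH | ACK, seq=501, ack=119,
               payload=b"HTTP/1.0 200 OK\r\n\r\nhello"),
    # stream 2: capture started mid-conversation, no SYN seen -> "already established"
    _tcp_frame("10.0.0.3", S, 41000, 25, PSH | ACK, seq=9000, ack=8000,
               payload=b"MAIL FROM:<a@example>\r\n"),
])

# --- parsing and indexing ---------------------------------------------------
def iter_tcp(pcap_bytes):
    """Yield (src, sport, dst, dport, flags, payload) for every TCP segment."""
    magic, = struct.unpack("<I", pcap_bytes[:4])
    if magic != 0xA1B2C3D4:
        raise ValueError("only little-endian classic pcap is handled here")
    pos = 24                                     # skip the global header
    while pos + 16 <= len(pcap_bytes):
        _, _, incl, _ = struct.unpack("<IIII", pcap_bytes[pos:pos + 16])
        frame = pcap_bytes[pos + 16:pos + 16 + incl]
        pos += 16 + incl
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # not IPv4
            continue
        ihl = (frame[14] & 0x0F) * 4
        ip_len, = struct.unpack("!H", frame[16:18])
        if frame[23] != 6:                                    # not TCP
            continue
        src, dst = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
        tcp = frame[14 + ihl:14 + ip_len]                     # drop Ethernet padding
        sport, dport, _, _, off, flags = struct.unpack("!HHIIBB", tcp[:14])
        yield src, sport, dst, dport, flags, tcp[(off >> 4) * 4:]

def index_streams(pcap_bytes, show_established=False):
    """Return streams in first-seen order. A stream is 'new' when its first
    captured segment is a bare SYN (pcapcat's default view); show_established
    mirrors the '-a' option and includes streams whose handshake was missed."""
    streams = {}
    for src, sport, dst, dport, flags, payload in iter_tcp(pcap_bytes):
        key = tuple(sorted([(src, sport), (dst, dport)]))    # same key both ways
        st = streams.get(key)
        if st is None:
            st = streams[key] = {"client": (src, sport), "server": (dst, dport),
                                 "new": (flags & (SYN | ACK)) == SYN, "segments": []}
        if payload:
            st["segments"].append(((src, sport), payload))
    return [s for s in streams.values() if show_established or s["new"]]

def dump_stream(streams, index, direction=None):
    """Concatenate the payload of stream `index` in capture order; direction
    'client' or 'server' restricts the dump to one side of the conversation."""
    st = streams[index]
    return b"".join(p for who, p in st["segments"]
                    if direction is None or who == st[direction])

if __name__ == "__main__":
    for i, st in enumerate(index_streams(SAMPLE_PCAP, show_established=True)):
        print(i, "%s:%d -> %s:%d" % (*st["client"], *st["server"]),
              "new" if st["new"] else "established")
    print(dump_stream(index_streams(SAMPLE_PCAP), 0).decode())
```

The index keys a stream by the unordered pair of endpoints so both directions land in the same entry, which is what makes a full-conversation dump possible; the "new" flag is decided only by the first segment seen, so a capture that starts after the handshake is classified exactly the way the '-a' option is meant to handle.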

Resources/Good reading:
http://blog.kiddaland.net/2009/09/network-forensics-puzzle/
