skyknight has asked for the wisdom of the Perl Monks concerning the following question:

I have a packet dump of an ISO file being sent over an HTTP request, and I would like to reconstruct the actual image. I am familiar with the Net::Pcap and NetPacket::* modules and have used them for extracting other statistical data from the stream, but there is no readily apparent way to take the TCP conversation that I have and translate it into the resultant file as it would have been reassembled on the end host. Are there any good libraries for accomplishing this task?

Update: I managed to successfully extract the HTTP conversation using tcpflow, and then to extract the ISO from that by writing a simple Perl script to strip off the leading headers. The recovered ISO seems to be good. Thanks to kvale for the tip.

Re: Reconstructing a file from a packet dump
by kvale (Monsignor) on Mar 29, 2004 at 16:35 UTC
    Assuming you have all the packets needed, the procedure is as follows:
    1. get the 'tcpflow' program
    2. run it - all individual connections are saved into separate files
    3. run 'file' on the above files to id the file types you want to recover.
    4. if the download was done over HTTP, manual header removal is needed as well.
    steps 1)-3) can also be done by ethereal ("Follow TCP stream" functionality)

    -Mark

      I tried something like that, and it would seem that ethereal barfed because the file was too large for its likes. The iso that I'm trying to reconstruct is ~200M. As a sanity check, I sent a small jpeg over HTTP (just a few K), used the "Follow TCP Stream" functionality in Ethereal, and then wrote a Perl script to strip the headers off the top of the file. The jpeg image came out looking fine. When I say that ethereal "barfed" in the former case, what I mean is that for some reason it exported a file that was only 2.5M in size when it ought to have been 100x larger. I wonder if I've bumped up against a buffer size for ethereal... I'll look into using tcpflow to successfully perform exportation. Thanks.
        I am one of the developers of Ethereal. Would it be alright for me to forward the basic details to the Ethereal developers' list?
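Step 4 of kvale's procedure (strip the HTTP headers from the server-to-client flow that tcpflow wrote out) is the part that is easy to get subtly wrong. The script below is an added example written for this page, not the OP's script or anything from tcpflow; it handles the two ways an HTTP/1.x server frames a body (Content-Length and Transfer-Encoding: chunked), refuses a non-200 response so an error page is not mistaken for the image, and checks the recovered length against Content-Length so a truncated flow is reported rather than silently written out. The tcpflow file name in the comment is illustrative, and the sample flows at the bottom are constructed stand-ins, not captured data.

```perl
#!/usr/bin/perl
# Added example, not code from the thread. Recovers the response body from
# the server->client half of an HTTP/1.x conversation as tcpflow writes it
# out, handling both framings a server can use: Content-Length and
# Transfer-Encoding: chunked. Assumes the flow carries a single response.
use strict;
use warnings;

# Split a raw server->client stream into status line, headers and body;
# return the decoded body or die with a reason the operator can act on.
sub extract_http_body {
    my ($stream) = @_;

    # The header block ends at the first blank line: CRLF CRLF per the
    # RFC, or bare LF LF from a sloppy server.
    my ($end, $sep) = (index($stream, "\r\n\r\n"), 4);
    if ($end < 0) {
        ($end, $sep) = (index($stream, "\n\n"), 2);
        die "no end of HTTP headers found\n" if $end < 0;
    }
    my $head = substr $stream, 0, $end;
    my $body = substr $stream, $end + $sep;

    my ($status_line, @lines) = split /\r?\n/, $head;
    my ($status) = $status_line =~ m{^HTTP/1\.[01] (\d{3})}
        or die "not an HTTP response: $status_line\n";
    die "status $status, not 200; body is probably an error page\n"
        if $status ne '200';

    my %hdr;
    for (@lines) {
        my ($name, $value) = /^([^:]+):\s*(.*?)\s*$/ or next;
        $hdr{lc $name} = $value;
    }

    if (defined $hdr{'transfer-encoding'}
        && $hdr{'transfer-encoding'} =~ /chunked/i) {
        return dechunk($body);
    }
    if (defined $hdr{'content-length'}) {
        my ($want, $have) = ($hdr{'content-length'}, length $body);
        die "truncated: Content-Length $want but only $have bytes in flow\n"
            if $have < $want;
        # Bytes past Content-Length belong to a later response on the same
        # keep-alive connection; do not let them leak into the image.
        return substr $body, 0, $want;
    }
    # No framing header: the server signalled the end by closing.
    return $body;
}

# Decode chunked transfer-encoding: each chunk is "<hex length>[;ext]CRLF",
# the data, CRLF; a zero-length chunk terminates the body.
sub dechunk {
    my ($data) = @_;
    my ($out, $pos) = ('', 0);
    while (1) {
        my $eol = index $data, "\r\n", $pos;
        die "malformed chunk size line\n" if $eol < 0;
        my ($hex) = substr($data, $pos, $eol - $pos) =~ /^([0-9a-fA-F]+)/
            or die "bad chunk size at offset $pos\n";
        my $size = hex $hex;
        $pos = $eol + 2;
        last if $size == 0;
        die "truncated inside chunk\n" if $pos + $size > length $data;
        $out .= substr $data, $pos, $size;
        $pos += $size + 2;    # skip the data and its trailing CRLF
    }
    return $out;
}

if (@ARGV) {
    # Real use on a tcpflow output file (illustrative name):
    #   perl strip_http.pl 010.000.000.001.00080-010.000.000.002.34567 > recovered.iso
    open my $fh, '<:raw', $ARGV[0] or die "$ARGV[0]: $!\n";
    local $/;
    binmode STDOUT;
    print extract_http_body(scalar <$fh>);
    exit;
}

# Constructed sample flows standing in for tcpflow output; the payload is a
# stand-in byte string, not a real image.
my $payload   = "ISO\x00\x01\x02" x 4;
my $by_length = "HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n"
              . "Content-Length: " . length($payload) . "\r\n\r\n" . $payload;
my $chunked   = "HTTP/1.1 200 OK\r\nTransfer-Encoding: chunked\r\n\r\n"
              . sprintf("%x\r\n", 6) . substr($payload, 0, 6) . "\r\n"
              . sprintf("%x\r\n", length($payload) - 6) . substr($payload, 6)
              . "\r\n0\r\n\r\n";
for my $flow ($by_length, $chunked) {
    my $body = extract_http_body($flow);
    my $verdict = $body eq $payload ? "ok" : "MISMATCH";
    print "$verdict, ", length($body), " bytes\n";
}
```

Run without arguments it checks itself against the two constructed flows and prints "ok, 24 bytes" twice; with a tcpflow file as the argument it writes the recovered body to stdout. The Content-Length check matters for exactly the symptom described above: a 2.5M export of a ~200M image would die with "truncated" instead of producing a file that only looks like an ISO.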
Re: Reconstructing a file from a packet dump
by Fletch (Bishop) on Mar 29, 2004 at 18:03 UTC

    Keep in mind that unless told differently most network utilities like ethereal and tcpdump will only capture the first n bytes of each packet (n being somewhere around 50-60 bytes, just enough to catch all of the headers but not necessarily all of the data). The HTTP requests were probably sending a full MTU's worth of data, so you probably only have 50-60 bytes of about 1400 for each packet, which would explain why you're only seeing about 1% when you try and reassemble it.

      Nah, the packet capture is definitely complete. The length of the capture is a parameter that you can specify, and indeed if you set it too short you will not get the whole packet. I know that the capture is complete because I verified the size with the senders of the data. This is an academic project, so I at least know what it was that was supposed to be captured. The purpose of the exercise is to extract a covert channel from it.
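Whether or not the snaplen was the culprit here, it is the first thing to rule out before reassembling anything, and the capture file itself records enough to answer it: the global header carries the snaplen, and every record carries both the captured length and the original on-the-wire length. The script below is an added example written for this page (not from the thread, tcpdump or Ethereal) that reads the libpcap file format directly with pack/unpack, so it does not need Net::Pcap, and lists every record that was cut short. The sample capture at the bottom is constructed in the script: it uses a snaplen of 68 (the old tcpdump default) and one full-size Ethernet frame that gets clipped.

```perl
#!/usr/bin/perl
# Added example, not code from the thread. Checks whether a libpcap capture
# is complete enough to reassemble payloads from, i.e. whether any record
# was clipped at the snaplen. Reads the pcap file format with pack/unpack.
use strict;
use warnings;

# Returns a hashref with snaplen, linktype, packet count, truncated count
# and the 1-based record numbers that were truncated. Dies on a non-pcap.
sub check_pcap {
    my ($data) = @_;
    die "file too short for a pcap global header\n" if length $data < 24;

    # The magic number tells us the byte order; 0xa1b23c4d marks the
    # nanosecond-timestamp variant, which has the same layout otherwise.
    my $magic = unpack 'H8', substr($data, 0, 4);
    my %order = (
        d4c3b2a1   => 'V', a1b2c3d4 => 'N',    # microsecond timestamps
        '4d3cb2a1' => 'V', a1b23c4d => 'N',    # nanosecond timestamps
    );
    my $u32 = $order{$magic} or die "not a pcap file (magic $magic)\n";
    my $u16 = $u32 eq 'V' ? 'v' : 'n';

    # Global header: magic, major, minor, thiszone, sigfigs, snaplen, linktype
    my ($snaplen, $linktype)
        = (unpack "$u32 $u16 $u16 $u32 $u32 $u32 $u32", $data)[5, 6];

    my %r = (snaplen => $snaplen, linktype => $linktype,
             packets => 0, truncated => 0, truncated_idx => []);
    my $pos = 24;
    while ($pos + 16 <= length $data) {
        # Record header: ts_sec, ts_usec, incl_len (captured), orig_len (wire)
        my ($caplen, $len)
            = (unpack "$u32 $u32 $u32 $u32", substr($data, $pos, 16))[2, 3];
        $pos += 16;
        last if $pos + $caplen > length $data;    # trailing partial record
        $r{packets}++;
        if ($caplen < $len) {
            $r{truncated}++;
            push @{ $r{truncated_idx} }, $r{packets};
        }
        $pos += $caplen;
    }
    return \%r;
}

# Constructed sample capture: snaplen 68, a 60-byte frame that fits and a
# 1514-byte frame that is clipped to 68 bytes. Payload bytes are zeros.
sub sample_pcap {
    my $pcap = pack 'V v v V V V V', 0xa1b2c3d4, 2, 4, 0, 0, 68, 1;
    for my $wire (60, 1514) {
        my $cap = $wire < 68 ? $wire : 68;
        $pcap .= pack('V V V V', 1080576000, 0, $cap, $wire) . ("\x00" x $cap);
    }
    return $pcap;
}

my $data;
if (@ARGV) {
    # Real use: perl pcapcheck.pl capture.pcap
    open my $fh, '<:raw', $ARGV[0] or die "$ARGV[0]: $!\n";
    local $/;
    $data = <$fh>;
} else {
    $data = sample_pcap();
}

my $r = check_pcap($data);
printf "snaplen %d, linktype %d, %d packets, %d truncated\n",
    $r->{snaplen}, $r->{linktype}, $r->{packets}, $r->{truncated};
if ($r->{truncated}) {
    print "capture is NOT complete: records ",
        join(',', @{ $r->{truncated_idx} }),
        " were clipped at the snaplen; recapture with full frames (tcpdump -s 0)\n";
}
```

On the constructed sample it reports "snaplen 68, linktype 1, 2 packets, 1 truncated" and names record 2. A capture where every record has incl_len equal to orig_len passes this check, which is the precondition for tcpflow or "Follow TCP Stream" to reproduce the bytes the end host saw; if it fails, no reassembly tool can recover the missing data and the only fix is to capture again.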