in reply to Reconstructing a file from a packet dump

Keep in mind that unless told otherwise, most network utilities like ethereal and tcpdump will only capture the first n bytes of each packet (n being somewhere around 50-60 bytes, just enough to catch all of the headers but not necessarily all of the data). The HTTP requests were probably sending a full MTU's worth of data, so you probably only have 50-60 bytes of about 1400 for each packet, which would explain why you're only seeing about 1% when you try to reassemble it.

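As an added example (not code from this thread), the check below shows how to tell a snaplen-truncated dump from a complete one before spending time on reassembly. It parses the classic libpcap format: every record header stores both caplen (bytes actually saved) and orig_len (bytes on the wire), so caplen < orig_len is the fingerprint the post above describes. The frames, addresses and ports are constructed test data; the 68-byte snaplen is the old tcpdump default, and the reassembly step assumes a single TCP flow with no retransmissions, which real dumps will not satisfy without per-flow demultiplexing.

```python
import struct

# Classic libpcap layout (not pcapng): 24-byte global header, then per record a
# 16-byte header followed by caplen bytes.  A tool run with snaplen N stores
# min(N, orig_len) bytes, so caplen < orig_len marks a truncated packet.
PCAP_MAGIC = 0xA1B2C3D4
GLOBAL_HDR = "IHHiIII"   # magic, major, minor, tz offset, sigfigs, snaplen, linktype
RECORD_HDR = "IIII"      # ts_sec, ts_usec, caplen, orig_len
LINKTYPE_ETHERNET = 1


def build_frame(seq, payload):
    """Constructed Ethernet/IPv4/TCP frame carrying `payload`.  Checksums are
    left zero and addresses/ports are arbitrary: this is test input, not a
    real capture."""
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, seq, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])) + tcp
    eth = b"\xaa" * 6 + b"\xbb" * 6 + struct.pack("!H", 0x0800)
    return eth + ip


def build_pcap(snaplen, frames):
    """In-memory pcap written the way a capture tool with this snaplen would:
    only the first `snaplen` bytes of each frame are stored, orig_len keeps
    the full size."""
    out = bytearray(struct.pack("<" + GLOBAL_HDR, PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET))
    for i, frame in enumerate(frames):
        stored = frame[:snaplen]
        out += struct.pack("<" + RECORD_HDR, 1080000000 + i, 0, len(stored), len(frame))
        out += stored
    return bytes(out)


def parse_pcap(data):
    """Return (snaplen, [(caplen, orig_len, frame_bytes), ...]) for a classic
    pcap in either byte order; rejects pcapng or unknown magic."""
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic == PCAP_MAGIC:
        end = "<"
    elif magic == 0xD4C3B2A1:
        end = ">"
    else:
        raise ValueError("not a classic libpcap file (magic 0x%08x)" % magic)
    snaplen, linktype = struct.unpack_from(end + GLOBAL_HDR, data, 0)[5:7]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet link type handled here, got %d" % linktype)
    records, off = [], 24
    while off + 16 <= len(data):
        caplen, orig_len = struct.unpack_from(end + RECORD_HDR, data, off)[2:4]
        off += 16
        if off + caplen > len(data):
            raise ValueError("record at offset %d runs past end of file" % (off - 16))
        records.append((caplen, orig_len, data[off:off + caplen]))
        off += caplen
    return snaplen, records


def truncation_report(data):
    """How much of the traffic is really in the file.  If most records have
    caplen far below orig_len, the dump was cut by the snaplen and no
    reassembly can bring the missing bytes back."""
    snaplen, records = parse_pcap(data)
    captured = sum(c for c, _, _ in records)
    on_wire = sum(o for _, o, _ in records)
    return {
        "snaplen": snaplen,
        "packets": len(records),
        "truncated": sum(1 for c, o, _ in records if c < o),
        "captured_fraction": captured / on_wire if on_wire else 1.0,
    }


def tcp_payload(frame):
    """(seq, payload) for an untagged Ethernet/IPv4/TCP frame, else None.  On a
    truncated frame the payload slice simply comes back short, which is why a
    snaplen-limited dump reassembles to a sliver of the real file."""
    if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != 0x0800:
        return None
    tcp_off = 14 + (frame[14] & 0x0F) * 4
    ip_total = struct.unpack_from("!H", frame, 16)[0]
    if frame[23] != 6 or len(frame) < tcp_off + 20:
        return None
    seq = struct.unpack_from("!I", frame, tcp_off + 4)[0]
    data_off = (frame[tcp_off + 12] >> 4) * 4
    return seq, frame[tcp_off + data_off:14 + ip_total]


def reassemble(data):
    """Concatenate TCP payload in sequence order.  Assumes one flow, one
    direction, no retransmissions or overlaps (true for the constructed
    input; a real dump needs per-flow handling first)."""
    _, records = parse_pcap(data)
    segments = []
    for _, _, frame in records:
        seg = tcp_payload(frame)
        if seg is not None:
            segments.append(seg)
    segments.sort(key=lambda s: s[0])
    return b"".join(p for _, p in segments)


if __name__ == "__main__":
    # Three full-MTU segments of 1400 bytes each, written to the dump out of order.
    frames = [build_frame(1000 + 1400 * i, bytes([65 + i]) * 1400) for i in range(3)]
    frames = [frames[2], frames[0], frames[1]]
    for snaplen in (65535, 68):   # whole frames vs. the old tcpdump default
        dump = build_pcap(snaplen, frames)
        print(snaplen, truncation_report(dump), len(reassemble(dump)), "payload bytes")
```

Run against the constructed dump, the 68-byte snaplen leaves 14 of every 1400 payload bytes (54 bytes of headers come first), so reassembly yields exactly 1% of the file while every record reports caplen < orig_len. On a real capture, run truncation_report before anything else: if it shows zero truncated records, the missing data is not a snaplen problem and the search has to move elsewhere.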

Re: Re: Reconstructing a file from a packet dump
by skyknight (Hermit) on Mar 29, 2004 at 18:14 UTC
    Nah, the packet capture is definitely complete. The length of the capture is a parameter that you can specify, and indeed if you set it too short you will not get the whole packet. I know that the capture is complete because I verified the size with the senders of the data. This is an academic project, so I at least know what it was that was supposed to be captured. The purpose of the exercise is to extract a covert channel from it.