Removing HTTP headers from tcpdump logs

From: Chris Mawer <chris_mawer(at)hotmail.com>
Date: Wed May 07 2003 - 10:32:49 EDT


List,

I have a recently acquired tcpdump logfile on my hands. It captured several megabytes of data, including several ftp, ssh and http sessions.

In trying to recover files from the sessions captured, I've run into two problems.

  1. The SSH data is encrypted, but was captured by a network-wide keystroke logger. (I don't wish to debate the ethics here..)
  2. With the FTP sessions, running the tcpdump file through ethereal allowed me to "Follow TCP Stream" and recover the files transferred perfectly. However, trying to do the same with the HTTP sessions didn't work too well.

My question to the list: What tools/methods are used to manually remove the HTTP headers that prevent the (easy/quick) recovery of files over HTTP? RFCs on the issue, whilst informative, are 20 years old. What does the modern-day Homo sapiens forensics investigator do?

Many thanks,

Chris Mawer




This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com

Received on Thu May 8 18:01:45 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:44 EDT

