Extracting files from a capture file aka. intercepting files
Just learned a cool thing that I’d like to share. Imagine you’re running a packet sniffer and you want to extract the files that you’ve sniffed. It can be a .pdf, .jpg or whatever. There’s two tools for this once you’ve got the capture file in hand. Namely, tcpflow and foremost.
TCP segments might arrive out of order and needs to be put into the right sequence before you can extract the files from the capture. Else they will probably be corrupted. The reasons why we need to do this is because packet sniffers, or protocol analyzers if you so will, only will display data as they arrive on the interface(s). TCP segments might arrive out of order at the destination and therefore TCP uses something called sequence numbers to keep track of where the data should be put. tcpflow will read your capture file’s TCP sequence numbers and put the segments in the correct order for “convenient protocol analysis or debugging”. The following command do this:
tcpflow -r sniffed.cap
This will create several output files for all the connections you’ve captured. One file per connection. The output will be in your current working directory. So it’s recommended to create a new folder and run the command from that folder to avoid mayhem. The output files can be a pain to work with so we’ll put them together into one single file with the help of concatenate:
cat * > sniffed_organised.cap
Now we can use foremost to extract the files.
foremost -t all -i sniffed_organised.cap
The -t option let’s you choose which file types to extract. The man page will tell you which file formats you can choose from. Unless you specify otherwise, the files will be put into a folder called output. Good luck!