
I use

tcpdump -i wlan0 -s 0 dst 192.168.1.200 or src 192.168.1.200 -w output.pcap

to monitor, for example, my HTTP traffic.

I upload a .zip file through HTTP.

How can I retrieve the .zip file from the output.pcap file? Is it possible to recover it from there?

LanceBaynes
  • I wouldn't be surprised if Wireshark could do this, although I've never done it myself. Even if Wireshark doesn't do it exactly, I'd guess the answer to your second question is almost certainly "yes". See also this Stack Overflow question which points to tshark. – jw013 Jan 04 '12 at 19:25
  • Yes, you can. You just need a combination of tcpdump, tcpflow, and foremost. There's a good writeup of this at: http://www.debian-administration.org/articles/558 – Tim Kennedy Jan 04 '12 at 20:00
  • I will try a bounty if there aren't any authoritative answers :P – LanceBaynes Jan 04 '12 at 22:48
  • @jw013 I am pretty sure Wireshark can do this. But I never used it for that purpose (and have no time to test it). I extracted XML content from an HTTP stream, so I would say: most probably, yes. But I don't want to get your reputation for this.. – Nils Jan 05 '12 at 20:55

1 Answer

This list from ISC (and its comments) has a number of tools, one of which may fit your use case.

From my research on the ones in that list, the one by Brendan Gregg (of DTrace fame) is called Chaosreader, and it seems to be popular. Its feature list explicitly mentions extracting files from HTTP streams, so I'd start there.
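As an added illustration (not code from the answer, nor from Chaosreader, tcpflow or foremost), here is a small Python carver that does by hand what those tools automate: it walks a pcap, reassembles one TCP flow by sequence number, and cuts the ZIP out of the HTTP POST body using the ZIP end-of-central-directory record. The capture is constructed inline (a hypothetical client 192.168.1.200 uploading to 10.0.0.1, out-of-order segments plus one retransmit); it assumes a classic microsecond pcap with Ethernet framing, no IP fragmentation and plain HTTP, not pcapng or TLS.

```python
import io, struct, zipfile

def tcp_payloads(pcap):  # yield (flow, seq, payload) per IPv4/TCP frame; classic pcap, Ethernet
    end, off = ("<" if pcap[:4] == b"\xd4\xc3\xb2\xa1" else ">"), 24   # magic decides endianness
    while off + 16 <= len(pcap):
        caplen = struct.unpack_from(end + "IIII", pcap, off)[2]        # incl_len of this record
        f, off = pcap[off + 16:off + 16 + caplen], off + 16 + caplen
        ip = f[14:]
        if f[12:14] != b"\x08\x00" or ip[9] != 6:                      # not IPv4, or not TCP
            continue
        tcp = ip[(ip[0] & 15) * 4:struct.unpack_from("!H", ip, 2)[0]]  # IHL .. total length
        # flow key = (src+dst address bytes, src+dst port bytes); payload starts at data offset
        yield (ip[12:20], tcp[:4]), struct.unpack_from("!I", tcp, 4)[0], tcp[(tcp[12] >> 4) * 4:]

def reassemble(segments):  # join each flow's payload in seq order, skipping already-seen bytes
    flows = {}
    for key, seq, payload in segments:
        flows.setdefault(key, []).append((seq, payload))
    streams = {}
    for key, segs in flows.items():
        buf, expected = bytearray(), min(segs)[0]
        for seq, payload in sorted(segs):
            buf += payload[max(0, expected - seq):]                     # drop retransmit overlap
            expected = max(expected, seq + len(payload))
        streams[key] = bytes(buf)
    return streams

def carve_zip(stream):  # first ZIP after the HTTP headers, bounded by its end-of-central-directory
    start = stream.find(b"PK\x03\x04", stream.find(b"\r\n\r\n"))
    if start < 0 or (eocd := stream.find(b"PK\x05\x06", start)) < 0:
        return None                                                     # no local header or EOCD
    return stream[start:eocd + 22 + struct.unpack_from("<H", stream, eocd + 20)[0]]

def _frame(seq, payload):  # constructed client->server frame; IP/TCP checksums left at zero
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     bytes([192, 168, 1, 200]), bytes([10, 0, 0, 1]))
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, seq, 0, 5 << 4, 0x18, 65535, 0, 0)
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp + payload

def demo():  # constructed pcap of a multipart ZIP upload, delivered out of order, carved back
    bio = io.BytesIO()
    with zipfile.ZipFile(bio, "w") as z:
        z.writestr("hello.txt", "hello from the upload")
    body = (b'--XYZ\r\nContent-Disposition: form-data; name="f"; filename="a.zip"\r\n'
            b"Content-Type: application/zip\r\n\r\n" + bio.getvalue() + b"\r\n--XYZ--\r\n")
    req = b"POST /upload HTTP/1.1\r\nContent-Type: multipart/form-data; boundary=XYZ\r\n\r\n" + body
    frames = [_frame(1 + i, req[i:i + 64]) for i in range(0, len(req), 64)]
    frames = [frames[0], frames[2], frames[1], *frames[3:], frames[0]]  # reorder + one retransmit
    pcap = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)   # LINKTYPE_ETHERNET = 1
    pcap += b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)
    return carve_zip(next(iter(reassemble(tcp_payloads(pcap)).values())))
```

On a real output.pcap, replace the constructed bytes with `open("output.pcap", "rb").read()` and write the returned bytes to a file; a ZIP with a comment, or one split over several flows, is where the real tools earn their keep.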