How to capture images transferred via HTTP?

Question

I have multiple browsers and I want save all images with size more than 30KB and save to specified address.

What is best way?

listen to tcpdump and read the content, and then save to a file, or
use something like squid

I think tcpdump is better but I don't know how to find out whether the content is an image and of what size (and other attributes) to save it in a file.

Duplicate? "How to recover a file from a tcpdump" (The answer there should provide what you need, I suppose.) Oh, and there's driftnet, the perfect fit. — sr_, May 09 '12 at 08:51
there is diffrent between this and that page. i want save from all addres — Mohammad Efazati, May 09 '12 at 17:56
For example driftnet takes a libpcap-filter expression; but maybe I misunderstood you... — sr_, May 09 '12 at 18:23
@sr_ so answer this question ;) i want all saw images in net with more 30kb size save in /opt/pics/ — Mohammad Efazati, May 09 '12 at 18:32
If you're using Debian and like driftnet, please consider adopting it. — sr_, May 10 '12 at 09:27
@sr_ i saw this package in github too, and build from source in arch. i think new adopting is awesome. — Mohammad Efazati, May 10 '12 at 09:31

score 3 · Accepted Answer · edited Apr 13 '17 at 12:37

3

Thanks to sr_, I used driftnet:

sudo driftnet -i eth0 -a -d ./browserPic

edited Apr 13 '17 at 12:37

Community

1

answered May 09 '12 at 20:04

Mohammad Efazati

812

score 0 · Answer 2 · answered May 11 '12 at 10:36

0

you can use justniffer-grab-http-traffics a python script shipped with justniffer for capturing all files in HTTP traffic

answered May 11 '12 at 10:36

user18630

1

score 0 · Answer 3 · edited Nov 29 '12 at 13:32

0

I also have some small tutorial on tcpdump, I hope it will be useful.

Use tcpdump to capture in a pcap file (wireshark dump)

Remote packet capture using WireShark & tcpdump

edited Nov 29 '12 at 13:32

Mat

52,586

answered Nov 29 '12 at 12:15

linuxexplore

9

Posting only links to external sources is frowned upon here. Your posts should contain enough information to stand on there own without the links. Having links for extra information is fine though. – Mat Nov 29 '12 at 13:33

score 0 · Answer 4 · edited Mar 07 '13 at 20:09

You can use IPS (Intrusion protection) File store option.

Simplewall uses Suricata IPS latest stable integration is very simple and easy to with nice web user interface.

Files signatures :

Simply store all files to disk:-

alert http any any -> any any (msg:"FILE store all"; filestore; sid:1; rev:1;)

Store all files with extension pdf:-

alert http any any -> any any (msg:"FILE PDF file claimed"; fileext:"pdf"; filestore; sid:2; rev:1;)
drop ip any 443 -> 192.168.3.38 any (msg:"File extension => swf block for User38 "; fileext:"swf"; filestore ;sid:96676215;rev:1;)
drop ip any 443 -> 192.168.3.38 any (msg:"File extension => flv block for User38 "; fileext:"flv"; filestore ;sid:45369914;rev:1;)
drop ip any 443 -> 192.168.3.38 any (msg:"File extension => mp3 block for User38 "; fileext:"mp3"; filestore ;sid:87448154;rev:1;)

How to capture images transferred via HTTP?

4 Answers4