tcpxtract version 1.0


Tcpxtract is a carver for network traffic, which means it extracts files out of captured data. In order to determine start and end positions of a file it searches for certain byte sequences. This procedure was inspired by foremost, a carver for filesystem data.

Tcpxtract installed almost flawlessly.
I downloaded the tarball and untarred it. ./configure --help shows the build options.

For example
./configure --sysconfdir="/etc"
will place the config file in /etc while the binary is stored in /usr/local/bin.

./configure
checks the environment for needed libraries and creates the Makefile.

make
then builds the binary. Here the first glitch appears:
make: *** No rule to make target `tcpxtract.1', needed by `all-am'. Stop.

The Makefile already contains instructions to build the man page, however the source is missing from the package.
To resolve the problem just edit the Makefile and replace
man_MANS = tcpxtract.1
with
man_MANS =

Make now executes without any problem, builds and installs the binary:

$ make
$ make check ; echo $?
0
$ sudo make install

For a first test I fed some data from the HoneyLux Project into tcpxtract. The capture is 323 MB in size, which made me expect a high yield.

tcpxtract -f tcpdump-honeylux1-23-08-2002.pcap -o dump
The program runs, but nothing happens. Obviously it won't create a missing output directory on its own. It doesn't give a word of warning, though.

After I created the directory and restarted tcpxtract, the screen looks much better:

Found file of type "html" in session [192.91.75.211:20480 -> 192.168.1.2:30604], exporting to dump/00000000.html
Found file of type "gif" in session [192.91.75.211:20480 -> 192.168.1.2:30860], exporting to dump/00000001.gif
Found file of type "gif" in session [64.154.80.51:20480 -> 192.168.1.2:31116], exporting to dump/00000002.gif
Found file of type "html" in session [192.91.75.211:20480 -> 192.168.1.2:33932], exporting to dump/00000003.html
Found file of type "gif" in session [192.91.75.198:20480 -> 192.168.1.2:34188], exporting to dump/00000004.gif
Found file of type "gif" in session [64.154.80.51:20480 -> 192.168.1.2:34444], exporting to dump/00000005.gif
Found file of type "html" in session [192.91.75.211:20480 -> 192.168.1.2:35468], exporting to dump/00000006.html
Found file of type "gif" in session [192.91.75.198:20480 -> 192.168.1.2:35980], exporting to dump/00000007.gif
Found file of type "gif" in session [192.91.75.198:20480 -> 192.168.1.2:35724], exporting to dump/00000008.gif
Found file of type "gif" in session [192.91.75.198:20480 -> 192.168.1.2:36236], exporting to dump/00000009.gif
Found file of type "gif" in session [64.154.80.51:20480 -> 192.168.1.2:36492], exporting to dump/00000010.gif
Found file of type "gif" in session [216.239.39.101:20480 -> 192.168.1.2:37004], exporting to dump/00000011.gif
Found file of type "html" in session [193.231.236.40:20480 -> 192.168.1.2:48524], exporting to dump/00000012.html
Segmentation fault

Oops. My second attempt was a live capture of me browsing the web. This time tcpxtract worked as expected. Possibly the honeypot dump contains some nasties (retransmits?).

In summary, tcpxtract still contains some minor issues, but its concept looks promising and even in version 1.0 it's worth a try.

Update 10/13/2005: There's a problem with the dump from the honeypot. Data was recorded with a snaplen of 1500 bytes; about 34000 packets were truncated. Probably that caused the crash.
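As an added illustration of the carving approach described at the top of this post (searching reassembled TCP payload for header and footer byte sequences, foremost-style) and of the truncated-packet problem in this update, here is a small carver in Python. It is example code written for this page, not tcpxtract's source: the signature table, the sample addresses and the constructed pcap are all assumptions, and it reassembles each direction of a connection in arrival order without sequence-number handling, so retransmits and reordering are out of scope. The point of the example is that a frame whose incl_len is smaller than orig_len (cut by the snaplen) is simply carried along with fewer bytes instead of being trusted to contain its full IP total length.

```python
"""Minimal pcap reader plus header/footer carver (added example, not tcpxtract's code)."""
import struct
from collections import defaultdict

# (header magics, footer, maximum carve length) per type; assumed values, not tcpxtract's config
SIGNATURES = {
    "gif": ((b"GIF87a", b"GIF89a"), b"\x3b", 5_000_000),
    "html": ((b"<html", b"<HTML"), b"</html>", 5_000_000),
}
PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1


def iter_pcap(data):
    """Yield (truncated, frame_bytes) per record of a classic pcap; truncated means incl_len < orig_len."""
    fmt = "<" if struct.unpack("<I", data[:4])[0] == PCAP_MAGIC else ">"
    if struct.unpack(fmt + "I", data[:4])[0] != PCAP_MAGIC:
        raise ValueError("not a classic pcap file")
    _, _, _, _, _snaplen, linktype = struct.unpack(fmt + "HHiIII", data[4:24])
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("this example only handles Ethernet captures")
    off = 24
    while off + 16 <= len(data):
        _, _, incl_len, orig_len = struct.unpack(fmt + "IIII", data[off:off + 16])
        off += 16
        yield incl_len < orig_len, data[off:off + incl_len]
        off += incl_len


def tcp_payload(frame):
    """Return ((src, sport, dst, dport), payload) for an Ethernet/IPv4/TCP frame, else None.
    Slices are clamped to the bytes actually captured, so a truncated frame yields a shorter payload."""
    if len(frame) < 54 or frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != 6 or ihl < 20:
        return None
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    tcp = ip[ihl:total_len]          # shorter than total_len if the capture cut the frame
    if len(tcp) < 20:
        return None
    sport, dport = struct.unpack("!HH", tcp[:4])
    doff = (tcp[12] >> 4) * 4
    return (src, sport, dst, dport), tcp[doff:]


def carve_stream(stream):
    """Cut every header..footer span out of one direction's byte stream (signature carving)."""
    found = []
    for ftype, (headers, footer, max_len) in SIGNATURES.items():
        for hdr in headers:
            pos = 0
            while True:
                start = stream.find(hdr, pos)
                if start < 0:
                    break
                end = stream.find(footer, start + len(hdr), start + max_len)
                if end < 0:              # header without a footer in range: skip it
                    pos = start + len(hdr)
                    continue
                found.append((ftype, stream[start:end + len(footer)]))
                pos = end + len(footer)
    return found


def carve_pcap(data):
    """Concatenate TCP payload per direction in arrival order, carve it; also count truncated frames."""
    streams, truncated = defaultdict(bytearray), 0
    for was_cut, frame in iter_pcap(data):
        truncated += was_cut
        parsed = tcp_payload(frame)
        if parsed:
            streams[parsed[0]] += parsed[1]
    files = [(key, ftype, blob) for key, s in streams.items() for ftype, blob in carve_stream(bytes(s))]
    return files, truncated


def build_frame(src, sport, dst, dport, payload):
    """Constructed Ethernet/IPv4/TCP frame with zeroed checksums (enough for the parser above)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split(".")))) + tcp
    return b"\x00" * 12 + b"\x08\x00" + ip


def build_pcap(frames, snaplen=1500):
    """Constructed classic pcap; frames longer than snaplen are stored cut, as a small -s would do."""
    out = bytearray(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET))
    for f in frames:
        kept = f[:snaplen]
        out += struct.pack("<IIII", 0, 0, len(kept), len(f)) + kept
    return bytes(out)


# Constructed sample traffic: one HTTP flow carrying an HTML page and a 1x1 GIF split over two
# segments, plus a second flow whose frame exceeds the snaplen and is therefore stored truncated.
HTML_DOC = b"<html><body>hello</body></html>"
GIF_1X1 = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00\xff\xff\xff\x00\x00\x00,\x00\x00\x00\x00"
           b"\x01\x00\x01\x00\x00\x02\x02D\x01\x00;")
SAMPLE_FRAMES = [
    build_frame("10.0.0.1", 80, "10.0.0.2", 40000, b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n" + HTML_DOC),
    build_frame("10.0.0.1", 80, "10.0.0.2", 40000, b"HTTP/1.1 200 OK\r\n\r\n" + GIF_1X1[:20]),
    build_frame("10.0.0.1", 80, "10.0.0.2", 40000, GIF_1X1[20:]),
    build_frame("10.0.0.3", 80, "10.0.0.2", 40001, b"GIF89a" + b"\x00" * 300 + b";"),
]
SAMPLE_PCAP = build_pcap(SAMPLE_FRAMES, snaplen=200)

if __name__ == "__main__":
    files, cut = carve_pcap(SAMPLE_PCAP)
    for (src, sport, dst, dport), ftype, blob in files:
        print(f'Found file of type "{ftype}" in session [{src}:{sport} -> {dst}:{dport}], {len(blob)} bytes')
    print(f"{cut} truncated frame(s) processed with the bytes that were captured")
```

Running it carves the HTML page and the reassembled GIF from the first flow, and reports the second flow's frame as truncated: its GIF header is seen but the trailer never arrived, so nothing is written for it and nothing crashes. A real carver would additionally order segments by sequence number and drop retransmitted bytes before searching for signatures.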

Update 10/14/2005: Version 1.0.1 now contains the man page.

1 Comment

Hi,

nice blog by the way.
You might want to check the following tool as well.

http://chaosreader.sourceforge.net/

Cheers.

Imprint

This blog is a project of:
Andreas Schuster
Im Äuelchen 45
D-53177 Bonn
impressum@forensikblog.de

Copyright © 2005-2012 by
Andreas Schuster
All rights reserved.
Powered by Movable Type 5.12