user3207230
Reputation: 597
Save raw binary payload only using tcpdump
How can I capture traffic with tcpdump and only save the full payload (application layer data, no tcp/ip headers) in a raw binary format?
Upvotes: 5
Views: 5904
Answers (1)
jonschipp
Reputation: 841
After capturing traffic and writing it to disk in the PCAP format you can separate each flow into individual files using tcpflow and then run a file carving tool such as foremost on the flow files which can carve out specific file types from each stream. The following example will extract Window PE files and PDF's from the flows:
$ tcpflow -r traffic.pcap -o flows/
$ cat flows/* > big.flow
$ foremost -t exe,pdf -i big.flow
Another tool that is capable of extracting common file types is tcpxtract:
$ tcpxtract --file traffic.pcap -o output/
Other tools include ChaosReader and Bro's File Analyzer.
Upvotes: 5
Related Questions
- How can I have tcpdump write to file and standard output the appropriate data?
- How to convert raw packet data into a PCAP file?
- How to stop tcpdump from truncation http payload?
- How to filter tcpdump result by keeping socket recv() data only?
- Saving the displayed/filtered packets in wireshark
- How to get tcpdump to save to a file without using binary?
- Reading tcpdump header length command
- tcpdump PCAP file format payload bytes
- Generate tcpdump with raw ip encap
- Capturing HTTP packet body through tcpdump