Complete reconstruction of TCP Session (HTML pages) from WireShark pcaps, any tools for this?
Notice: this page is a Chinese/English side-by-side translation of a popular StackOverflow question, licensed under CC BY-SA 4.0. If you use it you must follow the same CC BY-SA license, cite the original address and author information, and attribute it to the original authors (not me): StackOverFlow
Original address: http://stackoverflow.com/questions/6151417/
Asked by
I wonder if there is a way in wireshark to reconstruct a complete TCP Session (HTML page(s)) if we have wireshark pcaps, can wireshark do the reconstruction? or is there any tool around that can do the reconstruction? Data streamed from a source could be compressed(Gzip) or uncompressed and the end result of reconstruction should be a valid complete HTML page with all of its contents.
Accepted answer by user1444217
Use justniffer-grab-http-traffic. It is based on justniffer and it is an excellent tool for rebuilding TCP streams.
Answered by mavam
You can also use Bro if you prefer a command-line interface. Simply load it with the contents script:
bro -r trace.pcap -f 'port 80' contents
(You can skip the optional BPF filter expression -f port 80.) This extracts the full TCP stream and writes it to files of the form:
contents.<sourceIP>.<sourcePORT>-<destinationIP>.<destinationPORT>
As Christian mentioned, the reassembly is highly robust and has been tested thoroughly.
Answered by rupello
TCPTrace has an option (-e) for this:
Extracting: The -e option can be used to extract the contents (TCP data payload) of each connection into a separate data file.
For example,
Beluga:/Users/mani> tcptrace -e albus.dmp
generates files a2b_contents.dat, b2a_contents.dat; c2d_contents.dat, d2c_contents.dat if the file albus.dmp had 2 traced TCP connections. tcptrace is pretty smart in generating these contents files. It does not commit trivial mistakes like saving retransmissions multiple times in the file for example, and is aware of sequence space wrap-arounds. However, if you want the entire contents of the traffic, please make sure that packets are captured in their entirety (give suitable snaplen value with tcpdump for example).
Answered by Foon
Depending on what version of Wireshark you have, you should be able to do something along the lines of:
- Filter out the session you care about
- Do File->Export->Objects->Http
- Select a folder.
Is there something more you need... this appears to do the gzip decompression etc... won't work if you're running SSL (it MIGHT be able to if you can get the appropriate keys to make the SSL decode work, but that gets trickier and I'd suggest trying fiddler in that case)
HTH
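The two answers above describe what a reassembler has to get right before an exported HTML page is usable: rupello's tcptrace note (retransmissions saved once, sequence-space wraparound handled) and Foon's Wireshark export (gzip Content-Encoding undone). The following is an added example, not code from tcptrace, Bro, Wireshark or any answer in this thread. It reads a classic libpcap file with only the Python standard library, groups TCP payloads by 4-tuple, stitches each flow back together using signed 32-bit relative offsets so the 2^32 wrap is harmless, drops duplicate bytes from retransmissions, records capture gaps, and then decompresses a gzip HTTP body. The capture it runs on is constructed in memory: the server 10.0.0.2, client 10.0.0.1, port 40000 and the initial sequence number are made up for the demonstration.

```python
"""Reassemble a TCP stream from a pcap and decode a gzip HTTP body (stdlib only).

Added example for the thread; not code from tcptrace, Wireshark or any answer.
The capture is constructed below: hosts, ports and ISN are invented."""
import gzip
import struct
from collections import defaultdict

# --- constructed capture (test input, not a real trace) ---------------------

def tcp_frame(src, dst, sport, dport, seq, payload):
    """Ethernet/IPv4/TCP bytes for one data segment. Checksums stay zero;
    the extractor below never validates them, like a typical reassembler."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq & 0xFFFFFFFF, 0,
                      5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     src, dst) + tcp
    return b"\x00" * 12 + b"\x08\x00" + ip     # dst MAC, src MAC, EtherType IPv4

def build_pcap(frames):
    """Classic little-endian libpcap file, linktype 1 (Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", i, 0, len(frame), len(frame)) + frame
    return out

HTML = b"<html><body><h1>reassembled</h1></body></html>"
RESPONSE = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
            b"Content-Encoding: gzip\r\n\r\n" + gzip.compress(HTML))
SERVER, CLIENT = bytes([10, 0, 0, 2]), bytes([10, 0, 0, 1])   # invented hosts
ISN = 0xFFFFFFF0                   # 16 bytes before the 32-bit sequence wraps

def sample_pcap():
    """Response split into three segments, delivered out of order, segment two
    retransmitted, and sequence numbers crossing the 2^32 boundary."""
    parts = [RESPONSE[:10], RESPONSE[10:30], RESPONSE[30:]]
    seqs = [ISN, ISN + 10, ISN + 30]
    order = [0, 2, 1, 1]           # segment 1 is captured twice (retransmission)
    frames = [tcp_frame(SERVER, CLIENT, 80, 40000, seqs[i], parts[i]) for i in order]
    return build_pcap(frames)

# --- pcap parsing ------------------------------------------------------------

def iter_frames(pcap):
    magic, = struct.unpack("<I", pcap[:4])
    end = "<" if magic == 0xA1B2C3D4 else ">"
    off = 24
    while off + 16 <= len(pcap):
        _, _, incl_len, _ = struct.unpack(end + "IIII", pcap[off:off + 16])
        yield pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len

def tcp_segments(pcap):
    """Group (seq, payload) of every data-bearing TCP segment by 4-tuple flow."""
    flows = defaultdict(list)
    for frame in iter_frames(pcap):
        if frame[12:14] != b"\x08\x00":            # IPv4 only
            continue
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        total_len = struct.unpack("!H", ip[2:4])[0]
        if ip[9] != 6:                              # protocol 6 = TCP
            continue
        tcp = ip[ihl:total_len]
        sport, dport, seq = struct.unpack("!HHI", tcp[:8])
        payload = tcp[(tcp[12] >> 4) * 4:]
        if payload:
            flows[(ip[12:16], sport, ip[16:20], dport)].append((seq, payload))
    return flows

# --- reassembly --------------------------------------------------------------

def reassemble(segments):
    """Stitch segments into one byte stream. Offsets are relative to the first
    segment seen, read as signed 32-bit so the sequence wrap is harmless; bytes
    already held (retransmissions) are dropped and holes are recorded as gaps."""
    ref = segments[0][0]
    def rel(seq):
        return ((seq - ref + 2**31) & 0xFFFFFFFF) - 2**31
    ordered = sorted(segments, key=lambda s: rel(s[0]))
    base = rel(ordered[0][0])
    stream, retransmitted, gaps = bytearray(), 0, []
    for seq, payload in ordered:
        pos = rel(seq) - base
        if pos < len(stream):                     # overlaps data we already hold
            payload = payload[len(stream) - pos:]
            if not payload:
                retransmitted += 1
                continue
        elif pos > len(stream):                   # hole: capture missed a segment
            gaps.append((len(stream), pos))
            stream += b"\x00" * (pos - len(stream))
        stream += payload
    return bytes(stream), retransmitted, gaps

def decode_http_response(stream):
    """Split header block from body and undo gzip Content-Encoding."""
    head, sep, body = stream.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete HTTP header block")
    headers = {}
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    if headers.get(b"content-encoding", b"").lower() == b"gzip":
        body = gzip.decompress(body)
    return headers, body

def extract_html(pcap):
    """Per flow: (retransmissions dropped, gaps found, decoded body)."""
    results = {}
    for flow, segs in tcp_segments(pcap).items():
        stream, retrans, gaps = reassemble(segs)
        _, body = decode_http_response(stream)
        results[flow] = (retrans, gaps, body)
    return results

if __name__ == "__main__":
    for flow, (retrans, gaps, body) in extract_html(sample_pcap()).items():
        print(flow, "retransmissions:", retrans, "gaps:", gaps)
        print(body.decode())
```

Point `extract_html` at `open("trace.pcap", "rb").read()` to run it on a real single-connection capture; the `gaps` list is the check worth watching, since a non-empty list means the snaplen or the capture itself dropped bytes, which is exactly the caveat the tcptrace documentation above raises.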
Answered by vy32
I suggest tcpflow, a full-featured tcp/ip session reconstructor. It is very fast, will handle very large sessions, automatically decompresses gzip'ed connections, automatically breaks out MIME objects sent by HTTP, creates an XML file of what it's done, runs on MacOS, Linux and Windows, and more. It's a command-line tool.

