流量取证-流量中提取文件

以前整理的一些东西，拿出来做备忘

PCAP 报文就是抓取实际在网络中传输的图片，视频等数据，然后以PCAP 格式存储形成的文件。工作中对离线的数据包进行回溯分析，有时会遇到将 PCAP 中的码流还原成相应的图片、视频、邮件等原有格式的需求。

从流量中取证文件大部分情况下是为了提取流量中的可执行程序。

1、 tcpxtract
安装：
apt-get install tcpxtract
http://www.rpmfind.net/linux/rpm2html/search.php?query=tcpxtract # 下载对应版本

查看帮助：
root@kali:~# tcpxtract -h
Usage: tcpxtract [OPTIONS] [[-d ] [-f ]]
Valid options include:
--file, -f to specify an input capture file instead of a device 指定输入捕获文件
--device, -d to specify an input device (i.e. eth0) 指定输入设备(即eth0)
--config, -c use FILE as the config file 使用FILE作为配置文件
--output, -o dump files to DIRECTORY instead of current directory 将文件转储
--version, -v display the version number of this program
--help, -h display this lovely screen

下载 pcap 流量包：
wget http://forensicscontest.com/contest01/evidence01.pcap

查看要恢复的文件：
tcpxtract -f evidence01.pcap

查看恢复后的文件

打开文件：
leafpad 00000042.html

2、 NetworkMiner
安装 NetworkMiner：
从 http://sourceforge.net/projects/networkminer/files/latest/download 下载
或者
https://nchc.dl.sourceforge.net/project/networkminer/networkminer/NetworkMiner-1.6.1/NetworkMiner_1-6-1.zip

打开 PCAP 文件

查看提取出来的文件

3、wireshark 还原文件
查看帮助
root@kali:~# wireshark -h
Wireshark 2.6.6 (Git v2.6.6 packaged as 2.6.6-1)
Interactively dump and analyze network traffic.
See https://www.wireshark.org for more information.

Usage: wireshark [options] ... [ ]

Capture interface:
-i name or idx of interface (def: first non-loopback)
-f packet filter in libpcap filter syntax
-s packet snapshot length (def: appropriate maximum)
-p don't capture in promiscuous mode
-k start capturing immediately (def: do nothing)
-S update packet display when new packets are captured
-l turn on automatic scrolling while -S is in use
-I capture in monitor mode, if available
-B size of kernel buffer (def: 2MB)
-y link layer type (def: first appropriate)
--time-stamp-type timestamp method for interface
-D print list of interfaces and exit
-L print list of link-layer types of iface and exit
--list-time-stamp-types print list of timestamp types for iface and exit

Capture stop conditions:
-c stop after n packets (def: infinite)
-a ... duration:NUM - stop after NUM seconds
filesize:NUM - stop this file after NUM KB
files:NUM - stop after NUM files
Capture output:
-b ... duration:NUM - switch to next file after NUM secs
filesize:NUM - switch to next file after NUM KB
files:NUM - ringbuffer: replace after NUM files
Input file:
-r set the filename to read from (no pipes or stdin!)

Processing:
-R packet filter in Wireshark display filter syntax
-n disable all name resolutions (def: all enabled)
-N enable specific name resolution(s): "mnNtdv"
-d <layer_type>,<decode_as_protocol> ...
"Decode As", see the man page for details
Example: tcp.port8888,http
--enable-protocol <proto_name>
enable dissection of proto_name
--disable-protocol <proto_name>
disable dissection of proto_name
--enable-heuristic <short_name>
enable dissection of heuristic protocol
--disable-heuristic <short_name>
disable dissection of heuristic protocol

User interface:
-C start with specified configuration profile
-Y start with the given display filter
-g go to specified packet number after "-r"
-J jump to the first packet matching the (display)
filter
-j search backwards for a matching packet after "-J"
-m set the font name used for most text
-t a|ad|d|dd|e|r|u|ud output format of time stamps (def: r: rel. to first)
-u s|hms output format of seconds (def: s: seconds)
-X : eXtension options, see man page for details
-z show various statistics, see man page for details