Created
April 9, 2020 01:29
-
-
Save u0m3/3c46ef0f3471001b1f92feb0dfca6a33 to your computer and use it in GitHub Desktop.
Extract data from TCP streams
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Extract SMTP DATA to files | |
| # References: | |
| # - https://stackoverflow.com/questions/17364951/remove-all-lines-before-a-match-with-sed | |
| # - https://stackoverflow.com/questions/5227295/how-do-i-delete-all-lines-in-a-file-starting-from-after-a-matching-line/24160984 | |
| for file in /tmp/dump*.txt ; | |
| do | |
| # Assumes DATA starts afer a '354 End data with <CR><LF>.<CR><LF>' line | |
| sed -i -e '1,/^354/d' -ne '/^\..$/q;p' $file ; | |
| done |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Extract TCP streams to files | |
| # References: | |
| # - https://osqa-ask.wireshark.org/questions/53747/scripting-follow-tcp-stream-save-as-raw | |
| infile=in.pcap | |
| outfile=out | |
| ext=txt | |
| for stream in $(tshark -nlr $infile -Y tcp.flags.syn==1 -T fields -e tcp.stream | sort -n | uniq | sed 's/\r//') | |
| do | |
| echo "Processing stream $stream: ${outfile}_${stream}.${ext}" | |
| tshark -nlr $infile -qz "follow,tcp,raw,$stream" | tail -n +7 | sed 's/^\s\+//g' | xxd -r -p > ${outfile}_${stream}.${ext} | |
| done |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment