Problems extracting files with Foremost

mwade (@mwade), Trusted Member, Joined: 18 years ago, Posts: 77, Topic starter

Hello,

Thanks for your help in advance. I am trying to use foremost to extract exe, DLL and zip files from Ethereal logs and I am having issues. First of all, I have Ethereal configured to capture a 1500 byte packet size. When I run foremost I have tried to use both the built-in config file and the foremost.conf file. I am running the command with -i and -o, and have tried -t to specify the file type to grab. What happens when I run it is that I do get files extracted and broken out into the different extension folders; however, in testing I have compared the file that I pulled down (say via the web, resulting in the Ethereal logs) and the file that foremost pulled out from the logs. They have a different file size and a different md5. It's odd that the foremost file (0000605.zip) would be larger than the one pulled down from the website (foo.zip).

There is not much documentation (other than the man page and config file) and I have gone through them and can't seem to address my issue.

Thanks again.

Mark


hogfly (@hogfly), Reputable Member, Joined: 21 years ago, Posts: 287


mwade,

For extracting files from network captures, what I've done in the past is use tcpextract and/or tcpflow. I particularly like tcpflow because it breaks out the flows based on a BPF input and you'll get what you're looking for that way. You may be picking up excess TCP header info (giving you different file sizes), instead of just extracting the binary you're looking for.
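As an added example (not from the thread, and not foremost's or tcpflow's own code), the following Python model shows why the two approaches give different results: a header-to-footer carve over the raw capture swallows the Ethernet/IP/TCP headers that sit between segments (and any retransmitted segment), so the carved zip comes out larger with a different md5, while reassembling the TCP flow by sequence number first and carving from that reproduces the original file. The zip content, the frames and their headers are all constructed in the script; the carver is a simplified stand-in, not foremost's logic.

```python
import hashlib
import io
import struct
import zipfile

MSS = 1460                  # 1500-byte frame minus 20-byte IP and 20-byte TCP header
ZIP_HEADER = b"PK\x03\x04"  # local file header signature
ZIP_FOOTER = b"PK\x05\x06"  # end-of-central-directory signature; the record is 22 bytes

def make_zip() -> bytes:
    """A deterministic stand-in for foo.zip (constructed sample content)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        info = zipfile.ZipInfo("foo.txt", date_time=(2008, 1, 1, 0, 0, 0))  # ZIP_STORED by default
        zf.writestr(info, bytes(range(256)) * 24)
    return buf.getvalue()

def make_frames(data: bytes, first_seq: int = 1000) -> list:
    """Split data into MSS-sized segments wrapped in synthetic Ethernet/IP/TCP headers."""
    frames = []
    for off in range(0, len(data), MSS):
        seg = data[off:off + MSS]
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(seg), 0, 0, 64, 6, 0, b"\x0a\0\0\1", b"\x0a\0\0\2")
        tcp = struct.pack("!HHIIBBHHH", 80, 40000, first_seq + off, 1, 0x50, 0x18, 65535, 0, 0)
        frames.append(b"\x00" * 12 + b"\x08\x00" + ip + tcp + seg)   # 54 header bytes per frame
    return frames

def carve_zip(blob: bytes) -> bytes:
    """Header-to-footer carve over raw bytes, the way a carver treats a capture file."""
    start = blob.find(ZIP_HEADER)
    end = blob.find(ZIP_FOOTER, start)
    return blob[start:end + 22]

def reassemble(frames: list) -> bytes:
    """Strip the headers, order segments by TCP sequence number, drop retransmits."""
    segs = {}
    for f in frames:
        tcp_off = 14 + (f[14] & 0x0F) * 4                        # Ethernet + IP header length
        seq = struct.unpack("!I", f[tcp_off + 4:tcp_off + 8])[0]
        segs.setdefault(seq, f[tcp_off + (f[tcp_off + 12] >> 4) * 4:])  # first copy wins
    return b"".join(segs[s] for s in sorted(segs))

def compare() -> dict:
    """(size, md5) of foo.zip, of a carve over the raw capture, and of a carve over the flow."""
    original = make_zip()
    frames = make_frames(original)  # five segments for this payload
    frames = frames[:1] + [frames[2], frames[1], frames[1]] + frames[3:]  # reorder + retransmit
    blobs = {"original": original, "carved_from_capture": carve_zip(b"".join(frames)),
             "carved_from_flow": carve_zip(reassemble(frames))}
    return {k: (len(v), hashlib.md5(v).hexdigest()) for k, v in blobs.items()}
```

Running `compare()` shows the capture carve larger than the original with a different md5, and the flow carve identical to it, which is the symptom described in the first post.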
mwade (@mwade), Trusted Member, Joined: 18 years ago, Posts: 77, Topic starter

Thanks for the insight. I will give this a try.

Mark