2025-01-16 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
The following is adapted from an experimental case from Hetian Network Security: A uses ARP spoofing and Wireshark to capture the traffic of an entire LAN. By chance he notices that someone has uploaded a document to a website, but he does not know how to recover that file with Wireshark. Having no other option, he saves the captured packets as a Wireshark capture file and comes to you for advice. Can you help him find the uploaded file?
We can reproduce the scenario ourselves: prepare a picture test.jpg, find any website that allows uploads, and capture the upload with Wireshark. I have saved my capture as the file catchme.pcapng and provide it for download in the attachment.
After opening the capture file you will find a total of 344 frames. Auditing them one by one from beginning to end would be laborious.
Here we use a display filter. Because the file was uploaded over HTTP, we apply the filter "http". After filtering, the packet count drops from 344 to 137, which makes the analysis much easier. Looking more closely, the Info column of packet 209 contains the word "upload", so we suspect this packet is related to the upload.
Since files are uploaded with the POST method, we can filter more precisely with "http.request.method==POST", which leaves only 47 packets. Mastering display filters is therefore one of the essential Wireshark skills.
Although we see the upload keyword and the POST method, we are not yet sure that this is really the file-upload request. Open packet 209 in the packet details pane: the application-layer data shows that a file is indeed being uploaded, and the file name is test.jpg (for a browser form upload, the name is carried in the Content-Disposition header of the multipart/form-data body).
In the transport layer we can see that, because the file is relatively large, TCP has split the request into 16 segments. Each segment is an independent frame, and clicking on each frame shows that segment's contents.
The problem is that each frame carries only part of the uploaded file; to restore the file, these fragments must be reassembled into a whole. Wireshark's "Follow Stream" function does exactly this.
Back in the main Wireshark window, right-click packet 209 and choose "Follow > TCP Stream".
The whole TCP stream is now shown in a separate window, in two colours: red marks traffic from source to destination and blue marks traffic in the opposite direction, from destination to source. Which side counts as the source is determined by which party sent the first packet of the conversation; since the client normally initiates the connection to the server, the client's data is usually shown in red.
Because the uploaded file is in the data sent by the client, we can hide the responses sent back by the server: in the direction selector below the data pane, choose only the client-to-server direction, and the responses disappear.
Save this stream to a raw file for further processing. Note that before saving you must set "Show data as" to "Raw"; otherwise the saved file contains the rendered text of the window rather than the bytes that went over the wire.
Give the saved file the extension .bin to mark it as a binary file.
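The procedure above, as an added example that is not code from the original article: the script below does in Python what the Wireshark steps do by hand. It orders the client-to-server TCP segments by sequence number and concatenates them (Follow TCP Stream with a single direction selected, saved as raw bytes), checks the result against Content-Length, and then carves the file out of the multipart/form-data body, which is the step the article leaves to WinHex. The TCP segments are constructed inline to stand in for the segments of packet 209 in catchme.pcapng; the URL path, host, form field name, boundary string and file bytes are assumptions made for the demonstration.

```python
"""Follow the client->server half of a TCP stream, then carve the uploaded file.

Added example, not code from the original article. The segments below are
constructed by hand; path, host, field name, boundary and file bytes are assumed.
"""
import re

ISN = 1000                                          # assumed client ISN
BOUNDARY = b"----WebKitFormBoundaryXyZ"             # assumed boundary
# Only the JPEG SOI (FF D8 FF) and EOI (FF D9) markers are real; the rest is filler.
FAKE_JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * 40 + b"\xff\xd9"

BODY = b"".join([
    b"--", BOUNDARY, b"\r\n",
    b'Content-Disposition: form-data; name="file"; filename="test.jpg"\r\n',
    b"Content-Type: image/jpeg\r\n\r\n",
    FAKE_JPEG, b"\r\n",
    b"--", BOUNDARY, b"--\r\n",
])
REQUEST = b"".join([
    b"POST /upload.php HTTP/1.1\r\n",               # assumed path
    b"Host: example.test\r\n",                      # assumed host
    b"Content-Type: multipart/form-data; boundary=", BOUNDARY, b"\r\n",
    b"Content-Length: ", str(len(BODY)).encode(), b"\r\n\r\n",
    BODY,
])


def make_segments(data, isn, mss):
    """Cut a byte stream into (seq, payload) pairs the way TCP segments it."""
    return [(isn + off, data[off:off + mss]) for off in range(0, len(data), mss)]


# Segments as a capture might present them: out of order, plus one retransmission.
CAPTURE = make_segments(REQUEST, ISN, 64)[::-1]
CAPTURE.append(CAPTURE[2])


def reassemble(segments, isn):
    """Rebuild one direction of a TCP stream: order by sequence number, drop
    bytes already delivered (retransmissions, overlaps) and refuse to skip a hole.
    This is what Follow TCP Stream has to do before it can show the data."""
    expected, out = isn, bytearray()
    for seq, payload in sorted(segments, key=lambda s: s[0]):
        if seq < expected:                          # prefix already delivered
            payload = payload[expected - seq:]
            seq = expected
        if seq > expected:
            raise ValueError(f"hole of {seq - expected} bytes before seq {seq}")
        out += payload
        expected += len(payload)
    return bytes(out)


def _headers(block):
    """Parse 'Name: value' lines into a dict with lower-cased names."""
    result = {}
    for line in block.split(b"\r\n"):
        name, _, value = line.partition(b":")
        result[name.strip().lower().decode()] = value.strip().decode()
    return result


def parse_request(stream):
    """Split a raw HTTP request into (method, path, headers, body), checking Content-Length."""
    head, sep, body = stream.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete HTTP headers")
    request_line, _, header_block = head.partition(b"\r\n")
    method, path, _version = request_line.split(b" ", 2)
    headers = _headers(header_block)
    length = int(headers.get("content-length", len(body)))
    if len(body) != length:
        raise ValueError(f"body is {len(body)} bytes, Content-Length says {length}")
    return method.decode(), path.decode(), headers, body


def parse_multipart(body, boundary):
    """Yield (headers, data) per part. The CRLF before the next delimiter belongs
    to the delimiter, not the file, so it is stripped from the data."""
    for chunk in body.split(b"--" + boundary)[1:]:
        if chunk.startswith(b"--"):                 # closing delimiter
            break
        chunk = chunk[2:] if chunk.startswith(b"\r\n") else chunk
        head, _, data = chunk.partition(b"\r\n\r\n")
        yield _headers(head), data[:-2] if data.endswith(b"\r\n") else data


def carve_upload(segments, isn):
    """Follow the client->server stream and return the first uploaded file part."""
    method, path, headers, body = parse_request(reassemble(segments, isn))
    if method != "POST":
        raise ValueError(f"not an upload: {method} {path}")
    m = re.search(r'boundary=("?)([^";]+)\1', headers.get("content-type", ""))
    if not m:
        raise ValueError("not a multipart/form-data request")
    for part_headers, data in parse_multipart(body, m.group(2).encode()):
        fn = re.search(r'filename="([^"]*)"', part_headers.get("content-disposition", ""))
        if fn:
            return {"path": path, "filename": fn.group(1),
                    "content_type": part_headers.get("content-type", ""), "data": data}
    raise ValueError("no file part in the form")


def is_jpeg(data):
    """Sanity check on the carved bytes: a JPEG starts FF D8 FF and ends FF D9."""
    return data[:3] == b"\xff\xd8\xff" and data[-2:] == b"\xff\xd9"


if __name__ == "__main__":
    info = carve_upload(CAPTURE, ISN)
    print(info["path"], info["filename"], info["content_type"], len(info["data"]), is_jpeg(info["data"]))
    with open("carved_" + info["filename"], "wb") as fh:   # the bytes WinHex would cut out of the .bin
        fh.write(info["data"])
```

Two details matter in practice: the stream is checked against Content-Length before parsing, because a capture that started mid-upload or dropped a segment yields a truncated file, and a hole in the sequence space raises an error instead of silently producing a corrupt image. The split on the boundary assumes the file itself never contains the boundary string, which is also what the sender guarantees when it picks one.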
In the next blog post we will use WinHex to restore the uploaded image from this raw file.
Attachment: http://down.51cto.com/data/2367336