My Mac is set up with Homebrew (the same steps work with MacPorts as well).
1. Install libnet: brew install libnet
2. Install libnids: brew install libnids
3. Install pynids: wget https://jon.oberheide.org/pynids/downloads/pynids-0.6.1.tar.gz --no-check-certificate (the --no-check-certificate flag disables TLS certificate verification for the download, so only use it if the fetch fails on the certificate, and compare the tarball's checksum with one from a source you trust before building it; pynids 0.6.1 is a Python 2 module, so "python" below means Python 2)
- ARCHFLAGS=-Wno-error=unused-command-line-argument-hard-error-in-future python setup.py build (clang issue introduced by an Apple Xcode update: https://langui.sh/2014/03/10/wunused-command-line-argument-hard-error-in-future-is-a-harsh-mistress/)
- sudo ARCHFLAGS=-Wno-error=unused-command-line-argument-hard-error-in-future python setup.py install
- Extract the tcpxtract sources into a folder: tar xvf tcpxtract.tar.xz (the z flag selects gzip, which is wrong for an .xz archive; plain xvf lets tar detect the compression, or use J for xz explicitly)
- ./configure
- Before running make, fix the flex library problem with one of the following two options (tcpxtract links against libfl, which macOS does not ship under that name; see http://www.linuxfromscratch.org/lfs/view/6.4/chapter06/flex.html):
- Option 1: cd /usr/lib and sudo ln -s libl.a libfl.a (creates libfl.a as a symlink to the existing libl.a; this only works on older macOS releases, since System Integrity Protection makes /usr/lib read-only on current ones)
- Option 2: run the link step by hand, putting the lexer library flag after the object files: gcc -D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE -g -O2 -o tcpxtract tcpxtract.o sessionlist.o util.o confy.o confl.o conf.o search.o extract.o -lpcap -lfl (if only libl.a exists on your system, use -ll in place of -lfl)
- make
- sudo make install
$ ./tcpxtract -f ~/malware_pcaps_repository/botnet_cc_pcaps/Keylogger_Limlspy.A.pcap -o dump/
Found file of type "html" in session [50.116.98.95:20480 -> 172.31.2.41:14528], exporting to dump/00000001.html
Found file of type "png" in session [50.116.98.95:20480 -> 172.31.2.41:14528], exporting to dump/00000002.png
Found file of type "html" in session [50.116.98.95:20480 -> 172.31.2.41:14272], exporting to dump/00000003.html
Found file of type "png" in session [50.116.98.95:20480 -> 172.31.2.41:14272], exporting to dump/00000004.png
Note that the port numbers in the session labels are printed in network byte order: 20480 is 0x5000, which read as a host-order value is 0x0050 = port 80, so the server side of these sessions is plain HTTP; the client ports 14528 (0x38C0) and 14272 (0x37C0) are really 49208 and 49207.
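What tcpxtract is doing in the run above is signature carving: once a TCP session has been reassembled, it scans the payload for the header and footer byte sequences of each file type in its config and writes out every header-to-footer span. The Python script below is an added example that reimplements just that carving step (not tcpxtract's own code, and not the Python modules linked further down) on a constructed HTTP stream carrying an HTML page and a PNG, so you can see why the pcap above yields an html/png pair per session without the tool parsing HTTP at all. The SIGNATURES table, the size limits, and the sample stream are all made up for the example.

```python
"""
Minimal header/footer file carver in the style of tcpxtract.

Added example, not code from the tcpxtract project or from the original post.
tcpxtract reassembles TCP sessions with libpcap/libnids and then scans the
payload for header and footer byte signatures; this script shows only the
carving step, on a constructed server-to-client stream built inline below.
"""
import struct
import zlib

# Signature table: type -> (header, footer, maximum carve size).
# Hypothetical subset of the kind of entries tcpxtract keeps in its config.
SIGNATURES = {
    "html": (b"<html", b"</html>", 50_000_000),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82", 20_000_000),
}


def carve(payload: bytes, signatures=SIGNATURES):
    """Return [(type, data)] for every header..footer span in payload.

    Carving is purely signature based, like tcpxtract: no protocol parsing,
    so a file inside an HTTP body is found even though HTTP headers and
    framing are never interpreted. Results are ordered by header offset.
    """
    found = []
    for ftype, (header, footer, max_size) in signatures.items():
        start = 0
        while True:
            h = payload.find(header, start)
            if h == -1:
                break
            window_end = min(len(payload), h + max_size)
            f = payload.find(footer, h + len(header), window_end)
            if f == -1:
                # Header with no footer inside the size limit: skip this
                # header and keep scanning for the next one.
                start = h + 1
                continue
            end = f + len(footer)
            found.append((h, ftype, payload[h:end]))
            start = end
    found.sort(key=lambda t: t[0])
    return [(ftype, data) for _, ftype, data in found]


def _png_chunk(ctype: bytes, body: bytes) -> bytes:
    """Length + type + body + CRC32 over type and body, per the PNG spec."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def make_png_1x1() -> bytes:
    """Build a valid 1x1 greyscale PNG so the carved file is a real image."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)   # 8-bit greyscale
    raw = b"\x00\x80"                                      # filter byte + pixel
    return (b"\x89PNG\r\n\x1a\n"
            + _png_chunk(b"IHDR", ihdr)
            + _png_chunk(b"IDAT", zlib.compress(raw))
            + _png_chunk(b"IEND", b""))


HTML_DOC = b"<html><body><img src='x.png'></body></html>"

# Constructed stream: two HTTP responses on one keep-alive connection, the
# kind of server-to-client payload tcpxtract would hand to its scanner.
# Not captured traffic.
SESSION = (
    b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
    + b"Content-Length: %d\r\n\r\n" % len(HTML_DOC) + HTML_DOC
    + b"HTTP/1.1 200 OK\r\nContent-Type: image/png\r\n"
    + b"Content-Length: %d\r\n\r\n" % len(make_png_1x1()) + make_png_1x1()
)


def carve_session(payload: bytes = SESSION):
    """Carve and return [(type, size)], the summary tcpxtract prints."""
    return [(t, len(d)) for t, d in carve(payload)]


if __name__ == "__main__":
    for i, (ftype, data) in enumerate(carve(SESSION), 1):
        name = f"{i:08d}.{ftype}"          # same numbering scheme as tcpxtract
        with open(name, "wb") as fh:
            fh.write(data)
        print(f'Found file of type "{ftype}", exporting to {name}')
```

Running it writes 00000001.html and 00000002.png to the current directory, the PNG being a valid image because the footer signature is the complete IEND chunk. The same signature-only approach is also why carvers like this produce false positives on text that happens to contain a header string, and why a footer missing within the size limit makes the file either truncated or skipped; the max size column exists to bound the damage.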
You can also look at extending tcpxtract from Python:
1. http://nullege.com/codes/search/TcpExtract.FileExtractor
2. Another approach: http://computer.forensikblog.de/en/2005/10/tcpxtract-version-10.html