Pentester's Blog: TCPExtract (or TCPxtract) Installation Discrepancies on Mac

Saturday, March 07, 2015

TCPExtract (or TCPxtract) Installation Discrepancies on Mac - Step-by-Step !

TCPExtract (or TCPxtract) is used for extracting specific set of files from the PCAPs by looking into TCP sessions. During object extraction or file analysis in the network traffic, this tool is used. Installation of this tool on the Mac is tricky and several issues need to be debugged before it installs appropriately. I spent sometime on this tool during installation and thought to share the complete solution. The step by step approach installation steps are discussed below:

My Mac is configured with brew (you can repeat the same steps with ports also).

1. you need to install libnet : brew install libnet.
2. you need to install libnids : brew install libnids
3. you need to install pynids : wget https://jon.oberheide.org/pynids/downloads/pynids-0.6.1.tar.gz --no-check-certificate

ARCHFLAGS=-Wno-error=unused-command-line-argument-hard-error-in-future python setup.py build (Clang issue due to updates by Apple related to XCode : https://langui.sh/2014/03/10/wunused-command-line-argument-hard-error-in-future-is-a-harsh-mistress/)
sudo ARCHFLAGS=-Wno-error=unused-command-line-argument-hard-error-in-future python setup.py install

4. Download tcpxtract from source forge: http://tcpxtract.sourceforge.net/

extract the tcpxtract files into a folder using - tar zxvf tcpxtract.tar.xz
./configure
Before doing make (try one of the steps)

cd /usr/lib and sudo ln -s libl.a libfl.a (Flex issue, need to link the libraries - http://www.linuxfromscratch.org/lfs/view/6.4/chapter06/flex.html)
add ldl flag after object files : gcc -D_OFFSET_BITS=64 -D_LARGEFILE_SOURCE -g -O2 -o tcpxtract tcpxtract.o sessionlist.o util.o confy.o confl.o conf.o search.o extract.o -lpcap -lfl

make
sudo make install

How it goes:

$ ./tcpxtract -f ~/malware_pcaps_repository/botnet_cc_pcaps/Keylogger_Limlspy.A.pcap -o dump/

Found file of type "html" in session [50.116.98.95:20480 -> 172.31.2.41:14528], exporting to dump/00000001.html

Found file of type "png" in session [50.116.98.95:20480 -> 172.31.2.41:14528], exporting to dump/00000002.png

Found file of type "html" in session [50.116.98.95:20480 -> 172.31.2.41:14272], exporting to dump/00000003.html

Found file of type "png" in session [50.116.98.95:20480 -> 172.31.2.41:14272], exporting to dump/00000004.png

You can also check extending TCPExtract in Python:

1. http://nullege.com/codes/search/TcpExtract.FileExtractor
2. Another solution : http://computer.forensikblog.de/en/2005/10/tcpxtract-version-10.html

2 comments:

Anonymous said...: I have followed these instructions and can compile tcpxtract, thanks! However, I get 'Segmentation fault: 11' when running "tcpxtract -f pcap -o ./". Running on OSX 10.9.2.; Monday, March 9, 2015 at 7:52:00 AM PDT
Aditya K Sood said...: That's because TCPxtract finds it hard to properly extract files or objects from pcap files which are distorted (few packets are not captured properly and TCP session streams are not complete).

I also see this behavior very often.; Monday, March 9, 2015 at 10:11:00 AM PDT

Pentester's Blog

Pages

Saturday, March 07, 2015

TCPExtract (or TCPxtract) Installation Discrepancies on Mac - Step-by-Step !

2 comments:

About Me !

Website Network!

Book !

Disclaimer !

Malware at Stake

Blog Archive

Twitter Feed !

Labels