Pages

Showing posts with label Packet Capture. Show all posts
Showing posts with label Packet Capture. Show all posts

Saturday, March 07, 2015

TCPExtract (or TCPxtract) Installation Discrepancies on Mac - Step-by-Step !

TCPExtract (or TCPxtract) is used for extracting specific set of files from the PCAPs by looking into TCP sessions. During object extraction or file analysis in the network traffic, this tool is used. Installation of this tool on the Mac is tricky and several issues need to be debugged before it installs appropriately. I spent sometime on this tool during installation and  thought to share the complete solution. The step by step approach installation steps are discussed below:

My Mac is configured with brew (you can repeat the same steps with ports also).

1. you need to install libnet : brew install libnet.
2. you need to install libnids : brew install libnids
3. you need to install pynids : wget https://jon.oberheide.org/pynids/downloads/pynids-0.6.1.tar.gz --no-check-certificate
4. Download tcpxtract from source forge:  http://tcpxtract.sourceforge.net/
  • extract the tcpxtract files into a folder using - tar zxvf tcpxtract.tar.xz
  • ./configure
  • Before doing make (try one of the steps)
    • cd /usr/lib  and sudo ln -s libl.a libfl.a (Flex issue, need to link the libraries - http://www.linuxfromscratch.org/lfs/view/6.4/chapter06/flex.html)
    • add ldl flag after object files : gcc -D_OFFSET_BITS=64 -D_LARGEFILE_SOURCE -g -O2   -o tcpxtract  tcpxtract.o sessionlist.o util.o confy.o confl.o conf.o search.o extract.o  -lpcap -lfl
  • make
  • sudo make install
How it goes:

$ ./tcpxtract -f ~/malware_pcaps_repository/botnet_cc_pcaps/Keylogger_Limlspy.A.pcap -o dump/
Found file of type "html" in session [50.116.98.95:20480 -> 172.31.2.41:14528], exporting to dump/00000001.html
Found file of type "png" in session [50.116.98.95:20480 -> 172.31.2.41:14528], exporting to dump/00000002.png
Found file of type "html" in session [50.116.98.95:20480 -> 172.31.2.41:14272], exporting to dump/00000003.html
Found file of type "png" in session [50.116.98.95:20480 -> 172.31.2.41:14272], exporting to dump/00000004.png

You can also check extending TCPExtract in Python:

1. http://nullege.com/codes/search/TcpExtract.FileExtractor
2. Another solution : http://computer.forensikblog.de/en/2005/10/tcpxtract-version-10.html