Interception of files with tcpdump

Posted by thomasl on Fri 2 Nov 2007 at 10:48

If you're like me you want to know what's going through your home network. Here is how to use tcpdump, tcpflow and foremost to intercept and extract unencrypted files.

I've never seen a tutorial on this subject before, so I figured I'd try to give a little something back to the GNU/Linux community that has taught me so much over the years.

If you're familiar with the programs mentioned then you can probably stop reading now, as the last sentence just gave you all the information you need. If you aren't familiar with them, I urge you to look at the man pages (or search Google) for the three utilities mentioned above.

Now I urge you to be a responsible administrator and not go off invading your users' or little brother's privacy. However if you are a parent then this is a fine way of finding out what kind of images are coming over your child's ethernet cable. All in all, what you do with this information is your own business, and not my problem.

First off, run tcpdump on a computer that can sniff the packets of interest; -s0 captures whole packets rather than truncated ones, and -w writes the raw capture to a file instead of decoding it. I can do this on my Linux router named dunmer (after the elves in Elder Scrolls).

$ sudo tcpdump -i eth1 -s0 -w rawdump host picard

After browsing the internet for a while on picard (my main desktop) I go back to dunmer and stop the capture. I copy the rawdump file to picard and put it in its own directory. (I do this just to make it easier.)

Packets of course will often arrive at the interface out of order, or duplicated. There is also the problem of packets from one file transfer arriving interleaved with packets from another transfer. Many other problems also make files harder to find, so I use tcpflow to reassemble each TCP connection into its own ordered file.

I create a temporary directory and change into it. Then I run the tcpflow command, which writes one file per flow into the current directory:

$ tcpflow -r ../rawdump

Now the data has been split into one file per flow. At this point we could go into every flow file and extract the data from it, but to make it easier I'll just put everything into one file. So I cd back to the previous directory and use a for loop for that purpose. Why a for loop? Because it's very possible that you'll get "too many arguments" if you do it more directly by passing every flow file to cat at once. EDIT: use "find" instead of the for loop, thanks to an anonymous commenter.

$ for i in temp/*; do cat "$i" >> dump; done
$ find temp -type f -exec cat '{}' \; > dump

Now that everything is nicely ordered together, just run foremost on the dump file and wait for it to extract the data. I could have just run foremost on the rawdump file, but that would result in incomplete and corrupted data, since every packet's headers would sit in the middle of the file contents and out-of-order packets would scramble them.
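The whole recipe hinges on two things the tools do for you: tcpflow puts a TCP stream's bytes back in sequence-number order, and foremost looks for file headers and footers inside the result. The Python script below is an added example, not code from this article or from the tcpflow or foremost projects, that does both in miniature so you can see why the steps are needed. It builds a small pcap in memory from constructed frames (the addresses, ports and the "JPEG" payload are made up), reassembles the stream while discarding a duplicated and an out-of-order segment, and carves whatever lies between a JPEG start-of-image and end-of-image marker. It handles only IPv4/TCP over Ethernet in a little-endian pcap, ignores checksums and leaves gaps from lost segments unfilled; the real tools do far more. Like them, it only ever sees plaintext, so a download protected by TLS would yield no carvable file.

```python
"""Toy TCP flow reassembly and JPEG carving over a pcap image (tcpflow/foremost in miniature)."""
import struct
from collections import defaultdict

PCAP_MAGIC = 0xA1B2C3D4          # little-endian pcap with microsecond timestamps
LINKTYPE_ETHERNET = 1
JPEG_HEADER = b"\xff\xd8\xff"    # SOI marker, the header foremost's jpg rule looks for
JPEG_FOOTER = b"\xff\xd9"        # EOI marker


def build_segment(src, sport, dst, dport, seq, payload):
    """Construct one Ethernet/IPv4/TCP frame (constructed test data; checksums left zero)."""
    eth = b"\x00" * 12 + b"\x08\x00"                       # dummy MACs, EtherType IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0, src, dst) + tcp
    return eth + ip


def build_pcap(frames):
    """Wrap raw frames in a pcap file image, the same layout tcpdump -w produces."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", i, 0, len(frame), len(frame)) + frame
    return out


def iter_tcp_segments(pcap):
    """Yield (flow_key, seq, payload) for every TCP segment with data in a pcap image."""
    if struct.unpack("<I", pcap[:4])[0] != PCAP_MAGIC:
        raise ValueError("not a little-endian pcap")
    off = 24
    while off + 16 <= len(pcap):
        caplen = struct.unpack("<IIII", pcap[off:off + 16])[2]
        frame = pcap[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if frame[12:14] != b"\x08\x00":
            continue                                       # not IPv4
        ip = frame[14:]
        ihl, total_len = (ip[0] & 0x0F) * 4, struct.unpack("!H", ip[2:4])[0]
        if ip[9] != 6:
            continue                                       # not TCP
        tcp = ip[ihl:total_len]
        sport, dport, seq = struct.unpack("!HHI", tcp[:8])
        payload = tcp[(tcp[12] >> 4) * 4:]
        if payload:
            yield (ip[12:16], sport, ip[16:20], dport), seq, payload


def reassemble_flows(pcap):
    """Order each flow's segments by sequence number, dropping duplicates and overlaps.

    Gaps left by lost segments are not filled; tcpflow reports those separately."""
    by_flow = defaultdict(dict)
    for key, seq, payload in iter_tcp_segments(pcap):
        by_flow[key].setdefault(seq, payload)              # first copy of a retransmission wins
    flows = {}
    for key, segs in by_flow.items():
        data, expected = bytearray(), None
        for seq in sorted(segs):
            payload = segs[seq]
            if expected is not None and seq < expected:    # partial overlap: keep only new bytes
                payload, seq = payload[expected - seq:], expected
            data += payload
            expected = seq + len(payload)
        flows[key] = bytes(data)
    return flows


def carve_jpegs(data):
    """Cut out every header..footer JPEG candidate, as foremost's jpg rule does."""
    found, pos = [], 0
    while True:
        start = data.find(JPEG_HEADER, pos)
        end = data.find(JPEG_FOOTER, start + len(JPEG_HEADER)) if start >= 0 else -1
        if end < 0:
            return found
        found.append(data[start:end + len(JPEG_FOOTER)])
        pos = end + len(JPEG_FOOTER)


def demo():
    """Constructed capture: an HTTP response carrying a fake JPEG, delivered out of order with a duplicate."""
    client, server = bytes([192, 168, 1, 2]), bytes([10, 0, 0, 1])
    body = (b"HTTP/1.1 200 OK\r\nContent-Type: image/jpeg\r\n\r\n"
            + JPEG_HEADER + b"FAKEJPEGDATA" + JPEG_FOOTER)
    chunks = [body[i:i + 16] for i in range(0, len(body), 16)]
    frames = [build_segment(server, 80, client, 54321, 1000 + 16 * i, c) for i, c in enumerate(chunks)]
    frames[0], frames[1] = frames[1], frames[0]            # arrive out of order
    frames.append(frames[2])                               # ... and one retransmitted
    stream = reassemble_flows(build_pcap(frames))[(server, 80, client, 54321)]
    return stream, carve_jpegs(stream)


if __name__ == "__main__":
    stream, jpegs = demo()
    print(stream.decode("latin-1"))
    print("carved:", jpegs)
```

Run it with python3 and it prints the reassembled HTTP response followed by the single carved image. Feed build_pcap's output to carve_jpegs directly instead of going through reassemble_flows and you get the same corrupted result the article warns about when foremost is pointed at rawdump: the packet headers and the swapped segment end up inside the carved bytes.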

Any suggestions or improvements are welcome!

This article is copyright 2007 thomasl - please ask for permission to republish or translate.