Date: Fri, 9 Jul 2010 23:00:06 -0700
From: Bill Campbell
To: freebsd-questions@freebsd.org, "questions@freebsd.org"
Message-ID: <20100710060006.GA11325@ayn.mi.celestial.com>
Subject: Re: Reconstruct meaningful data from tcpdumps?

On Fri, Jul 09, 2010, Modulok wrote:
>Is there a way to reconstruct network traffic from a tcpdump file? Or
>something similar? As in: analyze the dump file and attempt to
>re-construct files transferred through http, ftp, known messenger
>protocols, instant message conversations, http requests, web pages,
>and so forth?

I like the tcpflow program for things like this. Its command syntax is
very similar to tcpdump, but I find it much more useful as it creates a
file for each side of a tcp conversation containing the traffic.

This can be very handy when debugging things like IMAP connections. I
have also used it to capture web pages that I couldn't save in a browser
to see what was actually being sent.

Bill
-- 
INTERNET:   bill@celestial.com  Bill Campbell; Celestial Software LLC
URL: http://www.celestial.com/  PO Box 820; 6641 E. Mercer Way
Voice:          (206) 236-1676  Mercer Island, WA 98040-0820
Fax:            (206) 232-9186  Skype: jwccsllc (206) 855-5792

Guns are no more responsible for killing people than the spoon is
responsible for making Rosie O'Donnell fat.
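
The per-direction split described in the message above, as an added example (not part of the original message and not tcpflow's own code): it reads a classic pcap file and returns one payload stream for each side of each TCP conversation, keyed by a tcpflow-style name. The function names, the IMAP sample capture and its addresses are constructed for illustration; the sketch assumes Ethernet framing and IPv4 and does not handle IP fragments or sequence-number wraparound.

```python
import struct
from collections import defaultdict

def _name(ip, port):
    # tcpflow-style endpoint label: zero-padded octets, then zero-padded port
    return ".".join(f"{b:03d}" for b in ip) + f".{port:05d}"

def split_flows(pcap):
    """Map 'src-dst' to that direction's payload, ordered by seq (no wraparound/overlap handling)."""
    if pcap[:4] == b"\xd4\xc3\xb2\xa1":
        end = "<"
    elif pcap[:4] == b"\xa1\xb2\xc3\xd4":
        end = ">"
    else:
        raise ValueError("not a classic pcap file")
    if struct.unpack(end + "I", pcap[20:24])[0] != 1:
        raise ValueError("only Ethernet (linktype 1) captures are handled")
    segs, off = defaultdict(dict), 24
    while off + 16 <= len(pcap):
        incl = struct.unpack(end + "I", pcap[off + 8:off + 12])[0]
        frame, off = pcap[off + 16:off + 16 + incl], off + 16 + incl
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue  # skip anything that is not IPv4 carrying TCP
        ihl = (frame[14] & 0x0F) * 4
        total = struct.unpack("!H", frame[16:18])[0]
        tcp = frame[14 + ihl:14 + total]  # IP total length trims Ethernet padding
        if len(tcp) < 20:
            continue
        sport, dport, seq = struct.unpack("!HHI", tcp[:8])
        data = tcp[(tcp[12] >> 4) * 4:]
        if data:
            key = _name(frame[26:30], sport) + "-" + _name(frame[30:34], dport)
            segs[key].setdefault(seq, data)  # first copy wins on retransmission
    return {k: b"".join(v[s] for s in sorted(v)) for k, v in segs.items()}

def _pkt(src, dst, sport, dport, seq, data):
    # Build one constructed pcap record: Ethernet + IPv4 + TCP (checksums left 0)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 0x50, 0x18, 8192, 0, 0) + data
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0, bytes(src), bytes(dst))
    frame = b"\0" * 12 + b"\x08\x00" + ip + tcp
    return struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame

C, S = (10, 0, 0, 5), (192, 0, 2, 10)  # constructed client and server addresses
SAMPLE = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1) + b"".join([
    _pkt(S, C, 143, 49152, 5000, b"* OK IMAP4rev1 ready\r\n"),
    _pkt(C, S, 49152, 143, 1003, b"CAPABILITY\r\n"),  # captured out of order
    _pkt(C, S, 49152, 143, 1000, b"a1 "),
    _pkt(C, S, 49152, 143, 1000, b"a1 "),             # retransmission
])
```

Calling `split_flows(SAMPLE)` gives two entries, one per direction, with the client's command reassembled in sequence order despite the out-of-order capture.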