4

I have multiple browsers and I want to save all images with a size of more than 30KB to a specified address.

What is the best way?

  • listen to tcpdump and read the content, and then save to a file, or

  • use something like squid

I think tcpdump is better but I don't know how to find out whether the content is an image and of what size (and other attributes) to save it in a file.

Mohammad Efazati
  • 2
    Duplicate? ["*How to recover a file from a `tcpdump`*"](http://unix.stackexchange.com/questions/28321/how-to-recover-a-file-from-a-tcpdump) (The answer there should provide what you need, I suppose.) Oh, and there's [`driftnet`](http://linux.die.net/man/1/driftnet), the perfect fit. – sr_ May 09 '12 at 08:51
  • There is a difference between this and that page. I want to save from all addresses. – Mohammad Efazati May 09 '12 at 17:56
  • 1
    For example `driftnet` takes a `libpcap`-filter expression; but maybe I misunderstood you... – sr_ May 09 '12 at 18:23
  • @sr_ So answer this question ;) I want all images seen on the net with a size of more than 30KB saved in /opt/pics/ – Mohammad Efazati May 09 '12 at 18:32
  • If you're using Debian and like `driftnet`, please consider [adopting it](http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=616451). – sr_ May 10 '12 at 09:27
  • @sr_ I saw this package on GitHub too, and built it from source on Arch. I think a new adoption is awesome. – Mohammad Efazati May 10 '12 at 09:31

4 Answers

3

Thanks to sr_, I used driftnet:

```
sudo driftnet -i eth0 -a -d ./browserPic
```

Mohammad Efazati
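
The driftnet command above saves every image it extracts, so the question's 30KB threshold has to be applied afterwards. The following Python script is an added example, not part of the original answer: it filters the capture directory by content (magic bytes) and size and copies the survivors to the destination. The function names are this example's own; `./browserPic` and `/opt/pics` are taken from the command and the comments above.

```python
import hashlib
import shutil
from pathlib import Path

# Leading magic bytes of common web image formats.
MAGIC = {
    b"\xff\xd8\xff": "jpeg",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"\x89PNG\r\n\x1a\n": "png",
}

def sniff_image(head: bytes):
    """Return the image type indicated by the leading bytes, or None."""
    for magic, kind in MAGIC.items():
        if head.startswith(magic):
            return kind
    return None

def keep_large_images(src_dir, dst_dir, min_bytes=30 * 1024):
    """Copy images strictly larger than min_bytes from src_dir to dst_dir.

    Files are identified by content, not by name, and duplicates (the same
    image fetched by several browsers) are stored once, named by SHA-256.
    Returns the sorted list of file names written to dst_dir.
    """
    dst = Path(dst_dir)
    dst.mkdir(parents=True, exist_ok=True)
    kept = set()
    for path in sorted(Path(src_dir).iterdir()):
        if not path.is_file() or path.is_symlink():
            continue
        if path.stat().st_size <= min_bytes:
            continue
        data = path.read_bytes()
        kind = sniff_image(data[:8])
        if kind is None:
            continue  # not a recognised image, whatever its extension says
        name = f"{hashlib.sha256(data).hexdigest()}.{kind}"
        if name not in kept:
            shutil.copyfile(path, dst / name)
            kept.add(name)
    return sorted(kept)

if __name__ == "__main__":
    # Paths from the driftnet command and the question's comments.
    for name in keep_large_images("./browserPic", "/opt/pics"):
        print(name)
```
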
0

You can use justniffer-grab-http-traffics, a Python script shipped with justniffer, for capturing all files in HTTP traffic.

0

I also have some small tutorial on tcpdump, I hope it will be useful.

Use tcpdump to capture in a pcap file (wireshark dump)

Remote packet capture using WireShark & tcpdump

Mat
  • Posting only links to external sources is frowned upon here. Your posts should contain enough information to stand on their own without the links. Having links for extra information is fine though. – Mat Nov 29 '12 at 13:33
0

You can use the IPS (intrusion protection) file store option.

Simplewall uses the latest stable Suricata IPS; integration is very simple and easy to use, with a nice web user interface.

File signatures:

Simply store all files to disk:

```
alert http any any -> any any (msg:"FILE store all"; filestore; sid:1; rev:1;)
```

Store all files with extension pdf:

```
alert http any any -> any any (msg:"FILE PDF file claimed"; fileext:"pdf"; filestore; sid:2; rev:1;)
drop ip any 443 -> 192.168.3.38 any (msg:"File extension => swf block for User38 "; fileext:"swf"; filestore ;sid:96676215;rev:1;)
drop ip any 443 -> 192.168.3.38 any (msg:"File extension => flv block for User38 "; fileext:"flv"; filestore ;sid:45369914;rev:1;)
drop ip any 443 -> 192.168.3.38 any (msg:"File extension => mp3 block for User38 "; fileext:"mp3"; filestore ;sid:87448154;rev:1;)
```

Aditya