To fulfill my dream of automatic carving of files from network traffic, I wrote nftracker. The software is not 100% done, but well enough to deserve a blog post and to get a wider audience for testing! Some more file signatures could be added, especially for “Content-Type: ” in http or smtp traffic.
( I know I could have done something similar just writing snort/suricata rules. I could even write a snort preprocessor.. But hey! )
I also want to graph info from nftracker, such as how many files of type X traverse my network today, last week, month, year, etc..
A common first question from people is: Does it also carve out the files?
At this point, I just want to know whats on the wire. It would be cool to also carve out the file and dump it to disk (patches are welcome 😛 ), but for now I use other tools to do this. First of all, I use OpenFPC to do full packet capture. Mostly I have been using tcpxtract and I have also tested xtract.py. I see it as a bigger task to take on TCP reassembly and carving out the file correct, especially when I already have the pcap of the session, I can handle that offline. I also recommend xplico btw.
Default, nftracker logs to /var/log/nftracker-csv.log. The logfile looks like this:
# timestamp,[ session ],FILE_TYPE
I hope the tool is useful for someone, ideas/comments and such can be mailed to me.
I hope you try it out!