Unnecessary chunked HTTP header & footer remains in the output flow

Open pi3ch opened this issue 12 years ago • 3 comments

tcpflow leaves "Chunked HTTP transfer encoding" headers and footers in the output file. This is quite annoying as it leaves garbage data in the flow, and a file carving tool like foremost does not ignore them. If your binary splits into, for example, three chunks, the tcpflow output file contains three instances of the following pattern:

0D 0A SIZE_OF_CURRENT_CHUNK_IN_HEX 0D 0A

Initial CRLF is from end of previous chunk.

As an example, use http://forensicscontest.com/contest05/infected.pcap (from Forensic Contest Puzzle 5), generate the flow and try to extract the binary file using foremost (dst port 1066). The final binary will not have the correct checksum. NetworkMiner does extract the original binary without any garbage.

I tried this using tcpflow from the Debian repository and the compiled version from GitHub (v1.3 - v1.4).

P.S. Some may say this is an issue with the file carving tool; however, tcpflow shouldn't leave unnecessary chunk data in the final flow.

pi3ch, Sep 01 '13 09:09
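As an added example, not tcpflow's own code, here is a small Python post-processor that removes the chunk framing described in the report from a tcpflow output file before it is handed to foremost or hashed. It assumes the flow file holds one server-to-client HTTP/1.1 response (status line, headers, body) and is passed as the first command-line argument; the sample flow and the trailer case at the bottom are constructed for illustration, and the `naive_strip` function exists only to show why deleting every CRLF-hex-CRLF run by pattern is not a substitute for decoding, since a binary can legitimately contain that byte sequence.

```python
"""Strip chunked transfer-encoding framing from a tcpflow output file.

Added example, not tcpflow's own code: given the raw bytes of one
server-to-client HTTP/1.1 flow, parse the response headers and, when the
body is chunked, rebuild the payload that a carver or hash check expects.
"""
import re
import sys

CRLF = b"\r\n"
HEX = re.compile(rb"[0-9A-Fa-f]+")


def split_response(flow: bytes):
    """Return (status line, {lower-case header name: value}, raw body)."""
    sep = flow.find(CRLF + CRLF)
    if sep < 0:
        raise ValueError("no end of HTTP headers found")
    head = flow[:sep].split(CRLF)
    headers = {}
    for line in head[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return head[0], headers, flow[sep + 4:]


def dechunk(body: bytes):
    """Decode a chunked body (RFC 7230 section 4.1).

    Layout: chunk-size [; chunk-ext] CRLF chunk-data CRLF ... 0 CRLF
    [trailer-field CRLF]* CRLF.  The CRLF ending one chunk-data plus the
    next chunk-size line is the "0D 0A <hex> 0D 0A" pattern left in an
    undecoded flow.  Returns (payload, bytes following the message).
    """
    out = bytearray()
    pos = 0
    while True:
        eol = body.find(CRLF, pos)
        if eol < 0:
            raise ValueError("truncated chunk-size line at offset %d" % pos)
        size_field = body[pos:eol].split(b";", 1)[0].strip()  # drop chunk-ext
        if not HEX.fullmatch(size_field):
            raise ValueError("bad chunk size %r at offset %d" % (size_field, pos))
        size = int(size_field, 16)
        pos = eol + 2
        if size == 0:  # last-chunk: skip optional trailers up to the blank line
            if body.startswith(CRLF, pos):
                end = pos + 2
            else:
                blank = body.find(CRLF + CRLF, pos)
                if blank < 0:
                    raise ValueError("truncated trailer section")
                end = blank + 4
            return bytes(out), body[end:]
        if body[pos + size:pos + size + 2] != CRLF:
            raise ValueError("truncated chunk or missing CRLF at offset %d" % pos)
        out += body[pos:pos + size]
        pos += size + 2


def extract_payload(flow: bytes) -> bytes:
    """Body of the first response in the flow, with chunk framing removed."""
    _, headers, body = split_response(flow)
    codings = [c.strip().lower() for c in headers.get(b"transfer-encoding", b"").split(b",")]
    return dechunk(body)[0] if b"chunked" in codings else body


def chunkify(payload: bytes, sizes) -> bytes:
    """Inverse of dechunk, used only to build the constructed sample below."""
    body, pos = bytearray(), 0
    for n in sizes:
        body += b"%x" % n + CRLF + payload[pos:pos + n] + CRLF
        pos += n
    if pos != len(payload):
        raise ValueError("chunk sizes must cover the whole payload")
    return bytes(body + b"0" + CRLF + CRLF)


def naive_strip(body: bytes) -> bytes:
    """What deleting every CRLF <hex> CRLF run by regex does (for contrast only)."""
    return re.sub(rb"\r\n[0-9A-Fa-f]+\r\n", b"", body)


# Constructed sample: a fake binary that itself contains a CRLF-hex-CRLF run,
# split into three chunks of 0x100, 0x100 and 0xb bytes (523 bytes total).
SAMPLE_PAYLOAD = b"MZ\x90\x00" + bytes(range(256)) + b"\r\n1ff\r\n" + bytes(range(256))[::-1]
SAMPLE_FLOW = (
    b"HTTP/1.1 200 OK" + CRLF
    + b"Content-Type: application/octet-stream" + CRLF
    + b"Transfer-Encoding: chunked" + CRLF + CRLF
    + chunkify(SAMPLE_PAYLOAD, [0x100, 0x100, 0xB])
)
# Constructed sample body with a chunk extension, a trailer field and trailing data.
SAMPLE_TRAILER_BODY = (b"5;ext=1" + CRLF + b"hello" + CRLF
                       + b"0" + CRLF + b"X-Checksum: 5d41" + CRLF + CRLF + b"NEXT")

if __name__ == "__main__":
    # usage: python dechunk_flow.py <tcpflow output file> > payload.bin
    with open(sys.argv[1], "rb") as f:
        sys.stdout.buffer.write(extract_payload(f.read()))
```

Run it on the server-side flow file tcpflow wrote (the one whose second address is the server) and carve or hash the result instead of the raw flow. The decoder walks by declared chunk size rather than searching for CRLF, which is why the `\r\n1ff\r\n` embedded in the sample payload survives while the real framing does not; `dechunk` also returns whatever follows the message so a persistent connection carrying several responses can be processed in a loop.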

Thanks for the bug report. This is very useful information, and your providing of a pcap file is really helpful.

Would you like to submit a patch?

simsong, Sep 01 '13 13:09

FYI, this still appears to be a problem. Thanks @simsong

brettclark, Aug 31 '15 20:08

So it is. Would you like to submit a patch?

simsong, Sep 01 '15 11:09