How to extract request data?

Help
2009-01-24
2013-04-29
  • For malware analysis it is important for me not only to capture files that a client receives from a server, but also data that are SENT to the server as POST data. Example: In Wireshark I'd see a connection in slightly modified form using TCP-Follow like this:

    POST /blah.php HTTP/1.1
    Accept: */*
    User-Agent: Mozilla...
    Host: 1.2.3.4
    Content-Length: 892
    Connection: Keep-Alive
    Pragma: no-cache

    .P=O.........!|C."...SP..p2HTTP/1.1 200 OK
    Date: ...
    Server: Apache/2
    X-Powered-By: PHP/5.2.6
    Vary: Accept-Encoding,User-Agent
    Content-Length: ..
    Keep-Alive: ..
    Connection: Keep-Alive
    Content-Type: text/html

    <R=O.....

    The first part is the request, and immediately afterward you see the "HTTP/1.1 200 OK" of the response. NetworkMiner gives me the data of the response ("<R=...") - but unfortunately not the data of the request (".P=..."). Is there any way to get that as well?

    • Erik Hjelmvik
      2009-01-24

      The latest version of NetworkMiner (v 0.87) extracts the POST data you are interested in.

      The Form POST data variables you are referring to can be found under the "Parameters" tab in NetworkMiner. Look for rows with the value "Form POST" in the "Details" column; you can click the header of that column to sort on it if that will help you. The row will show ".P" as parameter name and "O..." as parameter value.

      Files uploaded with Form POSTs can also be found in the "Files" tab; just look for rows named "HttpPostMimeFileData" in the protocol column.

      I hope this will be of help! If not then please let me know so I can fix the error.
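The following is an added example, not code from this thread or from NetworkMiner, showing the two steps the question and the answer describe: carving the request body out of a reassembled TCP stream using Content-Length, and splitting a Form POST body into the parameter name/value pairs that NetworkMiner lists under "Parameters". The stream bytes, the parameter names and the values are constructed for the example; the body is kept as raw bytes so binary values (as in the ".P=O..." case above) survive decoding. It assumes requests and responses alternate in the stream, which holds for keep-alive HTTP/1.1 without pipelining.

```python
from urllib.parse import unquote_to_bytes

# Constructed sample stream, modelled on the "Follow TCP Stream" view in the
# question: one POST request immediately followed by its response.
SAMPLE_STREAM = (
    b"POST /blah.php HTTP/1.1\r\n"
    b"Accept: */*\r\n"
    b"User-Agent: Mozilla...\r\n"
    b"Host: 1.2.3.4\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 19\r\n"
    b"Connection: Keep-Alive\r\n"
    b"Pragma: no-cache\r\n"
    b"\r\n"
    b"P=O%00%01%7CC&id=42"          # 19 bytes of form-encoded POST data
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Apache/2\r\n"
    b"X-Powered-By: PHP/5.2.6\r\n"
    b"Content-Length: 11\r\n"
    b"Connection: Keep-Alive\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"R=O\x00\x01\x02\x03\x04\x05\x06\x07"  # 11 bytes of binary response body
)


def split_http_message(stream: bytes, offset: int = 0):
    """Parse one HTTP message starting at `offset` in a reassembled stream.

    Returns (start_line, headers, body, next_offset). The body is delimited by
    Content-Length only; chunked transfer encoding is not handled here.
    """
    end = stream.find(b"\r\n\r\n", offset)
    if end == -1:
        raise ValueError("incomplete HTTP headers")
    head = stream[offset:end].decode("latin-1")   # headers are byte-safe in latin-1
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    body_start = end + 4
    length = int(headers.get("content-length", "0"))
    body = stream[body_start:body_start + length]
    if len(body) < length:
        raise ValueError("truncated body: stream ended before Content-Length")
    return lines[0], headers, body, body_start + length


def parse_form_urlencoded(body: bytes):
    """Decode application/x-www-form-urlencoded bytes into (name, value) pairs.

    Works on bytes end to end so that percent-encoded binary values are kept
    intact instead of being mangled by a text decode.
    """
    pairs = []
    for field in body.split(b"&"):
        if not field:
            continue
        name, _, value = field.partition(b"=")
        pairs.append((unquote_to_bytes(name.replace(b"+", b" ")),
                      unquote_to_bytes(value.replace(b"+", b" "))))
    return pairs


def extract_post_exchanges(stream: bytes):
    """Walk request/response pairs in the stream and collect POST parameters."""
    exchanges = []
    offset = 0
    while offset < len(stream):
        req_line, req_hdrs, req_body, offset = split_http_message(stream, offset)
        method, path, _ = req_line.split(" ", 2)
        if offset < len(stream):
            status_line, _, resp_body, offset = split_http_message(stream, offset)
            status = int(status_line.split(" ", 2)[1])
        else:
            status, resp_body = None, b""   # request captured without a response
        ctype = req_hdrs.get("content-type", "")
        params = (parse_form_urlencoded(req_body)
                  if ctype.startswith("application/x-www-form-urlencoded") else [])
        exchanges.append({"method": method, "path": path, "request_body": req_body,
                          "params": params, "status": status, "response_body": resp_body})
    return exchanges


if __name__ == "__main__":
    for ex in extract_post_exchanges(SAMPLE_STREAM):
        print(ex["method"], ex["path"], "->", ex["status"])
        for name, value in ex["params"]:
            print("  Form POST param", name, "=", value)
```

Reading the request body with Content-Length rather than scanning for the next "HTTP/1.1" string matters for exactly the case in the question: binary POST data may contain anything, including bytes that look like a response header.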