For malware analysis it is important for me not only to capture files that a client receives from a server, but also data that are SENT to the server as POST data. Example: In Wireshark I'd see a connection in slightly modified form using TCP-Follow like this:
POST /blah.php HTTP/1.1
.P=O.........!|C."...SP..p2HTTP/1.1 200 OK
The first part is the request, and immediately afterward you see the "HTTP/1.1 200 OK" of the response. NetworkMiner gives me the data of the response ("<R=...") - but unfortunately not the data of the request (".p=..."). Is there any way to get that as well?
The latest version of NetworkMiner (v 0.87) extracts the POST data you are interested in.
The Form POST data variables you are referring to can be found under the "Parameters" tab in NetworkMiner. Look for rows with the value "Form POST" in the "Details" column; you can click the header of that column to sort on it if that helps. The row will show ".P" as parameter name and "O..." as parameter value.
Files uploaded with Form POSTs can also be found in the "Files" tab, just look for rows named "HttpPostMimeFileData" in the protocol column.
I hope this will be of help! If not then please let me know so I can fix the error.
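As an added example (not part of this thread and not NetworkMiner's own code): a small byte-safe Python parser that walks a reassembled client-to-server stream like the one pasted above and pulls out each POST request's path, raw body and decoded Form POST parameters. The sample stream is constructed here to mirror the ".P=O..." request; it assumes Content-Length framing (no chunked uploads).

```python
"""Extract HTTP POST bodies and form parameters from a reassembled TCP stream."""
from urllib.parse import unquote_to_bytes


def parse_form_body(body: bytes) -> dict:
    """Decode application/x-www-form-urlencoded bytes without forcing a text
    codec, so binary parameter values (common in malware beacons) survive."""
    fields = {}
    for pair in body.split(b"&"):
        if not pair:
            continue
        name, _, value = pair.partition(b"=")
        # '+' means space in form encoding; %XX escapes are decoded to raw bytes
        fields[unquote_to_bytes(name.replace(b"+", b" "))] = \
            unquote_to_bytes(value.replace(b"+", b" "))
    return fields


def parse_post_requests(stream: bytes) -> list:
    """Return one dict per POST request found in a client->server byte stream
    (pipelined requests are handled; non-POST requests are skipped)."""
    results = []
    pos = 0
    while True:
        end = stream.find(b"\r\n\r\n", pos)
        if end == -1:
            break
        lines = stream[pos:end].decode("latin-1").split("\r\n")
        method, path, _version = lines[0].split(" ", 2)
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        length = int(headers.get("content-length", "0"))
        body_start = end + 4
        body = stream[body_start:body_start + length]
        pos = body_start + length
        if method != "POST":
            continue
        fields = {}
        if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
            fields = parse_form_body(body)
        results.append({"path": path, "headers": headers, "body": body, "fields": fields})
    return results


# Constructed sample stream: a form POST carrying a binary value, then a GET.
SAMPLE_STREAM = (
    b"POST /blah.php HTTP/1.1\r\nHost: example.invalid\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 14\r\n\r\n"
    b".P=O\x00\x01\x02\x03abcdef"  # exactly 14 bytes of body
    b"GET /next HTTP/1.1\r\nHost: example.invalid\r\n\r\n"
)
```

Feed it the client-side half of a TCP follow (or a reassembled stream from your own pcap tooling) to recover the ".P" parameter alongside the server's "<R=..." response.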