How to extract request data?

  • Andreas Greulich

    For malware analysis it is important for me not only to capture files that a client receives from a server, but also data that are SENT to the server as POST data. Example: In Wireshark I'd see a connection in slightly modified form using TCP-Follow like this:

    POST /blah.php HTTP/1.1
    Accept: */*
    User-Agent: Mozilla...
    Content-Length: 892
    Connection: Keep-Alive
    Pragma: no-cache

    .P=O.........!|C."...SP..p2HTTP/1.1 200 OK
    Date: ...
    Server: Apache/2
    X-Powered-By: PHP/5.2.6
    Vary: Accept-Encoding,User-Agent
    Content-Length: ..
    Keep-Alive: ..
    Connection: Keep-Alive
    Content-Type: text/html


    The first part is the request, and immediately afterward you see the "HTTP/1.1 200 OK" of the response. NetworkMiner gives me the data of the response ("<R=...") - but unfortunately not the data of the request (".p=..."). Is there any way to get that as well?

    • Erik Hjelmvik

      Erik Hjelmvik - 2009-01-24

      The latest version of NetworkMiner (v 0.87) extracts the POST data you are interested in.

      The Form POST data variables you are referring to can be found under the "Parameters" tab in NetworkMiner. Look for rows with the value "Form POST" in the "Details" column; you can click the header of that column to sort on it if that will help you. The row will show ".P" as parameter name and "O..." as parameter value.

      Files uploaded with Form POSTs can also be found in the "Files" tab, just look for rows named "HttpPostMimeFileData" in the protocol column.

      I hope this will be of help! If not then please let me know so I can fix the error.
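To illustrate what a tool has to do to recover the request side of such a stream (this is an added example, not NetworkMiner's code): the request's Content-Length header marks exactly where the POST body ends and the "HTTP/1.1 200 OK" begins, so the body can be sliced out of a "Follow TCP Stream" style dump and, for a form-encoded request, split into the parameter name/value pairs shown in the Parameters tab. The stream bytes, URL and field values below are constructed for the demo.

```python
"""Extract an HTTP POST body and its form fields from a 'Follow TCP Stream'
style dump, where the request bytes are followed directly by the response."""
from urllib.parse import parse_qsl

# Constructed sample stream (not a real capture). The body is deliberately
# binary-looking, like the ".P=O..." seen in the question.
REQUEST_BODY = b"P=O\x00\x01\xff&id=42"
STREAM = (
    b"POST /blah.php HTTP/1.1\r\n"
    b"Accept: */*\r\n"
    b"User-Agent: Mozilla...\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: %d\r\n"
    b"Connection: Keep-Alive\r\n\r\n" % len(REQUEST_BODY)
    + REQUEST_BODY
    + b"HTTP/1.1 200 OK\r\n"
    b"Server: Apache/2\r\n"
    b"Content-Length: 5\r\n"
    b"Content-Type: text/html\r\n\r\n"
    b"R=hi!"
)


def split_message(data: bytes):
    """Return (start line, headers, body, remaining bytes) for one HTTP message."""
    head, _, rest = data.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode(errors="replace")
    # Without a Content-Length the body boundary is unknown; treat the body as empty.
    length = int(headers.get("content-length", 0))
    return lines[0].decode(), headers, rest[:length], rest[length:]


def extract_post(stream: bytes):
    """Pull the POST body, its form fields and the response body out of a stream."""
    req_line, req_hdrs, req_body, rest = split_message(stream)
    if not req_line.startswith("POST "):
        return None
    fields = {}
    if req_hdrs.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        # Decode as latin-1 so every byte of a binary value survives unchanged.
        fields = dict(parse_qsl(req_body.decode("latin-1"), keep_blank_values=True))
    _, _, resp_body, _ = split_message(rest)
    return {"request_body": req_body, "fields": fields, "response_body": resp_body}
```

Chunked or Content-Length-less requests are not handled here; a real extractor has to fall back to the transfer encoding or the connection close to find the body end.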

