[Tcpick-project] Possible Bug in tcpick When Writing to File
From: Mathew B. <mat...@fa...> - 2009-11-23 18:35:47
Hi,

I'm currently running into an issue when trying to write the output of both sides (client and server) of a conversation into a single file. My example pcap file is:
http://forensicscontest.com/contest02/evidence02.pcap

When I run:

  tcpick -r evidence02.pcap -yR -C "port 587"

it shows the client-server sequence correctly as shown below (take special note of the AUTH LOGIN to AUTHENTICATION SUCCESSFUL part):

220 cia-mc06.mx.aol.com ESMTP mail_cia-mc06.1; Sat, 10 Oct 2009 15:35:16 -0400
EHLO annlaptop
250-cia-mc06.mx.aol.com host-69-140-19-190.static.comcast.net
250-AUTH=LOGIN PLAIN XAOL-UAS-MB
250-AUTH LOGIN PLAIN XAOL-UAS-MB
250-STARTTLS
250-CHUNKING
250-BINARYMIME
250-X-AOL-FWD-BY-REF
250-X-AOL-DIV_TAG
250-X-AOL-OUTBOX-COPY
250 HELP
AUTH LOGIN
334 VXNlcm5hbWU6
c25lYWt5ZzMza0Bhb2wuY29t
334 UGFzc3dvcmQ6
NTU4cjAwbHo=
235 AUTHENTICATION SUCCESSFUL
MAIL FROM: <sne...@ao...>

From the above, the sequence is correct (verified also using Wireshark). Also, when I select to write to file using the -wR option, it writes each side of the conversation / stream correctly (but each one in a different file):

  tcpick -r ../evidence02.pcap -wP "port 587"

However, I'm running into issues when I try to put both sides of the conversation into the same file using the u option:

  tcpick -r ../evidence02.pcap -wPu "port 587"

I end up with part of the authentication sequence at the very end instead of the beginning, which is definitely wrong (see below). Again, note the AUTH LOGIN and AUTHENTICATION SUCCESSFUL messages and where they are. Any ideas?

Thanks.
220 cia-mc07.mx.aol.com ESMTP mail_cia-mc07.1; Sat, 10 Oct 2009 15:37:56 -0400
EHLO annlaptop
AUTH LOGIN
c25lYWt5ZzMza0Bhb2wuY29t
NTU4cjAwbHo=
MAIL FROM: <sne...@ao...>
250-cia-mc07.mx.aol.com host-69-140-19-190.static.comcast.net
250-AUTH=LOGIN PLAIN XAOL-UAS-MB
250-AUTH LOGIN PLAIN XAOL-UAS-MB
250-STARTTLS
250-CHUNKING
250-BINARYMIME
250-X-AOL-FWD-BY-REF
250-X-AOL-DIV_TAG
250-X-AOL-OUTBOX-COPY
250 HELP
RCPT TO: <mis...@ao...>
DATA
Message-ID: <001101ca49ae$e93e45b0$9f01a8c0@annlaptop>
From: "Ann Dercover" <sne...@ao...>
To: <mis...@ao...>
Subject: rendezvous
Date: Sat, 10 Oct 2009 07:38:10 -0600
MIME-Version: 1.0
...
...
AAAhAKVR8wbYAQAA2QMAABAAAAAAAAAAAAAAAAAA5iMDAGRvY1Byb3BzL2FwcC54bWxQSwUGAAAA
AA0ADQBEAwAA9CYDAAAA
------=_NextPart_000_000D_01CA497C.9DEC1E70--
.
334 VXNlcm5hbWU6
334 UGFzc3dvcmQ6
235 AUTHENTICATION SUCCESSFUL
250 OK
250 OK
354 START MAIL INPUT, END WITH "." ON A LINE BY ITSELF
250 OK
QUIT
221 SERVICE CLOSING CHANNEL

--
Mathew Brown
mat...@fa...

--
http://www.fastmail.fm - Send your email first class
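As an added example (not part of the post above and not tcpick's own code), the script below reconstructs a bidirectional transcript the way the poster expected -wPu to behave: both directions merged in capture order, with a sanity check that each client command is answered before the next one, placed beside the per-direction dump that produces the out-of-order output shown. The TCP segments, timestamps, sequence numbers and base64 credentials are all constructed dummies.

```python
"""Added example, not tcpick's own code: merge both directions of a TCP
conversation in capture order, beside a per-direction dump that writes one
side after the other. All segments are constructed dummies."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Segment:
    ts: float      # capture timestamp, seconds
    client: bool   # True for client -> server
    seq: int       # TCP sequence number of the first payload byte
    payload: bytes

SEGMENTS = [  # constructed SMTP AUTH LOGIN exchange, dummy credentials
    Segment(0.00, False, 1000, b"220 mx.example ESMTP\r\n"),
    Segment(0.03, True, 5000, b"AUTH LOGIN\r\n"),
    Segment(0.04, False, 1022, b"334 VXNlcm5hbWU6\r\n"),
    Segment(0.05, False, 1022, b"334 VXNlcm5hbWU6\r\n"),  # retransmission
    Segment(0.06, True, 5012, b"dXNlcg==\r\n"),
    Segment(0.07, False, 1040, b"334 UGFzc3dvcmQ6\r\n"),
    Segment(0.08, True, 5022, b"cGFzcw==\r\n"),
    Segment(0.09, False, 1058, b"235 AUTHENTICATION SUCCESSFUL\r\n"),
    Segment(0.10, True, 5032, b"QUIT\r\n"),
    Segment(0.11, False, 1089, b"221 SERVICE CLOSING CHANNEL\r\n"),
]

def _lines(seg):
    # One (is_client, text) tuple per line of the segment's payload
    return [(seg.client, ln) for ln in seg.payload.decode().splitlines()]

def per_direction(segments):
    """All client lines, then all server lines: the shape of the post's -wPu output."""
    return [t for side in (True, False) for s in segments if s.client == side for t in _lines(s)]

def interleaved(segments):
    """Both directions in capture order; exact retransmissions (same direction and seq) dropped."""
    seen, out = set(), []
    for seg in sorted(segments, key=lambda s: s.ts):
        if (seg.client, seg.seq) not in seen:
            seen.add((seg.client, seg.seq))
            out.extend(_lines(seg))
    return out

def reply_follows(transcript, command, code):
    """True when the client line `command` is answered next by a server line starting with `code`."""
    for (c, line), (nc, nxt) in zip(transcript, transcript[1:]):
        if c and line == command:
            return not nc and nxt.startswith(code)
    return False
```

Running `reply_follows(interleaved(SEGMENTS), "AUTH LOGIN", "334")` returns True while the same check on `per_direction(SEGMENTS)` returns False, which is the ordering defect visible in the post's second output.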