Open Source and information security mailing list archives
 
Message-ID: <Pine.GSO.4.33.0406030015300.27114-100000@mars.drinks.com>
From: brendan.gregg at tpg.com.au (Brendan Gregg)
Subject: PCAP and LP

G'Day Ian,

----- Original Message -----
> From: Ian Latter (Ian.Latter_at_mq.edu.au)
> Date: Jun 01 2004
>
> Hello Ali,
>
>    According to the FAQ, this doesn't look entirely possible;
>
>         [...]
>         4.10 Replaying Client Traffic to a Server
>
>         A common question on the tcpreplay-users list is how
>         [...]
>
>         From; http://tcpreplay.sourceforge.net/FAQ.html
>
>   I've had one other suggestion, and that is contacting the author
> of "chaosreader" (with greenback or source);
>
>   http://users.tpg.com.au/bdgcvb/chaosreader.html
>
> 's'cool ... I'll fish the web a little more and see what comes out ... if
> nothing comes out, and I can't make a quick contribution to
> chaosreader, then I'll probably change the target host to acquire
> the asset via another protocol (http/smtp/etc).
>

Chaosreader can retrieve print jobs with a little help,

# snoop -o /tmp/out1 port 515
  Using device /dev/hme (promiscuous mode)
  205 ^C
#
# ../chaosreader -v /tmp/out1
  Chaosreader ver 0.94

  Opening, /tmp/out1

  Reading file contents,
   100% (251376/251376)
  Reassembling packets,
   100% (205/205)

  Creating files...
     Num  Session (host:port <=> host:port)              Service
    0001  192.168.1.5:1021,192.168.1.1:515               printer

  index.html created.
#
# ls -l *.raw*
  -rw-r--r--   1 brendan   231678 Jun  3 00:21 session_0001.printer.raw
  -rw-r--r--   1 brendan        5 Jun  3 00:21 session_0001.printer.raw1
  -rw-r--r--   1 brendan   231673 Jun  3 00:21 session_0001.printer.raw2


Now if I "vi session_0001.printer.raw2" and remove the top 2 and bottom
9 lines, I have the original PostScript file (cksums ok). (Your capture
may vary a little, but it should be obvious where the PostScript begins
and ends).


Or if I didn't want to use vi,

# perl -e 'push(@A,$_) while(<>); print @A[2..($#A-10)]' \
	session_0001.printer.raw2 > lp.ps


It would be nice if Chaosreader automatically did this - I guess I
should add it for the next release.

If anyone would like to make a quick contribution you are welcome
to send me small sample capture files (snoop or tcpdump). :)

PS. the most stable link is,
http://www.brendangregg.com/chaosreader.html

no worries,

Brendan Gregg

[Sydney, Australia]


> ----- Original Message -----
> >From: "Ali-Reza Anghaie" <ali_at_packetknife.com>
> >To: "Ian Latter" <Ian.Latter_at_mq.edu.au>
> >Subject: Re: [Full-Disclosure] PCAP and LP
> >Date: Tue, 01 Jun 2004 23:12:19 -0400
> >
> > On Tue, 2004-06-01 at 23:32, Ian Latter wrote:
> > > Quick question, I'm going through the results of an investigation
> > > and have a PCAP file that contains Line Printing ... I'd like to
> > > reconstruct the postscript files (or just reprint them), is there a
> > tool that will allow this?
[...]
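The extraction described in the message above, as an added example that is not part of the original post or of Chaosreader: rather than counting lines, it parses the RFC 1179 framing (subcommand byte, byte count, space, file name, LF, then the file and a zero octet) and returns the data file byte-for-byte. It assumes the `.raw2` file holds only the client-to-server bytes of a "receive job" session; the function names and the sample job are constructed for illustration.

```python
import re
import sys

# RFC 1179 subcommand header: <0x02 control | 0x03 data> <count> SP <name> LF
HDR = re.compile(rb"([\x02\x03])(\d+) ([^\n]+)\n")

# Constructed sample session (not from the post): data file first, then control file.
PS = b"%!PS-Adobe-3.0\n%%Title: test\nshowpage\n%%EOF\n"
CF = b"Hclient\nPbrendan\nldfA001client\nUdfA001client\nNtest.ps\n"
SAMPLE = (b"\x02lp\n"
          + b"\x03%d dfA001client\n" % len(PS) + PS + b"\x00"
          + b"\x02%d cfA001client\n" % len(CF) + CF + b"\x00")

def parse_lpd_stream(stream: bytes):
    """Return (queue, [(kind, name, payload), ...]) for one LPD job stream."""
    # The first line is the daemon command 0x02 <queue> LF ("receive a printer job").
    if not stream.startswith(b"\x02") or b"\n" not in stream:
        raise ValueError("not a 'receive job' LPD session")
    eol = stream.index(b"\n")
    queue = stream[1:eol].decode("ascii", "replace")
    pos, files = eol + 1, []
    while pos < len(stream):
        m = HDR.match(stream, pos)
        if not m:
            raise ValueError(f"unexpected bytes at offset {pos}")
        kind = "control" if m.group(1) == b"\x02" else "data"
        size, start = int(m.group(2)), m.end()
        payload = stream[start:start + size]
        if len(payload) != size:
            raise ValueError("capture truncated inside a file")
        # Every transferred file is followed by a single zero octet.
        if stream[start + size:start + size + 1] != b"\x00":
            raise ValueError("missing zero octet after file")
        files.append((kind, m.group(3).decode("ascii", "replace"), payload))
        pos = start + size + 1
    return queue, files

def extract_data_files(stream: bytes):
    """Return only the printed documents (data files), in the order sent."""
    return [p for kind, _, p in parse_lpd_stream(stream)[1] if kind == "data"]

# Usage: script.py session_0001.printer.raw2 lp.ps
if __name__ == "__main__" and len(sys.argv) == 3:
    with open(sys.argv[1], "rb") as f:
        jobs = extract_data_files(f.read())
    with open(sys.argv[2], "wb") as f:
        f.write(b"".join(jobs))
```

Because the length comes from the protocol header, a capture that lost packets fails with an error instead of silently producing a short PostScript file.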

