How can I capture traffic with tcpdump and only save the full payload (application layer data, no tcp/ip headers) in a raw binary format?
Viewed 5,537 times
1 Answer
4
After capturing traffic and writing it to disk in the PCAP format you can separate each flow into individual files using tcpflow and then run a file carving tool such as foremost on the flow files, which can carve out specific file types from each stream. The following example will extract Windows PE files and PDFs from the flows:
$ tcpflow -r traffic.pcap -o flows/
$ cat flows/* > big.flow
$ foremost -t exe,pdf -i big.flow
Another tool that is capable of extracting common file types is tcpxtract:
$ tcpxtract --file traffic.pcap -o output/
Other tools include ChaosReader and Bro's File Analyzer.

jonschipp
Tcpflow did the job I needed! Thanks! With the -B and -C flags I could write the raw binary data in the TCP payload to stdout. – user3207230 Mar 31 '14 at 06:43
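An added example, not from the original answer or comment, doing in plain Python what the question asks for: read a classic pcap file, drop the Ethernet/IP/TCP headers, and write only the TCP payload of each unidirectional flow to a raw binary file named the way tcpflow names its output. The sample capture is constructed inline (the `ipv4_tcp_frame` and `build_pcap` builders exist only for that and leave checksums at zero); the parser assumes Ethernet/IPv4 captures and concatenates segments in capture order without reassembling out-of-order or retransmitted data.

```python
import struct
from collections import defaultdict

def ipv4_tcp_frame(src, sport, dst, dport, payload):  # constructed Ethernet/IPv4/TCP frame
    ip_len = 40 + len(payload)                        # 20-byte IP + 20-byte TCP header
    ip = struct.pack('!BBHHHBBH4s4s', 0x45, 0, ip_len, 1, 0, 64, 6, 0,  # checksums left 0
                     bytes(map(int, src.split('.'))), bytes(map(int, dst.split('.'))))
    tcp = struct.pack('!HHIIBBHHH', sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    return b'\xaa' * 6 + b'\xbb' * 6 + b'\x08\x00' + ip + tcp + payload

def build_pcap(frames):  # constructed little-endian classic pcap, linktype 1 = Ethernet
    out = struct.pack('<IHHiIII', 0xa1b2c3d4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack('<IIII', 1_000_000 + i, 0, len(f), len(f)) + f
    return out

def extract_tcp_payloads(pcap):  # {flow: payload bytes}, headers removed, tcpflow-style names
    end = {b'\xd4\xc3\xb2\xa1': '<', b'\xa1\xb2\xc3\xd4': '>'}[pcap[:4]]  # byte order from magic
    assert struct.unpack(end + 'I', pcap[20:24])[0] == 1, 'Ethernet captures only'
    flows, off = defaultdict(bytearray), 24
    while off + 16 <= len(pcap):
        incl_len = struct.unpack(end + 'I', pcap[off + 8:off + 12])[0]
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 54 or frame[12:14] != b'\x08\x00':  # need Eth+IPv4+TCP headers, IPv4 only
            continue
        ip = frame[14:]
        ihl, total_len = (ip[0] & 0x0f) * 4, struct.unpack('!H', ip[2:4])[0]
        if ip[9] != 6:                                        # protocol 6 = TCP
            continue
        tcp = ip[ihl:total_len]                               # total_len drops Ethernet padding
        payload = tcp[(tcp[12] >> 4) * 4:]                    # skip TCP header incl. options
        if not payload:                                       # SYN/ACK-only segments: nothing to save
            continue
        sport, dport = struct.unpack('!HH', tcp[:4])
        key = '%s.%05d-%s.%05d' % ('.'.join(map(str, ip[12:16])), sport,
                                   '.'.join(map(str, ip[16:20])), dport)
        flows[key] += payload
    return {k: bytes(v) for k, v in flows.items()}

SAMPLE_PCAP = build_pcap([  # constructed capture: HTTP request, response, and a bare ACK
    ipv4_tcp_frame('10.0.0.1', 40000, '10.0.0.2', 80, b'GET / HTTP/1.0\r\n\r\n'),
    ipv4_tcp_frame('10.0.0.2', 80, '10.0.0.1', 40000, b'HTTP/1.0 200 OK\r\n\r\nhello'),
    ipv4_tcp_frame('10.0.0.1', 40000, '10.0.0.2', 80, b''),
])

if __name__ == '__main__':
    for name, data in extract_tcp_payloads(SAMPLE_PCAP).items():
        with open(name, 'wb') as fh:  # one raw binary file per flow, like tcpflow -o
            fh.write(data)
```

The same function works on a real capture via `extract_tcp_payloads(open('traffic.pcap', 'rb').read())`; pcapng files and non-Ethernet link types are rejected rather than misparsed.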