This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

extract HTTP transactions whose response body is a flash


In a pcap with many HTTP transactions, wonder if there is a way to extract the transactions whose response body starts with 3 characters "CWS" (Adobe flash). It is frequently used to deliver malware.

asked 19 Oct '15, 09:33

pktUser1001


3 Answers:


Maybe something like this:

http.content_type == "application/x-shockwave-flash"

answered 19 Oct '15, 13:53

Jaap ♦

Thanks for the idea. It works when server sent that in the HTTP response. But malware servers may not be that honest :-(

(19 Oct '15, 17:09) pktUser1001

@pktUser1001: Really ;)

(19 Oct '15, 23:52) Jaap ♦


You could use the following display filter to find the streams (maybe with tshark):

 media matches "CWS.*"

or the filter which Jaap has posted.

Also you can export the flash content with the following dialog: File -> Export objects -> HTTP

This dialog shows you all the objects inside the HTTP streams, and you are able to export (extract) their contents.

answered 19 Oct '15, 14:19

Christian_R

edited 19 Oct '15, 14:20

Thanks @Christian_R for the tips, as mentioned earlier, it may not always have the right content-type in the server response since it's malware traffic.

(19 Oct '15, 17:11) pktUser1001

media matches "CWS.*" was able to catch the HTTP response, thanks for that! Wish it could catch the matching HTTP request as well.

(19 Oct '15, 17:29) pktUser1001

It is not so easy with just a blind filter. One way is to filter on the (ip.clientaddr) and (tcp.clientport) of the response to get the full session.

The other way is just to click on the Related Request in the Response packet in the Packet Details pane.

Is that what you mean? Or did you mean something different?

(19 Oct '15, 21:43) Christian_R

The Packet Details pane does give the packet number of the matching request. Thanks for the tip. Ideally I would like all the desired requests and responses to show up in the packet list pane.

(20 Oct '15, 07:21) pktUser1001

HTTP is a sequential protocol. Therefore the combination of client IP and client port will show you the request and response for sure. But of course it could be that it shows you too much.

(20 Oct '15, 07:25) Christian_R


wonder if there is a way to extract the transactions

well, please define 'extract'.

whose response body starts with 3 characters "CWS" (Adobe flash).

can you please try the following

http.response and data-text-lines matches "^CWS"

or case insensitive

http.response and data-text-lines matches "^(?i)cws"

Regards
Kurt

answered 19 Oct '15, 17:02

Kurt Knochner ♦

Thanks @kurt-knochner for the question. Clarification: "Extract" means filtering the packets in the pcap so that only the packets related to the desired HTTP transactions will remain, I can then save them to another (smaller) pcap. http.response and data-text-lines matches "^CWS" didn't catch it even though I saw the HTTP response body starts with it. See pcap https://www.cloudshark.org/captures/073d4570c609 (from malware-traffic-analysis.net) at packet 72.

(19 Oct '15, 17:26) pktUser1001

In your case, the best filter would be a 'media matches ...' as mentioned by @Christian_R, with a small change:

media matches "^(?i)CWS"

Then right click the frame and choose "Follow TCP Stream".

(20 Oct '15, 00:58) Kurt Knochner ♦

Yes @kurt-knochner, media matches "^(?i)CWS" works, thanks. Follow TCP Stream works to a degree; I hope I would see all the desired requests and responses in the packet details pane.

(20 Oct '15, 07:24) pktUser1001
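The procedure the thread converges on (find the responses whose body starts with "CWS", then keep the whole TCP session by client address and port, and save it to a smaller pcap) can be scripted with tshark. This is an added example and not code from any participant; it assumes tshark is on the PATH, reuses the `media matches "^(?i)CWS"` filter from the answers above, and the function names are my own.

```shell
#!/bin/sh
# Added example: carve the HTTP sessions that delivered a Flash (CWS) body
# out of a larger capture, so both the requests and the responses survive.

# Turn "client_ip client_port" lines into one Wireshark display filter that
# selects every packet of those TCP sessions. Keying on the client side
# (not the server's port 80) keeps unrelated sessions out, though a reused
# client port could still pull in extra traffic, as noted in the thread.
build_stream_filter() {
    # $1: file with one "ip port" pair per line (as written by list_flash_clients)
    sort -u "$1" | awk '
        NF == 2 {
            term = "(ip.addr == " $1 " && tcp.port == " $2 ")"
            if (out == "") out = term; else out = out " || " term
        }
        END { print out }'
}

# Print the client ip/port of every HTTP response whose body starts with CWS.
# The response travels server -> client, so the client is ip.dst / tcp.dstport.
# Assumes tshark is installed (hypothetical helper, not from the thread).
list_flash_clients() {
    tshark -r "$1" -Y 'http.response && media matches "^(?i)CWS"' \
           -T fields -e ip.dst -e tcp.dstport | tr '\t' ' '
}

# Write only the matching sessions from $1 into the new capture $2.
extract_flash_sessions() {
    in="$1"; out="$2"; tmp=$(mktemp)
    list_flash_clients "$in" > "$tmp"
    filter=$(build_stream_filter "$tmp")
    rm -f "$tmp"
    if [ -z "$filter" ]; then
        echo "no CWS responses found in $in" >&2
        return 1
    fi
    tshark -r "$in" -Y "$filter" -w "$out"
}

if [ "$#" -eq 2 ]; then
    extract_flash_sessions "$1" "$2"
fi
```

The smaller capture written by `extract_flash_sessions` can then be opened in Wireshark, where the Packet List pane shows only the carved requests and responses.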