need an idea on how to better determine a file's content/type.
here's the command-line scenario:

1. run tcpdump (or tshark, et al.) to capture a transaction in .lpc (in this case, ftp)
2. run tcpflow to reconstruct the session
3. run "file" on appropriate, reconstructed portion (in other words, the actual data transferred).
for instance:
Code:
user@host:# file 011.111.011.111.51811-022.022.222.222.34162
011.111.011.111.51811-022.022.222.222.34162: data
4. or, possibly run "strings":
Code:
user@host:# strings 011.111.011.111.51811-022.022.222.222.34162
which is as likely as not to feed you 40 pages of gibberish that you may be able to grep for a clue as to what you are looking at.

I know that you can get better results from these, you can even teach them... but I'm not sure that is really reliable enough here.

anyone have a bit more intuitive way of isolating what you are reconstructing (other than executing it on an isolated system)?

thnx in advance...
~k
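An added example (not from the original post) of a defender-side first pass over a tcpflow output file when `file` just says "data": check a small table of known magic bytes, then fall back to entropy and printable-ratio heuristics to separate plain text from compressed/encrypted payloads and from unknown binary, all without executing anything. The magic table and the sample payloads are constructed for this example.

```python
import math
import sys
from collections import Counter

# Well-known signatures (offset, magic bytes, description); constructed subset, extend as needed.
MAGIC = [
    (0, b"\x7fELF", "ELF executable"),
    (0, b"MZ", "DOS/PE executable"),
    (0, b"\x89PNG\r\n\x1a\n", "PNG image"),
    (0, b"PK\x03\x04", "ZIP archive (also docx/jar/apk)"),
    (0, b"\x1f\x8b", "gzip compressed"),
    (0, b"%PDF-", "PDF document"),
    (257, b"ustar", "tar archive"),
]

def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 0.0..8.0; values near 8 mean compressed, encrypted or random."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII or tab/LF/CR."""
    if not data:
        return 0.0
    return sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13)) / len(data)

def identify(data: bytes) -> dict:
    """Classify a reconstructed payload by magic bytes first, then by heuristics."""
    for offset, sig, name in MAGIC:
        if data[offset:offset + len(sig)] == sig:
            return {"type": name, "method": "magic"}
    ent, pr = shannon_entropy(data), printable_ratio(data)
    if pr > 0.95:
        kind = "text (ASCII/UTF-8)"
    elif ent > 7.5:
        kind = "high-entropy data (compressed, encrypted or packed)"
    else:
        kind = "unknown binary"
    return {"type": kind, "method": "heuristic", "entropy": round(ent, 2), "printable": round(pr, 2)}

if __name__ == "__main__":
    # Pass tcpflow output files on the command line; otherwise run the constructed samples.
    samples = {p: open(p, "rb").read() for p in sys.argv[1:]} or {
        "ftp-control": b"220 ftp ready\r\nUSER anonymous\r\n331 Please specify the password.\r\n",
        "elf-ish": b"\x7fELF" + b"\x00" * 60,
        "random-ish": bytes(range(256)) * 4,
    }
    for name, blob in samples.items():
        print(f"{name}: {identify(blob)}")
```

A high-entropy verdict with no magic match is the case worth a second look: it is what a packed binary or an encrypted transfer looks like, and exactly where `strings` gives you nothing useful.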