need an idea on how to better determine a file's content/type.
here's the command-line scenario:
1. run tcpdump (or tshark, et al.) to capture a transaction in .lpc (in this case, ftp)
2. run tcpflow to reconstruct the session
3. run "file" on the appropriate, reconstructed portion (in other words, the actual data transferred):
Code:
user@host:# file 011.111.011.111.51811-022.022.222.222.34162
011.111.011.111.51811-022.022.222.222.34162: data
4. or, possibly run "strings":
Code:
user@host:# strings 011.111.011.111.51811-022.022.222.222.34162
which is likely as not to feed you 40 pages of gibberish that you may be able to grep for a clue as to what you are looking at.
I know that you can get better results from these, you can even teach them... but I'm not sure that is really reliable enough here.
anyone have a bit more intuitive way of isolating what you are reconstructing (other than executing it on an isolated system)?
thnx in advance...
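As an added example (not from the post above, and not part of tcpflow or file(1)): a small Python sniffer for a reconstructed stream that checks a hypothetical, deliberately short signature table at offset 0, then looks for the same signatures after a short protocol preamble (the usual reason file(1) says just "data" on tcpflow output), and otherwise falls back to entropy and printable-ratio heuristics. The sample streams are constructed inline and stand in for files such as 011.111.011.111.51811-022.022.222.222.34162.

```python
import math
from collections import Counter

# Hypothetical signature table, kept short on purpose; a real tool carries far more.
MAGIC = [
    (b"\x7fELF", "ELF executable"),
    (b"MZ", "DOS/Windows executable"),
    (b"%PDF-", "PDF document"),
    (b"PK\x03\x04", "ZIP archive (docx/jar/apk use this too)"),
    (b"\x1f\x8b", "gzip compressed data"),
    (b"\x89PNG\r\n\x1a\n", "PNG image"),
    (b"#!", "script with shebang"),
]

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: plain text sits well under 6, compressed or encrypted data near 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII, tab, CR or LF."""
    if not data:
        return 0.0
    return sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13)) / len(data)

def classify(data: bytes, window: int = 4096) -> dict:
    """Exact magic at offset 0, then magic after a preamble, else heuristics."""
    sample = data[:window]
    for sig, label in MAGIC:
        if sample.startswith(sig):
            return {"verdict": label, "method": "magic", "offset": 0}
    # A reconstructed stream may start with protocol chatter (e.g. HTTP headers)
    # before the payload; only trust signatures of 4+ bytes when found mid-stream.
    for sig, label in MAGIC:
        off = sample.find(sig, 1, 1024) if len(sig) >= 4 else -1
        if off != -1:
            return {"verdict": label, "method": "magic", "offset": off}
    ent, pr = shannon_entropy(sample), printable_ratio(sample)
    if pr > 0.95:
        verdict = "text"
    elif ent > 7.5:
        verdict = "high-entropy: compressed or encrypted"
    else:
        verdict = "binary, no known signature"
    return {"verdict": verdict, "method": "heuristic", "entropy": round(ent, 2), "printable": round(pr, 2)}

# Constructed samples standing in for tcpflow output files.
SAMPLES = {
    "ftp_control": b"USER anonymous\r\nPASS guest@\r\nRETR payload.bin\r\n" * 8,
    "elf_payload": b"\x7fELF\x02\x01\x01" + bytes(60),
    "http_with_pdf": b"HTTP/1.1 200 OK\r\nContent-Type: application/pdf\r\n\r\n%PDF-1.4\n%\xe2\xe3\xcf\xd3\n",
    "encrypted_blob": bytes(range(256)) * 8,
}
RESULTS = {name: classify(blob) for name, blob in SAMPLES.items()}
```

Run `classify(open(path, "rb").read(4096))` on each tcpflow output file; a verdict of "text" or a recognised signature tells you what to open it with, and a high-entropy verdict tells you strings will not help.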