I collect data from my WEP-encrypted test network via:
Code:
airodump-ng -c 11 --bssid (my bssid) wlan0
And after I use that network for a bit, I decrypt and run the collected files through chaosreader, but the images are usually corrupted (I can see the top 10-25% of each image, then the lines below that get offset a bit, sometimes the colors change, and the last portion of the image is usually solid gray).
I could understand that if I didn't specify a channel, my collection would skip around a lot. And even if I specify a channel, if I don't specify a BSSID to collect on, there might be some collision to worry about ... but I think I've overcome those issues. So what am I doing wrong when viewing my collection in chaosreader?
Oh, and if it matters, thumbnails seem to work. They come in just fine, so I'm thinking this is a problem that happens after some number of bytes have been received. Small images appear in their entirety, just like the first few lines of large images ... then the weirdness starts.
Last edited by eeepclover; 06-15-2010 at 01:15 AM. Reason: it helps when I type the commands correctly
try tcpxtract or driftnet for images.
Can you paste the exact commands you are using so that we can better help out?
In the interim, check for more info in the readme on changing some options.
Right now, it's a simple:
Code:
airodump-ng -c 11 --bssid %MyBSSID% wlan0
Code:
airdecap-ng -w %MyHexKey% /path/to/file.cap
Code:
perl chaosreader0.94 /path/to/file-dec.cap -D /path/to/chaos-output
After RTFMing, I'll probably change my chaosreader command to:
Code:
perl chaosreader0.94 /path/to/file-dec.cap -k -m 1k -D /path/to/chaos-output
but I still don't think that'll help... Do you?
ETA: If it helps ... airodump-ng reports PWR of between -83 and -77 and RXQ of between 10 and 96.
Last edited by eeepclover; 06-15-2010 at 12:45 AM. Reason: additional info
I did a bit of a test a while ago on extracting info from a capture file and had varied success with image extraction (http://www.backtrack-linux.org/forum...-captures.html)
Try out the various possibilities as tried in the above video and see if you get similar results.
I would, by the way, be very interested to see if you are able to get better results in Chaosreader.
Haven't tried it yet myself, but assuming the results are similar to what I got using foremost.
I don't think your options are going to work, not to mention I don't even see a -k option.
Further, the type of traffic you are trying to view is not listed and this will generally make a difference. There is also a chance that the index.html is too large or that you are running out of memory while the app is running. Both errors I have had occur while using chaosreader.
Here are the commands I'm running now ...
Code:
airodump-ng -c 11 --bssid (my bssid) -w /path/to/file wlan0
Then I browse for a bit ...
Code:
airdecap-ng -w (my key) /path/to/file.cap
Code:
perl chaosreader0.94 /path/to/file-dec.cap -k -m 1k -D /path/to/chaos-output
Of the dozens of pictures on the pages I viewed, I see only about half that number in chaosreader's image.html. I am still collecting partial images (top of the images, then some weird offset and color changes, then gray at the bottom).
And driftnet ...
Code:
driftnet -i lo -d /path/to/temp
Code:
tcpreplay -t -i lo /path/to/file-dec.cap
Driftnet only shows one image, the only full image of the bunch. (i.e., I browsed a few dozen images, chaosreader showed partials for about half of them (but managed to show one full picture), and driftnet showed only the one complete picture).
Just guessing here, but is this a signal strength issue? The WEP WAP is only a couple sheets of drywall away. During this test, PWR was around -81 and RXQ was about the same.
The full collection was 3.3MB and index.html is 63.2KB (if it matters, image.html is 5.0KB ... and the only images that have come through successfully are in the 2-5KB range, no full-screen images have yet been collected/displayed properly).
Last edited by eeepclover; 06-16-2010 at 02:44 AM. Reason: file sizes
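One way to test the signal-strength guess in the post above is to measure how many payload bytes are missing from each TCP stream in the decrypted capture. This is an added example, not code from any poster in the thread; it assumes a classic little-endian pcap with Ethernet link type and IPv4, ignores sequence-number wrap-around, and the helper names and sample capture are constructed for illustration.

```python
import struct

def tcp_segments(pcap):
    """Yield (flow, seq, payload_len) per IPv4/TCP packet in a classic pcap."""
    magic, linktype = struct.unpack("<I16xI", pcap[:24])
    if magic != 0xA1B2C3D4 or linktype != 1:
        raise ValueError("expected little-endian pcap, Ethernet link type")
    off = 24
    while off + 16 <= len(pcap):
        (incl_len,) = struct.unpack_from("<I", pcap, off + 8)
        frame = pcap[off + 16 : off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 54 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue  # not IPv4 over Ethernet carrying TCP
        ihl = (frame[14] & 0x0F) * 4
        (total_len,) = struct.unpack_from(">H", frame, 16)
        sport, dport, seq = struct.unpack_from(">HHI", frame, 14 + ihl)
        payload = total_len - ihl - (frame[14 + ihl + 12] >> 4) * 4
        if payload > 0:
            yield (frame[26:30], sport, frame[30:34], dport), seq, payload

def missing_bytes(pcap):
    """Return {flow: (bytes_seen, bytes_missing)} from holes in sequence space."""
    spans = {}
    for flow, seq, n in tcp_segments(pcap):
        spans.setdefault(flow, []).append((seq, seq + n))
    report = {}
    for flow, ivs in spans.items():
        seen, missing, cur_end = 0, 0, min(ivs)[0]
        for start, end in sorted(ivs):
            if start > cur_end:
                missing += start - cur_end  # hole: segment was never captured
            if end > cur_end:               # skip bytes already counted (retransmits)
                seen += end - max(start, cur_end)
                cur_end = end
        report[flow] = (seen, missing)
    return report

def sample_frame(seq, payload):  # constructed Ethernet/IPv4/TCP frame
    ip = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6,
                     0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    tcp = struct.pack(">HHIIBBHHH", 80, 40000, seq, 0, 0x50, 0x18, 8192, 0, 0)
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp + payload

def sample_pcap(seqs, size=1000):  # constructed capture, one frame per seq
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in (sample_frame(s, b"x" * size) for s in seqs):
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out
```

On a real capture, pass the bytes of the decrypted file to `missing_bytes`. A nonzero missing count on the server-to-client flows means segments were lost at capture time, so the extracted files have holes regardless of which extraction tool is used.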
Ok let me weigh in with some basic helldesk-type questions and things that you should always be trying before asking around.
Have you tried this with an unencrypted network (and with WPA)?
Have you tried browsing to a website you have never ever been to before?
Have you flushed your browser cache before visiting the website?
Have you looked at the contents of, say, index.html to determine why the sizes are different?
How well do the programs work when you run them live rather than from replay?
Still not underestimating the power...
There is no such thing as bad information - There is truth in the data, so you sift it all, even the crap stuff.