Method for extraction and presentation of image content from captured wireless traffic

Published: Wed 23 April 2014

Intro

Here I present a simple method, using command-line utilities wrapped up in a shell script, for extracting JPG/GIF/PNG images from captured wireless traffic and presenting them in a browser.

This is similar to what standalone software like driftnet does live. I modified driftnet for my Foehnseher project, but being a C program it is a bit awkward to work with, so I wanted to document a clean and adaptable solution built around a shell script. This is also the basis for an improvement to the image-processing part of the server-side code I use for the Transparency Grenade, which works with archived (uploaded) packet data anyway.

I also wanted an excuse to document some interesting ‘glitches’ that occur when foremost, the forensics utility I use here, reassembles image data from incomplete TCP streams that have been ‘reflowed’ by tcpflow, another utility I work with.


Incidentally, both these tools are taught in the Critical Engineering Workshop Intensive NETworkshop.

Example code

Here’s a shell script (almost.sh) that will generate montages and GIF animations from captured network traffic. See the comments for more details:

#!/bin/bash
# Extract JPG/PNG/GIF images from captured network traffic,
# generate GIF animations and montages.
#
# Requires aircrack-ng (airdecap-ng), foremost, tcpflow and ImageMagick on a
# UNIX host (tested with Debian GNU/Linux).

HELP="
********************************************************
Extract JPG/PNG/GIF images from captured network traffic
USAGE: ./almost.sh <pcap file>
********************************************************"

# Test for input argument (here a PCAP file)
if [ -z "$1" ]; then
    echo "$HELP"
    exit 1
fi

# Ensure the file exists and is readable
if [ ! -r "$1" ]; then
    echo "Cannot read $1" >&2
    exit 1
fi

PCAP=$1
echo "$PCAP"

# We have to remove the outer 802.11 (wireless) headers from each packet or
# we won't be able to reach the IP/TCP data deep inside. airdecap-ng, normally
# used for decrypting WEP/WPA packets, is great at this. Without key options
# it only decapsulates unencrypted (open-network) traffic; for WEP captures
# pass -w <key>, for WPA captures pass -e <ESSID> -p <passphrase>.
airdecap-ng "$PCAP" || exit 1

# Tricky, but we need to guess the filename of the decapped file as
# airdecap-ng doesn't let us choose a filename to write out to. We can't rely
# on a timestamp. Thankfully airdecap-ng always writes using the same form:
# <name>-dec.<extension>
DCAP=${PCAP%.*}-dec.${PCAP##*.}
echo "$DCAP"
[ -r "$DCAP" ] || { echo "airdecap-ng did not produce $DCAP" >&2; exit 1; }

# Create a working directory based on the decapped file name, and move into it.
DIR=$(basename "${DCAP%.*}")
mkdir "$DIR" && cd "$DIR" || exit 1

# Run tcpflow on the decapped pcap data. This 'flows' out-of-order packets
# into TCP streams for each Local IP:PORT <-> Remote IP:PORT session and
# writes out one binary blob per session to the current directory. These
# blobs contain the data. (Recent tcpflow versions also write a report.xml
# here; foremost scans it too and finds nothing.)
tcpflow -r "../$DCAP"

# Run foremost on the flowed streams. It carves any file types it recognises
# out of the blobs and writes them to per-type folders under 'data', a
# directory it creates itself (it refuses to write into a non-empty one, so
# don't pre-create it). Add -t jpg,gif,png to restrict carving to images.
foremost -i * -o data
cd data || exit 1

# Iterate through 'gif', 'png', 'jpg', anticipating directories of the same name:
for t in gif png jpg; do
    # Test if these directories actually exist
    if [ -d "$t" ]; then
        # Create a black image to use as a background in our GIF animations
        convert -size 600x600 xc:black black.gif

        # Make a montage of all the GIFs, JPEGs, PNGs extracted:
        montage -geometry +1+1 "$t"/* "montage.$t"

        # Make GIF animations from any GIFs, JPEGs, PNGs extracted:
        convert +antialias -filter box -resize 600 -delay 20 -page +300 \
            -dispose previous black.gif "$t"/* -loop 0 +antialias "animation-$t.gif"

        # Remove black image
        rm black.gif
    fi
done

# Open up this working directory in Firefox, if it is installed
command -v firefox >/dev/null 2>&1 && firefox "$PWD"
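To tell the complete carves apart from the truncated ones that produce the ‘glitches’ mentioned above, here is a small checker added to this page as an example; it is not part of the original almost.sh, of foremost or of tcpflow. It assumes the output layout the script above produces (a data directory with jpg/, png/ and gif/ subfolders) and relies on the standard end-of-file markers of the three formats: a JPEG ends with the EOI marker ff d9, a PNG with the IEND chunk and its fixed CRC ae 42 60 82, and a GIF with the trailer byte 3b. Foremost carves on the header signature, so a TCP stream that was cut short yields a file with a good header and no trailer. The demo tree the script builds when run without arguments contains constructed byte strings, not real carved images.

```shell
#!/bin/bash
# Added example: classify carved JPEG/PNG/GIF files as complete or truncated
# by checking for the format's end-of-file marker. Not from the original post.

# hexhead FILE N / hextail FILE N: first/last N bytes of FILE as lowercase hex.
# -v stops od from collapsing repeated bytes (e.g. "ff ff") into a '*' line.
hexhead() { head -c "$2" "$1" | od -An -v -tx1 | tr -d ' \n'; }
hextail() { tail -c "$2" "$1" | od -An -v -tx1 | tr -d ' \n'; }

# image_status FILE: prints "complete", "truncated" or "unknown".
image_status() {
    local f=$1 magic want len
    magic=$(hexhead "$f" 8)
    case $magic in
        ffd8ff*)           want=ffd9;             len=2 ;;  # JPEG: SOI ... EOI
        89504e470d0a1a0a)  want=49454e44ae426082; len=8 ;;  # PNG: "IEND" + its CRC
        474946383[79]61*)  want=3b;               len=1 ;;  # GIF87a/89a: ';' trailer
        *) echo unknown; return 0 ;;
    esac
    if [ "$(hextail "$f" "$len")" = "$want" ]; then
        echo complete
    else
        echo truncated
    fi
}

# check_carved_images DIR: walk foremost's jpg/, png/ and gif/ folders under
# DIR, print "<status> <file>" per file and a final summary line.
check_carved_images() {
    local dir=$1 f s total=0 bad=0
    for f in "$dir"/jpg/* "$dir"/png/* "$dir"/gif/*; do
        [ -f "$f" ] || continue
        s=$(image_status "$f")
        printf '%-9s %s\n' "$s" "$f"
        total=$((total + 1))
        [ "$s" = truncated ] && bad=$((bad + 1))
    done
    printf 'summary: %d of %d carved files are truncated\n' "$bad" "$total"
}

# make_demo_dir: build a throwaway foremost-style tree of constructed sample
# files (minimal, not real carved images): one complete and one truncated
# file per type. Prints the directory path.
make_demo_dir() {
    local d
    d=$(mktemp -d)
    mkdir -p "$d/jpg" "$d/png" "$d/gif"
    # JPEG: SOI (ff d8), an APP0 marker (ff e0), EOI (ff d9); the truncated
    # copy stops inside the APP0 segment.
    printf '\377\330\377\340\000\002\377\331' > "$d/jpg/00000001.jpg"
    printf '\377\330\377\340\000\020JFIF'     > "$d/jpg/00000002.jpg"
    # PNG: 8-byte signature, then an IEND chunk (length 0, "IEND", CRC
    # ae 42 60 82); the truncated copy stops at the start of IHDR.
    printf '\211PNG\r\n\032\n\000\000\000\000IEND\256B`\202' > "$d/png/00000001.png"
    printf '\211PNG\r\n\032\n\000\000\000\015IHDR'           > "$d/png/00000002.png"
    # GIF: "GIF89a" header, a 6-byte screen descriptor, 0x3b trailer;
    # the truncated copy lacks the trailer.
    printf 'GIF89a\000\000\000\000\000\000;' > "$d/gif/00000001.gif"
    printf 'GIF89a\000\000\000\000\000\000'  > "$d/gif/00000002.gif"
    echo "$d"
}

# Stand-alone use: ./check-carved.sh <foremost output dir>. With no argument
# it runs against the constructed demo tree and removes it afterwards.
if [ -n "${1:-}" ]; then
    check_carved_images "$1"
else
    demo=$(make_demo_dir)
    check_carved_images "$demo"
    rm -rf "$demo"
fi
```

Run it against the data directory almost.sh leaves behind (for example ./check-carved.sh capture-dec/data) before building the montage; files reported as truncated are the ones ImageMagick will render with the grey tails and smeared blocks shown later on this page, so you can either exclude them or keep them deliberately. The check is a trailer check only: a JPEG that is complete at the byte level can still carry a corrupted scan from a retransmitted segment that tcpflow could not reorder.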

GIF animations automatically generated from extracted image content

Here’s a GIF animation made from JPEG data extracted from traffic captured on an open wireless network in a library in Copenhagen, by a participant of a 5-day NETworkshop taught there:


Montages…

Here’s a montage of that same content, also generated by the above script. Click on it to see the large version:

And finally, here’s a much larger montage of JPEG data extracted from a 500 MB capture outside a McDonald’s in Brussels:
