Tutorial: Data Carving

To ensure that no old or unnecessary plugins are loaded, first clean your plugin directory:

$ t2build -e
Plugin folder emptied
$

then recompile T2:

$ t2build tranalyzer2 basicFlow tcpStates txtSink

As noted in the previous tutorials, make sure you have a data and a results directory; keeping the original data separate from the processed flows is good practice.

$ mkdir data results

Now you are all set for the following tutorial.

Plugins and Configuration

In the good old times, before 2012, a lot of traffic was not encrypted, so content could be extracted from the packets that make up a flow. This process is called data carving. Tranalyzer (T2) has this ability, but each plugin operating on unencrypted data has to implement it itself. Hence, the following plugins provide a data carving mode:

  • httpSniffer
  • telnetDecode
  • ftpDecode
  • tftpDecode
  • popDecode
  • smtpDecode
  • voipDetector

To illustrate the configuration and application of the data carving mode, let's have a look at the more complex plugin httpSniffer.

First move to the plugin's source directory and open its header file:

$ cd httpSniffer/src
$ vi httpSniffer.h

then move to the following block

If any of these defines is toggled to 1, the plugin will save all pictures, videos, audio, etc. to the HTTP_PATH defined below. If you would like to keep the data even after turning off your computer, choose another directory, e.g. in your home path. Note that a considerable amount of data will be placed on your storage if your pcap is large.

The resulting file name of each item occurring for the specific packet and flow is defined as follows:

Filename_Flow-Dir(0/1)_findex_#Packet-in-Flow_#Mimetype-in-Flow

Hence, each extracted item can be directly linked to its flow, direction, packet and mime type. This facilitates automated search and correlation between carved content and flow metadata.

Imagine you see only the B flow: you can still extract the content, but you do not have the filename. In this case HTTP_NONAME defines a default name, followed by the same information as denoted above.

Let's experiment with some plugins.

Let’s Datacarve

Prepare a directory where your pcaps reside and one where T2 should store the flow files. If you do not have a pcap, download this file (Source: malware-traffic-analysis.net) and copy the pcap into your data directory. Start with the httpSniffer and run T2 on that pcap:

$ t2build httpSniffer
...
$ t2 -r ~/data/2015-05-08-traffic-analysis-exercise.pcap -w ~/results
================================================================================
Tranalyzer 0.8.7 (Anteater), Tarantula. PID: 17343
================================================================================
[INF] Creating flows for L2, IPv4, IPv6
Active plugins:
    01: basicFlow, 0.8.7
    02: tcpStates, 0.8.7
    03: httpSniffer, 0.8.7
    04: txtSink, 0.8.7
[INF] basicFlow: IPv4 Ver: 3, Rev: 01072019, Range Mode: 0, subnet ranges loaded: 312766 (312.77 K)
[INF] basicFlow: IPv6 Ver: 3, Rev: 01072019, Range Mode: 0, subnet ranges loaded: 21494 (21.49 K)
Processing file: /home/wurst/data/2015-05-08-traffic-analysis-exercise.pcap
Link layer type: Ethernet [EN10MB/1]
Dump start: 1431031896.723375 sec (Thu 07 May 2015 20:51:36 GMT)
Dump stop : 1431032021.842982 sec (Thu 07 May 2015 20:53:41 GMT)
Total dump duration: 125.119607 sec (2m 5s)
Finished processing. Elapsed time: 0.002953 sec
Finished unloading flow memory. Time: 0.003636 sec
Percentage completed: 100.00%
Number of processed packets: 761
Number of processed bytes: 495665 (495.67 K)
Number of raw bytes: 495665 (495.67 K)
Number of pcap bytes: 507865 (507.87 K)
Number of IPv4 packets: 761 [100.00%]
Number of A packets: 305 [40.08%]
Number of B packets: 456 [59.92%]
Number of A bytes: 34638 (34.64 K) [6.99%]
Number of B bytes: 461027 (461.03 K) [93.01%]
Average A packet load: 113.57
Average B packet load: 1011.02
--------------------------------------------------------------------------------
tcpStates: Aggregated anomaly flags: 0x42
httpSniffer: Number of HTTP packets: 415 [54.53%]
httpSniffer: Number of HTTP GET  requests: 28 [6.75%]
httpSniffer: Number of HTTP POST requests: 9 [2.17%]
httpSniffer: HTTP GET/POST ratio: 3.11
httpSniffer: Aggregated status flags : 0x003c
httpSniffer: Aggregated anomaly flags: 0x1103
httpSniffer: Aggregated content flags: 0x0010
httpSniffer: Aggregated mime type    : 0x0045
httpSniffer: Aggregated Content Cnts img_vid_aud_txt_msg_app_unk: 13_0_0_22_0_10_0
--------------------------------------------------------------------------------
Headers count: min: 3, max: 3, average: 3.00
Number of TCP packets: 745 [97.90%]
Number of TCP bytes: 493885 (493.88 K) [99.64%]
Number of UDP packets: 16 [2.10%]
Number of UDP bytes: 1780 (1.78 K) [0.36%]
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Number of processed   flows: 68
Number of processed A flows: 34 [50.00%]
Number of processed B flows: 34 [50.00%]
Number of request     flows: 34 [50.00%]
Number of reply       flows: 34 [50.00%]
Total   A/B    flow asymmetry: 0.00
Total req/rply flow asymmetry: 0.00
Number of processed   packets/flows: 11.19
Number of processed A packets/flows: 8.97
Number of processed B packets/flows: 13.41
Number of processed total packets/s: 6.08
Number of processed A+B packets/s: 6.08
Number of processed A   packets/s: 2.44
Number of processed   B packets/s: 3.64
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Number of average processed flows/s: 0.54
Average full raw bandwidth: 31692 b/s (31.69 Kb/s)
Average full bandwidth : 31574 b/s (31.57 Kb/s)
Max number of flows in memory: 56 [0.02%]
Memory usage: 0.06 GB [0.08%]
Aggregate flow status: 0x0000000000004000
[INF] IPv4

Look at the httpSniffer line in the plugin report:

httpSniffer: Aggregated Content Cnts img_vid_aud_txt_msg_app_unk: 13_0_0_22_0_10_0

T2 found 13 images, 22 text files and 10 application files. The following tawk one-liner splits the per-flow content count column and prints every flow that carries at least one image, text or application file:

$ tawk '{ split($httpImg_Vid_Aud_Msg_Txt_App_Unk, A, "_"); if (A[1] || A[5] || A[6]) print }' 2015-05-08-traffic-analysis-exercise_flows.txt | tcol
%dir  flowInd  flowStat            timeFirst          timeLast           duration   numHdrDesc  numHdrs  hdrDesc       srcMac             dstMac             ethType  ethVlanID  srcIP            srcIPCC  srcIPWho                       srcPort  dstIP            dstIPCC  dstIPWho                       dstPort  l4Proto  tcpStates  httpStat  httpAFlags  httpMethods  httpHeadMimes  httpCFlags  httpGet_Post  httpRSCnt  httpRSCode  httpURL_Via_Loc_Srv_Pwr_UAg_XFr_Ref_Cky_Mim  httpImg_Vid_Aud_Msg_Txt_App_Unk  httpHosts                          httpURL                                                        httpMimes                               httpCookies                                                                    httpImages                                                                                 httpVideos  httpAudios  httpMsgs  httpAppl                                                                httpText                                                                httpPunk  httpBdyURL  httpUsrAg                                                                                                                                                         httpXFor  httpRefrr                                         httpVia  httpLoc  httpServ                                          httpPwr
B     2        0x0000000000004001  1431031897.090353  1431031897.467080  0.376727   1           3        eth:ipv4:tcp  00:00:00:00:00:00  00:00:00:00:00:00  0x0800              62.75.195.236    de       "HEG Mass"                     80       192.168.138.158  09       "Private network"              49184    6        0x00       0x0068    0x0000      0x00         0x0040         0x0010      0_0           1          200         0_0_0_1_1_0_0_0_0_1                          0_0_0_0_1_0_0                                                                                                                      "text/html"                                                                                                                                                                                                                                                                                                                 "__285a4d4e4e5a4d4d4649584c5d43064b4745_1_2_1_0"                                                                                                                                                                                                                                                                                              "Apache/2.2.15 (CentOS) DAV/2 mod_fastcgi/2.4.6"  "PHP/5.3.3"
B     7        0x0000000000004001  1431031898.870027  1431031899.146185  0.276158   1           3        eth:ipv4:tcp  00:00:00:00:00:00  00:00:00:00:00:00  0x0800              62.75.195.236    de       "HEG Mass"                     80       192.168.138.158  09       "Private network"              49188    6        0x00       0x0068    0x0000      0x00         0x0040         0x0010      0_0           1          200         0_0_0_1_1_0_0_0_0_1                          0_0_0_0_1_0_0                                                                                                                      "text/html"                                                                                                                                                                                                                                                                                                                 "_aa25f5fe2875e3d0a244e6969e589cc4_1_7_1_0"                                                                                                                                                                                                                                                                                                   "Apache/2.2.15 (CentOS) DAV/2 mod_fastcgi/2.4.6"  "PHP/5.3.3"
A     21       0x0000000000004000  1431031903.508284  1431031905.661649  2.153365   1           3        eth:ipv4:tcp  00:00:00:00:00:00  00:00:00:00:00:00  0x0800              192.168.138.158  09       "Private network"              49198    72.34.49.86      us       "IHNetworks"                   80       6        0x00       0x006c    0x0001      0x08         0x0001         0x0010      0_1           0                      1_0_0_0_0_1_0_0_0_1                          0_0_0_0_0_1_0                    "comarksecurity.com"               "/wp-content/themes/grizzly/img5.php?c=cdcnw7cfz43rmtg"        "application/x-www-form-urlencoded"                                                                                                                                                                                                                 "_wp-content_themes_grizzly_img5.php_c=cdcnw7cfz43rmtg_0_21_1_0"                                                                                                      "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)"
B     21       0x0000000000004001  1431031903.559171  1431031905.661533  2.102362   1           3        eth:ipv4:tcp  00:00:00:00:00:00  00:00:00:00:00:00  0x0800              72.34.49.86      us       "IHNetworks"                   80       192.168.138.158  09       "Private network"              49198    6        0x00       0x0078    0x0000      0x00         0x0040         0x0010      0_0           1          200         0_0_0_1_1_0_0_0_0_1                          0_0_0_0_1_0_0                                                                                                                      "text/html"                                                                                                                                                                                                                                                                                                                 "_wp-content_themes_grizzly_img5.php_c=cdcnw7cfz43rmtg_1_21_1_0"                                                                                                                                                                                                                                                                              "Apache"                                          "PHP/5.3.29"
A     23       0x0000000000004000  1431031905.838183  1431031908.624824  2.786641   1           3        eth:ipv4:tcp  00:00:00:00:00:00  00:00:00:00:00:00  0x0800              192.168.138.158  09       "Private network"              49200    72.34.49.86      us       "IHNetworks"                   80       6        0x00       0x006c    0x0001      0x08         0x0001         0x0010      0_1           0                      1_0_0_0_0_1_0_0_0_1                          0_0_0_0_0_1_0                    "comarksecurity.com"               "/wp-content/themes/grizzly/img5.php?t=8r1gf1b2t1kuq42"        "application/x-www-form-urlencoded"                                                                                                                                                                                                                 "_wp-content_themes_grizzly_img5.php_t=8r1gf1b2t1kuq42_0_23_1_0"                                                                                                      "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)"
B     23       0x0000000000004001  1431031905.940902  1431031908.624779  2.683877   1           3        eth:ipv4:tcp  00:00:00:00:00:00  00:00:00:00:00:00  0x0800              72.34.49.86      us       "IHNetworks"                   80       192.168.138.158  09       "Private network"              49200    6        0x00       0x0078    0x0000      0x00         0x0040         0x0010      0_0           1          200         0_0_0_1_1_0_0_0_0_1                          0_0_0_0_1_0_0                                                                                                                      "text/html"                                                                                                                                                                                                                                                                                                                 "_wp-content_themes_grizzly_img5.php_t=8r1gf1b2t1kuq42_1_23_1_0"                                                                                                                                                                                                                                                                              "Apache"                                          "PHP/5.3.29"
B     15       0x0000000000004001  1431031902.907008  1431031903.049134  0.142126   1           3        eth:ipv4:tcp  00:00:00:00:00:00  00:00:00:00:00:00  0x0800              188.165.164.184  fr       "OVH SAS"                      80       192.168.138.158  09       "Private network"              49195    6        0x02       0x0078    0x0100      0x00         0x0040         0x0010      0_0           1          200         0_0_0_1_0_0_0_0_0_1                          0_0_0_0_1_0_0                                                                                                                      "text/plain"                                                                                                                                                                                                                                                                                                                "__1_15_1_0"                                                                                                                                                                                                                                                                                                                                  "DYNAMIC+"
A     27       0x0000000000004000  1431031915.188019  1431031917.179846  1.991827   1           3        eth:ipv4:tcp  00:00:00:00:00:00  00:00:00:00:00:00  0x0800              192.168.138.158  09       "Private network"              49204    72.34.49.86      us       "IHNetworks"                   80       6        0x00       0x006c    0x0001      0x08         0x0001         0x0010      0_1           0                      1_0_0_0_0_1_0_0_0_1                          0_0_0_0_0_1_0                    "comarksecurity.com"               "/wp-content/themes/grizzly/img5.php?u=ka6nnuvccqlw9"          "application/x-www-form-urlencoded"                                                                                                                                                                                                                 "_wp-content_themes_grizzly_img5.php_u=ka6nnuvccqlw9_0_27_1_0"                                                                                                        "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)"
B     27       0x0000000000004001  1431031915.292307  1431031917.179749  1.887442   1           3        eth:ipv4:tcp  00:00:00:00:00:00  00:00:00:00:00:00  0x0800              72.34.49.86      us       "IHNetworks"                   80       192.168.138.158  09       "Private network"              49204    6        0x00       0x0078    0x0000      0x00         0x0040         0x0010      0_0           1          200         0_0_0_1_1_0_0_0_0_1                          0_0_0_0_1_0_0                                                                                                                      "text/html"                                                                                                                                                                                                                                                                                                                 "_wp-content_themes_grizzly_img5.php_u=ka6nnuvccqlw9_1_27_1_0"                                                                                                                                                                                                                                                                                "Apache"                                          "PHP/5.3.29"
B     6        0x0000000000004001  1431031897.801147  1431031961.652768  63.851621  1           3        eth:ipv4:tcp  00:00:00:00:00:00  00:00:00:00:00:00  0x0800              62.75.195.236    de       "HEG Mass"                     80       192.168.138.158  09       "Private network"              49186    6        0x02       0x0068    0x0000      0x00         0x0040         0x0010      0_0           1          200         0_0_0_1_1_0_0_0_0_1                          0_0_0_0_1_0_0                                                                                                                      "text/html"                                                                                                                                                                                                                                                                                                                 "__1_6_1_0"                                                                                                                                                                                                                                                                                                                                   "Apache/2.2.15 (CentOS) DAV/2 mod_fastcgi/2.4.6"  "PHP/5.3.3"
B     32       0x0000000000004001  1431031946.186389  1431031950.230839  4.044450   1           3        eth:ipv4:tcp  00:00:00:00:00:00  00:00:00:00:00:00  0x0800              95.163.121.204   ru       "LLC Digital Network"          80       192.168.138.158  09       "Private network"              49208    6        0x02       0x0068    0x0000      0x00         0x0004         0x0010      0_0           1          200         0_0_0_1_1_0_0_0_0_1                          2_0_0_0_0_0_0                                                                                                                      "image/png"                                                                                                            "_picture.php_k=11iqmfg&b7f2a994c3eaaf014608b272c46cf764_1_32_1_0";"_img_rb.png_1_32_3_1"                                                                                                                                                                                                                                                                                                                                                                                                                                                          "nginx/1.2.1"                                     "PHP/5.4.39-0+deb7u2"
B     5        0x0000000000004001  1431031897.787957  1431031898.067694  0.279737   1           3        eth:ipv4:tcp  00:00:00:00:00:00  00:00:00:00:00:00  0x0800              62.75.195.236    de       "HEG Mass"                     80       192.168.138.158  09       "Private network"              49185    6        0x02       0x0068    0x0000      0x00         0x0001         0x0010      0_0           1          200         0_0_0_1_1_0_0_0_0_1                          0_0_0_0_0_1_0                                                                                                                      "application/x-shockwave-flash"                                                                                                                                                                                                                     "__1_5_1_0"                                                                                                                                                                                                                                                                                                                                                                                                           "Apache/2.2.15 (CentOS) DAV/2 mod_fastcgi/2.4.6"  "PHP/5.3.3"
B     8        0x0000000000004001  1431031899.272356  1431031900.101930  0.829574   1           3        eth:ipv4:tcp  00:00:00:00:00:00  00:00:00:00:00:00  0x0800              62.75.195.236    de       "HEG Mass"                     80       192.168.138.158  09       "Private network"              49189    6        0x02       0x0068    0x1000      0x00         0x0040         0x0010      0_0           1          200         0_0_0_1_1_0_0_0_0_1                          0_0_0_0_1_0_0                                                                                                                      "text/html"                                                                                                                                                                                                                                                                                                                 "__b514ee6f0fe486009a6d83b035a4c0bd_1_8_1_0"                                                                                                                                                                                                                                                                                                  "Apache/2.2.15 (CentOS) DAV/2 mod_fastcgi/2.4.6"  "PHP/5.3.3"
B     9        0x0000000000004001  1431031901.437910  1431031901.594209  0.156299   1           3        eth:ipv4:tcp  00:00:00:00:00:00  00:00:00:00:00:00  0x0800              62.75.195.236    de       "HEG Mass"                     80       192.168.138.158  09       "Private network"              49190    6        0x02       0x0078    0x0000      0x00         0x0040         0x0010      0_0           1          200         0_0_0_1_1_0_0_0_0_1                          0_0_0_0_1_0_0                                                                                                                      "text/html"                                                                                                                                                                                                                                                                                                                 "__b2566564b3ba1a38e61c83957a7dbcd5_1_9_1_0"                                                                                                                                                                                                                                                                                                  "Apache/2.2.15 (CentOS) DAV/2 mod_fastcgi/2.4.6"  "PHP/5.3.3"
B     31       0x0000000000004001  1431031946.186400  1431031952.217120  6.030720   1           3        eth:ipv4:tcp  00:00:00:00:00:00  00:00:00:00:00:00  0x0800              95.163.121.204   ru       "LLC Digital Network"          80       192.168.138.158  09       "Private network"              49207    6        0x02       0x0068    0x0000      0x00         0x0004         0x0010      0_0           1          200         0_0_0_1_0_0_0_0_0_2                          2_0_0_0_0_0_0                                                                                                                      "image/png";"image/vnd.microsoft.icon"                                                                                 "_img_flags_es.png_1_31_1_0";"_favicon.ico_1_31_2_1"                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               "nginx/1.2.1"
B     10       0x0000000000004001  1431031901.748731  1431031901.905523  0.156792   1           3        eth:ipv4:tcp  00:00:00:00:00:00  00:00:00:00:00:00  0x0800              62.75.195.236    de       "HEG Mass"                     80       192.168.138.158  09       "Private network"              49191    6        0x02       0x0078    0x0000      0x00         0x0040         0x0010      0_0           1          200         0_0_0_1_1_0_0_0_0_1                          0_0_0_0_1_0_0                                                                                                                      "text/html"                                                                                                                                                                                                                                                                                                                 "__3a08b0be8322c244f5a1cb9c1057d941_1_10_1_0"                                                                                                                                                                                                                                                                                                 "Apache/2.2.15 (CentOS) DAV/2 mod_fastcgi/2.4.6"  "PHP/5.3.3"
B     11       0x0000000000004001  1431031902.059710  1431031902.440796  0.381086   1           3        eth:ipv4:tcp  00:00:00:00:00:00  00:00:00:00:00:00  0x0800              62.75.195.236    de       "HEG Mass"                     80       192.168.138.158  09       "Private network"              49192    6        0x02       0x0078    0x0000      0x00         0x0040         0x0010      0_0           1          200         0_0_0_1_1_0_0_0_0_1                          0_0_0_0_1_0_0                                                                                                                      "text/html"                                                                                                                                                                                                                                                                                                                 "__d71e0bd86db9587158745a986a4b3606_1_11_1_0"                                                                                                                                                                                                                                                                                                 "Apache/2.2.15 (CentOS) DAV/2 mod_fastcgi/2.4.6"  "PHP/5.3.3"
B     12       0x0000000000004001  1431031902.592729  1431031902.752525  0.159796   1           3        eth:ipv4:tcp  00:00:00:00:00:00  00:00:00:00:00:00  0x0800              62.75.195.236    de       "HEG Mass"                     80       192.168.138.158  09       "Private network"              49193    6        0x02       0x0078    0x0000      0x00         0x0040         0x0010      0_0           1          200         0_0_0_1_1_0_0_0_0_1                          0_0_0_0_1_0_0                                                                                                                      "text/html"                                                                                                                                                                                                                                                                                                                 "__34eaf8bd50d85d8c6baacb45f0a7b22e_1_12_1_0"                                                                                                                                                                                                                                                                                                 "Apache/2.2.15 (CentOS) DAV/2 mod_fastcgi/2.4.6"  "PHP/5.3.3"
B     14       0x0000000000004001  1431031902.893639  1431031903.051071  0.157432   1           3        eth:ipv4:tcp  00:00:00:00:00:00  00:00:00:00:00:00  0x0800              62.75.195.236    de       "HEG Mass"                     80       192.168.138.158  09       "Private network"              49194    6        0x02       0x0078    0x0000      0x00         0x0040         0x0010      0_0           1          200         0_0_0_1_1_0_0_0_0_1                          0_0_0_0_1_0_0                                                                                                                      "text/html"                                                                                                                                                                                                                                                                                                                 "__60dbe33b908e0086292196ef00.8.7bc_1_14_1_0"                                                                                                                                                                                                                                                                                                 "Apache/2.2.15 (CentOS) DAV/2 mod_fastcgi/2.4.6"  "PHP/5.3.3"
A     18       0x0000000000004000  1431031903.090317  1431031903.288476  0.198159   1           3        eth:ipv4:tcp  00:00:00:00:00:00  00:00:00:00:00:00  0x0800              192.168.138.158  09       "Private network"              49197    204.152.254.221  us       "Brinkster Communications Co"  80       6        0x02       0x006c    0x0001      0x08         0x0001         0x0010      0_1           0                      1_0_0_0_0_1_0_0_0_1                          0_0_0_0_0_1_0                    "runlove.us"                       "/wp-content/themes/twentyfifteen/img5.php?t=cdcnw7cfz43rmtg"  "application/x-www-form-urlencoded"                                                                                                                                                                                                                 "_wp-content_themes_twentyfifteen_img5.php_t=cdcnw7cfz43rmtg_0_18_1_0"                                                                                                "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)"
B     18       0x0000000000004001  1431031903.132272  1431031903.288564  0.156292   1           3        eth:ipv4:tcp  00:00:00:00:00:00  00:00:00:00:00:00  0x0800              204.152.254.221  us       "Brinkster Communications Co"  80       192.168.138.158  09       "Private network"              49197    6        0x02       0x0068    0x0000      0x00         0x0040         0x0010      0_0           1          404         0_0_0_1_0_0_0_0_0_1                          0_0_0_0_1_0_0                                                                                                                      "text/html"                                                                                                                                                                                                                                                                                                                 "_wp-content_themes_twentyfifteen_img5.php_t=cdcnw7cfz43rmtg_1_18_1_0"                                                                                                                                                                                                                                                                        "Apache"
B     16       0x0000000000004001  1431031903.188176  1431031903.341751  0.153575   1           3        eth:ipv4:tcp  00:00:00:00:00:00  00:00:00:00:00:00  0x0800              62.75.195.236    de       "HEG Mass"                     80       192.168.138.158  09       "Private network"              49196    6        0x02       0x0078    0x0000      0x00         0x0040         0x0010      0_0           1          200         0_0_0_1_1_0_0_0_0_1                          0_0_0_0_1_0_0                                                                                                                      "text/html"                                                                                                                                                                                                                                                                                                                 "__51424ddd486ff06861fceed24e86b329_1_16_1_0"                                                                                                                                                                                                                                                                                                 "Apache/2.2.15 (CentOS) DAV/2 mod_fastcgi/2.4.6"  "PHP/5.3.3"
A     22       0x0000000000004000  1431031905.650875  1431031905.834393  0.183518   1           3        eth:ipv4:tcp  00:00:00:00:00:00  00:00:00:00:00:00  0x0800              192.168.138.158  09       "Private network"              49199    204.152.254.221  us       "Brinkster Communications Co"  80       6        0x02       0x006c    0x0001      0x08         0x0001         0x0010      0_1           0                      1_0_0_0_0_1_0_0_0_1                          0_0_0_0_0_1_0                    "runlove.us"                       "/wp-content/themes/twentyfifteen/img5.php?l=8r1gf1b2t1kuq42"  "application/x-www-form-urlencoded"                                                                                                                                                                                                                 "_wp-content_themes_twentyfifteen_img5.php_l=8r1gf1b2t1kuq42_0_22_1_0"                                                                                                "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)"
B     22       0x0000000000004001  1431031905.709435  1431031905.834454  0.125019   1           3        eth:ipv4:tcp  00:00:00:00:00:00  00:00:00:00:00:00  0x0800              204.152.254.221  us       "Brinkster Communications Co"  80       192.168.138.158  09       "Private network"              49199    6        0x02       0x0068    0x0000      0x00         0x0040         0x0010      0_0           1          404         0_0_0_1_0_0_0_0_0_1                          0_0_0_0_1_0_0                                                                                                                      "text/html"                                                                                                                                                                                                                                                                                                                 "_wp-content_themes_twentyfifteen_img5.php_l=8r1gf1b2t1kuq42_1_22_1_0"                                                                                                                                                                                                                                                                        "Apache"
A     24       0x0000000000004000  1431031908.613660  1431031908.779062  0.165402   1           3        eth:ipv4:tcp  00:00:00:00:00:00  00:00:00:00:00:00  0x0800              192.168.138.158  09       "Private network"              49201    204.152.254.221  us       "Brinkster Communications Co"  80       6        0x02       0x006c    0x0001      0x08         0x0001         0x0010      0_1           0                      1_0_0_0_0_1_0_0_0_1                          0_0_0_0_0_1_0                    "runlove.us"                       "/wp-content/themes/twentyfifteen/img5.php?u=mfymi71rapdzk"    "application/x-www-form-urlencoded"                                                                                                                                                                                                                 "_wp-content_themes_twentyfifteen_img5.php_u=mfymi71rapdzk_0_24_1_0"                                                                                                  "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)"
B     24       0x0000000000004001  1431031908.667116  1431031908.779106  0.111990   1           3        eth:ipv4:tcp  00:00:00:00:00:00  00:00:00:00:00:00  0x0800              204.152.254.221  us       "Brinkster Communications Co"  80       192.168.138.158  09       "Private network"              49201    6        0x02       0x0068    0x0000      0x00         0x0040         0x0010      0_0           1          404         0_0_0_1_0_0_0_0_0_1                          0_0_0_0_1_0_0                                                                                                                      "text/html"                                                                                                                                                                                                                                                                                                                 "_wp-content_themes_twentyfifteen_img5.php_u=mfymi71rapdzk_1_24_1_0"                                                                                                                                                                                                                                                                          "Apache"
A     25       0x0000000000004000  1431031908.780729  1431031912.367847  3.587118   1           3        eth:ipv4:tcp  00:00:00:00:00:00  00:00:00:00:00:00  0x0800              192.168.138.158  09       "Private network"              49202    72.34.49.86      us       "IHNetworks"                   80       6        0x02       0x006c    0x0001      0x08         0x0001         0x0010      0_1           0                      1_0_0_0_0_1_0_0_0_1                          0_0_0_0_0_1_0                    "comarksecurity.com"               "/wp-content/themes/grizzly/img5.php?u=mfymi71rapdzk"          "application/x-www-form-urlencoded"                                                                                                                                                                                                                 "_wp-content_themes_grizzly_img5.php_u=mfymi71rapdzk_0_25_1_0"                                                                                                        "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)"
B     25       0x0000000000004001  1431031908.886579  1431031912.367927  3.481348   1           3        eth:ipv4:tcp  00:00:00:00:00:00  00:00:00:00:00:00  0x0800              72.34.49.86      us       "IHNetworks"                   80       192.168.138.158  09       "Private network"              49202    6        0x02       0x0078    0x0000      0x00         0x0040         0x0010      0_0           1          200         0_0_0_1_1_0_0_0_0_1                          0_0_0_0_1_0_0                                                                                                                      "text/html"                                                                                                                                                                                                                                                                                                                 "_wp-content_themes_grizzly_img5.php_u=mfymi71rapdzk_1_25_1_0"                                                                                                                                                                                                                                                                                "Apache"                                          "PHP/5.3.29"
A     26       0x0000000000004000  1431031914.993554  1431031915.185509  0.191955   1           3        eth:ipv4:tcp  00:00:00:00:00:00  00:00:00:00:00:00  0x0800              192.168.138.158  09       "Private network"              49203    204.152.254.221  us       "Brinkster Communications Co"  80       6        0x02       0x006c    0x0001      0x08         0x0001         0x0010      0_1           0                      1_0_0_0_0_1_0_0_0_1                          0_0_0_0_0_1_0                    "runlove.us"                       "/wp-content/themes/twentyfifteen/img5.php?f=ka6nnuvccqlw9"    "application/x-www-form-urlencoded"                                                                                                                                                                                                                 "_wp-content_themes_twentyfifteen_img5.php_f=ka6nnuvccqlw9_0_26_1_0"                                                                                                  "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)"
B     26       0x0000000000004001  1431031915.035444  1431031915.185568  0.150124   1           3        eth:ipv4:tcp  00:00:00:00:00:00  00:00:00:00:00:00  0x0800              204.152.254.221  us       "Brinkster Communications Co"  80       192.168.138.158  09       "Private network"              49203    6        0x02       0x0068    0x0000      0x00         0x0040         0x0010      0_0           1          404         0_0_0_1_0_0_0_0_0_1                          0_0_0_0_1_0_0                                                                                                                      "text/html"                                                                                                                                                                                                                                                                                                                 "_wp-content_themes_twentyfifteen_img5.php_f=ka6nnuvccqlw9_1_26_1_0"                                                                                                                                                                                                                                                                          "Apache"
A     33       0x0000000000004000  1431031945.999417  1431032021.842696  75.843279  1           3        eth:ipv4:tcp  00:00:00:00:00:00  00:00:00:00:00:00  0x0800              192.168.138.158  09       "Private network"              49209    95.163.121.204   ru       "LLC Digital Network"          80       6        0x42       0x006c    0x0000      0x0a         0x0001         0x0010      1_1           0                      2_0_0_0_0_1_0_1_2_1                          0_0_0_0_0_1_0                    "7oqnsnzwwnm6zb7y.gigapaysun.com"  "/img/flags/de.png";"/11iQmfg"                                 "application/x-www-form-urlencoded"     "PHPSESSID=uqq1670l1pkd07vgdnsg98dee5";"PHPSESSID=uqq1670l1pkd07vgdnsg98dee5"                                                                                                                               "_11iQmfg_0_33_2_0"                                                                                                                                                   "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)"            "http://7oqnsnzwwnm6zb7y.gigapaysun.com/11iQmfg"
B     33       0x0000000000004001  1431031946.199749  1431031957.906658  11.706909  1           3        eth:ipv4:tcp  00:00:00:00:00:00  00:00:00:00:00:00  0x0800              95.163.121.204   ru       "LLC Digital Network"          80       192.168.138.158  09       "Private network"              49209    6        0x02       0x0078    0x0000      0x00         0x0044         0x0010      0_0           1          200         0_0_0_1_1_0_0_0_0_2                          1_0_0_0_1_0_0                                                                                                                      "image/png";"text/html"                                                                                                "_img_flags_de.png_1_33_1_0"                                                                                                                                                                         "_11iQmfg_1_33_2_0"                                                                                                                                                                                                                                                                                                                           "nginx/1.2.1"                                     "PHP/5.4.39-0+deb7u2"
B     30       0x0000000000004001  1431031944.192640  1431031960.017404  15.824764  1           3        eth:ipv4:tcp  00:00:00:00:00:00  00:00:00:00:00:00  0x0800              95.163.121.204   ru       "LLC Digital Network"          80       192.168.138.158  09       "Private network"              49206    6        0x02       0x0068    0x0000      0x00         0x0044         0x0010      0_0           2          200;304     0_0_0_1_0_0_0_0_0_2                          2_0_0_0_1_0_0                                                                                                                      "text/css";"image/png"                                                                                                 "_img_flags_it.png_1_30_5_0";"_img_flags_fr.png_1_30_6_1"                                                                                                                                            "_img_style.css_1_30_1_0"                                                                                                                                                                                                                                                                                                                     "nginx/1.2.1"
B     29       0x0000000000004001  1431031941.537441  1431031962.048801  20.511360  1           3        eth:ipv4:tcp  00:00:00:00:00:00  00:00:00:00:00:00  0x0800              95.163.121.204   ru       "LLC Digital Network"          80       192.168.138.158  09       "Private network"              49205    6        0x02       0x0068    0x0000      0x00         0x0044         0x0010      0_0           1          200         0_0_0_1_1_0_0_0_0_2                          3_0_0_0_1_0_0                                                                                                                      "text/html";"image/png"                                                                                                "_img_flags_us.png_1_29_3_0";"_img_rt.png_1_29_4_1";"_img_bitcoin.png_1_29_5_2"                                                                                                                      "_11iQmfg_1_29_1_0"                                                                                                                                                                                                                                                                                                                           "nginx/1.2.1"                                     "PHP/5.4.39-0+deb7u2"
B     34       0x0000000000004001  1431031946.186402  1431031962.095257  15.908855  1           3        eth:ipv4:tcp  00:00:00:00:00:00  00:00:00:00:00:00  0x0800              95.163.121.204   ru       "LLC Digital Network"          80       192.168.138.158  09       "Private network"              49210    6        0x02       0x0068    0x0000      0x00         0x0004         0x0010      0_0           1          200         0_0_0_1_0_0_0_0_0_1                          3_0_0_0_0_0_0                                                                                                                      "image/png"                                                                                                            "_img_lt.png_1_34_1_0";"_img_lb.png_1_34_2_1";"_img_button_pay.png_1_34_3_2"                                                                                                                                                                                                                                                                                                                                                                                                                                                                       "nginx/1.2.1"

Now you see all HTTP requests being exchanged, including content names and files. Yes, really fishy. If you want to see which host requests which file:

$ tawk -e 'httpHostsURL()' 2015-05-08-traffic-analysis-exercise_flows.txt | tcol
62.75.195.236
                                                                               /?34eaf8bd50d85d8c6baacb45f0a7b22e
                                                                               /?3a08b0be8322c244f5a1cb9c1057d941
                                                                               /?51424ddd486ff06861fceed24e86b329
                                                                               /?60dbe33b908e0086292196ef00.8.7bc
                                                                               /?b2566564b3ba1a38e61c83957a7dbcd5
                                                                               /?b514ee6f0fe486009a6d83b035a4c0bd
                                                                               /?d71e0bd86db9587158745a986a4b3606
                                                                               /aa25f5fe2875e3d0a244e6969e589cc4
7oqnsnzwwnm6zb7y.gigapaysun.com
                                                                               /11iQmfg
                                                                               /favicon.ico
                                                                               /img/bitcoin.png
                                                                               /img/button_pay.png
                                                                               /img/flags/de.png
                                                                               /img/flags/es.png
                                                                               /img/flags/fr.png
                                                                               /img/flags/it.png
                                                                               /img/flags/us.png
                                                                               /img/lb.png
                                                                               /img/lt.png
                                                                               /img/rb.png
                                                                               /img/rt.png
                                                                               /img/style.css
                                                                               /picture.php?k=11iqmfg&b7f2a994c3eaaf014608b272c46cf764
comarksecurity.com
                                                                               /wp-content/themes/grizzly/img5.php?c=cdcnw7cfz43rmtg
                                                                               /wp-content/themes/grizzly/img5.php?t=8r1gf1b2t1kuq42
                                                                               /wp-content/themes/grizzly/img5.php?u=ka6nnuvccqlw9
                                                                               /wp-content/themes/grizzly/img5.php?u=mfymi71rapdzk
ip-addr.es
                                                                               /
r03afd2.c3008e.xc07r.b0f.a39.h7f0fa5eu.vb8fbl.e8mfzdgrf7g0.groupprograms.in
                                                                               /
runlove.us
                                                                               /wp-content/themes/twentyfifteen/img5.php?f=ka6nnuvccqlw9
                                                                               /wp-content/themes/twentyfifteen/img5.php?l=8r1gf1b2t1kuq42
                                                                               /wp-content/themes/twentyfifteen/img5.php?t=cdcnw7cfz43rmtg
                                                                               /wp-content/themes/twentyfifteen/img5.php?u=mfymi71rapdzk
ubb67.3c147o.u806a4.w07d919.o5f.f1.b80w.r0faf9.e8mfzdgrf7g0.groupprograms.in
                                                                               /
va872g.g90e1h.b8.642b63u.j985a2.v33e.37.pa269cc.e8mfzdgrf7g0.groupprograms.in
                                                                               /?285a4d4e4e5a4d4d4649584c5d43064b4745
$

It seems clear that this is malware.

Now we are interested in extracting the content: set HTTP_SAVE_IMAGE, HTTP_SAVE_TEXT and HTTP_SAVE_APPL to 1 in httpSniffer.h, or use the t2conf command, then recompile httpSniffer and rerun t2:

$ t2conf httpSniffer -D HTTP_SAVE_IMAGE=1 -D HTTP_SAVE_TEXT=1 -D HTTP_SAVE_APPL=1
$ t2build httpSniffer
...
$ t2 -r ~/data/2015-05-08-traffic-analysis-exercise.pcap -w ~/results

Now move to /tmp:

$ cd /tmp
$ ls
httpAppl	httpPicture	httpText 	...

Move into httpPicture:

$ cd httpPicture
$ ls
_favicon.ico_1_31_2_1       _img_button_pay.png_1_34_3_2   _img_flags_es.png_1_31_1_0   _img_flags_it.png_1_30_5_0   _img_lb.png_1_34_2_1   _img_rb.png_1_32_3_1  '_picture.php_k=11iqmfg&b7f2a994c3eaaf014608b272c46cf764_1_32_1_0'
_img_bitcoin.png_1_29_5_2   _img_flags_de.png_1_33_1_0     _img_flags_fr.png_1_30_6_1   _img_flags_us.png_1_29_3_0   _img_lt.png_1_34_1_0   _img_rt.png_1_29_4_1
$

The files are directly linked to their flow via the file name encoding:

Filename_Flow-Dir(0/1)_findex_#Packet-in-Flow_#Mimetype-in-Flow
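As an added example (not part of the tutorial or of Tranalyzer itself), the following Python decodes carved file names back into flow index, direction and packet number, splitting the four trailing fields from the right so that names which themselves contain underscores (button_pay.png) are handled, and then checks the httpImages column of the flow file against what is actually on disk. The listing is the one above; the column value for flow 31 and the name `_img_flags_xx.png_1_31_3_2` are constructed to show a missing carve.

```python
"""Decode httpSniffer's carved file names back to their flows.

Carved files are named
    Filename_Flow-Dir(0/1)_findex_#Packet-in-Flow_#Mimetype-in-Flow
with '/' and '?' of the original URL path replaced by '_'.  Since the
original name may itself contain underscores (button_pay.png), the four
trailing numeric fields have to be split off from the right, never from
the left.  The mapping is lossy ('/', '?' and '_' all become '_'), so the
authoritative URL is the httpURL column of the matching flow, not the name.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample: the /tmp/httpPicture listing from the tutorial.
SAMPLE_LISTING = """
_favicon.ico_1_31_2_1       _img_button_pay.png_1_34_3_2   _img_flags_es.png_1_31_1_0
_img_flags_it.png_1_30_5_0   _img_lb.png_1_34_2_1   _img_rb.png_1_32_3_1
'_picture.php_k=11iqmfg&b7f2a994c3eaaf014608b272c46cf764_1_32_1_0'
_img_bitcoin.png_1_29_5_2   _img_flags_de.png_1_33_1_0     _img_flags_fr.png_1_30_6_1
_img_flags_us.png_1_29_3_0   _img_lt.png_1_34_1_0   _img_rt.png_1_29_4_1
"""

# Constructed sample of the httpImages column, keyed by (flowInd, %dir).
# Flows 33 and 34 are copied from the tutorial's flow file; the entry for
# flow 31 is hypothetical and carries one name that is not on disk.
FLOW_IMAGES = {
    (33, "B"): '"_img_flags_de.png_1_33_1_0"',
    (34, "B"): '"_img_lt.png_1_34_1_0";"_img_lb.png_1_34_2_1";"_img_button_pay.png_1_34_3_2"',
    (31, "B"): '"_img_flags_es.png_1_31_1_0";"_favicon.ico_1_31_2_1";"_img_flags_xx.png_1_31_3_2"',
}

# Greedy '.+' makes the suffix match the LAST four '_' separated fields.
_CARVED = re.compile(r"^(?P<name>.+)_(?P<dir>[01])_(?P<findex>\d+)_(?P<pkt>\d+)_(?P<mime>\d+)$")


@dataclass(frozen=True)
class CarvedFile:
    carved_name: str   # full file name on disk
    name: str          # original name with '/' and '?' turned into '_'
    direction: int     # 0 = A flow (client -> server), 1 = B flow (server -> client)
    flow_index: int    # flowInd column of the flow file
    packet_no: int     # packet number within the flow
    mime_no: int       # running number of this mime type within the flow

    @property
    def dir_letter(self) -> str:
        return "AB"[self.direction]


def parse_carved_name(token: str) -> CarvedFile:
    """Decode one carved file name; ls may wrap names containing '&' in quotes."""
    carved = token.strip().strip("'\"")
    m = _CARVED.match(carved)
    if m is None:
        raise ValueError(f"not a carved file name: {carved!r}")
    return CarvedFile(carved, m["name"], int(m["dir"]), int(m["findex"]),
                      int(m["pkt"]), int(m["mime"]))


def parse_listing(text: str) -> list:
    """Decode a whitespace separated directory listing such as `ls` output."""
    return [parse_carved_name(tok) for tok in text.split()]


def group_by_flow(files) -> dict:
    """Map (flowInd, 'A'|'B') -> carved files of that flow, in packet order."""
    groups = defaultdict(list)
    for f in files:
        groups[(f.flow_index, f.dir_letter)].append(f)
    return {k: sorted(v, key=lambda f: f.packet_no) for k, v in groups.items()}


def split_column(value: str) -> list:
    """Split a multi-valued T2 column: quoted entries separated by ';'."""
    return [v.strip().strip('"') for v in value.split(";") if v.strip()]


def missing_carves(flow_images: dict, files) -> dict:
    """Names the flow file claims were carved but which are absent on disk."""
    on_disk = {f.carved_name for f in files}
    missing = {}
    for key, column in flow_images.items():
        lost = [n for n in split_column(column) if n not in on_disk]
        if lost:
            missing[key] = lost
    return missing


if __name__ == "__main__":
    carved = parse_listing(SAMPLE_LISTING)
    for (findex, d), flow_files in sorted(group_by_flow(carved).items()):
        print(f"flow {findex}{d}: " + ", ".join(f"{f.name}@pkt{f.packet_no}" for f in flow_files))
    print("missing:", missing_carves(FLOW_IMAGES, carved))
```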

Open the pictures with your file browser or eog, as you wish. Be careful with the application folder, as it holds carved content from what looks like a malware capture.

Now try faf-exercise.pcap (source: Bro): add smtpDecode and set SMTP_SAVE to 1 in smtpDecode.h

$ cd smtpDecode/src
$ vi smtpDecode.h

or use the t2conf command, then recompile, rerun T2 and move into /tmp/SMTPFILES:

$ t2conf smtpDecode -D SMTP_SAVE=1
$ t2build smtpDecode
$ t2 -r ~/data/faf-exercise.pcap -w ~/results
================================================================================
Tranalyzer 0.8.7 (Anteater), Tarantula. PID: 2424
================================================================================
[INF] Creating flows for L2, IPv4, IPv6
Active plugins:
    01: basicFlow, 0.8.7
    02: tcpStates, 0.8.7
    03: smtpDecode, 0.8.7
    04: httpSniffer, 0.8.7
    05: txtSink, 0.8.7
...
--------------------------------------------------------------------------------
tcpStates: Aggregated anomaly flags: 0x4a
smtpDecode: Number of SMTP packets: 894 [15.15%]
smtpDecode: Number of SMTP files: 3
httpSniffer: Number of HTTP packets: 3821 (3.82 K) [64.74%]
httpSniffer: Number of HTTP GET  requests: 16 [0.42%]
httpSniffer: Aggregated status flags : 0x002c
httpSniffer: Aggregated anomaly flags: 0x5000
httpSniffer: Aggregated content flags: 0x0010
httpSniffer: Aggregated mime type    : 0x0045
httpSniffer: Number of files img_vid_aud_txt_msg_app_unk: 3_0_0_10_0_7_0
--------------------------------------------------------------------------------
...

So we have 3 mail files, 3 images, 10 texts and 7 applications. If we were only interested in the

$ tawk 'strtonum($smtpStat) || hdr()' faf-exercise_flows.txt | tcol
%dir  flowInd  flowStat            timeFirst          timeLast           duration  numHdrDesc  numHdrs  hdrDesc       srcMac             dstMac             ethType  ethVlanID  srcIP          srcIPCC  srcIPWho           srcPort  dstIP          dstIPCC  dstIPWho           dstPort  l4Proto  tcpStates  smtpStat  smtpCC                    smtpRC           smtpUsr  smtpPW  smtpSANum  smtpESANum  smtpERANum  smtpSA                                                                                                                                                                                                                                     smtpESA                 smtpERA                httpStat  httpAFlags  httpMethods  httpHeadMimes  httpCFlags  httpGet_Post  httpRSCnt  httpRSCode  httpURL_Via_Loc_Srv_Pwr_UAg_XFr_Ref_Cky_Mim  httpImg_Vid_Aud_Msg_Txt_App_Unk  httpHosts  httpURL  httpMimes     httpCookies  httpImages  httpVideos  httpAudios  httpMsgs  httpAppl  httpText          httpPunk  httpBdyURL  httpUsrAg                                  httpXFor  httpRefrr  httpVia  httpLoc  httpServ  httpPwr
A     12       0x0000000000004000  1258563573.941668  1258563576.594009  2.652341  1           3        eth:ipv4:tcp  00:0b:db:63:5b:d4  00:19:e3:e7:5d:23  0x0800              192.168.1.103  09       "Private network"  1397     192.168.1.1    09       "Private network"  25       6        0x00       0x01      EHLO                                                        1          0           0           "m57pat"                                                                                                                                                                                                                                                                                  0x0000    0x0000      0x00         0x0000         0x0010      0_0           0                      0_0_0_0_0_0_0_0_0_0                          0_0_0_0_0_0_0
B     12       0x0000000000004001  1258563573.941709  1258563576.594045  2.652336  1           3        eth:ipv4:tcp  00:19:e3:e7:5d:23  00:0b:db:63:5b:d4  0x0800              192.168.1.1    09       "Private network"  25       192.168.1.103  09       "Private network"  1397     6        0x08       0x01                                220;250                           3          0           0           "220 domex ESMTP Postfix";"250-domex_250-PIPELINING_250-SIZE 10485760_250-VRFY_250-ETRN_250-AUTH L220 2.0.0 Ready to start TLS";"220 2.0.0 Ready to start TLS"                                                                                                                            0x0000    0x0000      0x00         0x0000         0x0010      0_0           0                      0_0_0_0_0_0_0_0_0_0                          0_0_0_0_0_0_0
A     13       0x0000000000004000  1258565030.304653  1258565030.420837  0.116184  1           3        eth:ipv4:tcp  00:0b:db:63:5b:d4  00:19:e3:e7:5d:23  0x0800              192.168.1.103  09       "Private network"  1749     192.168.1.1    09       "Private network"  25       6        0x00       0x01      EHLO                                                        1          0           0           "m57pat"                                                                                                                                                                                                                                                                                  0x0000    0x0000      0x00         0x0000         0x0010      0_0           0                      0_0_0_0_0_0_0_0_0_0                          0_0_0_0_0_0_0
B     13       0x0000000000004001  1258565030.304696  1258565030.420877  0.116181  1           3        eth:ipv4:tcp  00:19:e3:e7:5d:23  00:0b:db:63:5b:d4  0x0800              192.168.1.1    09       "Private network"  25       192.168.1.103  09       "Private network"  1749     6        0x08       0x01                                220;250                           3          0           0           "220 domex ESMTP Postfix";"250-domex_250-PIPELINING_250-SIZE 10485760_250-VRFY_250-ETRN_250-AUTH L220 2.0.0 Ready to start TLS";"220 2.0.0 Ready to start TLS"                                                                                                                            0x0000    0x0000      0x00         0x0000         0x0010      0_0           0                      0_0_0_0_0_0_0_0_0_0                          0_0_0_0_0_0_0
A     14       0x0000000000004000  1258565174.919134  1258565175.037809  0.118675  1           3        eth:ipv4:tcp  00:0b:db:63:5b:d4  00:19:e3:e7:5d:23  0x0800              192.168.1.103  09       "Private network"  1755     192.168.1.1    09       "Private network"  25       6        0x00       0x01      EHLO                                                        1          0           0           "m57pat"                                                                                                                                                                                                                                                                                  0x0000    0x0000      0x00         0x0000         0x0010      0_0           0                      0_0_0_0_0_0_0_0_0_0                          0_0_0_0_0_0_0
B     14       0x0000000000004001  1258565174.919179  1258565175.037828  0.118649  1           3        eth:ipv4:tcp  00:19:e3:e7:5d:23  00:0b:db:63:5b:d4  0x0800              192.168.1.1    09       "Private network"  25       192.168.1.103  09       "Private network"  1755     6        0x08       0x01                                220;250                           3          0           0           "220 domex ESMTP Postfix";"250-domex_250-PIPELINING_250-SIZE 10485760_250-VRFY_250-ETRN_250-AUTH L220 2.0.0 Ready to start TLS";"220 2.0.0 Ready to start TLS"                                                                                                                            0x0000    0x0000      0x00         0x0000         0x0010      0_0           0                      0_0_0_0_0_0_0_0_0_0                          0_0_0_0_0_0_0
A     15       0x0000000000004000  1258565820.302090  1258565821.898589  1.596499  1           3        eth:ipv4:tcp  00:08:74:38:01:b4  00:19:e3:e7:5d:23  0x0800              192.168.1.105  09       "Private network"  49218    192.168.1.1    09       "Private network"  25       6        0x00       0x01      EHLO                                                        1          0           0           "M57Terry"                                                                                                                                                                                                                                                                                0x0000    0x0000      0x00         0x0000         0x0010      0_0           0                      0_0_0_0_0_0_0_0_0_0                          0_0_0_0_0_0_0
B     15       0x0000000000004001  1258565820.302128  1258565821.898612  1.596484  1           3        eth:ipv4:tcp  00:19:e3:e7:5d:23  00:08:74:38:01:b4  0x0800              192.168.1.1    09       "Private network"  25       192.168.1.105  09       "Private network"  49218    6        0x00       0x01                                220;250                           3          0           0           "220 domex ESMTP Postfix";"250-domex_250-PIPELINING_250-SIZE 10485760_250-VRFY_250-ETRN_250-AUTH L220 2.0.0 Ready to start TLS";"220 2.0.0 Ready to start TLS"                                                                                                                            0x0000    0x0000      0x00         0x0000         0x0010      0_0           0                      0_0_0_0_0_0_0_0_0_0                          0_0_0_0_0_0_0
A     16       0x0000000000004000  1258565880.189257  1258565880.212242  0.022985  1           3        eth:ipv4:tcp  00:08:74:38:01:b4  00:19:e3:e7:5d:23  0x0800              192.168.1.105  09       "Private network"  49219    192.168.1.1    09       "Private network"  25       6        0x00       0x01      EHLO                                                        1          0           0           "M57Terry"                                                                                                                                                                                                                                                                                0x0000    0x0000      0x00         0x0000         0x0010      0_0           0                      0_0_0_0_0_0_0_0_0_0                          0_0_0_0_0_0_0
B     16       0x0000000000004001  1258565880.189338  1258565880.212279  0.022941  1           3        eth:ipv4:tcp  00:19:e3:e7:5d:23  00:08:74:38:01:b4  0x0800              192.168.1.1    09       "Private network"  25       192.168.1.105  09       "Private network"  49219    6        0x00       0x01                                220;250                           3          0           0           "220 domex ESMTP Postfix";"250-domex_250-PIPELINING_250-SIZE 10485760_250-VRFY_250-ETRN_250-AUTH L220 2.0.0 Ready to start TLS";"220 2.0.0 Ready to start TLS"                                                                                                                            0x0000    0x0000      0x00         0x0000         0x0010      0_0           0                      0_0_0_0_0_0_0_0_0_0                          0_0_0_0_0_0_0
A     17       0x0000000000004000  1258566050.124592  1258566050.238771  0.114179  1           3        eth:ipv4:tcp  00:08:74:38:01:b4  00:19:e3:e7:5d:23  0x0800              192.168.1.105  09       "Private network"  49220    192.168.1.1    09       "Private network"  25       6        0x00       0x01      EHLO                                                        1          0           0           "M57Terry"                                                                                                                                                                                                                                                                                0x0000    0x0000      0x00         0x0000         0x0010      0_0           0                      0_0_0_0_0_0_0_0_0_0                          0_0_0_0_0_0_0
B     17       0x0000000000004001  1258566050.124650  1258566050.238828  0.114178  1           3        eth:ipv4:tcp  00:19:e3:e7:5d:23  00:08:74:38:01:b4  0x0800              192.168.1.1    09       "Private network"  25       192.168.1.105  09       "Private network"  49220    6        0x00       0x01                                220;250                           3          0           0           "220 domex ESMTP Postfix";"250-domex_250-PIPELINING_250-SIZE 10485760_250-VRFY_250-ETRN_250-AUTH L220 2.0.0 Ready to start TLS";"220 2.0.0 Ready to start TLS"                                                                                                                            0x0000    0x0000      0x00         0x0000         0x0010      0_0           0                      0_0_0_0_0_0_0_0_0_0                          0_0_0_0_0_0_0
A     18       0x0000000000004000  1258566123.706408  1258566123.739652  0.033244  1           3        eth:ipv4:tcp  00:0b:db:63:5b:d4  00:19:e3:e7:5d:23  0x0800              192.168.1.103  09       "Private network"  1806     192.168.1.1    09       "Private network"  25       6        0x00       0x01      EHLO                                                        1          0           0           "m57pat"                                                                                                                                                                                                                                                                                  0x0000    0x0000      0x00         0x0000         0x0010      0_0           0                      0_0_0_0_0_0_0_0_0_0                          0_0_0_0_0_0_0
B     18       0x0000000000004001  1258566123.706462  1258566123.739692  0.033230  1           3        eth:ipv4:tcp  00:19:e3:e7:5d:23  00:0b:db:63:5b:d4  0x0800              192.168.1.1    09       "Private network"  25       192.168.1.103  09       "Private network"  1806     6        0x00       0x01                                220;250                           3          0           0           "220 domex ESMTP Postfix";"250-domex_250-PIPELINING_250-SIZE 10485760_250-VRFY_250-ETRN_250-AUTH L220 2.0.0 Ready to start TLS";"220 2.0.0 Ready to start TLS"                                                                                                                            0x0000    0x0000      0x00         0x0000         0x0010      0_0           0                      0_0_0_0_0_0_0_0_0_0                          0_0_0_0_0_0_0
A     19       0x0000000000004000  1258567109.383510  1258567113.574618  4.191108  1           3        eth:ipv4:tcp  00:0b:db:63:58:a6  00:19:e3:e7:5d:23  0x0800              192.168.1.102  09       "Private network"  1400     192.168.1.1    09       "Private network"  25       6        0x00       0x01      EHLO                                                        1          0           0           "m57jo"                                                                                                                                                                                                                                                                                   0x0000    0x0000      0x00         0x0000         0x0010      0_0           0                      0_0_0_0_0_0_0_0_0_0                          0_0_0_0_0_0_0
B     19       0x0000000000004001  1258567109.383558  1258567113.574642  4.191084  1           3        eth:ipv4:tcp  00:19:e3:e7:5d:23  00:0b:db:63:58:a6  0x0800              192.168.1.1    09       "Private network"  25       192.168.1.102  09       "Private network"  1400     6        0x08       0x01                                220;250                           3          0           0           "220 domex ESMTP Postfix";"250-domex_250-PIPELINING_250-SIZE 10485760_250-VRFY_250-ETRN_250-AUTH L220 2.0.0 Ready to start TLS";"220 2.0.0 Ready to start TLS"                                                                                                                            0x0000    0x0000      0x00         0x0000         0x0010      0_0           0                      0_0_0_0_0_0_0_0_0_0                          0_0_0_0_0_0_0
A     20       0x0000000000004000  1258567248.261596  1258567248.374768  0.113172  1           3        eth:ipv4:tcp  00:0b:db:63:58:a6  00:19:e3:e7:5d:23  0x0800              192.168.1.102  09       "Private network"  1404     192.168.1.1    09       "Private network"  25       6        0x00       0x01      EHLO                                                        1          0           0           "m57jo"                                                                                                                                                                                                                                                                                   0x0000    0x0000      0x00         0x0000         0x0010      0_0           0                      0_0_0_0_0_0_0_0_0_0                          0_0_0_0_0_0_0
B     20       0x0000000000004001  1258567248.261635  1258567248.374809  0.113174  1           3        eth:ipv4:tcp  00:19:e3:e7:5d:23  00:0b:db:63:58:a6  0x0800              192.168.1.1    09       "Private network"  25       192.168.1.102  09       "Private network"  1404     6        0x00       0x01                                220;250                           3          0           0           "220 domex ESMTP Postfix";"250-domex_250-PIPELINING_250-SIZE 10485760_250-VRFY_250-ETRN_250-AUTH L220 2.0.0 Ready to start TLS";"220 2.0.0 Ready to start TLS"                                                                                                                            0x0000    0x0000      0x00         0x0000         0x0010      0_0           0                      0_0_0_0_0_0_0_0_0_0                          0_0_0_0_0_0_0
A     21       0x0000000000004000  1258567289.262109  1258567289.283592  0.021483  1           3        eth:ipv4:tcp  00:0b:db:63:58:a6  00:19:e3:e7:5d:23  0x0800              192.168.1.102  09       "Private network"  1405     192.168.1.1    09       "Private network"  25       6        0x00       0x01      EHLO                                                        1          0           0           "m57jo"                                                                                                                                                                                                                                                                                   0x0000    0x0000      0x00         0x0000         0x0010      0_0           0                      0_0_0_0_0_0_0_0_0_0                          0_0_0_0_0_0_0
B     21       0x0000000000004001  1258567289.262156  1258567289.283642  0.021486  1           3        eth:ipv4:tcp  00:19:e3:e7:5d:23  00:0b:db:63:58:a6  0x0800              192.168.1.1    09       "Private network"  25       192.168.1.102  09       "Private network"  1405     6        0x00       0x01                                220;250                           3          0           0           "220 domex ESMTP Postfix";"250-domex_250-PIPELINING_250-SIZE 10485760_250-VRFY_250-ETRN_250-AUTH L220 2.0.0 Ready to start TLS";"220 2.0.0 Ready to start TLS"                                                                                                                            0x0000    0x0000      0x00         0x0000         0x0010      0_0           0                      0_0_0_0_0_0_0_0_0_0                          0_0_0_0_0_0_0
A     22       0x0000000000004000  1258567757.457759  1258567757.572930  0.115171  1           3        eth:ipv4:tcp  00:08:74:38:01:b4  00:19:e3:e7:5d:23  0x0800              192.168.1.105  09       "Private network"  49336    192.168.1.1    09       "Private network"  25       6        0x00       0x01      EHLO                                                        1          0           0           "M57Terry"                                                                                                                                                                                                                                                                                0x0000    0x0000      0x00         0x0000         0x0010      0_0           0                      0_0_0_0_0_0_0_0_0_0                          0_0_0_0_0_0_0
B     22       0x0000000000004001  1258567757.457805  1258567757.572984  0.115179  1           3        eth:ipv4:tcp  00:19:e3:e7:5d:23  00:08:74:38:01:b4  0x0800              192.168.1.1    09       "Private network"  25       192.168.1.105  09       "Private network"  49336    6        0x00       0x01                                220;250                           3          0           0           "220 domex ESMTP Postfix";"250-domex_250-PIPELINING_250-SIZE 10485760_250-VRFY_250-ETRN_250-AUTH L220 2.0.0 Ready to start TLS";"220 2.0.0 Ready to start TLS"                                                                                                                            0x0000    0x0000      0x00         0x0000         0x0010      0_0           0                      0_0_0_0_0_0_0_0_0_0                          0_0_0_0_0_0_0
A     23       0x0000000000004000  1258568036.508358  1258568036.620287  0.111929  1           3        eth:ipv4:tcp  00:08:74:38:01:b4  00:19:e3:e7:5d:23  0x0800              192.168.1.105  09       "Private network"  49353    192.168.1.1    09       "Private network"  25       6        0x00       0x01      EHLO                                                        1          0           0           "M57Terry"                                                                                                                                                                                                                                                                                0x0000    0x0000      0x00         0x0000         0x0010      0_0           0                      0_0_0_0_0_0_0_0_0_0                          0_0_0_0_0_0_0
B     23       0x0000000000004001  1258568036.508400  1258568036.620325  0.111925  1           3        eth:ipv4:tcp  00:19:e3:e7:5d:23  00:08:74:38:01:b4  0x0800              192.168.1.1    09       "Private network"  25       192.168.1.105  09       "Private network"  49353    6        0x08       0x01                                220;250                           3          0           0           "220 domex ESMTP Postfix";"250-domex_250-PIPELINING_250-SIZE 10485760_250-VRFY_250-ETRN_250-AUTH L220 2.0.0 Ready to start TLS";"220 2.0.0 Ready to start TLS"                                                                                                                            0x0000    0x0000      0x00         0x0000         0x0010      0_0           0                      0_0_0_0_0_0_0_0_0_0                          0_0_0_0_0_0_0
A     24       0x0000000000004000  1258568059.128662  1258568059.160656  0.031994  1           3        eth:ipv4:tcp  00:0b:db:63:5b:d4  00:19:e3:e7:5d:23  0x0800              192.168.1.103  09       "Private network"  1836     192.168.1.1    09       "Private network"  25       6        0x00       0x01      EHLO                                                        1          0           0           "m57pat"                                                                                                                                                                                                                                                                                  0x0000    0x0000      0x00         0x0000         0x0010      0_0           0                      0_0_0_0_0_0_0_0_0_0                          0_0_0_0_0_0_0
B     24       0x0000000000004001  1258568059.128711  1258568059.160696  0.031985  1           3        eth:ipv4:tcp  00:19:e3:e7:5d:23  00:0b:db:63:5b:d4  0x0800              192.168.1.1    09       "Private network"  25       192.168.1.103  09       "Private network"  1836     6        0x00       0x01                                220;250                           3          0           0           "220 domex ESMTP Postfix";"250-domex_250-PIPELINING_250-SIZE 10485760_250-VRFY_250-ETRN_250-AUTH L220 2.0.0 Ready to start TLS";"220 2.0.0 Ready to start TLS"                                                                                                                            0x0000    0x0000      0x00         0x0000         0x0010      0_0           0                      0_0_0_0_0_0_0_0_0_0                          0_0_0_0_0_0_0
A     25       0x0000000000004000  1258568667.549041  1258568667.662968  0.113927  1           3        eth:ipv4:tcp  00:0b:db:63:58:a6  00:19:e3:e7:5d:23  0x0800              192.168.1.102  09       "Private network"  1709     192.168.1.1    09       "Private network"  25       6        0x00       0x01      EHLO                                                        1          0           0           "m57jo"                                                                                                                                                                                                                                                                                   0x0000    0x0000      0x00         0x0000         0x0010      0_0           0                      0_0_0_0_0_0_0_0_0_0                          0_0_0_0_0_0_0
B     25       0x0000000000004001  1258568667.549083  1258568667.662999  0.113916  1           3        eth:ipv4:tcp  00:19:e3:e7:5d:23  00:0b:db:63:58:a6  0x0800              192.168.1.1    09       "Private network"  25       192.168.1.102  09       "Private network"  1709     6        0x08       0x01                                220;250                           3          0           0           "220 domex ESMTP Postfix";"250-domex_250-PIPELINING_250-SIZE 10485760_250-VRFY_250-ETRN_250-AUTH L220 2.0.0 Ready to start TLS";"220 2.0.0 Ready to start TLS"                                                                                                                            0x0000    0x0000      0x00         0x0000         0x0010      0_0           0                      0_0_0_0_0_0_0_0_0_0                          0_0_0_0_0_0_0
A     26       0x0000000000004000  1258568738.108255  1258568738.141234  0.032979  1           3        eth:ipv4:tcp  00:08:74:38:01:b4  00:19:e3:e7:5d:23  0x0800              192.168.1.105  09       "Private network"  49561    192.168.1.1    09       "Private network"  25       6        0x00       0x01      EHLO                                                        1          0           0           "M57Terry"                                                                                                                                                                                                                                                                                0x0000    0x0000      0x00         0x0000         0x0010      0_0           0                      0_0_0_0_0_0_0_0_0_0                          0_0_0_0_0_0_0
B     26       0x0000000000004001  1258568738.108301  1258568738.141266  0.032965  1           3        eth:ipv4:tcp  00:19:e3:e7:5d:23  00:08:74:38:01:b4  0x0800              192.168.1.1    09       "Private network"  25       192.168.1.105  09       "Private network"  49561    6        0x00       0x01                                220;250                           3          0           0           "220 domex ESMTP Postfix";"250-domex_250-PIPELINING_250-SIZE 10485760_250-VRFY_250-ETRN_250-AUTH L220 2.0.0 Ready to start TLS";"220 2.0.0 Ready to start TLS"                                                                                                                            0x0000    0x0000      0x00         0x0000         0x0010      0_0           0                      0_0_0_0_0_0_0_0_0_0                          0_0_0_0_0_0_0
A     27       0x0000000000004000  1258574141.027462  1258574141.466197  0.438735  1           3        eth:ipv4:tcp  00:0b:db:4f:6b:10  00:19:e3:e7:5d:23  0x0800              192.168.1.104  09       "Private network"  1572     192.168.1.1    09       "Private network"  25       6        0x00       0x11      EHLO;MAIL;RCPT;DATA;QUIT                                    1          1           1           "[192.168.1.104]"                                                                                                                                                                                                                          "charlie@m57.biz_0_27"  "pat@m57.biz"          0x0000    0x0000      0x00         0x0040         0x0010      0_0           0                      0_0_0_0_0_1_0_0_0_1                          0_0_0_0_1_0_0                                        "text/plain"                                                                       "nudel_0_27_5_0"                        "Thunderbird 2.0.0.23 (Windows/20090812)"
B     27       0x0000000000004001  1258574141.027497  1258574141.466226  0.438729  1           3        eth:ipv4:tcp  00:19:e3:e7:5d:23  00:0b:db:4f:6b:10  0x0800              192.168.1.1    09       "Private network"  25       192.168.1.104  09       "Private network"  1572     6        0x00       0x01                                220;250;354;221                   7          0           0           "220 domex ESMTP Postfix";"250-domex_250-PIPELINING_250-SIZE 10485760_250-VRFY_250-ETRN_250-AUTH L250 2.1.0 Ok";"250 2.1.0 Ok";"250 2.1.5 Ok";"354 End data with <CR><LF>.<CR><LF>";"250 2.0.0 Ok: queued as 3B2C92AF471";"221 2.0.0 Bye"                                                 0x0000    0x0000      0x00         0x0000         0x0010      0_0           0                      0_0_0_0_0_0_0_0_0_0                          0_0_0_0_0_0_0
A     28       0x0000000000004000  1258577484.692600  1258577484.971674  0.279074  1           3        eth:ipv4:tcp  00:0b:db:4f:6b:10  00:19:e3:e7:5d:23  0x0800              192.168.1.104  09       "Private network"  1604     192.168.1.1    09       "Private network"  25       6        0x00       0x11      EHLO;MAIL;RCPT;DATA;QUIT                                    1          1           1           "[192.168.1.104]"                                                                                                                                                                                                                          "charlie@m57.biz_0_28"  "pat@m57.biz"          0x0000    0x0000      0x00         0x0040         0x0010      0_0           0                      0_0_0_0_0_1_0_0_0_1                          0_0_0_0_1_0_0                                        "text/plain"                                                                       "nudel_0_28_5_0"                        "Thunderbird 2.0.0.23 (Windows/20090812)"
B     28       0x0000000000004001  1258577484.692644  1258577484.971707  0.279063  1           3        eth:ipv4:tcp  00:19:e3:e7:5d:23  00:0b:db:4f:6b:10  0x0800              192.168.1.1    09       "Private network"  25       192.168.1.104  09       "Private network"  1604     6        0x00       0x01                                220;250;354;221                   7          0           0           "220 domex ESMTP Postfix";"250-domex_250-PIPELINING_250-SIZE 10485760_250-VRFY_250-ETRN_250-AUTH L250 2.1.0 Ok";"250 2.1.0 Ok";"250 2.1.5 Ok";"354 End data with <CR><LF>.<CR><LF>";"250 2.0.0 Ok: queued as BF9192AF931";"221 2.0.0 Bye"                                                 0x0000    0x0000      0x00         0x0000         0x0010      0_0           0                      0_0_0_0_0_0_0_0_0_0                          0_0_0_0_0_0_0
A     29       0x0000000000004000  1258577840.949762  1258577841.204606  0.254844  1           3        eth:ipv4:tcp  00:0b:db:4f:6b:10  00:19:e3:e7:5d:23  0x0800              192.168.1.104  09       "Private network"  1665     192.168.1.1    09       "Private network"  25       6        0x00       0x11      EHLO;MAIL;RCPT;DATA;QUIT                                    1          1           1           "[192.168.1.104]"                                                                                                                                                                                                                          "charlie@m57.biz_0_29"  "alix.pery@yahoo.com"  0x0000    0x0000      0x00         0x0040         0x0010      0_0           0                      0_0_0_0_0_1_0_0_0_1                          0_0_0_0_1_0_0                                        "text/plain"                                                                       "nudel_0_29_5_0"                        "Thunderbird 2.0.0.23 (Windows/20090812)"
B     29       0x0000000000004001  1258577840.949804  1258577841.204644  0.254840  1           3        eth:ipv4:tcp  00:19:e3:e7:5d:23  00:0b:db:4f:6b:10  0x0800              192.168.1.1    09       "Private network"  25       192.168.1.104  09       "Private network"  1665     6        0x00       0x01                                220;250;354;221                   7          0           0           "220 domex ESMTP Postfix";"250-domex_250-PIPELINING_250-SIZE 10485760_250-VRFY_250-ETRN_250-AUTH L250 2.1.0 Ok";"250 2.1.0 Ok";"250 2.1.5 Ok";"354 End data with <CR><LF>.<CR><LF>";"250 2.0.0 Ok: queued as 0B4782AF94B";"221 2.0.0 Bye"                                                 0x0000    0x0000      0x00         0x0000         0x0010      0_0           0                      0_0_0_0_0_0_0_0_0_0                          0_0_0_0_0_0_0
A     30       0x0000000000004000  1258581757.587843  1258581758.358872  0.771029  1           3        eth:ipv4:tcp  00:0b:db:63:5b:d4  00:19:e3:e7:5d:23  0x0800              192.168.1.103  09       "Private network"  1934     192.168.1.1    09       "Private network"  25       6        0x00       0x01      EHLO                                                        1          0           0           "m57pat"                                                                                                                                                                                                                                                                                  0x0000    0x0000      0x00         0x0000         0x0010      0_0           0                      0_0_0_0_0_0_0_0_0_0                          0_0_0_0_0_0_0
B     30       0x0000000000004001  1258581757.587891  1258581758.358901  0.771010  1           3        eth:ipv4:tcp  00:19:e3:e7:5d:23  00:0b:db:63:5b:d4  0x0800              192.168.1.1    09       "Private network"  25       192.168.1.103  09       "Private network"  1934     6        0x08       0x01                                220;250                           3          0           0           "220 domex ESMTP Postfix";"250-domex_250-PIPELINING_250-SIZE 10485760_250-VRFY_250-ETRN_250-AUTH L220 2.0.0 Ready to start TLS";"220 2.0.0 Ready to start TLS"                                                                                                                            0x0000    0x0000      0x00         0x0000         0x0010      0_0           0                      0_0_0_0_0_0_0_0_0_0                          0_0_0_0_0_0_0
A     31       0x0000000000004000  1258582107.588230  1258582108.822693  1.234463  1           3        eth:ipv4:tcp  00:0b:db:63:5b:d4  00:19:e3:e7:5d:23  0x0800              192.168.1.103  09       "Private network"  2008     192.168.1.1    09       "Private network"  25       6        0x00       0x01      EHLO                                                        1          0           0           "m57pat"                                                                                                                                                                                                                                                                                  0x0000    0x0000      0x00         0x0000         0x0010      0_0           0                      0_0_0_0_0_0_0_0_0_0                          0_0_0_0_0_0_0
B     31       0x0000000000004001  1258582107.588266  1258582108.822724  1.234458  1           3        eth:ipv4:tcp  00:19:e3:e7:5d:23  00:0b:db:63:5b:d4  0x0800              192.168.1.1    09       "Private network"  25       192.168.1.103  09       "Private network"  2008     6        0x08       0x01                                220;250                           3          0           0           "220 domex ESMTP Postfix";"250-domex_250-PIPELINING_250-SIZE 10485760_250-VRFY_250-ETRN_250-AUTH L220 2.0.0 Ready to start TLS";"220 2.0.0 Ready to start TLS"                                                                                                                            0x0000    0x0000      0x00         0x0000         0x0010      0_0           0                      0_0_0_0_0_0_0_0_0_0                          0_0_0_0_0_0_0
A     32       0x0000000000004000  1258583614.298059  1258583615.323171  1.025112  1           3        eth:ipv4:tcp  00:0b:db:63:58:a6  00:19:e3:e7:5d:23  0x0800              192.168.1.102  09       "Private network"  1911     192.168.1.1    09       "Private network"  25       6        0x00       0x01      EHLO                                                        1          0           0           "m57jo"                                                                                                                                                                                                                                                                                   0x0000    0x0000      0x00         0x0000         0x0010      0_0           0                      0_0_0_0_0_0_0_0_0_0                          0_0_0_0_0_0_0
B     32       0x0000000000004001  1258583614.298161  1258583615.323218  1.025057  1           3        eth:ipv4:tcp  00:19:e3:e7:5d:23  00:0b:db:63:58:a6  0x0800              192.168.1.1    09       "Private network"  25       192.168.1.102  09       "Private network"  1911     6        0x08       0x01                                220;250                           3          0           0           "220 domex ESMTP Postfix";"250-domex_250-PIPELINING_250-SIZE 10485760_250-VRFY_250-ETRN_250-AUTH L220 2.0.0 Ready to start TLS";"220 2.0.0 Ready to start TLS"                                                                                                                            0x0000    0x0000      0x00         0x0000         0x0010      0_0           0                      0_0_0_0_0_0_0_0_0_0                          0_0_0_0_0_0_0
$

You can now see all the vital mail communication aggregated per flow. If you want to read the emails themselves, look into the tmp folder and open a file:

$ cd /tmp/SMTPFILES
$ ls
charlie@m57.biz_0_27  charlie@m57.biz_0_28  charlie@m57.biz_0_29
$ cat charlie@m57.biz_0_27
Message-ID: <4B0451D7.6080508@m57.biz>
Date: Wed, 18 Nov 2009 11:58:15 -0800
From: Charlie <charlie@m57.biz>
User-Agent: Thunderbird 2.0.0.23 (Windows/20090812)
MIME-Version: 1.0
To: Pat McGoo <pat@m57.biz>
Subject: Re: COFFEE
References: <98CC40FE46EA4F9CB82A95B0E7634C9A@m57pat>
In-Reply-To: <98CC40FE46EA4F9CB82A95B0E7634C9A@m57pat>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit

Pat McGoo wrote:
> Charlie, Terry,
>
>     just checking up on your preferences for coffee - jo is going
> shopping tomorrow, let us know what you want.
>
> Jo, I like my coffee cinnamon apple flavor with just a whisper of
> cream - be sure to get the heavy whipping cream, NOT the half and
> half.  See if they have any of those nice pumpkin muffins, too.
>
> Pat
Can I just get hot chocolate instead?  I like the little sprinkles and
whipped cream with it.
.
QUIT
$

For smtpDecode, too, all extracted filenames have the flowIndex attached, so that flows can be correlated with the extracted files:

Filename_Flow-Dir(0/1)_findex
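The naming scheme above is what makes the carved files usable in an investigation: each file name points back at exactly one flow and direction in the flow file, and the file body is the raw SMTP DATA payload, which still carries the end-of-data "." marker and the trailing QUIT seen in the cat output above. The following script is an added example (not part of Tranalyzer or this tutorial) that parses the carved names, looks up the matching flow row and extracts the mail headers. It assumes the flow file is tab-separated with a "%"-prefixed header line naming at least dir, flowInd, srcIP, srcPort, dstIP and dstPort, that direction 0/1 in the file name corresponds to A/B in the dir column, and that the carved body may be dot-stuffed as SMTP requires; the sample flow rows and message are constructed, abridged from the output shown in this tutorial.

```python
"""Correlate smtpDecode's carved files with T2 flows and parse the mail headers.

Added example, not Tranalyzer code. Assumptions: carved files follow the
Filename_Flow-Dir(0/1)_findex scheme; the flow file is tab-separated with a
'%'-prefixed header line; direction 0/1 maps to dir A/B.
"""
import re
import sys
from email import policy
from email.parser import Parser
from pathlib import Path

# Filename_Flow-Dir(0/1)_findex, e.g. charlie@m57.biz_0_27
CARVED_NAME = re.compile(r"^(?P<name>.+)_(?P<dir>[01])_(?P<findex>\d+)$")

# Constructed sample data, abridged from the tutorial's output (columns assumed).
SAMPLE_FLOWS = (
    "% dir\tflowInd\tsrcIP\tsrcPort\tdstIP\tdstPort\n"
    "A\t27\t192.168.1.104\t1572\t192.168.1.1\t25\n"
    "B\t27\t192.168.1.1\t25\t192.168.1.104\t1572\n"
)
SAMPLE_MESSAGE = (
    "Message-ID: <4B0451D7.6080508@m57.biz>\n"
    "From: Charlie <charlie@m57.biz>\n"
    "To: Pat McGoo <pat@m57.biz>\n"
    "Subject: Re: COFFEE\n"
    "Content-Type: text/plain; charset=ISO-8859-1; format=flowed\n"
    "Content-Transfer-Encoding: 7bit\n"
    "\n"
    "Pat McGoo wrote:\n"
    "> Charlie, Terry,\n"
    "Can I just get hot chocolate instead?  I like the little sprinkles and\n"
    "whipped cream with it.\n"
    ".\n"
    "QUIT\n"
)


def parse_carved_name(filename):
    """Split 'charlie@m57.biz_0_27' into name, flow direction and flow index."""
    m = CARVED_NAME.match(filename)
    if m is None:
        return None
    return {"name": m["name"], "dir": int(m["dir"]), "findex": int(m["findex"])}


def load_flows(text):
    """Parse a tab-separated flow file whose header line starts with '%'."""
    header, rows = None, []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("%"):
            header = line.lstrip("% ").split("\t")
            continue
        if header is None:
            raise ValueError("flow file has no header line")
        rows.append(dict(zip(header, line.split("\t"))))
    return rows


def find_flow(flows, carved):
    """Return the flow row matching the carved file's index and direction."""
    want_dir = "AB"[carved["dir"]]  # assumption: 0 -> A, 1 -> B
    for row in flows:
        if int(row["flowInd"]) == carved["findex"] and row["dir"] == want_dir:
            return row
    return None


def strip_smtp_trailer(raw):
    """Drop the SMTP '.' end-of-data marker and trailing QUIT, then undo
    dot-stuffing (RFC 5321 4.5.2) so a plain RFC 5322 message remains."""
    lines = raw.splitlines()
    while lines and lines[-1].strip() != ".":
        if lines[-1].strip().upper() in ("QUIT", ""):
            lines.pop()
        else:
            break
    if lines and lines[-1].strip() == ".":
        lines.pop()
    return "\n".join(l[1:] if l.startswith("..") else l for l in lines) + "\n"


def parse_message(raw):
    """Extract the headers an analyst correlates first, plus the text body."""
    msg = Parser(policy=policy.default).parsestr(strip_smtp_trailer(raw))
    body = msg.get_body(preferencelist=("plain",))
    return {
        "message_id": str(msg["Message-ID"]),
        "from": str(msg["From"]),
        "to": str(msg["To"]),
        "subject": str(msg["Subject"]),
        "body": body.get_content() if body is not None else "",
    }


def correlate(carved_dir, flows):
    """Map every file under carved_dir to its flow row (None if unmatched)."""
    result = {}
    for path in sorted(Path(carved_dir).iterdir()):
        parsed = parse_carved_name(path.name)
        result[path.name] = find_flow(flows, parsed) if parsed else None
    return result


if __name__ == "__main__":
    # usage: python correlate_smtp.py <flow file> /tmp/SMTPFILES
    flow_file, carved_dir = sys.argv[1], sys.argv[2]
    flows = load_flows(Path(flow_file).read_text(errors="replace"))
    for name, row in correlate(carved_dir, flows).items():
        hdr = parse_message(Path(carved_dir, name).read_text(errors="replace"))
        where = (f"{row['srcIP']}:{row['srcPort']} -> {row['dstIP']}:{row['dstPort']}"
                 if row else "no matching flow")
        print(f"{name}: {where}  From={hdr['from']}  Subject={hdr['subject']}")
```

Run it against the flow file written by txtSink and the SMTPFILES directory; every carved message is then printed next to the endpoints of the flow it was carved from, which is the link an analyst needs before trusting a carved artifact as evidence. The trailer stripping matters: without it, the "." and QUIT lines would end up as part of the message body and would also break dot-unstuffing of any line that legitimately begins with a period.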

Also have a look at the other folders produced by httpSniffer.

Don’t forget to reset the configuration for other tutorials:

$ t2conf httpSniffer -D HTTP_SAVE_IMAGE=0 -D HTTP_SAVE_TEXT=0 -D HTTP_SAVE_APPL=00
$ t2conf smtpDecode -D SMTP_SAVE=0
$

Play a bit around with the other extracting plugins and your own traffic. Have fun!