Tutorial: HyperText Transfer Protocol (HTTP)

This tutorial discusses the plugin httpSniffer.

Preparation

Before we start, we need to prepare T2. If you have not completed the previous tutorials, just follow the procedure described below.

First, I recommend putting T2 into a pristine state by removing all unnecessary or outdated plugins from the default plugin folder ~/.tranalyzer/plugins, just as a precaution in case old plugins or files are still there. If you want to keep them, copy them somewhere else first.

$ t2build -e
Are you sure you want to empty the plugin folder '/home/wurst/.tranalyzer/plugins' (y/N)? y
Plugin folder emptied
$

Then compile the following plugins:

$ t2build tranalyzer2 basicFlow tcpStates httpSniffer txtSink
...
BUILD SUCCESSFUL

$

If you have not yet created separate data and results directories, do it now in another command window; it simplifies your workflow:

$ mkdir ~/data ~/results
$

Download the sample pcap here: 2015-05-08-traffic-analysis-exercise.pcap (Source: malware-traffic-analysis.net). Now you’re all set.

httpSniffer

Let’s look at the plugin configuration first:

$ httpSniffer
$ vi src/httpSniffer.h
...
/* ========================================================================== */
/* ------------------------ USER CONFIGURATION FLAGS ------------------------ */
/* ========================================================================== */

#define HTTP_MIME      1 // 1: print mime type in flow file; 0: print # of mime types only
#define HTTP_STAT      1 // 1: print response status code in flow file; 0: print # of status codes only
#define HTTP_MCNT      1 // 1: method counts: GET, POST
#define HTTP_HOST      1 // 1: print hosts in flow file; 0: print # of hosts only
#define HTTP_URL       1 // 1: print URL in flow file; 0: print # of URL only
#define HTTP_COOKIE    1 // 1: print cookies in flow file; 0: print # of cookies only
#define HTTP_IMAGE     1 // 1: print image name in flow file; 0: print # of images only
#define HTTP_VIDEO     1 // 1: print video name in flow file; 0: print # of videos only
#define HTTP_AUDIO     1 // 1: print audio name in flow file; 0: print # of audios only
#define HTTP_MSG       1 // 1: print message name in flow file; 0: print # of messages only
#define HTTP_APPL      1 // 1: print application name in flow file; 0: print # of applications only
#define HTTP_TEXT      1 // 1: print text name in flow file; 0: print # of texts only
#define HTTP_PUNK      1 // 1: print POST/unknown and all else name in flow file; 0: print # of POST/unknown/else only
#define HTTP_BODY      1 // 1: content body exam, print anomaly bits in flow file; 0: none
#define HTTP_BDURL     1 // 1: print body url name in flow file; 0: none
#define HTTP_USRAG     1 // 1: print User-Agents in flow file; 0: none
#define HTTP_XFRWD     1 // 1: print X-Forward-For in flow file; 0: none
#define HTTP_REFRR     1 // 1: print Referer in flow file; 0: none
#define HTTP_VIA       1 // 1: print Via in flow file; 0: none
#define HTTP_LOC       1 // 1: print Location in flow file; 0: none
#define HTTP_SERV      1 // 1: print Server in flow file; 0: none
#define HTTP_PWR       1 // 1: print X-Powered-By in flow file; 0: none

#define HTTP_STATAGA   1 // 1: aggregate stat response in flow file; 0: don't
#define HTTP_MIMEAGA   1 // 1: aggregate mime response in flow file; 0: don't
#define HTTP_HOSTAGA   1 // 1: aggregate Host in flow file; 0: don't
#define HTTP_URLAGA    1 // 1: aggregate URL in flow file; 0: don't
#define HTTP_USRAGA    1 // 1: aggregate User-Agents in flow file; 0: don't
#define HTTP_XFRWDA    1 // 1: aggregate X-Forwarded-For in flow file; 0: don't
#define HTTP_REFRRA    1 // 1: aggregate Referer in flow file; 0: don't
#define HTTP_VIAA      1 // 1: aggregate Via in flow file; 0: don't
#define HTTP_LOCA      1 // 1: aggregate Location in flow file; 0: don't
#define HTTP_SERVA     1 // 1: aggregate Server in flow file; 0: don't
#define HTTP_PWRA      1 // 1: aggregate X-Powered-By in flow file; 0: don't

//#define HTTP_ENT  0    // entropy calculation, not implemented yet

// data carving modes
#define HTTP_SAVE_IMAGE   0 // 1: Save images in files under HTTP_IMAGE_PATH; 0: Don't save images
#define HTTP_SAVE_VIDEO   0 // 1: Save videos in files under HTTP_VIDEO_PATH; 0: Don't save videos
#define HTTP_SAVE_AUDIO   0 // 1: Save audios in files under HTTP_AUDIO_PATH; 0: Don't save audios
#define HTTP_SAVE_MSG     0 // 1: Save messages in files under HTTP_MSG_PATH; 0: Don't save messages
#define HTTP_SAVE_TEXT    0 // 1: Save texts in files under HTTP_TEXT_PATH; 0: Don't save texts
#define HTTP_SAVE_APPL    0 // 1: Save applications in files under HTTP_APPL_PATH; 0: Don't save applications
#define HTTP_SAVE_PUNK    0 // 1: Save POST/else/unknown content in files under HTTP_PUNK_PATH; 0: Don't save it

#define HTTP_RMDIR        1 // empty HTTP_*_PATH before starting (requires at least one of HTTP_SAVE_*=1)

// User defined storage boundary conditions
#define HTTP_PATH "/tmp/" // root path

#define HTTP_IMAGE_PATH HTTP_PATH "httpPicture/" // Path for pictures
#define HTTP_VIDEO_PATH HTTP_PATH "httpVideo/"   // Path for videos
#define HTTP_AUDIO_PATH HTTP_PATH "httpAudio/"   // Path for audios
#define HTTP_MSG_PATH   HTTP_PATH "httpMSG/"     // Path for messages
#define HTTP_TEXT_PATH  HTTP_PATH "httpText/"    // Path for texts
#define HTTP_APPL_PATH  HTTP_PATH "httpAppl/"    // Path for applications
#define HTTP_PUNK_PATH  HTTP_PATH "httpPunk/"    // Path for POST / else / unknown content

#define HTTP_NONAME "nudel" // name of files without name

#define HTTP_DATA_C_MAX  40 // Maximum dimension of storage arrays per flow
#define HTTP_MXFILE_LEN  80 // Maximum storage name length
#define HTTP_MXUA_LEN   400 // User-Agent length
#define HTTP_MXXF_LEN    80 // X-Forwarded-For length

/* ========================================================================== */
/* ------------------------- DO NOT EDIT BELOW HERE ------------------------- */
/* ========================================================================== */
...

Run t2 on the supplied pcap.

$ t2 -r ~/data/2015-05-08-traffic-analysis-exercise.pcap -w ~/results/
================================================================================
Tranalyzer 0.8.10 (Anteater), Tarantula. PID: 21830
================================================================================
[INF] Creating flows for L2, IPv4, IPv6
Active plugins:
    01: basicFlow, 0.8.10
    02: tcpStates, 0.8.10
    03: httpSniffer, 0.8.10
    04: txtSink, 0.8.10
[INF] IPv4 Ver: 5, Rev: 16122020, Range Mode: 0, subnet ranges loaded: 406077 (406.08 K)
[INF] IPv6 Ver: 5, Rev: 17122020, Range Mode: 0, subnet ranges loaded: 51069 (51.07 K)
Processing file: /home/wurst/data/2015-05-08-traffic-analysis-exercise.pcap
Link layer type: Ethernet [EN10MB/1]
Dump start: 1431031896.723375 sec (Thu 07 May 2015 20:51:36 GMT)
Dump stop : 1431032021.842982 sec (Thu 07 May 2015 20:53:41 GMT)
Total dump duration: 125.119607 sec (2m 5s)
Finished processing. Elapsed time: 0.005148 sec
Finished unloading flow memory. Time: 0.006716 sec
Percentage completed: 100.00%
Number of processed packets: 761
Number of processed bytes: 495665 (495.67 K)
Number of raw bytes: 495665 (495.67 K)
Number of pad bytes: 1857 (1.86 K)
Number of pcap bytes: 507865 (507.87 K)
Number of IPv4 packets: 761 [100.00%]
Number of A packets: 305 [40.08%]
Number of B packets: 456 [59.92%]
Number of A bytes: 34638 (34.64 K) [6.99%]
Number of B bytes: 461027 (461.03 K) [93.01%]
Average A packet load: 113.57
Average B packet load: 1011.02
--------------------------------------------------------------------------------
tcpStates: Aggregated tcpStatesAFlags=0x42
httpSniffer: Aggregated httpStat=0x003c
httpSniffer: Aggregated httpAFlags=0x1103
httpSniffer: Aggregated httpCFlags=0x0010
httpSniffer: Aggregated httpHeadMimes=0x0045
httpSniffer: Number of files img_vid_aud_msg_txt_app_unk: 13_0_0_0_22_10_0
httpSniffer: Number of HTTP packets: 415 [54.53%]
httpSniffer: Number of HTTP GET  requests: 28 [6.75%]
httpSniffer: Number of HTTP POST requests: 9 [2.17%]
httpSniffer: HTTP GET/POST ratio: 3.11
--------------------------------------------------------------------------------
Headers count: min: 3, max: 3, average: 3.00
Number of TCP packets: 745 [97.90%]
Number of TCP bytes: 493885 (493.88 K) [99.64%]
Number of UDP packets: 16 [2.10%]
Number of UDP bytes: 1780 (1.78 K) [0.36%]
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Number of processed   flows: 68
Number of processed A flows: 34 [50.00%]
Number of processed B flows: 34 [50.00%]
Number of request     flows: 34 [50.00%]
Number of reply       flows: 34 [50.00%]
Total   A/B    flow asymmetry: 0.00
Total req/rply flow asymmetry: 0.00
Number of processed   packets/flows: 11.19
Number of processed A packets/flows: 8.97
Number of processed B packets/flows: 13.41
Number of processed total packets/s: 6.08
Number of processed A+B   packets/s: 6.08
Number of processed A     packets/s: 2.44
Number of processed   B   packets/s: 3.64
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Number of average processed flows/s: 0.54
Average full raw bandwidth: 31692 b/s (31.69 Kb/s)
Average full bandwidth : 31574 b/s (31.57 Kb/s)
Max number of flows in memory: 56 [0.02%]
Memory usage: 0.02 GB [0.02%]
Aggregated flowStat=0x0400000000004000
[INF] IPv4 flows

So the aggregated httpStat tells us there is HTTP traffic in the pcap. The -V option of tawk decodes the aggregated values reported at the end of the run:

$ tawk -V httpStat=0x003c -V httpAFlags=0x1103 -V httpCFlags=0x0010 -V httpHeadMimes=0x0045
The httpStat column with value 0x003c is to be interpreted as follows:

   bit | httpStat | Description
   =============================================================================
     2 | 0x0004   | Internal state: pending URL name
     3 | 0x0008   | HTTP flow
     4 | 0x0010   | Internal state: Chunked transfer
     5 | 0x0020   | Internal state: HTTP flow detected


The httpAFlags column with value 0x1103 is to be interpreted as follows:

   bit | httpAFlags | Description
   =============================================================================
     0 | 0x0001     | POST query with parameters
     1 | 0x0002     | Host is IPv4, e.g., Host: 1.2.3.4
     8 | 0x0100     | X-Site Scripting protection
    12 | 0x1000     | Possible EXE download


The httpCFlags column with value 0x0010 is to be interpreted as follows:

   bit | httpCFlags | Description
   =============================================================================
     4 | 0x0010     | Potential HTTP content


The httpHeadMimes column with value 0x0045 is to be interpreted as follows:

   bit | httpHeadMimes | Description
   =============================================================================
     0 | 0x0001        | Application
     2 | 0x0004        | Image
     6 | 0x0040        | Text

The file counter img_vid_aud_msg_txt_app_unk: 13_0_0_0_22_10_0 reports 13 images, 22 texts and 10 applications. The following tawk one-liner splits the corresponding column httpImg_Vid_Aud_Msg_Txt_App_Unk on "_" and prints every flow that carries at least one image, text or application:

$ tawk '{ split($httpImg_Vid_Aud_Msg_Txt_App_Unk, A, "_"); if (A[1] || A[5] || A[6]) print }' ~/results/2015-05-08-traffic-analysis-exercise_flows.txt | tcol
%dir  flowInd  flowStat            timeFirst          timeLast           duration   numHdrDesc  numHdrs  hdrDesc       srcMac             dstMac             ethType  ethVlanID  srcIP            srcIPCC  srcIPOrg                          srcPort  dstIP            dstIPCC  dstIPOrg                          dstPort  l4Proto  tcpStates  httpStat  httpAFlags  httpMethods  httpHeadMimes  httpCFlags  httpGet_Post  httpRSCnt  httpRSCode  httpURL_Via_Loc_Srv_Pwr_UAg_XFr_Ref_Cky_Mim  httpImg_Vid_Aud_Msg_Txt_App_Unk  httpHosts                          httpURL                                                        httpMimes                               httpCookies                                                                    httpImages                                                                                 httpVideos  httpAudios  httpMsgs  httpAppl                                                                httpText                                                                httpPunk  httpBdyURL  httpUsrAg                                                                                                                                                         httpXFor  httpRefrr                                         httpVia  httpLoc  httpServ                                          httpPwr
B     2        0x0400000000004001  1431031897.090353  1431031897.467080  0.376727   1           3        eth:ipv4:tcp  00:00:00:00:00:00  00:00:00:00:00:00  0x0800              62.75.195.236    -        "-"                               80       192.168.138.158  07       "Private network"                 49184    6        0x00       0x0068    0x0000      0x00         0x0040         0x0010      0_0           1          200         0_0_0_1_1_0_0_0_0_1                          0_0_0_0_1_0_0                                                                                                                      "text/html"                                                                                                                                                                                                                                                                                                                 "__285a4d4e4e5a4d4d4649584c5d43064b4745_B_2_1_0"                                                                                                                                                                                                                                                                                              "Apache/2.2.15 (CentOS) DAV/2 mod_fastcgi/2.4.6"  "PHP/5.3.3"
B     7        0x0400000000004001  1431031898.870027  1431031899.146185  0.276158   1           3        eth:ipv4:tcp  00:00:00:00:00:00  00:00:00:00:00:00  0x0800              62.75.195.236    -        "-"                               80       192.168.138.158  07       "Private network"                 49188    6        0x00       0x0068    0x0000      0x00         0x0040         0x0010      0_0           1          200         0_0_0_1_1_0_0_0_0_1                          0_0_0_0_1_0_0                                                                                                                      "text/html"                                                                                                                                                                                                                                                                                                                 "_aa25f5fe2875e3d0a244e6969e589cc4_B_7_1_0"                                                                                                                                                                                                                                                                                                   "Apache/2.2.15 (CentOS) DAV/2 mod_fastcgi/2.4.6"  "PHP/5.3.3"
A     21       0x0400000000004000  1431031903.508284  1431031905.661649  2.153365   1           3        eth:ipv4:tcp  00:00:00:00:00:00  00:00:00:00:00:00  0x0800              192.168.138.158  07       "Private network"                 49198    72.34.49.86      us       "IHNetworks"                      80       6        0x00       0x006c    0x0001      0x08         0x0001         0x0010      0_1           0                      1_0_0_0_0_1_0_0_0_1                          0_0_0_0_0_1_0                    "comarksecurity.com"               "/wp-content/themes/grizzly/img5.php?c=cdcnw7cfz43rmtg"        "application/x-www-form-urlencoded"                                                                                                                                                                                                                 "_wp-content_themes_grizzly_img5.php_c=cdcnw7cfz43rmtg_A_21_1_0"                                                                                                      "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)"
B     21       0x0400000000004001  1431031903.559171  1431031905.661533  2.102362   1           3        eth:ipv4:tcp  00:00:00:00:00:00  00:00:00:00:00:00  0x0800              72.34.49.86      us       "IHNetworks"                      80       192.168.138.158  07       "Private network"                 49198    6        0x00       0x0078    0x0000      0x00         0x0040         0x0010      0_0           1          200         0_0_0_1_1_0_0_0_0_1                          0_0_0_0_1_0_0                                                                                                                      "text/html"                                                                                                                                                                                                                                                                                                                 "_wp-content_themes_grizzly_img5.php_c=cdcnw7cfz43rmtg_B_21_1_0"                                                                                                                                                                                                                                                                              "Apache"                                          "PHP/5.3.29"
A     23       0x0400000000004000  1431031905.838183  1431031908.624824  2.786641   1           3        eth:ipv4:tcp  00:00:00:00:00:00  00:00:00:00:00:00  0x0800              192.168.138.158  07       "Private network"                 49200    72.34.49.86      us       "IHNetworks"                      80       6        0x00       0x006c    0x0001      0x08         0x0001         0x0010      0_1           0                      1_0_0_0_0_1_0_0_0_1                          0_0_0_0_0_1_0                    "comarksecurity.com"               "/wp-content/themes/grizzly/img5.php?t=8r1gf1b2t1kuq42"        "application/x-www-form-urlencoded"                                                                                                                                                                                                                 "_wp-content_themes_grizzly_img5.php_t=8r1gf1b2t1kuq42_A_23_1_0"                                                                                                      "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)"
B     23       0x0400000000004001  1431031905.940902  1431031908.624779  2.683877   1           3        eth:ipv4:tcp  00:00:00:00:00:00  00:00:00:00:00:00  0x0800              72.34.49.86      us       "IHNetworks"                      80       192.168.138.158  07       "Private network"                 49200    6        0x00       0x0078    0x0000      0x00         0x0040         0x0010      0_0           1          200         0_0_0_1_1_0_0_0_0_1                          0_0_0_0_1_0_0                                                                                                                      "text/html"                                                                                                                                                                                                                                                                                                                 "_wp-content_themes_grizzly_img5.php_t=8r1gf1b2t1kuq42_B_23_1_0"                                                                                                                                                                                                                                                                              "Apache"                                          "PHP/5.3.29"
B     15       0x0400000000004001  1431031902.907008  1431031903.049134  0.142126   1           3        eth:ipv4:tcp  00:00:00:00:00:00  00:00:00:00:00:00  0x0800              188.165.164.184  -        "-"                               80       192.168.138.158  07       "Private network"                 49195    6        0x02       0x0078    0x0100      0x00         0x0040         0x0010      0_0           1          200         0_0_0_1_0_0_0_0_0_1                          0_0_0_0_1_0_0                                                                                                                      "text/plain"                                                                                                                                                                                                                                                                                                                "__B_15_1_0"                                                                                                                                                                                                                                                                                                                                  "DYNAMIC+"
A     27       0x0400000000004000  1431031915.188019  1431031917.179846  1.991827   1           3        eth:ipv4:tcp  00:00:00:00:00:00  00:00:00:00:00:00  0x0800              192.168.138.158  07       "Private network"                 49204    72.34.49.86      us       "IHNetworks"                      80       6        0x00       0x006c    0x0001      0x08         0x0001         0x0010      0_1           0                      1_0_0_0_0_1_0_0_0_1                          0_0_0_0_0_1_0                    "comarksecurity.com"               "/wp-content/themes/grizzly/img5.php?u=ka6nnuvccqlw9"          "application/x-www-form-urlencoded"                                                                                                                                                                                                                 "_wp-content_themes_grizzly_img5.php_u=ka6nnuvccqlw9_A_27_1_0"                                                                                                        "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)"
B     27       0x0400000000004001  1431031915.292307  1431031917.179749  1.887442   1           3        eth:ipv4:tcp  00:00:00:00:00:00  00:00:00:00:00:00  0x0800              72.34.49.86      us       "IHNetworks"                      80       192.168.138.158  07       "Private network"                 49204    6        0x00       0x0078    0x0000      0x00         0x0040         0x0010      0_0           1          200         0_0_0_1_1_0_0_0_0_1                          0_0_0_0_1_0_0                                                                                                                      "text/html"                                                                                                                                                                                                                                                                                                                 "_wp-content_themes_grizzly_img5.php_u=ka6nnuvccqlw9_B_27_1_0"                                                                                                                                                                                                                                                                                "Apache"                                          "PHP/5.3.29"
B     6        0x0400000000004001  1431031897.801147  1431031961.652768  63.851621  1           3        eth:ipv4:tcp  00:00:00:00:00:00  00:00:00:00:00:00  0x0800              62.75.195.236    -        "-"                               80       192.168.138.158  07       "Private network"                 49186    6        0x02       0x0068    0x0000      0x00         0x0040         0x0010      0_0           1          200         0_0_0_1_1_0_0_0_0_1                          0_0_0_0_1_0_0                                                                                                                      "text/html"                                                                                                                                                                                                                                                                                                                 "__B_6_1_0"                                                                                                                                                                                                                                                                                                                                   "Apache/2.2.15 (CentOS) DAV/2 mod_fastcgi/2.4.6"  "PHP/5.3.3"
B     32       0x0400000000004001  1431031946.186389  1431031950.230839  4.044450   1           3        eth:ipv4:tcp  00:00:00:00:00:00  00:00:00:00:00:00  0x0800              95.163.121.204   ru       "LLC Digital Network"             80       192.168.138.158  07       "Private network"                 49208    6        0x02       0x0068    0x0000      0x00         0x0004         0x0010      0_0           1          200         0_0_0_1_1_0_0_0_0_1                          2_0_0_0_0_0_0                                                                                                                      "image/png"                                                                                                            "_picture.php_k=11iqmfg&b7f2a994c3eaaf014608b272c46cf764_B_32_1_0";"_img_rb.png_B_32_3_1"                                                                                                                                                                                                                                                                                                                                                                                                                                                          "nginx/1.2.1"                                     "PHP/5.4.39-0+deb7u2"
B     5        0x0400000000004001  1431031897.787957  1431031898.067694  0.279737   1           3        eth:ipv4:tcp  00:00:00:00:00:00  00:00:00:00:00:00  0x0800              62.75.195.236    -        "-"                               80       192.168.138.158  07       "Private network"                 49185    6        0x02       0x0068    0x0000      0x00         0x0001         0x0010      0_0           1          200         0_0_0_1_1_0_0_0_0_1                          0_0_0_0_0_1_0                                                                                                                      "application/x-shockwave-flash"                                                                                                                                                                                                                     "__B_5_1_0"                                                                                                                                                                                                                                                                                                                                                                                                           "Apache/2.2.15 (CentOS) DAV/2 mod_fastcgi/2.4.6"  "PHP/5.3.3"
B     8        0x0400000000004001  1431031899.272356  1431031900.101930  0.829574   1           3        eth:ipv4:tcp  00:00:00:00:00:00  00:00:00:00:00:00  0x0800              62.75.195.236    -        "-"                               80       192.168.138.158  07       "Private network"                 49189    6        0x02       0x0068    0x1000      0x00         0x0040         0x0010      0_0           1          200         0_0_0_1_1_0_0_0_0_1                          0_0_0_0_1_0_0                                                                                                                      "text/html"                                                                                                                                                                                                                                                                                                                 "__b514ee6f0fe486009a6d83b035a4c0bd_B_8_1_0"                                                                                                                                                                                                                                                                                                  "Apache/2.2.15 (CentOS) DAV/2 mod_fastcgi/2.4.6"  "PHP/5.3.3"
B     9        0x0400000000004001  1431031901.437910  1431031901.594209  0.156299   1           3        eth:ipv4:tcp  00:00:00:00:00:00  00:00:00:00:00:00  0x0800              62.75.195.236    -        "-"                               80       192.168.138.158  07       "Private network"                 49190    6        0x02       0x0078    0x0000      0x00         0x0040         0x0010      0_0           1          200         0_0_0_1_1_0_0_0_0_1                          0_0_0_0_1_0_0                                                                                                                      "text/html"                                                                                                                                                                                                                                                                                                                 "__b2566564b3ba1a38e61c83957a7dbcd5_B_9_1_0"                                                                                                                                                                                                                                                                                                  "Apache/2.2.15 (CentOS) DAV/2 mod_fastcgi/2.4.6"  "PHP/5.3.3"
B     31       0x0400000000004001  1431031946.186400  1431031952.217120  6.030720   1           3        eth:ipv4:tcp  00:00:00:00:00:00  00:00:00:00:00:00  0x0800              95.163.121.204   ru       "LLC Digital Network"             80       192.168.138.158  07       "Private network"                 49207    6        0x02       0x0068    0x0000      0x00         0x0004         0x0010      0_0           1          200         0_0_0_1_0_0_0_0_0_2                          2_0_0_0_0_0_0                                                                                                                      "image/png";"image/vnd.microsoft.icon"                                                                                 "_img_flags_es.png_B_31_1_0";"_favicon.ico_B_31_2_1"                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               "nginx/1.2.1"
B     10       0x0400000000004001  1431031901.748731  1431031901.905523  0.156792   1           3        eth:ipv4:tcp  00:00:00:00:00:00  00:00:00:00:00:00  0x0800              62.75.195.236    -        "-"                               80       192.168.138.158  07       "Private network"                 49191    6        0x02       0x0078    0x0000      0x00         0x0040         0x0010      0_0           1          200         0_0_0_1_1_0_0_0_0_1                          0_0_0_0_1_0_0                                                                                                                      "text/html"                                                                                                                                                                                                                                                                                                                 "__3a08b0be8322c244f5a1cb9c1057d941_B_10_1_0"                                                                                                                                                                                                                                                                                                 "Apache/2.2.15 (CentOS) DAV/2 mod_fastcgi/2.4.6"  "PHP/5.3.3"
B     11       0x0400000000004001  1431031902.059710  1431031902.440796  0.381086   1           3        eth:ipv4:tcp  00:00:00:00:00:00  00:00:00:00:00:00  0x0800              62.75.195.236    -        "-"                               80       192.168.138.158  07       "Private network"                 49192    6        0x02       0x0078    0x0000      0x00         0x0040         0x0010      0_0           1          200         0_0_0_1_1_0_0_0_0_1                          0_0_0_0_1_0_0                                                                                                                      "text/html"                                                                                                                                                                                                                                                                                                                 "__d71e0bd86db9587158745a986a4b3606_B_11_1_0"                                                                                                                                                                                                                                                                                                 "Apache/2.2.15 (CentOS) DAV/2 mod_fastcgi/2.4.6"  "PHP/5.3.3"
B     12       0x0400000000004001  1431031902.592729  1431031902.752525  0.159796   1           3        eth:ipv4:tcp  00:00:00:00:00:00  00:00:00:00:00:00  0x0800              62.75.195.236    -        "-"                               80       192.168.138.158  07       "Private network"                 49193    6        0x02       0x0078    0x0000      0x00         0x0040         0x0010      0_0           1          200         0_0_0_1_1_0_0_0_0_1                          0_0_0_0_1_0_0                                                                                                                      "text/html"                                                                                                                                                                                                                                                                                                                 "__34eaf8bd50d85d8c6baacb45f0a7b22e_B_12_1_0"                                                                                                                                                                                                                                                                                                 "Apache/2.2.15 (CentOS) DAV/2 mod_fastcgi/2.4.6"  "PHP/5.3.3"
B     14       0x0400000000004001  1431031902.893639  1431031903.051071  0.157432   1           3        eth:ipv4:tcp  00:00:00:00:00:00  00:00:00:00:00:00  0x0800              62.75.195.236    -        "-"                               80       192.168.138.158  07       "Private network"                 49194    6        0x02       0x0078    0x0000      0x00         0x0040         0x0010      0_0           1          200         0_0_0_1_1_0_0_0_0_1                          0_0_0_0_1_0_0                                                                                                                      "text/html"                                                                                                                                                                                                                                                                                                                 "__60dbe33b908e0086292196ef001816bc_B_14_1_0"                                                                                                                                                                                                                                                                                                 "Apache/2.2.15 (CentOS) DAV/2 mod_fastcgi/2.4.6"  "PHP/5.3.3"
A     18       0x0400000000004000  1431031903.090317  1431031903.288476  0.198159   1           3        eth:ipv4:tcp  00:00:00:00:00:00  00:00:00:00:00:00  0x0800              192.168.138.158  07       "Private network"                 49197    204.152.254.221  us       "Brinkster Communications Corpo"  80       6        0x02       0x006c    0x0001      0x08         0x0001         0x0010      0_1           0                      1_0_0_0_0_1_0_0_0_1                          0_0_0_0_0_1_0                    "runlove.us"                       "/wp-content/themes/twentyfifteen/img5.php?t=cdcnw7cfz43rmtg"  "application/x-www-form-urlencoded"                                                                                                                                                                                                                 "_wp-content_themes_twentyfifteen_img5.php_t=cdcnw7cfz43rmtg_A_18_1_0"                                                                                                "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)"
B     18       0x0400000000004001  1431031903.132272  1431031903.288564  0.156292   1           3        eth:ipv4:tcp  00:00:00:00:00:00  00:00:00:00:00:00  0x0800              204.152.254.221  us       "Brinkster Communications Corpo"  80       192.168.138.158  07       "Private network"                 49197    6        0x02       0x0068    0x0000      0x00         0x0040         0x0010      0_0           1          404         0_0_0_1_0_0_0_0_0_1                          0_0_0_0_1_0_0                                                                                                                      "text/html"                                                                                                                                                                                                                                                                                                                 "_wp-content_themes_twentyfifteen_img5.php_t=cdcnw7cfz43rmtg_B_18_1_0"                                                                                                                                                                                                                                                                        "Apache"
B     16       0x0400000000004001  1431031903.188176  1431031903.341751  0.153575   1           3        eth:ipv4:tcp  00:00:00:00:00:00  00:00:00:00:00:00  0x0800              62.75.195.236    -        "-"                               80       192.168.138.158  07       "Private network"                 49196    6        0x02       0x0078    0x0000      0x00         0x0040         0x0010      0_0           1          200         0_0_0_1_1_0_0_0_0_1                          0_0_0_0_1_0_0                                                                                                                      "text/html"                                                                                                                                                                                                                                                                                                                 "__51424ddd486ff06861fceed24e86b329_B_16_1_0"                                                                                                                                                                                                                                                                                                 "Apache/2.2.15 (CentOS) DAV/2 mod_fastcgi/2.4.6"  "PHP/5.3.3"
A     22       0x0400000000004000  1431031905.650875  1431031905.834393  0.183518   1           3        eth:ipv4:tcp  00:00:00:00:00:00  00:00:00:00:00:00  0x0800              192.168.138.158  07       "Private network"                 49199    204.152.254.221  us       "Brinkster Communications Corpo"  80       6        0x02       0x006c    0x0001      0x08         0x0001         0x0010      0_1           0                      1_0_0_0_0_1_0_0_0_1                          0_0_0_0_0_1_0                    "runlove.us"                       "/wp-content/themes/twentyfifteen/img5.php?l=8r1gf1b2t1kuq42"  "application/x-www-form-urlencoded"                                                                                                                                                                                                                 "_wp-content_themes_twentyfifteen_img5.php_l=8r1gf1b2t1kuq42_A_22_1_0"                                                                                                "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)"
B     22       0x0400000000004001  1431031905.709435  1431031905.834454  0.125019   1           3        eth:ipv4:tcp  00:00:00:00:00:00  00:00:00:00:00:00  0x0800              204.152.254.221  us       "Brinkster Communications Corpo"  80       192.168.138.158  07       "Private network"                 49199    6        0x02       0x0068    0x0000      0x00         0x0040         0x0010      0_0           1          404         0_0_0_1_0_0_0_0_0_1                          0_0_0_0_1_0_0                                                                                                                      "text/html"                                                                                                                                                                                                                                                                                                                 "_wp-content_themes_twentyfifteen_img5.php_l=8r1gf1b2t1kuq42_B_22_1_0"                                                                                                                                                                                                                                                                        "Apache"
A     24       0x0400000000004000  1431031908.613660  1431031908.779062  0.165402   1           3        eth:ipv4:tcp  00:00:00:00:00:00  00:00:00:00:00:00  0x0800              192.168.138.158  07       "Private network"                 49201    204.152.254.221  us       "Brinkster Communications Corpo"  80       6        0x02       0x006c    0x0001      0x08         0x0001         0x0010      0_1           0                      1_0_0_0_0_1_0_0_0_1                          0_0_0_0_0_1_0                    "runlove.us"                       "/wp-content/themes/twentyfifteen/img5.php?u=mfymi71rapdzk"    "application/x-www-form-urlencoded"                                                                                                                                                                                                                 "_wp-content_themes_twentyfifteen_img5.php_u=mfymi71rapdzk_A_24_1_0"                                                                                                  "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)"
B     24       0x0400000000004001  1431031908.667116  1431031908.779106  0.111990   1           3        eth:ipv4:tcp  00:00:00:00:00:00  00:00:00:00:00:00  0x0800              204.152.254.221  us       "Brinkster Communications Corpo"  80       192.168.138.158  07       "Private network"                 49201    6        0x02       0x0068    0x0000      0x00         0x0040         0x0010      0_0           1          404         0_0_0_1_0_0_0_0_0_1                          0_0_0_0_1_0_0                                                                                                                      "text/html"                                                                                                                                                                                                                                                                                                                 "_wp-content_themes_twentyfifteen_img5.php_u=mfymi71rapdzk_B_24_1_0"                                                                                                                                                                                                                                                                          "Apache"
A     25       0x0400000000004000  1431031908.780729  1431031912.367847  3.587118   1           3        eth:ipv4:tcp  00:00:00:00:00:00  00:00:00:00:00:00  0x0800              192.168.138.158  07       "Private network"                 49202    72.34.49.86      us       "IHNetworks"                      80       6        0x02       0x006c    0x0001      0x08         0x0001         0x0010      0_1           0                      1_0_0_0_0_1_0_0_0_1                          0_0_0_0_0_1_0                    "comarksecurity.com"               "/wp-content/themes/grizzly/img5.php?u=mfymi71rapdzk"          "application/x-www-form-urlencoded"                                                                                                                                                                                                                 "_wp-content_themes_grizzly_img5.php_u=mfymi71rapdzk_A_25_1_0"                                                                                                        "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)"
B     25       0x0400000000004001  1431031908.886579  1431031912.367927  3.481348   1           3        eth:ipv4:tcp  00:00:00:00:00:00  00:00:00:00:00:00  0x0800              72.34.49.86      us       "IHNetworks"                      80       192.168.138.158  07       "Private network"                 49202    6        0x02       0x0078    0x0000      0x00         0x0040         0x0010      0_0           1          200         0_0_0_1_1_0_0_0_0_1                          0_0_0_0_1_0_0                                                                                                                      "text/html"                                                                                                                                                                                                                                                                                                                 "_wp-content_themes_grizzly_img5.php_u=mfymi71rapdzk_B_25_1_0"                                                                                                                                                                                                                                                                                "Apache"                                          "PHP/5.3.29"
A     26       0x0400000000004000  1431031914.993554  1431031915.185509  0.191955   1           3        eth:ipv4:tcp  00:00:00:00:00:00  00:00:00:00:00:00  0x0800              192.168.138.158  07       "Private network"                 49203    204.152.254.221  us       "Brinkster Communications Corpo"  80       6        0x02       0x006c    0x0001      0x08         0x0001         0x0010      0_1           0                      1_0_0_0_0_1_0_0_0_1                          0_0_0_0_0_1_0                    "runlove.us"                       "/wp-content/themes/twentyfifteen/img5.php?f=ka6nnuvccqlw9"    "application/x-www-form-urlencoded"                                                                                                                                                                                                                 "_wp-content_themes_twentyfifteen_img5.php_f=ka6nnuvccqlw9_A_26_1_0"                                                                                                  "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)"
B     26       0x0400000000004001  1431031915.035444  1431031915.185568  0.150124   1           3        eth:ipv4:tcp  00:00:00:00:00:00  00:00:00:00:00:00  0x0800              204.152.254.221  us       "Brinkster Communications Corpo"  80       192.168.138.158  07       "Private network"                 49203    6        0x02       0x0068    0x0000      0x00         0x0040         0x0010      0_0           1          404         0_0_0_1_0_0_0_0_0_1                          0_0_0_0_1_0_0                                                                                                                      "text/html"                                                                                                                                                                                                                                                                                                                 "_wp-content_themes_twentyfifteen_img5.php_f=ka6nnuvccqlw9_B_26_1_0"                                                                                                                                                                                                                                                                          "Apache"
A     33       0x0400000000004000  1431031945.999417  1431032021.842696  75.843279  1           3        eth:ipv4:tcp  00:00:00:00:00:00  00:00:00:00:00:00  0x0800              192.168.138.158  07       "Private network"                 49209    95.163.121.204   ru       "LLC Digital Network"             80       6        0x42       0x006c    0x0000      0x0a         0x0001         0x0010      1_1           0                      2_0_0_0_0_1_0_1_2_1                          0_0_0_0_0_1_0                    "7oqnsnzwwnm6zb7y.gigapaysun.com"  "/img/flags/de.png";"/11iQmfg"                                 "application/x-www-form-urlencoded"     "PHPSESSID=uqq1670l1pkd07vgdnsg98dee5";"PHPSESSID=uqq1670l1pkd07vgdnsg98dee5"                                                                                                                               "_11iQmfg_A_33_2_0"                                                                                                                                                   "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)"            "http://7oqnsnzwwnm6zb7y.gigapaysun.com/11iQmfg"
B     33       0x0400000000004001  1431031946.199749  1431031957.906658  11.706909  1           3        eth:ipv4:tcp  00:00:00:00:00:00  00:00:00:00:00:00  0x0800              95.163.121.204   ru       "LLC Digital Network"             80       192.168.138.158  07       "Private network"                 49209    6        0x02       0x0078    0x0000      0x00         0x0044         0x0010      0_0           1          200         0_0_0_1_1_0_0_0_0_2                          1_0_0_0_1_0_0                                                                                                                      "image/png";"text/html"                                                                                                "_img_flags_de.png_B_33_1_0"                                                                                                                                                                         "_11iQmfg_B_33_2_0"                                                                                                                                                                                                                                                                                                                           "nginx/1.2.1"                                     "PHP/5.4.39-0+deb7u2"
B     30       0x0400000000004001  1431031944.192640  1431031960.017404  15.824764  1           3        eth:ipv4:tcp  00:00:00:00:00:00  00:00:00:00:00:00  0x0800              95.163.121.204   ru       "LLC Digital Network"             80       192.168.138.158  07       "Private network"                 49206    6        0x02       0x0068    0x0000      0x00         0x0044         0x0010      0_0           2          200;304     0_0_0_1_0_0_0_0_0_2                          2_0_0_0_1_0_0                                                                                                                      "text/css";"image/png"                                                                                                 "_img_flags_it.png_B_30_5_0";"_img_flags_fr.png_B_30_6_1"                                                                                                                                            "_img_style.css_B_30_1_0"                                                                                                                                                                                                                                                                                                                     "nginx/1.2.1"
B     29       0x0400000000004001  1431031941.537441  1431031962.048801  20.511360  1           3        eth:ipv4:tcp  00:00:00:00:00:00  00:00:00:00:00:00  0x0800              95.163.121.204   ru       "LLC Digital Network"             80       192.168.138.158  07       "Private network"                 49205    6        0x02       0x0068    0x0000      0x00         0x0044         0x0010      0_0           1          200         0_0_0_1_1_0_0_0_0_2                          3_0_0_0_1_0_0                                                                                                                      "text/html";"image/png"                                                                                                "_img_flags_us.png_B_29_3_0";"_img_rt.png_B_29_4_1";"_img_bitcoin.png_B_29_5_2"                                                                                                                      "_11iQmfg_B_29_1_0"                                                                                                                                                                                                                                                                                                                           "nginx/1.2.1"                                     "PHP/5.4.39-0+deb7u2"
B     34       0x0400000000004001  1431031946.186402  1431031962.095257  15.908855  1           3        eth:ipv4:tcp  00:00:00:00:00:00  00:00:00:00:00:00  0x0800              95.163.121.204   ru       "LLC Digital Network"             80       192.168.138.158  07       "Private network"                 49210    6        0x02       0x0068    0x0000      0x00         0x0004         0x0010      0_0           1          200         0_0_0_1_0_0_0_0_0_1                          3_0_0_0_0_0_0                                                                                                                      "image/png"                                                                                                            "_img_lt.png_B_34_1_0";"_img_lb.png_B_34_2_1";"_img_button_pay.png_B_34_3_2"                                                                                                                                                                                                                                                                                                                                                                                                                                                                       "nginx/1.2.1"

Now you see every HTTP request and response being exchanged, including content names and file names. Yes, really fishy. To see which host requests which file:

$  tawk -H '{ print $httpHosts, $httpURL}' ~/results/2015-05-08-traffic-analysis-exercise_flows.txt | sort | tcol
"62.75.195.236"                                                                  "/?34eaf8bd50d85d8c6baacb45f0a7b22e"
"62.75.195.236"                                                                  "/?3a08b0be8322c244f5a1cb9c1057d941"
"62.75.195.236"                                                                  "/?51424ddd486ff06861fceed24e86b329"
"62.75.195.236"                                                                  "/?60dbe33b908e0086292196ef001816bc"
"62.75.195.236"                                                                  "/aa25f5fe2875e3d0a244e6969e589cc4"
"62.75.195.236"                                                                  "/?b2566564b3ba1a38e61c83957a7dbcd5"
"62.75.195.236"                                                                  "/?b514ee6f0fe486009a6d83b035a4c0bd"
"62.75.195.236"                                                                  "/?d71e0bd86db9587158745a986a4b3606"
"7oqnsnzwwnm6zb7y.gigapaysun.com"                                                "/11iQmfg";"/img/flags/us.png";"/img/rt.png";"/img/bitcoin.png"
"7oqnsnzwwnm6zb7y.gigapaysun.com"                                                "/img/flags/de.png";"/11iQmfg"
"7oqnsnzwwnm6zb7y.gigapaysun.com"                                                "/img/flags/es.png";"/favicon.ico"
"7oqnsnzwwnm6zb7y.gigapaysun.com"                                                "/img/lt.png";"/img/lb.png";"/img/button_pay.png"
"7oqnsnzwwnm6zb7y.gigapaysun.com"                                                "/img/style.css";"/img/flags/it.png";"/img/flags/fr.png"
"7oqnsnzwwnm6zb7y.gigapaysun.com"                                                "/picture.php?k=11iqmfg&b7f2a994c3eaaf014608b272c46cf764";"/img/rb.png"
"comarksecurity.com"                                                             "/wp-content/themes/grizzly/img5.php?c=cdcnw7cfz43rmtg"
"comarksecurity.com"                                                             "/wp-content/themes/grizzly/img5.php?t=8r1gf1b2t1kuq42"
"comarksecurity.com"                                                             "/wp-content/themes/grizzly/img5.php?u=ka6nnuvccqlw9"
"comarksecurity.com"                                                             "/wp-content/themes/grizzly/img5.php?u=mfymi71rapdzk"
"ip-addr.es"                                                                     "/"
"r03afd2.c3008e.xc07r.b0f.a39.h7f0fa5eu.vb8fbl.e8mfzdgrf7g0.groupprograms.in"    "/"
"runlove.us"                                                                     "/wp-content/themes/twentyfifteen/img5.php?f=ka6nnuvccqlw9"
"runlove.us"                                                                     "/wp-content/themes/twentyfifteen/img5.php?l=8r1gf1b2t1kuq42"
"runlove.us"                                                                     "/wp-content/themes/twentyfifteen/img5.php?t=cdcnw7cfz43rmtg"
"runlove.us"                                                                     "/wp-content/themes/twentyfifteen/img5.php?u=mfymi71rapdzk"
"ubb67.3c147o.u806a4.w07d919.o5f.f1.b80w.r0faf9.e8mfzdgrf7g0.groupprograms.in"   "/"
"va872g.g90e1h.b8.642b63u.j985a2.v33e.37.pa269cc.e8mfzdgrf7g0.groupprograms.in"  "/?285a4d4e4e5a4d4d4649584c5d43064b4745"

Look at the hosts and the URLs. That is malware.

The command and its output can be simplified further by using one of tawk's example functions, namely httpHostsURL():

$ tawk -e 'httpHostsURL()' ~/results/2015-05-08-traffic-analysis-exercise_flows.txt
62.75.195.236
	/?34eaf8bd50d85d8c6baacb45f0a7b22e
	/?3a08b0be8322c244f5a1cb9c1057d941
	/?51424ddd486ff06861fceed24e86b329
	/?60dbe33b908e0086292196ef001816bc
	/?b2566564b3ba1a38e61c83957a7dbcd5
	/?b514ee6f0fe486009a6d83b035a4c0bd
	/?d71e0bd86db9587158745a986a4b3606
	/aa25f5fe2875e3d0a244e6969e589cc4

7oqnsnzwwnm6zb7y.gigapaysun.com
	/11iQmfg
	/favicon.ico
	/img/bitcoin.png
	/img/button_pay.png
	/img/flags/de.png
	/img/flags/es.png
	/img/flags/fr.png
	/img/flags/it.png
	/img/flags/us.png
	/img/lb.png
	/img/lt.png
	/img/rb.png
	/img/rt.png
	/img/style.css
	/picture.php?k=11iqmfg&b7f2a994c3eaaf014608b272c46cf764

comarksecurity.com
	/wp-content/themes/grizzly/img5.php?c=cdcnw7cfz43rmtg
	/wp-content/themes/grizzly/img5.php?t=8r1gf1b2t1kuq42
	/wp-content/themes/grizzly/img5.php?u=ka6nnuvccqlw9
	/wp-content/themes/grizzly/img5.php?u=mfymi71rapdzk

ip-addr.es
	/

r03afd2.c3008e.xc07r.b0f.a39.h7f0fa5eu.vb8fbl.e8mfzdgrf7g0.groupprograms.in
	/

runlove.us
	/wp-content/themes/twentyfifteen/img5.php?f=ka6nnuvccqlw9
	/wp-content/themes/twentyfifteen/img5.php?l=8r1gf1b2t1kuq42
	/wp-content/themes/twentyfifteen/img5.php?t=cdcnw7cfz43rmtg
	/wp-content/themes/twentyfifteen/img5.php?u=mfymi71rapdzk

ubb67.3c147o.u806a4.w07d919.o5f.f1.b80w.r0faf9.e8mfzdgrf7g0.groupprograms.in
	/

va872g.g90e1h.b8.642b63u.j985a2.v33e.37.pa269cc.e8mfzdgrf7g0.groupprograms.in
	/?285a4d4e4e5a4d4d4649584c5d43064b4745

Data carving with httpSniffer

Now we want to extract the content itself. Set HTTP_SAVE_IMAGE, HTTP_SAVE_TEXT and HTTP_SAVE_APPL to 1 in httpSniffer.h, recompile httpSniffer and rerun t2:

$ t2conf httpSniffer -D HTTP_SAVE_IMAGE=1 -D HTTP_SAVE_TEXT=1 -D HTTP_SAVE_APPL=1 && t2build httpSniffer
...
$ t2 -r ~/data/2015-05-08-traffic-analysis-exercise.pcap -w ~/results
...
--------------------------------------------------------------------------------
tcpStates: Aggregated tcpStatesAFlags=0x42
httpSniffer: Max number of file handles: 7
httpSniffer: Number of HTTP packets: 415 [54.53%]
httpSniffer: Number of HTTP GET  requests: 28 [6.75%]
httpSniffer: Number of HTTP POST requests: 9 [2.17%]
httpSniffer: HTTP GET/POST ratio: 3.11
httpSniffer: Aggregated httpStat=0xc53c
httpSniffer: Aggregated httpAFlags=0x1113
httpSniffer: Aggregated httpCFlags=0x0010
httpSniffer: Aggregated httpHeadMimes=0x0045
httpSniffer: Number of files img_vid_aud_msg_txt_app_unk: 13_0_0_0_22_10_0
--------------------------------------------------------------------------------
...
$

The 2nd line in the httpSniffer end report indicates that 7 files are extracted.

$ tawk -V httpStat=0xc53c -V httpAFlags=0x1113 -V httpCFlags=0x0010 -V httpHeadMimes=0x0045
The httpStat column with value 0xc53c is to be interpreted as follows:

   bit | httpStat | Description
   =============================================================================
     2 | 0x0004   | Internal state: pending URL name
     3 | 0x0008   | HTTP flow
     4 | 0x0010   | Internal state: Chunked transfer
     5 | 0x0020   | Internal state: HTTP flow detected
     8 | 0x0100   | Internal state: header shift
    10 | 0x0400   | Internal state: image payload sniffing
    14 | 0x4000   | Internal state: text payload sniffing
    15 | 0x8000   | Internal state: application payload sniffing


The httpAFlags column with value 0x1113 is to be interpreted as follows:

   bit | httpAFlags | Description
   =============================================================================
     0 | 0x0001     | POST query with parameters
     1 | 0x0002     | Host is IPv4, e.g., Host: 1.2.3.4
     4 | 0x0010     | Sequence number violation
     8 | 0x0100     | X-Site Scripting protection
    12 | 0x1000     | Possible EXE download


The httpCFlags column with value 0x0010 is to be interpreted as follows:

   bit | httpCFlags | Description
   =============================================================================
     4 | 0x0010     | Potential HTTP content


The httpHeadMimes column with value 0x0045 is to be interpreted as follows:

   bit | httpHeadMimes | Description
   =============================================================================
     0 | 0x0001        | Application
     2 | 0x0004        | Image
     6 | 0x0040        | Text

Now move to /tmp/:

$ cd /tmp
$ ls
httpAppl        httpPicture     httpText        ...
$

Move into httpPicture:

$ cd httpPicture
$ ls
_favicon.ico_1_31_2_1       _img_button_pay.png_1_34_3_2   _img_flags_es.png_1_31_1_0   _img_flags_it.png_1_30_5_0   _img_lb.png_1_34_2_1   _img_rb.png_1_32_3_1  '_picture.php_k=11iqmfg&b7f2a994c3eaaf014608b272c46cf764_1_32_1_0'
_img_bitcoin.png_1_29_5_2   _img_flags_de.png_1_33_1_0     _img_flags_fr.png_1_30_6_1   _img_flags_us.png_1_29_3_0   _img_lt.png_1_34_1_0   _img_rt.png_1_29_4_1
$

Each file name encodes the flow it was carved from, so every file can be traced back to its flow:

Filename_Flow-Dir(0/1)_findex_#Packet-in-Flow_#Mimetype-in-Flow
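To turn this name coding into the Host and URL that delivered a carved file, here is an added example (not part of Tranalyzer) that parses the names and joins them against the flow file; the flow-file excerpt is constructed from the output above, the '/' and '?' to '_' mapping is inferred from that output, and column names other than httpHosts and httpURL are assumptions.

```python
"""Map files carved by httpSniffer back to the flows that carried them.
Added example, not Tranalyzer code. Name layout from the tutorial:
Filename_Flow-Dir(0/1)_findex_#Packet-in-Flow_#Mimetype-in-Flow
"""
from __future__ import annotations

import csv
from dataclasses import dataclass
from io import StringIO

# Constructed excerpt of a T2 flow file (tab separated, header row), reduced to
# the A (client -> server) half of three flows; that half carries the request.
# Column names other than httpHosts and httpURL are assumptions.
FLOW_FILE = """\
dir\tflowInd\tsrcIP\tdstIP\thttpHosts\thttpURL
A\t30\t192.168.138.158\t95.163.121.204\t"7oqnsnzwwnm6zb7y.gigapaysun.com"\t"/img/style.css";"/img/flags/it.png";"/img/flags/fr.png"
A\t31\t192.168.138.158\t95.163.121.204\t"7oqnsnzwwnm6zb7y.gigapaysun.com"\t"/img/flags/es.png";"/favicon.ico"
A\t18\t192.168.138.158\t204.152.254.221\t"runlove.us"\t"/wp-content/themes/twentyfifteen/img5.php?t=cdcnw7cfz43rmtg"
"""

# Constructed list of carved files as named under /tmp/httpPicture and
# /tmp/httpText (the flow file prints A/B, the file names use 0/1).
CARVED = [
    "_favicon.ico_1_31_2_1",
    "_img_flags_es.png_1_31_1_0",
    "_img_flags_it.png_1_30_5_0",
    "_img_flags_fr.png_1_30_6_1",
    "_img_style.css_1_30_1_0",
    "_wp-content_themes_twentyfifteen_img5.php_t=cdcnw7cfz43rmtg_1_18_1_0",
]


@dataclass(frozen=True)
class CarvedFile:
    name: str        # object name as httpSniffer writes it ('/' and '?' become '_')
    direction: int   # 0 = carved from the A flow, 1 = carved from the B flow
    flow_index: int  # findex, i.e. the flowInd column of the flow file
    packet: int      # n-th packet of the flow that carried the object
    mime_index: int  # n-th object of this MIME class within the flow


def parse_carved_name(filename: str) -> CarvedFile:
    """Split Filename_Dir_findex_pkt_mime. Object names may themselves contain
    '_' (e.g. _img_button_pay.png), so the four numeric fields are split off
    from the right, never from the left."""
    parts = filename.rsplit("_", 4)
    if len(parts) != 5 or parts[1] not in ("0", "1"):
        raise ValueError(f"not a carved-file name: {filename!r}")
    name, direction, findex, pkt, mime = parts
    return CarvedFile(name, int(direction), int(findex), int(pkt), int(mime))


def split_t2_list(field: str) -> list[str]:
    """T2 writes repeated values as "a";"b"; an empty field means no value."""
    return [v.strip('"') for v in field.split(";") if v.strip('"')]


def load_flows(text: str) -> dict[tuple[int, str], dict[str, str]]:
    """Index flow rows by (flowInd, dir) so both halves of a flow are reachable."""
    reader = csv.DictReader(StringIO(text), delimiter="\t", quoting=csv.QUOTE_NONE)
    return {(int(row["flowInd"]), row["dir"]): row for row in reader}


def url_matches(carved_name: str, url: str) -> bool:
    """A carved name is the request URL with '/' and '?' replaced by '_'
    (inferred from the tutorial's output: /?3a08... became __3a08... and
    /picture.php?k=... became _picture.php_k=...)."""
    return url.replace("/", "_").replace("?", "_") == carved_name


def locate(filename: str, flows: dict) -> dict[str, str | int]:
    """Return Host header, server IP and request URL for one carved file; the
    request metadata always sits in the A half, whichever half was carved."""
    cf = parse_carved_name(filename)
    a_row = flows.get((cf.flow_index, "A"))
    if a_row is None:
        raise KeyError(f"flow {cf.flow_index} has no A half in the flow file")
    hosts = split_t2_list(a_row["httpHosts"])
    urls = [u for u in split_t2_list(a_row["httpURL"]) if url_matches(cf.name, u)]
    return {
        "flow": cf.flow_index,
        "carved_from": "B" if cf.direction else "A",
        "server_ip": a_row["dstIP"],
        "host": hosts[0] if hosts else "",
        "url": urls[0] if urls else "",
    }


def files_by_host(filenames, flows: dict) -> dict[str, list[str]]:
    """Group carved objects by the Host they were requested from: the view an
    analyst wants first when, as here, the hosts themselves look malicious."""
    grouped: dict[str, list[str]] = {}
    for f in filenames:
        info = locate(f, flows)
        grouped.setdefault(str(info["host"]), []).append(str(info["url"]))
    return {h: sorted(u) for h, u in sorted(grouped.items())}
```

Run `files_by_host(CARVED, load_flows(FLOW_FILE))` to get, per Host header, the sorted list of request URLs whose responses were carved to disk.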

Open the pictures with your file browser or an image viewer (eog, feh, …), as you prefer. Be careful with the httpAppl folder: the end report flagged a possible EXE download, so treat anything in there as a potential malware sample and do not execute it.

Don’t forget to reset the plugin configuration for the next tutorial.

$ t2conf httpSniffer --reset && t2build httpSniffer
...
$

Have fun analyzing.