Screencast: Retrieve POST data from full packet capture

This is a real story. I spent about 30 mins composing and posting a thoughtful message to an online forum. Upon hitting submit, something broke and the server returned an error. Hitting the back button or pressing refresh did not work. After a burst of profanity, I recalled that we have a full capture NSM tool (Trisul) running in our company, in a little $500 appliance, capturing every flow, URL, and packet our two ISP connections see.

I was able to recover my message within 1 minute.

This little 4-minute screencast shows you how to:

  1. Pull up the list of URLs
  2. Use the form to filter POST requests to a specific server
  3. Pull out PCAPs into a reconstruction tool like Unsniff Network Analyzer
  4. Locate the data in the reconstructed (i.e., unzipped, dechunked) content

Please excuse the poor audio and the developer's voice!

The next post will be about automating this whole process using Ruby and Trisul Remote Protocol.
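What the reconstruction in step 4 amounts to, as an added example that is not from the screencast, Trisul or Unsniff: given the reassembled client-to-server bytes of one request, undo chunked transfer coding and gzip, then decode the form fields. The sample stream, the host `forum.example` and the function names are constructed for illustration, and only gzip content coding is handled.

```ruby
require 'zlib'
require 'stringio'
require 'uri'

# Undo HTTP/1.1 chunked transfer coding: "<hex size>[;ext]\r\n<data>\r\n" ... "0\r\n".
def dechunk(raw)
  io = StringIO.new(raw)
  out = String.new(encoding: Encoding::BINARY)
  loop do
    size_line = io.gets("\r\n") or raise ArgumentError, 'truncated chunk header'
    size = Integer(size_line.split(';').first.strip, 16)
    break if size.zero?
    data = io.read(size)
    raise ArgumentError, 'truncated chunk data' if data.nil? || data.bytesize < size
    out << data
    io.read(2) # CRLF that terminates each chunk
  end
  out
end

# Takes the reassembled client-to-server bytes of one HTTP request and
# returns the POSTed form fields as a Hash, or nil if it is not a POST.
def recover_post_fields(stream)
  head, body = stream.b.split("\r\n\r\n", 2)
  request_line, *header_lines = head.split("\r\n")
  return nil unless request_line.start_with?('POST ')
  headers = header_lines.to_h do |line|
    name, value = line.split(':', 2)
    [name.strip.downcase, value.to_s.strip]
  end
  body = body.to_s
  body = dechunk(body) if headers['transfer-encoding'].to_s.downcase.include?('chunked')
  body = Zlib.gunzip(body) if headers['content-encoding'].to_s.downcase == 'gzip'
  URI.decode_www_form(body).to_h
end

# Constructed sample: a gzip-compressed, chunked form POST to a made-up host.
def sample_stream
  gz = Zlib.gzip('subject=Lost+post&message=30+mins+of+typing%21')
  chunks = [gz[0, 10], gz[10..-1]].map { |c| "#{c.bytesize.to_s(16)}\r\n".b + c + "\r\n".b }.join
  "POST /forum/post HTTP/1.1\r\nHost: forum.example\r\n" \
  "Content-Type: application/x-www-form-urlencoded\r\n" \
  "Content-Encoding: gzip\r\nTransfer-Encoding: chunked\r\n\r\n".b + chunks + "0\r\n\r\n".b
end

p recover_post_fields(sample_stream) if __FILE__ == $PROGRAM_NAME
```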
