passdown analyzes current (or saved) TCP traffic and extracts transferred files in order to store them to disk. It currently supports HTTP downloads in IPv4 or IPv6, but can easily extended. Sniffing is done with scapy.
Currently no installation required. Just run passdown.py either as root to search for files in your current traffic or give it a pcap-file as first argument to work with previous transfers.
passdown depends on scapy, which has to be installed and available. Try installing it with your preferred method (apt, pacman, yum, ...). Instead you can just put scapy.py in the same directory and be fine.
You can hack your own protocol to get files from, by defining a class and giving it the properties name and regex. The name should be human-readable and the regex should match to the traffic returned from the server (i.e. the party that accepts the TCP connection). The constructor of your class should accept two parameters: The data streams sent by server and client (in that order). You can then put the classname in the PROTOCOLS array. Note that you will have to adjust the filter applied to the sniff call, unless your protocol runs on tcp port 80 as well ;)
- TCP packets are not reordered.
- Retransmissions are not handled
- FIN-Handling is a little wrong
- CPU load is a little high
- We sometimes get I/O Errors on our streams
- RST packets are currently unknown to passdown
- No real option/parameter handling, verbosity switches would be nice