Thursday, May 28, 2009

Recover deleted files from deleted partition

I never thought recovering files would be so easy. I had deleted my personal files on an old laptop before returning it.
I also repartitioned the disk using the Ubuntu install CD.

But I later realized that I had deleted something I had not backed up (so naive).

There are two Linux tools that I found useful.
1) testdisk
2) photorec

There is a project called SystemRescueCd which includes useful tools to recover data.

I used the "testdisk" tool to recover the deleted partition. I was not able to restore the partition as such, but I was able to browse its files using the tool itself.

There is another tool called "photorec" which I used to recover deleted files from that partition.

You can use the SystemRescueCd bootable CD, or boot using an Ubuntu live CD and install the tools you want and use them as I did.
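photorec does not depend on the filesystem at all: it scans the raw device for known file headers and footers and copies out whatever lies between them, which is why it still works after a partition table has been rewritten. The following is an added, simplified illustration of that signature-carving approach, written for this post; it is not photorec's own code. The signature table, the constructed disk image and the PNG/JPEG builders are assumptions made for the example.

```python
"""Minimal signature-based file carver in the style of photorec (illustrative, not photorec itself)."""
import struct
import zlib

# Constructed signature table: kind -> (header bytes, footer bytes).
# The PNG footer is the complete IEND chunk (its CRC is constant); JPEG ends with the EOI marker.
SIGNATURES = {
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xae\x42\x60\x82"),
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
}


def carve(image, signatures=SIGNATURES, max_size=10_000_000):
    """Scan a raw image (bytes) for each header; when a footer follows within max_size,
    record (kind, offset, data). Results are sorted by offset.

    Caveat (as in any header/footer carver): a JPEG containing an embedded thumbnail has an
    inner FF D9, so the first footer may cut the file short; real tools parse the structure.
    """
    found = []
    for kind, (head, tail) in signatures.items():
        pos = image.find(head)
        while pos != -1:
            end = image.find(tail, pos + len(head), pos + max_size)
            if end == -1:
                pos = image.find(head, pos + 1)  # header without footer: skip it
                continue
            end += len(tail)
            found.append((kind, pos, image[pos:end]))
            pos = image.find(head, end)
    return sorted(found, key=lambda hit: hit[1])


def make_png():
    """Construct a valid 1x1 RGB PNG to embed in the test image."""
    def chunk(tag, data):
        return struct.pack(">I", len(data)) + tag + data + struct.pack(">I", zlib.crc32(tag + data))
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    idat = zlib.compress(b"\x00\xff\x00\x00")  # one scanline: filter byte + red pixel
    return b"\x89PNG\r\n\x1a\n" + chunk(b"IHDR", ihdr) + chunk(b"IDAT", idat) + chunk(b"IEND", b"")


def make_jpeg():
    """Construct a JFIF-looking byte string (not a decodable picture) with SOI/APP0 and EOI."""
    return b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01" + bytes(range(0x10, 0x80)) + b"\xff\xd9"


def demo_carve():
    """Build a constructed 'disk image' with filler around the two files and carve it back out."""
    filler = bytes(i % 251 for i in range(4096))  # deterministic, never contains 0xFF
    image = filler + make_png() + filler + make_jpeg() + filler
    return carve(image)


if __name__ == "__main__":
    for kind, offset, data in demo_carve():
        print(f"{kind} at offset {offset}: {len(data)} bytes")
```

On a real disk you would pass an `mmap` of the block device (or read it in overlapping windows) instead of a bytes object, and write each hit to its own file; the matching logic is the same.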

Thursday, May 7, 2009

analyze an extremely large packet capture (tcpdump) file

I recently had to analyze an extremely large packet capture file to resolve a customer issue.
Wireshark would crash trying to load the file (around 375 MB).
You start thinking 'why did the client not capture packets only when the problem occurred?'.
But I quickly realised that tcpdump can read the capture file as input, and filters can be applied to extract only the packets of interest.

In this case I was interested in packets that had a particular IP address, so I used the command below to extract those packets into another pcap file.

tcpdump -r [largefile.pcap] -w [filteredFile.pcap] [filter]

And now I have a pcap file that Wireshark can load, so that I can take a good look at what is happening.
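The reason `tcpdump -r` copes where Wireshark does not is that it streams the file one record at a time and never builds an in-memory model of the whole capture. The following added example (not part of the original post) shows that streaming approach in plain Python: it reads a classic pcap record by record, keeps only Ethernet/IPv4 packets whose source or destination matches a host, and writes them to a new pcap, much like `tcpdump -r large.pcap -w small.pcap host 10.0.0.5`. The frames, addresses and timestamps in `demo()` are constructed test data; VLAN-tagged frames, pcapng and the nanosecond pcap variant are deliberately not handled.

```python
"""Stream-filter a classic pcap by IPv4 host without loading the whole capture into memory."""
import io
import socket
import struct

PCAP_MAGIC_LE = 0xA1B2C3D4  # value read with "<I" from a little-endian file
PCAP_MAGIC_BE = 0xD4C3B2A1  # value read with "<I" from a big-endian file
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = b"\x08\x00"


def filter_pcap_by_host(src, dst, host):
    """Copy records from pcap stream `src` to `dst`, keeping only IPv4 packets whose
    source or destination address equals `host`. Returns (kept, total)."""
    header = src.read(24)
    if len(header) != 24:
        raise ValueError("truncated pcap global header")
    magic = struct.unpack("<I", header[:4])[0]
    if magic == PCAP_MAGIC_LE:
        endian = "<"
    elif magic == PCAP_MAGIC_BE:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng / nanosecond pcap unsupported here)")
    linktype = struct.unpack(endian + "I", header[20:24])[0]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are handled in this example")
    dst.write(header)  # output keeps the same global header, so any pcap reader can open it

    wanted = socket.inet_aton(host)
    kept = total = 0
    while True:
        rec = src.read(16)  # ts_sec, ts_usec, incl_len, orig_len
        if not rec:
            break
        if len(rec) != 16:
            raise ValueError("truncated record header")
        _ts_sec, _ts_usec, incl_len, _orig_len = struct.unpack(endian + "IIII", rec)
        frame = src.read(incl_len)
        if len(frame) != incl_len:
            raise ValueError("truncated packet data")
        total += 1
        # Ethernet header is 14 bytes; IPv4 src/dst sit at IP offsets 12 and 16 regardless of IHL.
        if (len(frame) >= 34
                and frame[12:14] == ETHERTYPE_IPV4
                and wanted in (frame[26:30], frame[30:34])):
            dst.write(rec + frame)
            kept += 1
    return kept, total


def filter_file(in_path, out_path, host):
    """File-based wrapper: the equivalent of `tcpdump -r in_path -w out_path host <host>`."""
    with open(in_path, "rb") as src, open(out_path, "wb") as dst:
        return filter_pcap_by_host(src, dst, host)


def ipv4_frame(src_ip, dst_ip, payload=b""):
    """Construct a minimal Ethernet + IPv4 (proto UDP, no checksum) frame for testing."""
    eth = bytes(6) + bytes(6) + ETHERTYPE_IPV4
    ip = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, 17, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip + payload


def build_pcap(frames):
    """Construct a little-endian classic pcap (Ethernet link type) from raw frames."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for i, frame in enumerate(frames):
        out.append(struct.pack("<IIII", 1243000000 + i, 0, len(frame), len(frame)) + frame)
    return b"".join(out)


def demo():
    """Filter a constructed four-packet capture for host 10.0.0.5; returns (kept, total, out_bytes)."""
    frames = [
        ipv4_frame("10.0.0.5", "192.0.2.1", b"hello"),
        ipv4_frame("192.0.2.1", "10.0.0.5", b"reply"),
        ipv4_frame("10.0.0.6", "192.0.2.2"),
        bytes(12) + b"\x08\x06" + bytes(28),  # ARP frame, no IPv4 header: must be dropped
    ]
    big, small = io.BytesIO(build_pcap(frames)), io.BytesIO()
    kept, total = filter_pcap_by_host(big, small, "10.0.0.5")
    return kept, total, len(small.getvalue())


if __name__ == "__main__":
    import sys
    print(filter_file(*sys.argv[1:]) if len(sys.argv) == 4 else demo())
```

Run it as `python filter_pcap.py large.pcap filtered.pcap 10.0.0.5` on a real file; memory use stays bounded by the largest single packet, so a multi-gigabyte capture is no harder than a small one.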