using sed, how does one match square brackets in a character class? - sed

Here's a chunk of the raw data:
00000000 54 6f 70 69 63 20 46 6f 72 75 6d 20 52 65 70 6c |Topic Forum Repl|
00000010 69 65 73 20 4c 61 73 74 20 70 6f 73 74 20 31 20 |ies Last post 1 |
00000020 4c 69 6e 75 78 20 54 6f 64 61 79 20 31 34 3a 34 |Linux Today 14:4|
00000030 36 3a 35 37 20 62 79 20 4c 69 6e 75 78 20 4f 75 |6:57 by Linux Ou|
00000040 74 6c 61 77 73 20 32 36 39 20 e2 80 93 20 53 6f |tlaws 269 ... So|
00000050 6d 65 6f 6e 65 20 4b 6c 6f 73 65 20 54 68 61 74 |meone Klose That|
00000060 20 4f 75 74 6c 61 77 73 20 32 38 20 73 79 73 79 | Outlaws 28 sysy|
00000070 70 68 75 73 2e 6a 6f 6e 65 73 20 48 6f 6c 65 20 |phus.jones Hole |
00000080 62 79 20 59 4f 42 41 20 5b 20 31 20 32 20 5d 20 |by YOBA [ 1 2 ] |
00000090 32 20 4c 69 6e 75 78 20 26 20 54 6f 64 61 79 20 |2 Linux & Today |
000000a0 31 31 3a 34 34 3a 35 31 20 62 79 20 4c 6f 6f 6b |11:44:51 by Look|
000000b0 73 20 6c 69 6b 65 20 43 61 6e 6f 6e 69 63 61 6c |s like Canonical|
000000c0 20 69 73 20 61 6e 6e 6f 75 63 69 6e 67 20 70 6c | is annoucing pl|
000000d0 61 6e 73 20 46 72 65 65 64 6f 6d 20 31 20 6b 72 |ans Freedom 1 kr|
It's a hex dump and I'm interested in isolating the text part.
Here's a sed expression that almost works:
$ sed 's/.* |\([a-zA-Z0-9:& \.]*\)|$/\1/g' hex.dat
Topic Forum Repl
ies Last post 1
Linux Today 14:4
6:57 by Linux Ou
tlaws 269 ... So
meone Klose That
Outlaws 28 sysy
phus.jones Hole
00000080 62 79 20 59 4f 42 41 20 5b 20 31 20 32 20 5d 20 |by YOBA [ 1 2 ] |
2 Linux & Today
11:44:51 by Look
s like Canonical
is annoucing pl
ans Freedom 1 kr
Almost. But how to filter that last line though?
$ sed 's/.* |\([a-zA-Z0-9:&\[\] \.]*\)|$/\1/g' hex.dat
And:
$ sed 's/.* |\([a-zA-Z0-9:&\\[\\] \.]*\)|$/\1/g' hex.dat
Don't work at all (they fail to translate anything).
And:
$ sed 's/.* |\([a-zA-Z0-9:&[] \.]*\)|$/\1/g' hex.dat
obviously can't work.
Thanks for any help.

You almost had it.
Look at this section of a Unix regular expressions tutorial.
The way that yours could be done is by placing ][ immediately after you begin your character class.
So, try sed 's/.* |\([][a-zA-Z0-9:& \.]*\)|$/\1/g' hex.dat
For clarification, it does not matter where in the character class the [ is, so long as the closing bracket you intend to include in your character class (]) immediately follows the opening of your character class.
Also, as a further edit, try typing man cut and using what Tomasz said in a comment.
cut -d'|' -f2 hex.dat will cut your file, delimiting on a pipe, and take the second field.
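The bracket-expression rule and the cut alternative from the answer above, compared on input where they behave differently. This is an added example, not part of the original question or answer: the function names and the two sample lines are constructed, and the third function goes one step further by anchoring on the dump's column layout instead of a character whitelist.

```shell
#!/bin/sh
# Added example: function names and the sample lines are constructed.

# Two lines in `hexdump -C` layout. The text column of the second line
# contains '|' and regex metacharacters on purpose.
sample() {
cat <<'EOF'
00000080  62 79 20 59 4f 42 41 20  5b 20 31 20 32 20 5d 20  |by YOBA [ 1 2 ] |
00000090  61 7c 62 20 7c 63 2d 5e  5d 5b 2e 2a 24 5c 2f 0a  |a|b |c-^][.*$\/.|
EOF
}

# Whitelist approach: ']' is literal only as the first member of the
# bracket expression; '[' can then sit anywhere. A backslash inside [...]
# is an ordinary character, so "\]" still closes the class early.
# Lines with characters outside the whitelist are dropped (-n ... p).
text_by_class() {
    sed -n 's/^.* |\([][a-zA-Z0-9:&. ]*\)|$/\1/p'
}

# Delimiter approach: short, but the text column itself may contain '|',
# in which case the field is cut short.
text_by_cut() {
    cut -d'|' -f2
}

# Layout approach: the offset and hex columns hold only hex digits and
# spaces, so the first '|' on the line opens the text column and the last
# one closes it. No whitelist is needed.
text_by_layout() {
    sed -n 's/^[0-9a-f]\{8\}[0-9a-f ]* |\(.*\)|$/\1/p'
}

# Show all three side by side on the constructed sample.
for f in text_by_class text_by_cut text_by_layout; do
    printf '== %s ==\n' "$f"
    sample | "$f"
done
```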

Related

Snort logs in OSSIM show hex in payload but I want only the text to be there. Is there a config I can change in Snort?

I am new to snort and I am testing things out with OSSIM. I've installed snort and using rsyslog I am getting snort alerts.log to OSSIM. But the thing is payloads of events in OSSIM show as
length = 219
000 : 31 31 2F 32 35 2F 31 39 2D 31 30 3A 30 34 3A 32 11/25/19-10:04:2
010 : 39 2E 37 38 30 31 32 34 20 20 5B 2A 2A 5D 20 5B 9.780124 [**] [
020 : 31 32 30 3A 31 38 3A 33 5D 20 28 68 74 74 70 5F 120:18:3] (http_
030 : 69 6E 73 70 65 63 74 29 20 50 52 4F 54 4F 43 4F inspect) PROTOCO
040 : 4C 2D 4F 54 48 45 52 20 48 54 54 50 20 73 65 72 L-OTHER HTTP ser
050 : 76 65 72 20 72 65 73 70 6F 6E 73 65 20 62 65 66 ver response bef
060 : 6F 72 65 20 63 6C 69 65 6E 74 20 72 65 71 75 65 ore client reque
070 : 73 74 20 20 5B 2A 2A 5D 20 5B 43 6C 61 73 73 69 st [**] [Classi
080 : 66 69 63 61 74 69 6F 6E 3A 20 55 6E 6B 6E 6F 77 fication: Unknow
090 : 6E 20 54 72 61 66 66 69 63 5D 20 5B 50 72 69 6F n Traffic] [Prio
0a0 : 72 69 74 79 3A 20 33 5D 20 7B 54 43 50 7D 20 31 rity: 3] {TCP} 1
0b0 : 39 32 2E 31 36 38 2E 30 2E 31 36 38 3A 38 30 38 92.168.0.168:808
0c0 : 30 20 2D 3E 20 31 39 32 2E 31 36 38 2E 30 2E 31 0 -> 192.168.0.1
0d0 : 32 32 3A 33 39 31 37 30 22 20 0A 22:39170" .
But I want it to be like
11/25/19-10:04:29.780124 [**] [120:18:3] (http_inspect) PROTOCOL-OTHER HTTP server response before client request [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 192.168.0.168:8080 -> 192.168.0.122:39170" .
Is there any config in snort I can change to make this happen?
Thanks in advance for any help!

Copying a CSV file from stdin throws "missing data for column"

I have some data that has been exported from postgres, reworked a bit using a spreadsheet and I now want the data back into a table, but I keep failing on the import:
cat extract.csv | psql -h 10.135.0.44 myapp myapp -f copy-user.sql
psql:copy-user.sql:7: ERROR: missing data for column "email"
CONTEXT: COPY to_update, line 1: ""
The actual data is supplied below. I first converted the CSV file from DOS to Unix style line endings. It didn't seem to matter much.
copy-user.sql
COPY "to_update"
FROM STDIN
WITH DELIMITER ';' CSV;
extract.csv
bfb92e29-1d2c-45c4-b9ab-357a3ac7ad13;test#test90239023783457843.com;x
aeccc3ea-cc1f-43ef-99ff-e389d5d63b22;tester#testerkjnaefgjnwerg.no;x
9cec13ae-c880-4371-9b1c-dd201f5cf233;bloblo#gmail.com;x
aeada2bc-a362-4f3e-80f2-06a717206802;vet#gmail.com;x
fb85ddd8-7d17-4d41-8bc3-213b1e469506;navnnavnesen#ptflow.com;x
528e1f2e-1baa-483b-bc8c-85f993014696;kklk#hotmail.com;x
dbc8a9c1-56cf-4589-8b2c-cf1a2e0832ed;ghiiii#hotmail.com;x
fbf23553-baa2-410a-8f96-32b5c4deb0c7;lala#lala.no;x
e22ec0de-06f9-428a-aa3e-171c38f9a1f7;x2#gmail.com;x
8e8d0f73-8eb7-43b4-8019-b79042731b97;mail#mail.com;x
table definition for to_update
create table to_update(id text, email text, text char);
-- also tried this variant, but same error
-- create table to_update(id uuid, email text, text char);
EDIT: Additional info
It seems this exact same thing doesn't throw on my local machine:
$ cat extract.csv | psql postgres -f copy-user.sql
Timing is on.
Line style is unicode.
Border style is 2.
Null display is "[NULL]".
Expanded display is used automatically.
COPY 0
Time: 0.430 ms
It still doesn't work (as it just copies 0 rows), but at least it doesn't throw an error. That points to it being related to the environment (versions, locale settings, etc).
Local machine (which doesn't throw error)
$ psql --version
psql (PostgreSQL) 10.6
$ psql postgres -c "SHOW server_version;"
Timing is on.
Line style is unicode.
Border style is 2.
Null display is "[NULL]".
Expanded display is used automatically.
┌────────────────┐
│ server_version │
├────────────────┤
│ 10.6 │
└────────────────┘
(1 row)
Time: 40.960 ms
$ printenv | grep LC
LC_CTYPE=UTF-8
Remote server(s) (which throws error)
$ psql --version # this is the client, not the same physical server as the db
psql (PostgreSQL) 9.5.12
$ psql -h 10.135.0.44 myapp myapp -c "SHOW server_version;"
Password for user pete:
server_version
----------------
9.5.12
(1 row)
$ printenv | grep LC
LC_ALL=C.UTF-8
LC_CTYPE=UTF-8
LANG=C.UTF-8
Hex dump of extract.csv (all 7 lines)
$ wc -l extract.csv
10 extract.csv
$ hexdump -C extract.csv
I think you want \copy ... from pstdin... on a single line. Both the starting backslash and pstdin instead of stdin are on purpose.
This mailing-list thread: psql -f COPY from STDIN explains the problem and the solution.
COPY FROM STDIN expects data inline after the COPY command, as in a dump file, not from the standard input of the psql process.
Relevant snippet from the mailing list summing up the alternatives
I'd like the store the COPY command in a separate file without
specifying an input file name. I want to feed it the data from the
shell script that calls psql
"STDIN: All rows are read from the same source that issued the
command"
- As I understand now, this applies to both COPY and \COPY. In other words the input file must contain command and data.
I have found a few solutions to achieve my objective:
1) using COPY FROM STDIN: cat event.csv | psql -c "$(cat event.sql)"
2) using COPY FROM STDIN: psql -f <(cat event.sql event.csv)
3) using \COPY FROM PSTDIN: cat event.csv | psql -f event.sql
4) using \COPY FROM STDIN: psql -f <(cat event.sql event.csv <(echo "."))
What I don't like about \COPY is that it has to be on one line. Indeed
it can't be split over multiple lines
following works in my setup:
cat extract.csv | psql -d db_name -U user_name -c "copy to_update from stdin with delimiter ';' csv"
or
psql -d db_name -U user_name -c "\copy public.to_update(id, email, text) from '/path_to/extract.csv' with delimiter ';' csv"
With regards to the actual thrown error, after some debugging, I found that this error only happens with Postgres 9.5.12, not my local database running 10.6. That's using the exact same script in the sql file.
Postgres 9.5.12 doesn't handle multi-line COPY FROM STDIN statements! Deleting the newlines so that the entire expression was on a single line made it run. It still didn't work, though, as it still showed 0 rows being copied, but that is really a different question ... Krishna was onto something though ... I'll post a separate question for that and link it up.

Can I tell GitHub (or eq.) to use ASCII to make my binary files readable?

I want to host a binary file on a web-based hosting service for git (i.e. GitHub) so I can easily see any changes made to it.
The binary file in question uses the common ASCII character encoding so that this binary
73 63 6F 70 65 20 68 75 72 72 72 20 69 6E 69 74 69 61 6C 69 7A 65 72 20 64 65 72 70 0D 0A 20 20 20 20 66 75 6E 63 74 69 6F 6E 20 64 65 72 70 20 74 61 6B 65 73 20 6E 6F 74 68 69 6E 67 20 72 65 74 75 72 6E 73 20 6E 6F 74 68 69 6E 67 0D 0A 20 20 20 20 20 20 20 20 63 61 6C 6C 20 53 65 74 53 74 61 72 74 4C 6F 63 50 72 69 6F 28 24 42 2C 24 41 2C 24 41 2C 4D 41 50 5F 4C 4F 43 5F 50 52 49 4F 5F 48 49 47 48 29 0D 0A 20 20 20 20 65 6E 64 66 75 6E 63 74 69 6F 6E 0D 0A 65 6E 64 73 63 6F 70 65
becomes this readable text (†)
scope hurrr initializer derp
function derp takes nothing returns nothing
call SetStartLocPrio($B,$A,$A,MAP_LOC_PRIO_HIGH)
endfunction
endscope
The problem is that services like GitHub will only show me the raw binary when I want to view the file in-browser (or have me download and open it in a text editor):
Right now, to have any changes made, I have to download the changed binary file, convert it to readable text, then use diff to see what changes have been made. This is tedious and loses the beautiful web interface that GitHub has.
So my question is this: Can I tell GitHub (or any equivalent service) to translate a binary file to readable text?
--
(†) For anyone interested in trivia, this is indeed vJass syntax for WarCraft III.

How can I decrypt this so I can view it

I'm not sure what you mean by decrypting this so you can view it. It looks like the contents of an image file. Try opening this file with an image viewer such as MS Paint, Adobe Photoshop or try uploading it to https://pixlr.com/editor. You might have to change the file extension for this to work (try PSD).
In case you're not interested in the image but actually the contents of the file, encoding is not really your problem here since this is not a text file but a binary file. Its contents don't represent characters but are contents of data structures used by Photoshop to represent an image.

Perl Net::Pcap hex dump packet session

I have the following information below being produced by the Net::Pcap module to print the payload of the packets of interest within a capture.
The data below is the excerpt of a Windows executable file being captured within Perl.
I would like to be able to capture all of the hex data output into one file or variable to assess the session data of the file download while retaining the integrity of the hex dump.
The problem I am having is for each packet being produced for the download of the file it obviously produces a hex dump output. This is easily seen by the output below by the string "Payload" I print per packet/hex dump output.
I want to tie all relevant data together for a given file download session. How can I do this in Perl?
Payload:HTTP/1.1 200 OK
Date: Fri, 15 Jun 2012 02:31:32 GMT
Server: Apache
Last-Modified: Sat, 10 Dec 2011 13:38:37 GMT
ETag: "dc44da-4d000-4b3bd04c7a2f1"
Accept-Ranges: bytes
Content-Length: 315392
Keep-Alive: timeout=15, max=99
Connection: Keep-Alive
Content-Type: application/x-msdos-program
Thank you Borodin for the suggestion. However, I don't know how to use this module correctly and it is apparent as I am still getting the same output. Here is the snippet of code I am using with this module and the printed hex. As you can see the printed hex is not tied together as one hex output but two separate for the given TCP stream for which I want to tie together. Any help is appreciated.
use strict;
use warnings;
use Net::Pcap;
use Net::Pcap::Reassemble;
use NetPacket::Ethernet qw(:strip);   # provides eth_strip
use NetPacket::IP;
use NetPacket::TCP;
use Data::Hexdumper qw(hexdump);      # assumed source of hexdump(data => ..., start_position => ...)

my $err = '';
my $pcap = Net::Pcap::open_offline("./pcap", \$err) or die "can't open ./pcap...$err\n";
# Print one hex dump per captured packet.
Net::Pcap::loop($pcap, -1, \&process_pkt, '');
# rend_callback is not shown in this snippet.
Net::Pcap::Reassemble::loop($pcap, -1, \&rend_callback, '');
Net::Pcap::close($pcap);

sub process_pkt
{
    my ($user_data, $header, $packet) = @_;
    my $ip      = NetPacket::IP->decode(eth_strip($packet));
    my $tcp     = NetPacket::TCP->decode($ip->{data});
    my $payload = $tcp->{data};
    # Skip packets that carry no TCP payload.
    return unless defined $payload && length $payload;
    my $hexPayload = hexdump(data => $payload, start_position => 0);
    print "Hex Payload:" . $hexPayload;
}
print output:
Hex Payload: 0x0000 : 47 45 54 20 2F 6D 61 63 2F 5F 62 61 73 65 5F 76 : GET./mac/_base_v
0x0010 : 31 2F 73 63 72 69 70 74 2F 6A 71 75 65 72 79 2D : 1/script/jquery-
0x0020 : 31 2E 36 2E 31 2E 6A 73 20 48 54 54 50 2F 31 2E : 1.6.1.js.HTTP/1.
0x0030 : 31 0D 0A 48 6F 73 74 3A 20 77 77 77 2E 6D 69 63 : 1..Host:.www.mic
0x0040 : 72 6F 73 6F 66 74 2E 63 6F 6D 0D 0A 55 73 65 72 : rosoft.com..User
0x0050 : 2D 41 67 65 6E 74 3A 20 4D 6F 7A 69 6C 6C 61 2F : -Agent:.Mozilla/
0x0060 : 35 2E 30 20 28 4D 61 63 69 6E 74 6F 73 68 3B 20 : 5.0.(Macintosh;.
0x0070 : 49 6E 74 65 6C 20 4D 61 63 20 4F 53 20 58 20 31 : Intel.Mac.OS.X.1
0x0080 : 30 2E 36 3B 20 72 76 3A 31 33 2E 30 29 20 47 65 : 0.6;.rv:13.0).Ge
0x0090 : 63 6B 6F 2F 32 30 31 30 30 31 30 31 20 46 69 72 : cko/20100101.Fir
0x00A0 : 65 66 6F 78 2F 31 33 2E 30 0D 0A 41 63 63 65 70 : efox/13.0..Accep
0x00B0 : 74 3A 20 2A 2F 2A 0D 0A 41 63 63 65 70 74 2D 4C : t:.*/*..Accept-L
0x00C0 : 61 6E 67 75 61 67 65 3A 20 65 6E 2D 75 73 2C 65 : anguage:.en-us,e
0x00D0 : 6E 3B 71 3D 30 2E 35 0D 0A 41 63 63 65 70 74 2D : n;q=0.5..Accept-
0x00E0 : 45 6E 63 6F 64 69 6E 67 3A 20 67 7A 69 70 2C 20 : Encoding:.gzip,.
0x00F0 : 64 65 66 6C 61 74 65 0D 0A 52 65 66 65 72 65 72 : deflate..Referer
0x0100 : 3A 20 68 74 74 70 3A 2F 2F 77 77 77 2E 6D 69 63 : :.http://www.mic
0x0110 : 72 6F 73 6F 66 74 2E 63 6F 6D 2F 6D 61 63 2F 72 : rosoft.com/mac/r
0x0120 : 65 6D 6F 74 65 2D 64 65 73 6B 74 6F 70 2D 63 6C : emote-desktop-cl
0x0130 : 69 65 6E 74 0D 0A 44 4E 54 3A 20 31 0D 0A 43 6F : ient..DNT:.1..Co
0x0140 : 6E 6E 65 63 74 69 6F 6E 3A 20 6B 65 65 70 2D 61 : nnection:.keep-a
0x0150 : 6C 69 76 65 0D 0A 0D 0A 00 00 00 00 00 00 00 00 : live............
Hex Payload: 0x0000 : 48 54 54 50 2F 31 2E 31 20 32 30 30 20 4F 4B 0D : HTTP/1.1.200.OK.
0x0010 : 0A 43 61 63 68 65 2D 43 6F 6E 74 72 6F 6C 3A 20 : .Cache-Control:.
0x0020 : 6D 61 78 2D 61 67 65 3D 39 30 30 0D 0A 43 6F 6E : max-age=900..Con
0x0030 : 74 65 6E 74 2D 54 79 70 65 3A 20 61 70 70 6C 69 : tent-Type:.appli
0x0040 : 63 61 74 69 6F 6E 2F 78 2D 6A 61 76 61 73 63 72 : cation/x-javascr
0x0050 : 69 70 74 0D 0A 43 6F 6E 74 65 6E 74 2D 45 6E 63 : ipt..Content-Enc
0x0060 : 6F 64 69 6E 67 3A 20 67 7A 69 70 0D 0A 4C 61 73 : oding:.gzip..Las
0x0070 : 74 2D 4D 6F 64 69 66 69 65 64 3A 20 57 65 64 2C : t-Modified:.Wed,
0x0080 : 20 30 38 20 4A 75 6E 20 32 30 31 31 20 31 38 3A : .08.Jun.2011.18:
0x0090 : 34 35 3A 34 39 20 47 4D 54 0D 0A 41 63 63 65 70 : 45:49.GMT..Accep
Take a look at Net::Pcap::Reassemble
This module performs reassembly of fragmented datagrams in libpcap
packet capture data returned by the Net::Pcap loop() function