Hi, I have a malware pcap file for analysis that I have tcpreplayed, and the stream data is captured using Splunk Stream. Now the problem is that I have a list of MD5 hashes as a lookup table, and I would like to compare the MD5 hashes in the lookup table with the .txt or .exe files found in the pcap stream. I would like to generate MD5 hashes of the .txt and .exe files and compare them with the lookup table.
I have also found that I can extract a field as an MD5 hash, e.g. extract the field src_content as an MD5 hash. But when I tried that, the MD5 hash did not match the .txt file (e.g. hi.txt) that I extracted from Wireshark. I used md5sum on Ubuntu Linux to generate the MD5 hash for hi.txt.
I have found out that I can do this by using content extraction in Splunk Stream. But the hashes do not match because in Splunk Stream the dest and src content payload data contains the content headers, which I do not want. I only want to hash the file inside. How do I do it?
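The mismatch described in the post comes from hashing the whole captured payload (HTTP status line and headers plus body) rather than the transferred file alone, which is what md5sum on the extracted hi.txt hashes. The script below is an added example, not code from the original post or from Splunk: it takes a raw HTTP response payload as a byte string, strips the header block, honours Content-Length and decodes chunked transfer coding, and then hashes only the body and checks it against a lookup table. The sample responses, the lookup table entry and the file name hi.txt are constructed here for illustration; the MD5 value is that of the six bytes "hello\n".

```python
import hashlib
import re

# Constructed sample: an HTTP response carrying a 6-byte text file, the way a
# src_content/dest_content field would capture it (headers followed by body).
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/plain\r\n"
    b"Content-Length: 6\r\n"
    b"Connection: close\r\n"
    b"\r\n"
    b"hello\n"
)

# Constructed chunked variant of the same file transfer.
SAMPLE_CHUNKED = (
    b"HTTP/1.1 200 OK\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"\r\n"
    b"3\r\nhel\r\n"
    b"3\r\nlo\n\r\n"
    b"0\r\n\r\n"
)

# Hypothetical lookup table (MD5 -> label). The hash is md5 of "hello\n",
# i.e. what `md5sum hi.txt` prints for a file containing that line.
LOOKUP = {
    "b1946ac92492d2347c6235b4d2611184": "hi.txt",
}

# Start of an HTTP response or request line.
_HTTP_START = re.compile(rb"^(HTTP/\d\.\d|[A-Z]+ \S+ HTTP/\d\.\d)")


def parse_headers(block):
    """Parse a raw header block into a dict keyed by lower-cased header name."""
    headers = {}
    for line in block.split(b"\r\n")[1:]:  # skip the status/request line
        name, sep, value = line.partition(b":")
        if sep:
            headers[name.strip().lower().decode("latin-1")] = value.strip()
    return headers


def dechunk(data):
    """Decode a chunked transfer-coded body into the original bytes."""
    out = bytearray()
    pos = 0
    while True:
        end = data.find(b"\r\n", pos)
        if end < 0:
            raise ValueError("truncated chunk size line")
        size = int(data[pos:end].split(b";")[0], 16)  # ignore chunk extensions
        pos = end + 2
        if size == 0:
            break
        out += data[pos:pos + size]
        pos += size + 2  # skip the CRLF that terminates the chunk data
    return bytes(out)


def extract_body(payload):
    """Return the file bytes inside an HTTP message.

    If the payload does not start like an HTTP message or has no header
    terminator, it is treated as a bare file and returned unchanged.
    """
    sep = payload.find(b"\r\n\r\n")
    if sep < 0 or not _HTTP_START.match(payload):
        return payload
    headers = parse_headers(payload[:sep])
    body = payload[sep + 4:]
    if b"chunked" in headers.get("transfer-encoding", b"").lower():
        return dechunk(body)
    if "content-length" in headers:
        n = int(headers["content-length"])
        if len(body) < n:
            raise ValueError("body shorter than Content-Length; stream truncated")
        return body[:n]  # drop any trailing bytes (e.g. next pipelined response)
    return body


def md5_raw(payload):
    """MD5 over the whole captured payload, headers included (the mismatching value)."""
    return hashlib.md5(payload).hexdigest()


def md5_of_file(payload):
    """MD5 over the transferred file only, matching md5sum on the extracted file."""
    return hashlib.md5(extract_body(payload)).hexdigest()


def check_against_lookup(payload, lookup=LOOKUP):
    """Return (md5, label-or-None) for the file carried in payload."""
    digest = md5_of_file(payload)
    return digest, lookup.get(digest)


if __name__ == "__main__":
    for name, sample in (("plain", SAMPLE_RESPONSE), ("chunked", SAMPLE_CHUNKED)):
        print(name, "raw:", md5_raw(sample), "file:", check_against_lookup(sample))
```

The same idea applies to a .exe served over HTTP: the body is binary, so keep everything as bytes and never decode it before hashing. A payload captured mid-stream (Content-Length larger than the bytes present) is reported as truncated rather than silently hashed, because a hash of a partial file will never match the lookup table and would only produce a misleading "no match".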