This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Reassemble file problem

0

Hi Forum readers,

I obtained a pcap file and wanted to find a pdf file and reassemble it i think i have found the tcp stream for it but when I try to save it the pdf is unreadable. i get refered to chapter 7 of the user manual but that isnt helpful for pdfs. Can anyone help me? If you require any more info just let me know

Thanks

asked 18 Oct '12, 03:08

helpMe's gravatar image

helpMe
6114
accept rate: 0%

edited 21 Oct '12, 19:41

lol Uni SA? im stuck on the same thing

(23 Oct '12, 16:21) Thor_White

One Answer:

1

If it is transfered by either HTTP or SMB you should take a look at the File -> Export Objects menu (you might need to upgrade to 1.8.x to see it if your version is older than that).

answered 18 Oct '12, 04:45

Jasper's gravatar image

Jasper ♦♦
23.8k551284
accept rate: 18%

Apparently it's transferred by TCP/FTP if that makes sense?

(18 Oct '12, 14:05) helpMe
1

Yeah it does. In that case you should be able to extract the file by using follow TCP stream as you did. Can you upload your file to www.cloudshark.org and post the URL so that I can take a look (only if it isn't anything containing sensitve data)?

(18 Oct '12, 15:39) Jasper ♦♦
1

Okay, I just extracted the PDF with no problem. This is the recipe:

  1. Select Packet 500, which is the SYN packet for the Data transfer session initiated in the FTP control channel in packets 497-499.

  2. Right click, select "Follow TCP Stream". You should get an extra window where the first line contains "%PDF-1.5" in red letters.

  3. Make sure the selection box says "Entire conversation (58441 bytes)"

  4. Use "save as" to save it as SecretNumber.pdf

As I said, this just worked fine for me, so it should work for you, too. My guess is you probably tried to export the command channel :-)

(21 Oct '12, 08:22) Jasper ♦♦

Thanks for that Jasper, is there an easy way to tell which SYN packet is initiated in the FTP control channel for future reference

(21 Oct '12, 13:58) helpMe
1

Yes, take a look at packet 497, containing the PORT command. Right in there you'll find the IP and port number that the data connection will connect to (unfold the FTP layer and the PORT command in the decode and you'll see it). The SYN packet in packet 500 uses the exact same destination TCP port, so that is how you can match it. It is easier to see if you disable Name Resolution for the transport layer in the View -> Name Resolution menu.

(21 Oct '12, 15:25) Jasper ♦♦

Thankyou Jasper for yo9ur help on this assignment i was haveing trouple reassembleing the file.

the way i was trying to do it was with the following steps form

http://wiki.wireshark.org/TCP_Reassembly

but that was for pictures i tried to rename it to a .pdf but that didnt work. so thankyou agian

(23 Oct '12, 16:23) Thor_White
showing 5 of 6 show 1 more comments