
Hello fellow Wireshark Ninjas,

I have been thinking about making a plugin for Wireshark (Lua) that automatically parses through a PCAP file, reassembles any known file types by file header details, and then saves them in a directory. Any ideas on how to get started? I have successfully created a few Lua scripts, one even sets up the proper directories for the files I wish to reassemble. My problem is the API and if it is/isn't possible to call a dissector already? Or if something already exists that does this? Or maybe even some example code of someone automating a TCP reassembler?

Ideally, I would like to run this script over a pcap file captured from a gateway that allows me to reconstruct websites entirely offline. Or something that can capture and rebuild an FTP stream to check for sensitive data leaving my network. I think it would be a wickedly sweet plugin. Sadly, it is shaping up to be a beast with my lack of Wireshark Lua API know-how.

Thanks in advance!

asked 01 Apr '13, 15:34


T3CHKOMMIE


Save yourself the trouble, unless you have something very specific in mind. Wireshark can already export files for HTTP and SMB (See the export functionality in the file menu), and with the "Follow TCP Stream" functionality you can also pull files from FTP transfers if done correctly.

If you're trying to code a payload extraction plugin you need to consider that you'll have to do that for the protocol above TCP. For example: if you want to extract a file that is an attachment sent via SMTP you need to code it exactly so that it does SMTP payload extraction. TCP payload extraction won't help at all since you'd also get the SMTP protocol layer in your extracted payload, and that will not work.

And, by the way, there are lots of tools out there that dig content out of trace files already, e.g. here: https://isc.sans.edu/diary/Tools+for+extracting+files+from+pcaps/6961


answered 01 Apr '13, 15:42


Jasper ♦♦

edited 01 Apr '13, 15:48

Ah, export object http functionality. That's Brilliant!

Sounds like trouble indeed. I think I will forgo this project. The export HTTP object looks like it does what I am looking for. Is there a way to script that functionality so that it's a bit more automated?

I am looking at analyzing several day-long packet captures. :) It's more of a "web cache".

Thanks again, your comment has been quite helpful.

(01 Apr '13, 16:00) T3CHKOMMIE

There is a "Save All" button, but I think that's all the "automation" you can get from Wireshark. Maybe one of the other tools helps when dealing with large amounts of trace files. Most tools that do large-scale web forensics on trace files cost money afaik.

(01 Apr '13, 16:16) Jasper ♦♦

If all you need is to extract files from pcaps, then Wireshark (as a packet analysis tool) is not the best-fitted tool to use. Although it does have some options to export files (as @Jasper indicated), the main purpose of Wireshark lies elsewhere.

A quick Google search on the subject gives the following link. It lists a couple of other tools you might use that are a closer fit.

See: https://isc.sans.edu/diary/Tools+for+extracting+files+from+pcaps/6961


answered 02 Apr '13, 00:19


SYN-bit ♦♦

I capture many SMTP packets in pcap format, and I can assemble the packets from each SMTP connection through "Analyse --> Follow TCP Stream". With that, I can get all the e-mails from each SMTP connection. However, I think the only way Wireshark lets me save the e-mails in separate files is doing it one by one (and there are thousands of e-mails) through the reassembled tab in the "Packet Bytes" pane. Is there any way to do this saving automatically?

I saw that the attributes of the command line (using tshark) do not let me do that, and Lua scripts do not either ...

Thank you for any help, Otavio


answered 06 Jul '13, 08:39


otavioc
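The two requests above (scripting the "Save All" of Export Objects, and saving every SMTP conversation that Follow TCP Stream reconstructs without clicking through thousands of them) can both be driven from tshark's command line. The script below is an added example and is not code from this thread or from the Wireshark project; it assumes a tshark on PATH that supports `--export-objects` (tshark 2.3 and later; `tshark --export-objects help` lists the protocols with exporters, `imf` being the one for e-mail messages carried over SMTP) and `-z follow,tcp,ascii,N`. File and directory names are constructed for illustration. Note the point Jasper made: the `follow` output is the full two-way transcript including the SMTP commands and replies, not a bare message, whereas an object exporter strips the protocol layer for you.

```shell
#!/bin/sh
# Added example (not from the thread): batch extraction with tshark.
# Assumes tshark >= 2.3 on PATH; all paths below are illustrative.

# Export every object of one protocol into OUTDIR, the CLI equivalent of
# File > Export Objects > <protocol> > Save All.
export_objects() {
    pcap=$1; proto=$2; outdir=$3
    mkdir -p "$outdir" || return 1
    tshark -r "$pcap" -q --export-objects "$proto,$outdir" >/dev/null
}

# Display filter that selects one TCP conversation by its stream index.
stream_filter() {
    printf 'tcp.stream eq %s' "$1"
}

# Normalise tshark's one-index-per-line field output: drop blank lines,
# sort numerically and deduplicate. Reads stdin, writes stdout.
unique_stream_ids() {
    grep -E '^[0-9]+$' | sort -un
}

# Output file for the reconstructed conversation of one stream.
stream_outfile() {
    printf '%s/%s_stream_%s.txt' "$1" "$2" "$3"
}

# Save each TCP conversation matching display filter FILTER (e.g. smtp)
# to its own file. "-z follow,tcp,ascii,N" is the CLI form of Follow TCP
# Stream, so every file holds the whole two-way transcript including the
# protocol layer, not just the e-mail body.
dump_streams() {
    pcap=$1; filter=$2; outdir=$3
    mkdir -p "$outdir" || return 1
    tshark -r "$pcap" -Y "$filter" -T fields -e tcp.stream |
    unique_stream_ids |
    while read -r id; do
        tshark -r "$pcap" -q -z "follow,tcp,ascii,$id" \
            > "$(stream_outfile "$outdir" "$filter" "$id")"
    done
}

# Usage: sh extract.sh capture.pcap outdir
# (runs only when both arguments are given, so the functions can be sourced)
if [ "$#" -eq 2 ]; then
    export_objects "$1" http "$2/http"   # web content, like Export Objects > HTTP
    export_objects "$1" imf  "$2/imf"    # e-mail messages seen on SMTP
    dump_streams   "$1" smtp "$2/smtp"   # one transcript per SMTP connection
fi
```

Running it over a multi-day capture is a matter of looping the script over the trace files; the per-stream loop is single-pass per stream, so on very large traces splitting the capture first (for example with editcap) keeps each tshark run short.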

Any ideas on how to get started?

I'd start by looking at tcpflow and see whether it already does what I want.


answered 06 Jul '13, 15:21


Guy Harris ♦♦

question asked: 01 Apr '13, 15:34

question was seen: 8,284 times

last updated: 06 Jul '13, 15:21
