How to extract the attachment which is in multiple frames? For e.g. a doc file
That depends on the protocol that was used to transfer the "attachment". For some protocols (HTTP, DICOM and SMB at the moment) Wireshark can export the objects through "File -> Export -> Objects -> <proto>". If the attachment you are interested in is not transferred using one of those, your best bet is to do a "Follow TCP/UDP stream" and save the raw data (it's best to only save the data in one direction). Then you have to use a (hex) editor to delete all the unnecessary data around your attachment.

Laura has a GREAT demo for this in one of her Wireshark training books. I don't remember if it is in the new one or one of her older revs, but I did it and it blew me away. There might even be a demo on YouTube. I used the hex process that SYNbit refers to. It is well worth digging into to learn. You will be amazed at what you find :)
(06 Oct '10, 07:05)
blacknight
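The "save one direction of the stream, then cut away everything around the attachment" step can be scripted instead of done in a hex editor. This is an added example, not code from the thread or from Wireshark: it assumes the attachment travelled over SMTP, takes the client-to-server bytes of a Follow TCP Stream save, strips the SMTP commands and dot-stuffing, and lets the standard library's MIME parser decode the attachment parts. The stream bytes, addresses and file name are constructed.

```python
import base64
import email
import os
import re
from email import policy

# Constructed stand-in for the client->server half of an SMTP Follow TCP Stream
# save. Only the 8-byte OLE compound-file magic of the fake .doc is real.
DOC_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")
FAKE_DOC = DOC_MAGIC + b"\x00" * 24 + b"constructed-doc-body"
STREAM = (
    b"EHLO client.example\r\nMAIL FROM:<a@example.test>\r\n"
    b"RCPT TO:<b@example.test>\r\nDATA\r\n"
    b"From: a@example.test\r\nTo: b@example.test\r\nSubject: report\r\n"
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/mixed; boundary="XYZ"\r\n\r\n'
    b"--XYZ\r\nContent-Type: text/plain\r\n\r\nsee attached\r\n"
    b'--XYZ\r\nContent-Type: application/msword; name="report.doc"\r\n'
    b"Content-Transfer-Encoding: base64\r\n"
    b'Content-Disposition: attachment; filename="report.doc"\r\n\r\n'
    + base64.b64encode(FAKE_DOC) + b"\r\n--XYZ--\r\n.\r\nQUIT\r\n"
)

def extract_smtp_message(stream: bytes) -> bytes:
    """Return the message between the DATA command and the lone-dot
    terminator, with SMTP dot-stuffing undone (the hex-editor step)."""
    start = stream.find(b"DATA\r\n")
    if start < 0:
        raise ValueError("no DATA command found in stream")
    start += len(b"DATA\r\n")
    end = stream.find(b"\r\n.\r\n", start)
    if end < 0:
        raise ValueError("message not terminated: capture truncated?")
    body = stream[start:end] + b"\r\n"
    return re.sub(rb"(^|\r\n)\.\.", rb"\1.", body)  # "..x" -> ".x"

def carve_attachments(stream: bytes) -> dict:
    """Return {filename: decoded bytes} for every attachment part."""
    msg = email.message_from_bytes(extract_smtp_message(stream), policy=policy.default)
    found = {}
    for part in msg.walk():
        if part.get_content_disposition() == "attachment":
            # basename(): a crafted filename must not escape the output directory
            name = os.path.basename(part.get_filename() or "unnamed")
            found[name] = part.get_payload(decode=True)
    return found

def looks_like_ole_doc(data: bytes) -> bool:
    # Legacy .doc files are OLE compound files; check the magic before trusting the carve.
    return data[:8] == DOC_MAGIC
```

Write each entry of `carve_attachments(STREAM)` to disk with `open(name, "wb")`; if the OLE magic check fails, the stream was probably saved in the wrong direction or the capture is missing segments.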