How to extract the attachment which is in multiple frames? For e.g. a .doc file

asked 23 Sep '10, 21:49 sethaliasath...
One Answer:
That depends on the protocol that was used to transfer the "attachment". For some protocols (HTTP, DICOM and SMB at the moment) Wireshark can export the objects through "File -> Export -> Objects -> <proto>". If the attachment you are interested in is not transferred using one of those, your best bet is to do a "Follow TCP/UDP stream" and save the raw data (it's best to only save the data in one direction). Then you have to use a (hex) editor to delete all the unnecessary data around your attachment.

answered 24 Sep '10, 00:41 SYN-bit ♦♦
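One way to automate the hex-editor trimming step described in the answer, as an added example that is not part of the answer or of Wireshark itself: a small Python carver that locates the file by its signature inside the raw bytes saved from "Follow TCP Stream". The ZIP/.docx case is cut exactly using the end-of-central-directory record; the legacy OLE2 .doc format has no end marker, so that case is trimmed to whole 512-byte sectors (an assumption that the trailing protocol bytes are shorter than one sector). The sample stream dumps are constructed here.

```python
import io
import struct
import zipfile
from typing import Optional

# File signatures for the formats the question asks about (added example).
OLE2_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"  # legacy .doc/.xls/.ppt
ZIP_MAGIC = b"PK\x03\x04"                           # .docx/.xlsx/any ZIP
ZIP_EOCD = b"PK\x05\x06"                            # ZIP end-of-central-directory


def carve_zip(raw: bytes) -> Optional[bytes]:
    """Return the first ZIP container in raw, trimmed to its exact end.
    The end is the 22-byte EOCD record plus its optional comment."""
    start = raw.find(ZIP_MAGIC)
    if start < 0:
        return None
    eocd = raw.rfind(ZIP_EOCD, start)
    if eocd < 0 or eocd + 22 > len(raw):
        return None
    comment_len = struct.unpack_from("<H", raw, eocd + 20)[0]
    return raw[start:eocd + 22 + comment_len]


def carve_ole2(raw: bytes) -> Optional[bytes]:
    """Return the OLE2 file starting at its signature. OLE2 has no end marker,
    so the result is cut to whole 512-byte sectors (assumption: the trailing
    protocol bytes are shorter than one sector)."""
    start = raw.find(OLE2_MAGIC)
    if start < 0:
        return None
    body = raw[start:]
    return body[: len(body) - len(body) % 512] or None


def _build_zip() -> bytes:
    # Constructed sample .docx-like archive built in memory.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("hello.txt", "hello")
    return buf.getvalue()


# Constructed sample "Follow TCP Stream" dumps: protocol header + file + trailer.
SAMPLE_ZIP = _build_zip()
SAMPLE_ZIP_STREAM = b"HTTP/1.1 200 OK\r\nContent-Type: application/zip\r\n\r\n" + SAMPLE_ZIP + b"\r\n0\r\n\r\n"
SAMPLE_DOC = OLE2_MAGIC + b"\x00" * (1024 - len(OLE2_MAGIC))
SAMPLE_DOC_STREAM = b"DATA\r\n" + SAMPLE_DOC + b"\r\n.\r\n"

if __name__ == "__main__":
    print("zip:", len(carve_zip(SAMPLE_ZIP_STREAM)), "bytes")
    print("doc:", len(carve_ole2(SAMPLE_DOC_STREAM)), "bytes")
```

For a real capture, read the file saved from "Follow TCP Stream" (raw, one direction) into `raw` and write the returned bytes to disk.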
Laura has a GREAT demo for this in one of her Wireshark training books. I don't remember if it is in the new one or one of her older revs, but I did it and it blew me away. There might even be a demo on YouTube. I used the hex process that SYN-bit refers to. It is well worth digging into to learn. You will be amazed at what you find :)