How to extract the attachment which is in multiple frames ? for eg a doc file
asked 23 Sep '10, 21:49
That depends on the protocol that was used to transfer the "attachment". For some protocols (HTTP, DICOM and SMB at the moment) Wireshark can export the objects through "File -> Export -> Objects -> <proto>".
If the attachment you are interested in is not transferred using one of those, your best bet is to do a "Follow TCP/UDP stream" and save the raw data (it's best to only save the data in one direction).
Then you have to use a (hex) editor to delete all the unnecessary data around your attachment.
answered 24 Sep '10, 00:41