This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

How to extract the attachment which is in multiple frames?

0

How to extract the attachment which is in multiple frames? For example, a doc file.

asked 23 Sep '10, 21:49

sethaliasath...


One Answer:

4

That depends on the protocol that was used to transfer the "attachment". For some protocols (HTTP, DICOM and SMB at the moment) Wireshark can export the objects through "File -> Export -> Objects -> <proto>".

If the attachment you are interested in is not transferred using one of those, your best bet is to do a "Follow TCP/UDP stream" and save the raw data (it's best to only save the data in one direction).

Then you have to use a (hex) editor to delete all the unnecessary data around your attachment.

answered 24 Sep '10, 00:41

SYN-bit ♦♦

Laura has a GREAT demo for this in one of her Wireshark training books. I don't remember if it is in the new one or one of her older revs, but I did it and it blew me away. There might even be a demo on YouTube. I used the hex process that SYN-bit refers to. It is well worth digging into to learn. You will be amazed at what you find :)

(06 Oct '10, 07:05) blacknight
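The hex-editor trimming step from the answer above can be scripted when the attachment's file type has a known signature. This is an added example, not part of the original answer or of Wireshark: the signature table, the `carve` function and the sample stream are constructed for illustration, and it assumes the stream was saved as raw data in one direction with the attachment transferred unencoded.

```python
# Added example: carve a file out of a raw, one-direction stream dump
# (the data saved from "Follow TCP/UDP stream") by its file signature.
from typing import NamedTuple, Optional

class Sig(NamedTuple):
    name: str
    header: bytes
    footer: Optional[bytes]   # None: the format has no fixed trailer

SIGNATURES = [
    Sig("pdf", b"%PDF-", b"%%EOF"),
    Sig("png", b"\x89PNG\r\n\x1a\n", b"IEND\xae\x42\x60\x82"),
    Sig("ole2-doc", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", None),  # legacy .doc
]

class Carved(NamedTuple):
    name: str
    start: int        # offset of the first attachment byte in the dump
    end: int          # offset one past the last kept byte
    complete: bool    # True only if a trailer was found after the header
    payload: bytes

def carve(stream: bytes) -> Optional[Carved]:
    """Cut the earliest recognised file out of the surrounding protocol data."""
    hits = [(stream.find(s.header), s) for s in SIGNATURES]
    hits = [(off, s) for off, s in hits if off != -1]
    if not hits:
        return None
    start, sig = min(hits, key=lambda h: h[0])
    # Use the last trailer: PDFs with incremental updates contain several %%EOF.
    foot = stream.rfind(sig.footer) if sig.footer else -1
    if foot > start:
        end, complete = foot + len(sig.footer), True
    else:
        # No trailer (OLE2) or truncated capture: keep everything to the end
        # of the dump; trailing protocol bytes still need manual review.
        end, complete = len(stream), False
    return Carved(sig.name, start, end, complete, stream[start:end])

# Constructed sample: made-up protocol framing around a minimal PDF body.
PDF = b"%PDF-1.4\n1 0 obj\n<<>>\nendobj\ntrailer\n<<>>\n%%EOF"
PREAMBLE = b"XFER-BEGIN name=report.pdf\r\n\r\n"
SAMPLE = PREAMBLE + PDF + b"\r\nXFER-END\r\n"

if __name__ == "__main__":
    r = carve(SAMPLE)
    print(r.name, r.start, r.end, r.complete)
```

If the protocol encodes the attachment in transit (for example base64), the signatures will not match until the data is decoded.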