This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Email attachment

0

How to get the size of an e-mail attachment? The protocol is POP. I have found the e-mail stream, and I have also seen this:

------MIME delimiter for sendEmail-910493.736229004
Content-Type: application/pdf;
    name="invitation.pdf"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="invitation.pdf"

but I don't know how to get the size of that attachment, does anyone know? Any help is appreciated.

asked 13 Jun '14, 02:17

Bishoy Atef


One Answer:

1

> but I don't know how to get the size of that attachment, does anyone know? Any help is appreciated.

If there is no header that shows the length of the attachment (like "Content-Length"), you'll have to 'count' the bytes yourself, by doing the following:

  • right click one of the POP3 frames
  • select "Follow TCP Stream"
  • in the pop-up window, select the encoded bytes (base64 encoded) of the attachment
  • copy those bytes to the clipboard (CTRL-C)
  • go to http://www.motobit.com/util/base64-decoder-encoder.asp or use the base64 decoder of your choice
  • paste the clipboard into the blank white window
  • select the following options: 'decode the data from a Base64 string' and 'export to a binary file, filename:'
  • save the file 'base64.bin' when the pop-up appears.
  • check the file size of 'base64.bin'. That size is the answer to your question.

You can test it with the following POP3 pcap file.

http://wiki.xplico.org/lib/exe/fetch.php?media=pcap:xplico.org_sample_capture_pop3_must_use_xplico_nc.cfg.pcap

Set the following display filter to get the TCP stream with the attachment:

tcp.stream eq 2

Then right-click one of the frames and select Follow TCP Stream. In the pop-up window, click on Find and search for attachment. From the first occurrence, copy the attachment bytes.

/9j/4AAQSkZJRgABAQEASABIAAD/2wBDAAUDBAQEAwUEBAQFBQUGBwwIBwcHBw8LCwkMEQ8SEhEP
ERETFhwXExQaFRERGCEYGh0dHx8fExciJCIeJBweHx7/2wBDAQUFBQcGBw4ICA4eFBEUHh4eHh4e
.....
many more lines
.....
AhEBAxEB/8QAHAAAAQUBAQEAAAAAAAAAAAAABQIDBAYHAAEI/8QAThAAAgEDAwEGAwYEAwYEAwUJ
XHHV1dXVxx1dXV1ccdXV1dXHHV1dXVxx1dXV1ccdXV1dXHHV1dXVxx1dXV1ccdXV1dXHHV1dXVxx
1dXV1ccdXV1dXHHV1dXVxx1dXV1ccdXV1dXHHV1dXVxx1dXV1ccdXV1dXHH/2Q==
--00151747362a0e2e0d047a4eb121--  <=== NOT this line !!!

The last line is the end marker for the MIME encoded attachment. Don't copy that line. Then just follow the steps described above. You should get a file named base64.bin, with a size of ~ 71,5 KByte.

Alternatively, you can use other tools to extract the attachment from the POP3 stream (not sure which of the following actually do support POP3 - I believe Xplico).

Xplico - the tool that provided the POP3 sample capture file above.

http://www.xplico.org

Some other tools (NetworkMiner, tcpxtract, etc.) here:

https://isc.sans.edu/diary/Tools+for+extracting+files+from+pcaps/6961

NetWitness Investigator (now part of EMC, but still available as Freeware). Hint: Download and save that tool, as long as EMC is providing the download ;-))

http://download.netwitness.com

Regards
Kurt

answered 13 Jun '14, 07:45

Kurt Knochner ♦

edited 13 Jun '14, 07:58

Thank you very much for your reply, that really helps.

(15 Jun '14, 00:10) Bishoy Atef
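
The manual steps in the answer above, scripted as an added example (not part of the original answer): it takes the raw bytes saved from Follow TCP Stream, pulls the message out of the RETR reply, and reports each attachment's decoded size next to the size computed from the base64 length alone. The sample stream, boundary and payload are constructed for illustration, and the function names are hypothetical.

```python
import base64
import email
from email import policy

def extract_message(stream: bytes) -> bytes:
    """Return the message from the first RETR reply in a raw POP3 stream dump."""
    lines = iter(stream.split(b"\r\n"))
    for line in lines:                      # skip ahead to the client's RETR
        if line.upper().startswith(b"RETR"):
            break
    next(lines, None)                       # drop the server's "+OK ..." status line
    body = []
    for line in lines:
        if line == b".":                    # a lone dot ends the multi-line reply
            break
        body.append(line[1:] if line.startswith(b".") else line)  # undo dot-stuffing
    return b"\r\n".join(body) + b"\r\n"

def b64_decoded_len(b64_text: str) -> int:
    """Size after decoding, computed from the text alone: 4 chars -> 3 bytes."""
    chars = "".join(b64_text.split())       # line breaks are not part of the data
    return len(chars) * 3 // 4 - (len(chars) - len(chars.rstrip("=")))

def attachment_sizes(stream: bytes) -> dict:
    """Map attachment filename -> (decoded size, size estimated from base64 length)."""
    msg = email.message_from_bytes(extract_message(stream), policy=policy.default)
    sizes = {}
    for part in msg.walk():
        if part.get_content_disposition() == "attachment":
            decoded = part.get_payload(decode=True)
            sizes[part.get_filename()] = (len(decoded), b64_decoded_len(part.get_payload()))
    return sizes

# Constructed sample: 1280 stand-in bytes sent as "invitation.pdf" over POP3.
PAYLOAD = bytes(range(256)) * 5
SAMPLE_STREAM = (
    b"+OK POP3 ready\r\nRETR 1\r\n+OK 2100 octets\r\n"
    b"Subject: invitation\r\nMIME-Version: 1.0\r\n"
    b'Content-Type: multipart/mixed; boundary="example-boundary"\r\n\r\n'
    b"--example-boundary\r\nContent-Type: text/plain\r\n\r\nSee attachment.\r\n"
    b"--example-boundary\r\nContent-Transfer-Encoding: base64\r\n"
    b'Content-Type: application/pdf;\r\n    name="invitation.pdf"\r\n'
    b'Content-Disposition: attachment; filename="invitation.pdf"\r\n\r\n'
    + base64.encodebytes(PAYLOAD).replace(b"\n", b"\r\n")
    + b"--example-boundary--\r\n.\r\nQUIT\r\n"
)

if __name__ == "__main__":
    print(attachment_sizes(SAMPLE_STREAM))
```

For a real capture, save the stream from the Follow TCP Stream window in raw format and pass the file's bytes to `attachment_sizes`.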