
Hello everybody! I am attempting to capture the packets on my own computer, in the hopes of being able to extract any files downloaded from the resulting pcap file. From what I understand this should be possible, but I am having no success in doing so. When in Wireshark after the capture, I understand that doing File > Export Objects > HTTP should extract the files from the capture session, but I do not see either of the two .exe files that I downloaded during my session when using this method. I am not using any filters, and I am sniffing on the Ethernet interface that my computer is connected to.

Help is appreciated!

asked 07 Oct '15, 05:39


surfing123

Show us the capture file, just put it on CloudShark.

(07 Oct '15, 07:34) Jaap ♦

If the download was through HTTPS, you won't see anything!

(07 Oct '15, 07:42) Kurt Knochner ♦

Ok. Here is the link. The pcap should contain a single exe file, which I am attempting to extract. https://www.cloudshark.org/captures/d6503563cbc6

(07 Oct '15, 07:56) surfing123

Ok, so it appears that when I used NetworkMiner to extract files from the pcap I just posted, I was able to grab the file. The difference between this pcap and the original one is that the original pcap contained larger exe files. Could this be the reason I was originally unable to extract the exe files? Is there some sort of size limitation in play? I was unable to upload the original pcap because CloudShark limits uploads to 2 MB.

(07 Oct '15, 08:00) surfing123

Kurt, is there no way to extract a file downloaded over an HTTPS connection?

(07 Oct '15, 08:03) surfing123

I was able to extract and run the file PortRptr.exe from the trace you posted on Cloudshark.

Go to Edit > Preferences > Protocols > TCP and enable "Allow subdissector to reassemble TCP streams." Then go to File > Export Objects > HTTP. Find and highlight the file and click "Save As."

If you normally have "Allow subdissector to reassemble streams" off, then turn it back off when you're done saving the file.


answered 07 Oct '15, 08:30


Jim Aragon
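The reason the answer above needs "Allow subdissector to reassemble TCP streams" is that a downloaded executable arrives as one HTTP response spread over many TCP segments; Export Objects can only carve the file once those segments are put back in sequence order and the Content-Length is satisfied. The following script is an added example, not code from the original thread or from the Wireshark project: it reassembles a constructed, out-of-order server-to-client stream by sequence number (dropping a retransmission and refusing gaps), parses the HTTP response, verifies the body against Content-Length so a truncated capture is not mistaken for a whole file, and hashes the recovered object so it can be compared with a known-good hash. The segment data, filename and sequence numbers are all constructed for the example.

```python
"""Added example: why TCP reassembly matters for Export Objects > HTTP."""
import hashlib
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    """One server-to-client TCP segment as a capture tool would hand it over."""
    seq: int        # absolute TCP sequence number of the first payload byte
    payload: bytes


def reassemble(segments, isn):
    """Rebuild the byte stream that starts at initial sequence number `isn`.

    Segments may be out of order or retransmitted: duplicates are dropped,
    and a gap raises so a missing piece is never silently skipped.
    """
    stream = bytearray()
    expected = isn
    for seg in sorted(segments, key=lambda s: s.seq):
        if seg.seq + len(seg.payload) <= expected:
            continue  # full retransmission of data already in the stream
        if seg.seq > expected:
            raise ValueError(f"gap in stream: missing bytes {expected}-{seg.seq - 1}")
        stream += seg.payload[expected - seg.seq:]  # keep only the new tail on overlap
        expected = seg.seq + len(seg.payload)
    return bytes(stream)


def extract_http_object(stream):
    """Split one HTTP/1.1 response into (status line, headers, body).

    Returns None when the body is shorter than Content-Length, i.e. the
    capture stopped before the download finished.
    """
    head, sep, body = stream.partition(b"\r\n\r\n")
    if not sep:
        return None
    lines = head.split(b"\r\n")
    status = lines[0].decode("ascii", "replace")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().decode("ascii", "replace").lower()] = (
            value.strip().decode("ascii", "replace"))
    length = int(headers.get("content-length", len(body)))
    if len(body) < length:
        return None  # incomplete download
    return status, headers, body[:length]


def sha256_hex(data):
    """Hex SHA-256 of the recovered object, for comparison with a known-good value."""
    return hashlib.sha256(data).hexdigest()


# Constructed server-side stream: a fake 1026-byte "PE" body delivered in
# three segments that arrive out of order, plus one retransmitted copy.
ISN = 1000
FAKE_EXE = b"MZ" + bytes(range(256)) * 4
RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: application/octet-stream\r\n"
    b"Content-Disposition: attachment; filename=example.exe\r\n"
    + b"Content-Length: %d\r\n\r\n" % len(FAKE_EXE)
    + FAKE_EXE
)
CAPTURED = [
    Segment(ISN + 600, RESPONSE[600:]),
    Segment(ISN, RESPONSE[:300]),
    Segment(ISN + 300, RESPONSE[300:600]),
    Segment(ISN, RESPONSE[:300]),   # retransmission of the first segment
]


def recover_file(segments=CAPTURED, isn=ISN):
    """Reassemble, parse and return (filename, body, sha256), or None if incomplete."""
    obj = extract_http_object(reassemble(segments, isn))
    if obj is None:
        return None
    status, headers, body = obj
    m = re.search(r"filename=([^;]+)", headers.get("content-disposition", ""))
    name = m.group(1).strip() if m else "object.bin"
    return name, body, sha256_hex(body)


if __name__ == "__main__":
    result = recover_file()
    if result is None:
        print("download incomplete or not HTTP")
    else:
        name, body, digest = result
        print(f"{name}: {len(body)} bytes, sha256={digest}")
```

The same steps on a real capture, without the GUI, are `tshark -r capture.pcap -o tcp.desegment_tcp_streams:TRUE --export-objects http,outdir`; the `-o` preference is the command-line form of the checkbox named in the answer. As Kurt's comment notes, none of this applies to a download over HTTPS, where only encrypted TLS records are visible in the capture.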

question asked: 07 Oct '15, 05:39

question was seen: 39,578 times

last updated: 07 Oct '15, 08:30
