This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Forensic Analysis (XMPP)

0

Hi Guys,

Is it possible to extract the files that are transferred captured under the XMPP/XML Protocol?

I am able to see the filename and size, but i have no idea how to extract/rebuild the image.

Here is the PCAP if you any of you are willing to help.

Forensic Analysis - PCAP File

Kind Regards,

Sen

asked 12 Oct '15, 01:02

sentral's gravatar image

sentral
6113
accept rate: 0%

One Answer:
active answersoldest answersnewest answerspopular answers
3

Is it possible to extract the files that are transferred captured under the XMPP/XML Protocol?

Yes.

Description based on Wireshark 1.12.7. As there are only JPEGs in your pcap file, the following description is related to JPEG files (see remove bytes at the beginning of the file!).

Step #1: Follow the TCP stream.

tcp.stream eq 1

Step #2: right click any frame and select "Follow TCP Stream"
Step #3: In the pop-up window, click "save as" and save the file to a directory
Step #4: get a HEX editor, like HxD
Step #5: open the saved file in the HEX editor
Step #6: remove everything up to the 6 bytes in front of "JFIF"

alt text

Step #7: save the file
Step #8: Open the file with an image viewer.

Hint: 'save as' in the pop-up of 'Follow TCP stream' in 1.99.x somehow cripples the file, so don't use 1.99.x!

Regards
Kurt

permanent link

answered 12 Oct '15, 15:03

Kurt%20Knochner's gravatar image

Kurt Knochner ♦
24.8k1039237
accept rate: 15%

edited 12 Oct '15, 15:05

Hey Kurt,

Thanks for your help!

Sen

(13 Oct '15, 01:40) sentral

You're welcome!

(13 Oct '15, 04:57) Kurt Knochner ♦
Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

learn more about Markdown

Question tags:

×238
×100
×36
×3
×2

question asked: 12 Oct '15, 01:02

question was seen: 2,525 times

last updated: 13 Oct '15, 04:57

Related questions

Analyzing Large PCAP files (46GB) in Wireshark?

How can I convert an .xml file to a .pcap file

Purchasing wireshark,Pcap analysis

Remoteapp connection drop

See commands Describe, Setup, Play , Teardown in the log for VOD streaming

package fields is analysised by config file.field is defined in config file.

Analyze PCAP file

How to analyze pcap files for slow internet communication

Extracting SOAP XML Payload

RTP Analysis and Assessment

about | faq | privacy | support | contact

p​o​w​e​r​e​d by O​S​Q​A