I have a pcap with a HTTP upload of an image. Wonder if there is a way to extract the image to file with Wireshark. My Wireshark has version 1.10.6. When I tried "Export Objects" --> HTTP, I got the entire HTTP body of the HTTP POST message. The body includes things like Multi-part boundary etc and so it's not an image.

asked 05 Dec '15, 16:03 pktUser1001

2 Answers:
I get a similar result with 1.12.7, so it looks like a bug of the object export. Please file a bug report at https://bugs.wireshark.org

UPDATE: same with Wireshark 2.0.0, so definitely a bug or some form of encoding that is not yet implemented in the code.

However, if you remove the leading text lines in the exported file with a HEX editor up to '%PNG', you will get the correct image.

Regards

answered 06 Dec '15, 03:39 Kurt Knochner ♦ edited 06 Dec '15, 03:47

You can use NetworkMiner to extract any file uploaded with an HTTP POST. Just open the PCAP and NetworkMiner will carve out the files to disk for you.

answered 09 Dec '15, 03:25 Netresec_LJ

@Netresec_LJ, that's good to know. Wonder if NetworkMiner allows user to select a HTTP POST request and extract the files in the HTTP POST body? This allows user to pair up the extracted file with the HTTP request. Thanks. (09 Dec '15, 06:18) pktUser1001

@pktUser1001, NetworkMiner will extract all files from all HTTP POST requests in the loaded PCAP file. But the details you request are available in the "Files" tab of NetworkMiner. You will see the URL and a lot more details there for each extracted file. (09 Dec '15, 07:19) Netresec_LJ

@Netresec_LJ, I saw it now. Very nice. Wish the extracted upload-file will have a HTTP URL in addition to other parameters such as src ip, src port dst ip, dst port etc. (09 Dec '15, 07:30) pktUser1001

Thanks Kurt, reported it at: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=11859
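
The hex-editor trimming described in the first answer can be scripted. The following is an added example, not code from any poster or from Wireshark: it assumes the file saved by "Export Objects" is the raw multipart/form-data body, starting with its boundary line and using CRLF line endings, and it goes beyond the PNG case by returning every file part in the body. The function name, script name and sample data are made up for illustration.

```python
import os
import re
import sys

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"

def carve_multipart(body: bytes):
    """Return [(filename, content_type, data)] for every file part of a raw
    multipart/form-data body; the boundary is inferred from its first line."""
    delim, sep, _ = body.partition(b"\r\n")   # first line is "--" + boundary
    if not sep or not delim.startswith(b"--"):
        raise ValueError("body does not start with a multipart delimiter")
    files = []
    # Parts are separated by CRLF + delimiter; prepend CRLF so the first one matches.
    for chunk in (b"\r\n" + body).split(b"\r\n" + delim)[1:]:
        if chunk.startswith(b"--"):           # closing "--boundary--"
            break
        head, sep, data = chunk.partition(b"\r\n\r\n")
        headers = head.decode("latin-1")
        name = re.search(r'filename="([^"]*)"', headers, re.I)
        if not sep or not name:               # truncated part or plain form field
            continue
        ctype = re.search(r"^content-type:\s*(\S+)", headers, re.I | re.M)
        # The filename comes from the capture: keep only its last path component.
        safe = os.path.basename(name.group(1).replace("\\", "/")) or "unnamed.bin"
        files.append((safe, ctype.group(1) if ctype else "", data))
    return files

# Constructed sample body (not taken from a real capture).
BOUNDARY = b"----ConstructedBoundary7MA4"
FAKE_PNG = PNG_MAGIC + b"\x00\x01\r\n--looks-like-a-delimiter\r\n\xff"
SAMPLE_BODY = b"".join([
    b"--", BOUNDARY, b"\r\n",
    b'Content-Disposition: form-data; name="comment"\r\n\r\nhello\r\n',
    b"--", BOUNDARY, b"\r\n",
    b'Content-Disposition: form-data; name="file"; filename="../../up.png"\r\n',
    b"Content-Type: image/png\r\n\r\n",
    FAKE_PNG, b"\r\n",
    b"--", BOUNDARY, b"--\r\n",
])

if __name__ == "__main__":
    # Usage: python carve.py <file saved by Export Objects> (hypothetical script name)
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_BODY
    for fname, ctype, data in carve_multipart(raw):
        with open(fname, "wb") as out:
            out.write(data)
        print(fname, ctype, len(data), "PNG" if data.startswith(PNG_MAGIC) else "other")
```

Splitting on the full delimiter rather than searching for the PNG signature keeps the trailing boundary line out of the carved file and works for uploads that are not PNGs.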