Hi so i have been working with stream flows and its just not working i am not smart enough to grasp Hex editing and why my extracted data is not working But i discovered the Extract Object button that works great under the file menu But some http objects are not displayed i would just like to know why and what the limits of this easy to use item is so i can know where i can use it and where not i have tested downloading exe from a website works great but once i try and download a sample capture it does not see the object why would this be is it just that .pcap/.cap/.pcapng files are not in the data base or is there just a limited use for this feature This question is marked "community wiki". asked 28 Jul '16, 09:19 Reynhard Wouda |
One Answer:
It may be that there are missing packets from the capture file so the object is incomplete and thus can't be exported. But it's hard to say for sure without a capture file to look at. Coincidentally, bug 12588 was recently opened regarding this very topic. (The bug has since been closed because it wasn't actually a bug at all but merely that packets were missing from the capture file.) answered 28 Jul '16, 10:21 cmaynard ♦♦ |
Thanks Helps allot
But now all a need to know is will this work as an alternative to following a packet stream and saving the raw data and then compiling the file
it seems allot easier but will this be sufficient for all data in most cases or does the feature have a limitation to its use in the sense of garbing data from a packet capture and opening the file content downloaded by the user
For forensic purposes it would be beneficial if the object (with holes) could be exported. Same is done for RTP streams, where artificial silence is inserted on time stamp jumps.