Mike Philip wrote:

> In response to Guy Harris's question the file was
> captured via SMTP traffic.
>
> I posted yesterday:
>
> How do you reconstruct a MS Word document captured via
> ethereal? I've selected 'Follow TCP Stream' and found
> traffic with a word document as an attachment. But
> this all appears as hex? Is there a way to export the
> data into a Word document to see the contents?

Not for SMTP. "Follow TCP Stream" does let you write the raw data of
one or the other side of a TCP conversation (or both sides of the
conversation) to a file in binary (that's what "raw" does), *BUT* that
means that, if the file was mailed, all the SMTP commands that
transferred the file will also be in the file.

Typically, a binary file such as a Word document will be encoded as text
in, for example, base-64 form, so the resulting file will probably be a
text file, and you'll probably be able to edit it with a text editor and
remove the SMTP commands. However, the Word document will probably be
an attachment, meaning you'll have to manually extract the attachment
from the file, and manually decode the base-64 (or whatever the encoding
is - that'll be in the MIME headers in the mail), unless there's a tool
that'll do that for you (there might be, but I don't know offhand what
tools there are). Ethereal will do none of that for you.
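
The manual steps described in the reply above (strip the SMTP commands, pull out the attachment, decode it per the MIME headers) can be scripted. The following is an added example, not part of the original post; the function names, the sample addresses and the placeholder attachment bytes are constructed for illustration, and it assumes the raw stream file contains a single message.

```python
import base64, email, os
from email import policy

def extract_message(stream: bytes) -> bytes:
    """Return the mail message carried between DATA and the lone '.' line."""
    lines = stream.split(b"\r\n")
    start = next(i for i, l in enumerate(lines) if l.strip().upper() == b"DATA") + 1
    if lines[start].startswith(b"354"):  # server reply, present if both sides were saved
        start += 1
    end = lines.index(b".", start)       # end-of-data marker
    # Undo SMTP dot-stuffing: the client doubles a leading '.' on body lines.
    body = [l[1:] if l.startswith(b".") else l for l in lines[start:end]]
    return b"\r\n".join(body) + b"\r\n"

def extract_attachments(stream: bytes) -> dict:
    """Map attachment file name -> bytes decoded per Content-Transfer-Encoding."""
    msg = email.message_from_bytes(extract_message(stream), policy=policy.default)
    found = {}
    for part in msg.walk():
        name = part.get_filename()
        if name:
            # The name comes from captured traffic; keep only its last component.
            safe = os.path.basename(name.replace("\\", "/")) or "unnamed"
            found[safe] = part.get_payload(decode=True)
    return found

# Constructed sample: client side of an SMTP session as saved with "raw".
# DOC_BYTES is a placeholder, not a real Word document.
DOC_BYTES = bytes.fromhex("d0cf11e0a1b11ae1") + b"constructed placeholder"
SAMPLE_STREAM = b"\r\n".join([
    b"EHLO client.example", b"MAIL FROM:<alice@example.com>",
    b"RCPT TO:<bob@example.com>", b"DATA",
    b"From: alice@example.com", b"Subject: report", b"MIME-Version: 1.0",
    b'Content-Type: multipart/mixed; boundary="b1"', b"",
    b"--b1", b"Content-Type: text/plain", b"", b"See attached.", b"..dot line",
    b"--b1", b'Content-Type: application/msword; name="report.doc"',
    b"Content-Transfer-Encoding: base64",
    b'Content-Disposition: attachment; filename="report.doc"', b"",
    base64.b64encode(DOC_BYTES),
    b"--b1--", b".", b"QUIT", b"",
])

if __name__ == "__main__":
    for name, data in extract_attachments(SAMPLE_STREAM).items():
        with open(name, "wb") as fh:
            fh.write(data)
        print(name, len(data), "bytes")
```

Treat any file recovered this way as untrusted and open it only in an isolated analysis environment.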