Wireshark-users: Re: [Wireshark-users] Exporting raw packet data?
From: "Small, James" <JSmall@xxxxxxxxxxxxxx>
Date: Mon, 13 Nov 2006 22:05:51 -0500
Pete,

I didn't even realize you could do this until I read your question, but here is one way (not sure if this is exactly what you want):

Open a capture.

Narrow down the interesting packets. (For example, I do a lot of web traffic analysis, so I might use a filter such as http.content_length > 20000.)

Now, let's say I see a Flash file, a GIF, or a JPEG that I want to save - just the actual binary data, not the packet headers. I would click on the interesting packet (assuming I have TCP and HTTP reassembly enabled).

Next, in the packet details window (middle pane) I would click on the relevant data portion. So for a JPEG image this would be the part that reads JPEG File Interchange Format.

Finally, I would use the File->Export->Selected Packet Bytes menu item. Then I would name the file, and I personally change the save as type to *.* so I can set the file extension (not completely sure this is necessary, but I do it out of habit).

Now, if I open up this file with a graphics viewer I will see that I have a valid JPEG. Pretty cool stuff.

You can also filter by TCP streams (but I believe you can't save as raw from the TCP Streams page). Once you filter by TCP Stream, close the Follow TCP Stream page. Now, you need to select the packet that has the upper layer info you're interested in. There should only be one packet like this. The rest of the packets will be flow start (SYN, SYN/ACK, ACK), flow stop (FIN/ACK, ACK, FIN/ACK, ACK), and reassembled PDUs (TCP Segment of a reassembled PDU), or maybe an occasional ReSeT. In my case, I look for the one packet that says HTTP/1.1 200 OK (JPEG JFIF image).

Hope that helps,
--Jim

-----Original Message-----
From: wireshark-users-bounces@xxxxxxxxxxxxx [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of Pete Fraser
Sent: Monday, November 13, 2006 8:52 PM
To: wireshark-users@xxxxxxxxxxxxx
Subject: [Wireshark-users] Exporting raw packet data?

I'm new to Wireshark, so sorry if this is a dumb question.

I want to export packet data in raw format, so that I end up with a binary file.

If the packets are TCP I can use Analyze->Follow TCP Stream then Save As Raw.

For any type of packet, I can select packet data in the bottom pane and do File->Export->Selected Packet Bytes.

What I want to do, but can't work out how, is to export a lot of packet data as a raw binary file. I develop the appropriate filter so that only the packets of interest are visible, then do File->Export->File..., select "All packets", "Displayed", and "Packet Bytes" for the only Packet Format. I would hope that I can then save as raw, but I only find ASCII, PS, XML, etc.

What am I doing wrong?

Thanks in advance.
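
An added example, not part of the original thread or of Wireshark: one way to do the bulk export asked about above outside the GUI, by stripping the Ethernet, IPv4 and TCP/UDP headers from every packet in a capture and concatenating what is left. It assumes the packets of interest have already been saved to their own classic-format pcap file with Ethernet/IPv4 framing; the function names, the output file name and the sample capture are constructed for this illustration.

```python
import struct

def payloads(pcap: bytes):
    """Yield the TCP/UDP payload of each Ethernet/IPv4 packet in a classic pcap."""
    if pcap[:4] == b"\xd4\xc3\xb2\xa1":
        end = "<"
    elif pcap[:4] == b"\xa1\xb2\xc3\xd4":
        end = ">"
    else:
        raise ValueError("not a classic (non-pcapng) capture file")
    if struct.unpack(end + "I", pcap[20:24])[0] != 1:
        raise ValueError("only the Ethernet link type is handled")
    off = 24                                    # skip the 24-byte global header
    while off + 16 <= len(pcap):
        incl_len = struct.unpack(end + "I", pcap[off + 8:off + 12])[0]
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                            # not IPv4 (VLAN, IPv6 not handled)
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        seg = ip[ihl:struct.unpack("!H", ip[2:4])[0]]  # total length trims padding
        if ip[9] == 6 and len(seg) >= 20:       # TCP: skip header including options
            data = seg[(seg[12] >> 4) * 4:]
        elif ip[9] == 17 and len(seg) >= 8:     # UDP: fixed 8-byte header
            data = seg[8:]
        else:
            continue
        if data:
            yield data

def export_raw(pcap: bytes) -> bytes:
    """Concatenate payloads in capture order (no TCP reordering or de-duplication)."""
    return b"".join(payloads(pcap))

def sample_pcap() -> bytes:
    """Constructed capture: UDP 'hello', a padded bare TCP ACK, TCP ' world'."""
    def frame(proto, l4, pad=b""):
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                         bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
        return b"\x00" * 12 + b"\x08\x00" + ip + l4 + pad
    tcp = struct.pack("!HHIIBBHHH", 80, 4000, 1, 1, 0x50, 0x10, 1024, 0, 0)
    frames = [frame(17, struct.pack("!HHHH", 5000, 5001, 13, 0) + b"hello"),
              frame(6, tcp, pad=b"\x00" * 6),
              frame(6, tcp + b" world")]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

if __name__ == "__main__":
    with open("payload.bin", "wb") as fh:       # output name is a placeholder
        fh.write(export_raw(sample_pcap()))
```

The padded ACK in the sample shows why the IPv4 total-length field is used: without it, Ethernet padding on short frames would be written out as if it were payload.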