At 07:05 PM 11/13/2006, Jim Small wrote:
> Pete,
> I didn't even realize you could do this until I read your question, but
> here is one way (not sure if this is exactly what you want):
> Open a capture
> Narrow down the interesting packets
> (For example, I do a lot of web traffic analysis so I might use a filter
> such as http.content_length > 20000)
> Now, let's say I see a Flash file, a GIF, or a JPEG that I want to save
> - just the actual binary data, not the packet headers.
> I would click on the interesting packet (assuming I have TCP and HTTP
> reassembly enabled)
> Next, in the packet details window (middle pane) I would click on the
> relevant data portion. So for a JPEG image this would be the part that
> reads JPEG File Interchange Format.
> Finally, I would use the File->Export->Selected Packet Bytes menu item.
> Then I would name the file and I personally change the save as type to
> *.* so I can set the file extension (not completely sure this is
> necessary but I do it out of habit).
> Now, if I open up this file with a graphics viewer I will see that I
> have a valid JPEG.
> Pretty cool stuff.

I think that would work for small amounts of data, but I'm dealing
with video streams over hundreds of packets.

> You can also filter by TCP streams (but I believe you can't save as raw
> from the TCP Streams page).

You can save as raw. It's great for video streams over TCP.
I was hoping for a similar capability for UDP streams, after I'd
applied a filter.
Thanks
Pete
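
Added example, not part of the original thread: one way to pull the raw payload of a single UDP flow out of a saved capture without going through the GUI, by parsing the capture file directly. The function names, addresses and sample frames are constructed for illustration; it assumes a classic pcap file (not pcapng), Ethernet framing and unfragmented IPv4, and joins datagrams in capture order because UDP carries no sequence numbers.

```python
import socket
import struct

def udp_stream_payload(pcap_bytes, src, dst):
    """Join UDP payloads sent from src to dst, each an (ip, port) tuple.

    Classic pcap, Ethernet, IPv4 only; datagrams are joined in capture order.
    """
    magic = pcap_bytes[:4]
    if magic not in (b"\xd4\xc3\xb2\xa1", b"\xa1\xb2\xc3\xd4"):
        raise ValueError("not a classic pcap file (pcapng is not handled)")
    end = "<" if magic[0] == 0xD4 else ">"
    if struct.unpack(end + "I", pcap_bytes[20:24])[0] != 1:
        raise ValueError("only Ethernet (link type 1) is handled")
    out, pos = bytearray(), 24
    while pos + 16 <= len(pcap_bytes):
        incl_len = struct.unpack(end + "I", pcap_bytes[pos + 8:pos + 12])[0]
        frame = pcap_bytes[pos + 16:pos + 16 + incl_len]
        pos += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue  # not IPv4 (VLAN-tagged and IPv6 frames are skipped)
        fragment = struct.unpack(">H", frame[20:22])[0] & 0x3FFF
        if frame[23] != 17 or fragment:
            continue  # not UDP, or an IP fragment that needs reassembly
        udp = frame[14 + (frame[14] & 0x0F) * 4:]
        if len(udp) < 8:
            continue
        sport, dport, ulen = struct.unpack(">HHH", udp[:6])
        sip, dip = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
        if (sip, sport) == src and (dip, dport) == dst:
            out += udp[8:ulen]  # the UDP length field excludes Ethernet padding
    return bytes(out)

def make_frame(src, dst, payload, pad=0):
    """Constructed sample frame: Ethernet + IPv4 + UDP, checksums left at zero."""
    udp = struct.pack(">HHHH", src[1], dst[1], 8 + len(payload), 0) + payload
    ip = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     socket.inet_aton(src[0]), socket.inet_aton(dst[0]))
    return b"\x00" * 12 + b"\x08\x00" + ip + udp + b"\x00" * pad

def make_pcap(frames):
    """Wrap constructed frames in a little-endian classic pcap container."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return header + b"".join(
        struct.pack("<IIII", i, 0, len(f), len(f)) + f for i, f in enumerate(frames))

if __name__ == "__main__":
    a, b = ("192.0.2.10", 5004), ("192.0.2.20", 5004)
    frames = [make_frame(a, b, b"part1-"), make_frame(b, a, b"reply"),
              make_frame(a, b, b"part2", pad=13)]
    print(udp_stream_payload(make_pcap(frames), a, b))
```

Lost or reordered datagrams are not detected here; for a stream carried over RTP or a similar protocol, the application-layer sequence numbers would have to be used to order the payloads before writing them out.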