Well that's basically what you're doing. Check the raw button and save
the data from the "Follow TCP Stream" window. But all the data is saved,
not just the JPEG-data so you have to cut the http-headers and things
like that.
On Sat, 3 Feb 2007 20:17:25 -0800 (PST), "d a" <otto81494@xxxxxxxxx>
said:
> James
> Thanks for the response. Was hoping for something a bit more automated
> like the "export as raw data option" but I can work with this too. Il
> give it a try
> Dave
>
> "Small, James" <JSmall@xxxxxxxxxxxx> wrote: Dave,
>
> You should be able to do a follow TCP stream and save the contents to a
> file. However, in order to edit the file, you need to use a hex editor.
> If you use a regular editor, it will mangle the file. Usually when I do
> this (for example saving a JPEG), I open a working JPEG in a Hex editor
> so I can see what the initial file header is. For JPEGs, I believe this
> is HEX:ffd8ffe000104a464946 (ASCII:ÿØÿà..JFIF). Then when I edit the
> exported TCP stream, I know to delete up to that header so that I can
> save a valid JPEG. I have used this to extract many different types of
> files successfully.
>
> Here's an example free Hex Editor that I have used:
> http://www.hhdsoftware.com/Family/hex-editor.html
>
> Not to say there aren't better ones, but this one has worked for me.
>
> --Jim
>
> ________________________________________
> From: wireshark-users-bounces@xxxxxxxxxxxxx
> [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of d a
> Sent: Saturday, February 03, 2007 11:47 AM
> To: wireshark-users@xxxxxxxxxxxxx
> Subject: [Wireshark-users] Reassemble packets from Gnutella download?
>
> Hello all,
>
> I posted a couple days ago and it never made the forum so I appologize if
> this is a repeat.
> First off...great software!
> I have about 12 hours of Wireshark use so far. Having trouble
> reassembling packets downloaded from Gnutella. I can reassemble HTTP
> image packets n/p. Someone please tell me what Im doing wrong.
>
> I begin a capture (wireshark latest realease), download an image file
> (jpg ) with only 1 host (to avoid swarming downloads). I then stop the
> capture and filter using the "ip.source" filter. I can then view all tcp
> packets downloaded from the host and checksum shows successful. I dont
> get the same options as I do with a HTTP Jpeg download and cant find an
> option to export as raw data. I even tried "follow TCP stream", stripping
> header info, and copy and paste the bytes to a text editor with a JPEG
> extension but the image wont open. I do have TCP dissector and IP
> reassemble ticked. Maybe Im using the wrong filter?
>
> Any suggestions as to how I can reassemble an image file downloaded
> from with Gnutella would be greatly appretiated.
> Thanks
> Dave
>
>
> ________________________________________
> Sucker-punch spam with award-winning protection.
> Try the free Yahoo! Mail Beta.
> _______________________________________________
> Wireshark-users mailing list
> Wireshark-users@xxxxxxxxxxxxx
> http://www.wireshark.org/mailman/listinfo/wireshark-users
>
>
>
> ---------------------------------
> Never Miss an Email
> Stay connected with Yahoo! Mail on your mobile. Get started!
--
Hans Nilsson
hasse_gg@xxxxxxxx
--
http://www.fastmail.fm - A no graphics, no pop-ups email service