Wireshark-users: Re: [Wireshark-users] Reassemble packets from Gnutella download?

From: "Hans Nilsson" <hasse_gg@xxxxxxxx>
Date: Sun, 04 Feb 2007 06:53:50 -1100
I guess that depends on how the Gnutella protocol actually sends the
files. In some situations the actual data is constantly mixed with
control data that controls the transfer. I don't really know an easy way
to get the actual file data from a stream like that. I guess check the
Gnutella protocol?


On Sun, 4 Feb 2007 06:35:11 -0800 (PST), "d a" <otto81494@xxxxxxxxx>
said:
> I did exactly that. Saved "tcp stream" as raw data, manually stripped the
> header, and saved as jpg. This is pretty easy with a small file (30KB).
> When I download a larger jpg, I receive multiple headers midstream. The
> header info sometimes runs into the raw data. It's a long process trying to
> edit exactly to reproduce the image. Furthermore even though the image
> sometimes opens properly, the sha1 value doesn't always match that of the
> original image proving that my reassembly isn't perfect.
> 
> I think I need a filter that will remove header bytes or separate
> software that can accomplish this in the raw data file. Any ideas?
> 
> 
> Hans Nilsson <hasse_gg@xxxxxxxx> wrote: Well that's basically what you're
> doing. Check the raw button and save
> the data from the "Follow TCP Stream" window. But all the data is saved,
> not just the JPEG-data so you have to cut the http-headers and things
> like that.
> 
> 
> On Sat, 3 Feb 2007 20:17:25 -0800 (PST), "d a" 
> said:
> > James
> > Thanks for the response. Was hoping for something a bit more automated
> > like the "export as raw data option" but I can work with this too. I'll
> > give it a try
> > Dave
> > 
> > "Small, James"  wrote: Dave,
> > 
> > You should be able to do a follow TCP stream and save the contents to a
> > file.  However, in order to edit the file, you need to use a hex editor. 
> > If you use a regular editor, it will mangle the file.  Usually when I do
> > this (for example saving a JPEG), I open a working JPEG in a Hex editor
> > so I can see what the initial file header is.  For JPEGs, I believe this
> > is HEX:ffd8ffe000104a464946 (ASCII:ÿØÿà..JFIF).  Then when I edit the
> > exported TCP stream, I know to delete up to that header so that I can
> > save a valid JPEG.  I have used this to extract many different types of
> > files successfully.
> > 
> > Here's an example free Hex Editor that I have used:
> > http://www.hhdsoftware.com/Family/hex-editor.html
> > 
> > Not to say there aren't better ones, but this one has worked for me.
> > 
> > --Jim
> >  
> > ________________________________________
> > From: wireshark-users-bounces@xxxxxxxxxxxxx
> > [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of d a
> > Sent: Saturday, February 03, 2007 11:47 AM
> > To: wireshark-users@xxxxxxxxxxxxx
> > Subject: [Wireshark-users] Reassemble packets from Gnutella download?
> > 
> > Hello all,
> > 
> > I posted a couple days ago and it never made the forum so I apologize if
> > this is a repeat.
> > First off...great software!
> > I have about 12 hours of Wireshark use so far. Having trouble
> > reassembling packets downloaded from Gnutella. I can reassemble HTTP
> > image packets n/p. Someone please tell me what I'm doing wrong.
> > 
> > I begin a capture (wireshark latest release), download an image file
> > (jpg) with only 1 host (to avoid swarming downloads). I then stop the
> > capture and filter using the "ip.source" filter. I can then view all tcp
> > packets downloaded from the host and checksum shows successful. I don't
> > get the same options as I do with a HTTP Jpeg download and can't find an
> > option to export as raw data. I even tried "follow TCP stream", stripping
> > header info, and copy and paste the bytes to a text editor with a JPEG
> > extension but the image won't open. I do have TCP dissector and IP
> > reassemble ticked. Maybe I'm using the wrong filter?
> > 
> > Any suggestions as to how I can reassemble an image file downloaded
> > from within Gnutella would be greatly appreciated.
> > Thanks
> > Dave
> > 
> >   
> > _______________________________________________
> > Wireshark-users mailing list
> > Wireshark-users@xxxxxxxxxxxxx
> > http://www.wireshark.org/mailman/listinfo/wireshark-users
> > 
> > 
> -- 
>   Hans Nilsson
>   hasse_gg@xxxxxxxx
> 
> -- 
> http://www.fastmail.fm - A no graphics, no pop-ups email service
> 
-- 
  Hans Nilsson
  hasse_gg@xxxxxxxx

-- 
http://www.fastmail.fm - IMAP accessible web-mail
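The header-stripping Jim describes, and the multiple mid-stream headers Dave ran into on larger files, can be automated instead of done by hand in a hex editor. The script below is an added example and is not part of this thread or of Wireshark. It assumes the input is the raw "Follow TCP Stream" dump, that the transfer consists of HTTP-style messages whose responses carry a Content-Length header (and, for partial transfers, a Content-Range header), and that messages without Content-Length (the client's requests, if both directions were saved) have no body. The sample stream, the URI `/get/42/photo.jpg`, the host `10.0.0.5` and the "image" bytes are all constructed for the demonstration; the fake image only begins with the `ffd8ffe000104a464946` bytes Jim quotes and is not a real picture.

```python
"""Carve a file out of a raw "Follow TCP Stream" dump that still contains
HTTP request/response headers, possibly several of them mid-stream.

Assumptions (not from the mailing-list thread): the download is carried as
HTTP-style messages, responses carry Content-Length, partial responses carry
Content-Range, and requests (no Content-Length) have no body.
"""
import hashlib
import re
import sys

SOI = b"\xff\xd8\xff"  # JPEG start-of-image marker (the ffd8ff... Jim quotes)
EOI = b"\xff\xd9"      # JPEG end-of-image marker

HEADER_END = re.compile(rb"\r?\n\r?\n")
CONTENT_LENGTH = re.compile(rb"^Content-Length:[ \t]*(\d+)", re.I | re.M)
CONTENT_RANGE = re.compile(
    rb"^Content-Range:[ \t]*bytes[ \t]+(\d+)-(\d+)/(\d+|\*)", re.I | re.M)


def split_http_messages(stream):
    """Yield (headers, body) pairs walking the dump front to back.
    The body length is taken from Content-Length, never by searching for a
    marker inside binary data, so header text that butts directly against
    image bytes is split at the right place."""
    pos = 0
    while pos < len(stream):
        m = HEADER_END.search(stream, pos)
        if m is None:
            # no further header block: whatever is left is treated as bare data
            yield b"", stream[pos:]
            return
        headers = stream[pos:m.start()]
        body_start = m.end()
        cl = CONTENT_LENGTH.search(headers)
        length = int(cl.group(1)) if cl else 0
        yield headers, stream[body_start:body_start + length]
        pos = body_start + length


def reassemble(stream):
    """Concatenate response bodies into one file image. Content-Range offsets
    are honoured so re-sent or out-of-order ranges land where they belong; a
    gap (a range never seen in the capture) raises instead of silently
    producing a file that may open but whose SHA-1 will not match."""
    out = bytearray()
    for headers, body in split_http_messages(stream):
        if not body:
            continue  # a request, or an empty response
        cr = CONTENT_RANGE.search(headers)
        start = int(cr.group(1)) if cr else len(out)
        if start > len(out):
            raise ValueError(
                f"missing bytes {len(out)}-{start - 1}: capture is incomplete")
        out[start:start + len(body)] = body  # overwrites any overlap
    return bytes(out)


def looks_like_jpeg(data):
    """Cheap sanity check: a JPEG file begins with SOI and ends with EOI."""
    return data.startswith(SOI) and data.endswith(EOI)


def sha1_hex(data):
    """SHA-1 of the carved file, to compare against the original's hash."""
    return hashlib.sha1(data).hexdigest()


# Constructed sample: not a real image, just SOI + a JFIF-style APP0 segment
# + filler + EOI, served as two HTTP range responses with the client's
# requests interleaved, the way a raw both-directions stream dump looks.
FAKE_JPEG = SOI + b"\xe0\x00\x10JFIF\x00" + bytes(range(40)) + EOI


def build_sample_stream(duplicate_first_range=False):
    """Build the constructed raw stream dump (hypothetical host and path)."""
    split = 20
    parts = [(0, FAKE_JPEG[:split]), (split, FAKE_JPEG[split:])]
    if duplicate_first_range:
        parts.insert(1, parts[0])  # the server re-sent bytes 0-19
    stream = b""
    for start, chunk in parts:
        end = start + len(chunk) - 1
        stream += (f"GET /get/42/photo.jpg HTTP/1.1\r\nHost: 10.0.0.5\r\n"
                   f"Range: bytes={start}-{end}\r\n\r\n").encode()
        stream += (f"HTTP/1.1 206 Partial Content\r\n"
                   f"Content-Length: {len(chunk)}\r\n"
                   f"Content-Range: bytes {start}-{end}/{len(FAKE_JPEG)}"
                   f"\r\n\r\n").encode()
        stream += chunk
    return stream


if __name__ == "__main__":
    # usage: python carve.py <raw_stream_dump> [output.jpg]; no args runs the sample
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_stream()
    image = reassemble(raw)
    print(f"{len(image)} bytes, jpeg={looks_like_jpeg(image)}, sha1={sha1_hex(image)}")
    if len(sys.argv) > 2:
        open(sys.argv[2], "wb").write(image)
```

The point of deriving body lengths from Content-Length rather than hunting for the JFIF bytes is that the same approach works for any file type, and the SHA-1 check at the end is the test that matters: an image that merely opens can still be missing or duplicating bytes, which is exactly what Dave observed.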