Wireshark-users: Re: [Wireshark-users] How can I tell if there is a JPG image in my trace.

From: "j.snelders" <j.snelders@xxxxxxxxxx>
Date: Thu, 24 Sep 2009 20:48:14 +0200
Hi Andrew,

Look for the file signatures:
http://www.garykessler.net/library/file_sigs.html

Open the capture file.
Go to Edit -> Find Packet
Select Hex value: FF D8 FF E0
Find


Open the capture file with a hex editor to extract the image:
HxD - Freeware Hex Editor and Disk Editor
http://mh-nexus.de/en/hxd/

Search -> Find 
Search for: FF D8 FF E0
Datatype: Hex-values
Write down the Offset

Next search for the trailer: FF D9
Datatype: Hex-values

Select the hex-values from  FF D8 FF E0  to  FF D9
Copy & paste and save this to a separate file.
Close the hex editor and open the file with a viewer.

HTH
Joan

>From: "Andrew Lee" <andrew@xxxxxxxxxxxxxxxxxxxxxxx>
Wed, 23 Sep 2009 10:52:55 +0100 Andrew Lee wrote:

>Hi 
>
>I have a trace file which I think contains a JPG image (the trace is NOT
>from an HTTP conversation). Is there a way to determine if the trace
>contains an image and can I extract out the image?
>
>Best regards
>
>Andrew
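The signature search and copy steps from the reply above, scripted as an added example (not part of the original thread); `carve_jpegs`, `carve_file` and the `max_size` cap are hypothetical names and values chosen for illustration. Because a capture file stores per-packet headers between payloads, an image that spans several packets is carved with those header bytes embedded, and `FF D9` can also occur before the real end of an image, so each carved file is a candidate to check in a viewer.

```python
"""Carve JPEG candidates from raw capture bytes by file signature."""
import sys

JPEG_HEADER = bytes.fromhex("FFD8FFE0")  # header searched for in the post
JPEG_TRAILER = bytes.fromhex("FFD9")     # trailer searched for in the post


def carve_jpegs(data, header=JPEG_HEADER, trailer=JPEG_TRAILER, max_size=10 * 1024 * 1024):
    """Return [(start, end, blob), ...]; end is exclusive and covers the trailer."""
    found = []
    pos = 0
    while True:
        start = data.find(header, pos)
        if start == -1:
            break
        end = data.find(trailer, start + len(header))
        if end == -1:
            break  # no trailer after this header, so none after later ones
        end += len(trailer)
        if end - start > max_size:
            pos = start + len(header)  # implausibly large: skip this header
            continue
        found.append((start, end, data[start:end]))
        pos = end
    return found


def carve_file(path):
    """Carve every candidate in `path` and write each to its own .jpg file."""
    with open(path, "rb") as fh:
        data = fh.read()
    written = []
    for start, end, blob in carve_jpegs(data):
        out = f"carved_0x{start:08X}.jpg"
        with open(out, "wb") as fh:
            fh.write(blob)
        written.append(out)
        print(f"{out}: offset 0x{start:X} to 0x{end:X} ({len(blob)} bytes)")
    return written


if __name__ == "__main__":
    if len(sys.argv) == 2:
        carve_file(sys.argv[1])
    else:
        # Constructed sample: 24 filler bytes, one tiny fake "image", a truncated one.
        sample = bytes(24) + JPEG_HEADER + b"\x00\x10JFIF\x00\x01\x02\x03" + JPEG_TRAILER
        sample += b"\xAA\xBB" + JPEG_HEADER + b"cut"
        print([(s, e) for s, e, _ in carve_jpegs(sample)])
```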