sed -e "s/[^ ]* //"
On Mon, Aug 19, 2013 at 12:21 PM, FRANCIS PROVENCHER
<FRANCIS.PROVENCHER@xxxxxxxxxxxxxx> wrote:
> Hi,
>
> I want to extract an exe from a TCP Stream.
>
> First I add a filter in Wireshark, "tcp.stream eq 2010".
>
> After the 3-way handshake, I see the start of the .exe (hex file signature
> "4D 5A").
>
> The download of this executable spans 52000 packets. To extract the file, I
> chose the "Follow TCP Stream" option and then clicked the "Hex Dump"
> option.
>
> The output looks like this:
>
> 00000000 00 6e 0b 00
> .n..
> 00000004 4d 5a e8 00 00 00 00 5b 52 45 55 89 e5 81 c3 81
> MZ.....[ REU.....
> 00000014 12 00 00 ff d3 89 c3 57 68 04 00 00 00 50 ff d0
> .......W h....P..
> 00000024 68 f0 b5 a2 56 68 05 00 00 00 50 ff d3 00 00 00
> h...Vh.. ..P.....
> 00000034 00 00 00 00 00 00 00 00 00 00 00 00 e0 00 00 00
> ........ ........
> 00000044 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68
> ........ !..L.!Th
> 00000054 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f
> is progr am canno
> 00000064 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20
> t be run in DOS
> 00000074 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00
> mode.... $.......
>
>
> How can I remove the hex numbers and the ASCII trailer from this output to get
> something like this?
>
> 00 6e 0b 00
> 4d 5a e8 00 00 00 00 5b 52 45 55 89 e5 81 c3 81
> 12 00 00 ff d3 89 c3 57 68 04 00 00 00 50 ff d0
>
>
> Thanks all!
>
> Francis Provencher
> Information Security Advisor
> Ministère de la Sécurité publique du Québec
> Information Technology Directorate
> IT Security Division
> Tel: 1 418 646-6777 #30083; BlackBerry: 1 418 473 6419
> E-mail: Francis.provencher@xxxxxxxxxxxxxx
>
> Certified: SANS GCIA, SANS GPEN, SANS GSEC, C|EH, SSCP, Security+
>
>
> ___________________________________________________________________________
> Sent via: Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
> Archives: http://www.wireshark.org/lists/wireshark-users
> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
>
> mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe
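A script that does what the question asks end to end, added here as an example and not code from the thread or from Wireshark: it turns the "Follow TCP Stream" hex dump text (including the mail-wrapped form quoted above, where the ASCII column lands on its own line) back into bytes, checks that each line's offset continues from the previous one, locates the MZ signature and records a SHA-256 of the carved bytes. The function names (`parse_hexdump`, `carve_from_signature`, `sha256_hex`) are mine, the sample input is the start of the dump quoted above with the mail quoting removed, and the script assumes that Wireshark prints the reverse direction of the stream indented, so indented lines are skipped unless `peer=True` is passed.

```python
"""Turn the text of a Wireshark "Follow TCP Stream" hex dump back into raw bytes.

Added example for this thread, not code from the original message or from
Wireshark.  Assumed layout (as visible in the question): each line is an
8-digit hex offset, up to 16 hex byte pairs, then an ASCII column, which a
mail client may wrap onto the next line.  Lines belonging to the other
direction of the stream are assumed to be indented.
"""
import hashlib
import re
import sys

_OFFSET_RE = re.compile(r"^[0-9A-Fa-f]{8}$")
_HEXPAIR_RE = re.compile(r"^[0-9A-Fa-f]{2}$")
_BYTES_PER_LINE = 16


def parse_hexdump(text, peer=False):
    """Return the bytes of one direction of the stream (peer=True: the indented side).

    Each line's offset must equal the number of bytes collected so far; a
    mismatch means a line was lost, or a wrapped ASCII column happened to look
    like hex data and was swallowed as bytes.
    """
    out = bytearray()
    for raw in text.splitlines():
        if not raw.strip():
            continue
        indented = raw[0].isspace()
        if indented != peer:
            continue  # the other direction of the stream
        tokens = raw.split()
        if not _OFFSET_RE.match(tokens[0]):
            continue  # a wrapped ASCII column or other non-dump text
        offset = int(tokens[0], 16)
        if offset != len(out):
            raise ValueError(
                "offset %#x does not follow the %d bytes already read"
                % (offset, len(out))
            )
        for tok in tokens[1:1 + _BYTES_PER_LINE]:
            if not _HEXPAIR_RE.match(tok):
                break  # reached the ASCII column on the same line
            out.append(int(tok, 16))
    return bytes(out)


def carve_from_signature(data, signature=b"MZ"):
    """Find a file signature in the stream; return (offset, bytes from there)."""
    idx = data.find(signature)
    if idx < 0:
        return -1, b""
    return idx, data[idx:]


def sha256_hex(data):
    """Digest of the carved bytes, to record alongside the extracted file."""
    return hashlib.sha256(data).hexdigest()


# Constructed sample: the first lines of the dump quoted in the question, with
# the mail quoting removed and the ASCII column wrapped as the mail client left it.
SAMPLE_DUMP = """\
00000000 00 6e 0b 00
.n..
00000004 4d 5a e8 00 00 00 00 5b 52 45 55 89 e5 81 c3 81
MZ.....[ REU.....
00000014 12 00 00 ff d3 89 c3 57 68 04 00 00 00 50 ff d0
.......W h....P..
00000024 68 f0 b5 a2 56 68 05 00 00 00 50 ff d3 00 00 00
h...Vh.. ..P.....
00000034 00 00 00 00 00 00 00 00 00 00 00 00 e0 00 00 00
........ ........
00000044 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68
........ !..L.!Th
00000054 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f
is progr am canno
00000064 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20
t be run in DOS
00000074 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00
mode.... $.......
"""


def main(argv):
    """Usage: python hexdump2bin.py OUT.bin < follow_stream_hexdump.txt"""
    if len(argv) != 2:
        print(main.__doc__, file=sys.stderr)
        return 2
    data = parse_hexdump(sys.stdin.read())
    offset, carved = carve_from_signature(data)
    if offset < 0:
        print("no MZ signature found in %d bytes" % len(data), file=sys.stderr)
        return 1
    with open(argv[1], "wb") as fh:
        fh.write(carved)
    print("wrote %d bytes (signature at offset %d), sha256 %s"
          % (len(carved), offset, sha256_hex(carved)), file=sys.stderr)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The dump in the question shows four bytes before the MZ signature; carving from the signature drops them, and the offset check is what catches a wrapped ASCII line that happens to look like hex pairs. Recording the digest of the carved file at extraction time gives the hash to compare against later analysis results.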