Wireshark-users: Re: [Wireshark-users] extraction of files from SSL and TCP streams automatically

From: Peter Wu <peter@xxxxxxxxxxxxx>
Date: Mon, 7 May 2018 13:40:11 +0200
Hi Miroslav,

On Sat, May 05, 2018 at 06:17:42PM +0000, Miroslav Rovis wrote:
> Hi!
> 
> How do users climbing the steep path of deep packet inspection extract files,
> in HTTP/HTTPS protocols, i.e. the streams in SSL (and plain TCP) conversations?
> 
> Is there a program that can extract files from SSL- or plain- TCP streams
> automatically?
[..]
> And I've managed to put together a script that uses a few modified
> subroutines from Chaosreader on already decrypted SSL TCP streams and extracts
> files from them.

I think the feature you are looking for is "Export HTTP Objects". In the
GUI this is accessible via File -> Export Objects -> HTTP.

Since Wireshark 2.4, this feature is also available in tshark. For
example, to save all files from HTTP bodies in directory "outputdir":

    tshak -r some.pcap --export-object http,outputdir

See also https://www.wireshark.org/docs/man-pages/tshark.html

Hope it helps.
-- 
Kind regards,
Peter Wu
https://lekensteyn.nl