Ethereal-users: RE: [Ethereal-users] Help with combining packets

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "McNutt, Justin M." <McNuttJ@xxxxxxxxxxxx>
Date: Fri, 26 Oct 2001 16:40:53 -0500
With HTTP it works as well, but you need a binary editor (vi with the right
flags will work, as will NOTEPAD.EXE) to remove the HTTP commands at the
beginning without damaging the binary file itself.

I've had to do this a few times.  Not trivial, but not too difficult,
either.

I haven't tried with FTP, but it should work the same way.

--J

> -----Original Message-----
> From: Joe Tomasone [mailto:joe@xxxxxxxx]
> Sent: Friday, October 26, 2001 4:00 PM
> To: ethereal-users@xxxxxxxxxxxx
> Subject: Re: [Ethereal-users] Help with combining packets
> 
> 
> 
> Incidentally, I have captured SMTP and POP3 sessions with Ethereal, ran
> them with "Follow TCP Streams", dumped the text to disk, and successfully
> recovered the MIME or Base64 encoded documents attached to the email.
> 
> With HTTP, FTP, et al, it's a completely different story.
> 
>          - Joe
> 
> 
> 
> At 04:08 PM 10/26/2001, you wrote:
> > > I just loaded Ethereal and love how it works.  Is there a way that I
> > > can combine the packets back into the file that was downloaded? (i.e.
> > > If I know someone on the network is downloading pictures can I combine
> > > the packets to see what the picture is)?
> >
> >Not with Ethereal.
> >
> >However, ethereal uses the same libpcap format for packet capture files
> >that tcpdump does; there are a number of tools that process libpcap
> >files, and I seem to remember somebody mentioning some tool on this list
> >that can do that sort of reassembly.
> >
> >We should probably gather a list of all the tools people have mentioned
> >on the Ethereal mailing lists, and either add them to the "Tools"
> >section of the page at
> >
> >         http://www.ethereal.com/links.html
> >
> >or check which of them aren't already mentioned on the page at
> >
> >         http://www.tcpdump.org/related.html
> >
> >and add a link to that page from the "Useful Links" page on the Ethereal
> >site (actually, we should send the list of tools to tcpdump.org, add a
> >link to the tcpdump.org "Related Projects" page from the Ethereal
> >"Useful Links" page in any case).
> >
> >_______________________________________________
> >Ethereal-users mailing list
> >Ethereal-users@xxxxxxxxxxxx
> >http://www.ethereal.com/mailman/listinfo/ethereal-users
> 
>
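
Added example, not part of the original thread: a byte-safe way to do the header removal described in the reply above, for analysts recovering a transferred file from a saved stream. It assumes the dump holds the raw bytes of a single HTTP response (server-to-client direction only), and it goes beyond the thread by also handling chunked transfer encoding; the function names and sample bytes are constructed for illustration.

```python
"""Strip HTTP response headers from a raw saved TCP stream without touching the body."""

def parse_headers(head: bytes) -> dict:
    """Map lower-cased header names to values; the status line is skipped."""
    headers = {}
    for line in head.split(b"\r\n")[1:]:
        name, sep, value = line.partition(b":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def dechunk(data: bytes) -> bytes:
    """Decode a Transfer-Encoding: chunked body into the original bytes."""
    out, pos = bytearray(), 0
    while True:
        eol = data.find(b"\r\n", pos)
        if eol < 0:
            raise ValueError("truncated chunk header")
        size = int(data[pos:eol].split(b";")[0].strip(), 16)
        if size == 0:
            return bytes(out)
        start = eol + 2
        if start + size > len(data):
            raise ValueError("truncated chunk")
        out += data[start:start + size]
        pos = start + size + 2  # skip the CRLF that follows the chunk data

def extract_body(stream: bytes) -> bytes:
    """Return only the payload bytes of one HTTP response."""
    # Split on the FIRST blank line only: binary bodies often contain CRLF CRLF.
    head, sep, rest = stream.partition(b"\r\n\r\n")
    if not sep or not head.startswith(b"HTTP/"):
        raise ValueError("not an HTTP response")
    headers = parse_headers(head)
    if headers.get(b"transfer-encoding", b"").lower() == b"chunked":
        return dechunk(rest)
    if b"content-length" in headers:
        length = int(headers[b"content-length"])
        if len(rest) < length:
            raise ValueError("capture is missing body bytes")
        return rest[:length]  # drop anything captured after the body
    return rest  # no length given: body runs until the connection closed

# Constructed sample: PNG signature plus bytes that look like a header terminator.
PAYLOAD = b"\x89PNG\r\n\x1a\n" + b"\x00\r\n\r\n\xff"
SAMPLE = (b"HTTP/1.1 200 OK\r\nContent-Type: image/png\r\nContent-Length: 14\r\n\r\n"
          + PAYLOAD + b"extra")
CHUNKED = (b"HTTP/1.1 200 OK\r\nTransfer-Encoding: chunked\r\n\r\n"
           b"8\r\n" + PAYLOAD[:8] + b"\r\n6\r\n" + PAYLOAD[8:] + b"\r\n0\r\n\r\n")
```

Read the dump in binary mode (`open(path, "rb")`) so line-ending translation does not alter the recovered file.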