Ethereal-users: Re: [Ethereal-users] File (jpg/gif) reassembly

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <gharris@xxxxxxxxx>
Date: Fri, 19 Nov 2004 14:10:41 -0800
David Mulcair wrote:

> Wondering if anyone has a good way to take a full packet capture and extract the files that were transferred over HTTP. I’m fairly new to Ethereal, so bear with me.

If, in the Edit->Preferences dialog box, you enable:

	all the options for HTTP;

	"Allow subdissector to reassemble TCP streams" for TCP (and, if you're capturing outgoing traffic on an interface that does TCP checksum offloading, *dis*able "Check the validity of the TCP checksum when possible");

then the body of an HTTP request or reply should be reassembled, and, at least in some cases - which should include JPEGs and GIFs - there should be a separate protocol tree item for the body. You can select that item and either:

	select File > Export > Selected Packet Bytes from the main menu;

	select Export Selected Packet Bytes from the context menu in the packet details window (right-click with 2-button mice, Alt+click in OS X - no, not Ctrl+click, Ethereal's an X11 application, not a native Aqua application)

which will let you save the body to a file.
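
The reassembly that the preferences above enable, shown as an added Python example that is not part of the original post or Ethereal's code: it orders constructed TCP segments by sequence number, extracts a Content-Length delimited HTTP body, and identifies it by magic bytes. All function names and the sample segments are constructed; it assumes sequence numbers do not wrap and the reply is not chunked.

```python
# Added illustration; function names and sample data are constructed.
MAGIC = {b"\xff\xd8\xff": "jpg", b"GIF87a": "gif", b"GIF89a": "gif"}

def reassemble(segments):
    """Rebuild one direction of a TCP stream from (seq, payload) pairs.
    Tolerates out-of-order and retransmitted data; stops at the first gap.
    Assumes sequence numbers do not wrap within the stream."""
    stream, next_seq = bytearray(), None
    for seq, payload in sorted(segments, key=lambda s: s[0]):
        if next_seq is None:
            next_seq = seq
        if seq > next_seq:            # hole: later bytes cannot be placed
            break
        skip = next_seq - seq         # bytes already seen in an earlier segment
        if skip < len(payload):
            stream += payload[skip:]
            next_seq = seq + len(payload)
    return bytes(stream)

def http_body(stream):
    """Return the body of a Content-Length delimited HTTP reply."""
    head, sep, rest = stream.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete HTTP header")
    length = None
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"content-length":
            length = int(value.strip())
    if length is None:
        raise ValueError("no Content-Length (chunked or close-delimited)")
    if len(rest) < length:
        raise ValueError("body truncated: capture is missing segments")
    return rest[:length]

def file_type(body):
    """Identify the body by magic bytes, not by the declared Content-Type."""
    return next((ext for magic, ext in MAGIC.items() if body.startswith(magic)), None)

# Constructed sample: the first 10 bytes of a GIF sent as three segments,
# captured out of order with the middle segment retransmitted.
GIF = b"GIF89a\x01\x00\x01\x00"
REPLY = b"HTTP/1.1 200 OK\r\nContent-Type: image/gif\r\nContent-Length: 10\r\n\r\n" + GIF
SEGMENTS = [(1030, REPLY[30:60]), (1000, REPLY[:30]), (1060, REPLY[60:]), (1030, REPLY[30:60])]

if __name__ == "__main__":
    body = http_body(reassemble(SEGMENTS))
    print(file_type(body), len(body))
```

If a segment is missing from the capture, `reassemble` stops at the hole and `http_body` raises instead of returning a partial file.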