Wireshark-users: Re: [Wireshark-users] Exporting raw packet data?
From: "Small, James" <JSmall@xxxxxxxxxxxxxx>
Date: Mon, 13 Nov 2006 23:03:19 -0500
Replies in-line below...

> >I didn't even realize you could do this until I read your question, but
> >here is one way (not sure if this is exactly what you want):
> >Open a capture
> >Narrow down the interesting packets
> >(For example, I do a lot of web traffic analysis so I might use a filter
> >such as http.content_length > 20000)
> >Now, let's say I see a Flash file, a GIF, or a JPEG that I want to save
> >- just the actual binary data, not the packet headers.
> >I would click on the interesting packet (assuming I have TCP and HTTP
> >reassembly enabled)
> >Next, in the packet details window (middle pane) I would click on the
> >relevant data portion.  So for a JPEG image this would be the part that
> >reads JPEG File Interchange Format.
> >Finally, I would use the File->Export->Selected Packet Bytes menu item.
> >Then I would name the file and I personally change the save as type to
> >*.* so I can set the file extension (not completely sure this is
> >necessary but I do it out of habit).
> >Now, if I open up this file with a graphics viewer I will see that I
> >have a valid JPEG.
> >
> >Pretty cool stuff.
> 
> I think that would work for small amounts of data, but I'm dealing
> with video streams over hundreds of packets.
> 

Out of curiosity, I just tried it on a 4.4MB video file and while a
little slow, it worked well.  This is definitely a slick program!

> 
> >You can also filter by TCP streams (but I believe you can't save as raw
> >from the TCP Streams page).
> 
> You can save as raw. It's great for video streams over TCP.
> I was hoping for a similar capability for UDP streams, after I'd
> applied a filter.
> 

You're right of course - there is a save as raw option.  I noticed
though that this option also saves the headers.  Thus for a binary file
such as an image, you have to use a hex editor or binary editing program
so you don't corrupt the file when you remove the headers.  The other
way it just saves the binary data so it's a small convenience that saves
you from removing the headers.

I agree that it would be nice to have something like this for UDP but
that means someone would have to write the dissector/re-assembler.
Probably not an easy task.

--Jim