Wireshark-users: Re: [Wireshark-users] Copy Hex from a follow TCP stream
From: Jim Aragon <Jim@xxxxxxxxxxxxxxxxx>
Date: Mon, 19 Aug 2013 12:41:04 -0700
On 8/19/2013 12:21 PM, FRANCIS PROVENCHER wrote:

I want to extract an exe from a TCP Stream.

First I add a filter on Wireshark, "tcp.stream eq 2010"

I see, after the 3-way handshake, the start of the .exe (HEX file
signature "4D 5a")

The download of this executable is on 52000 packets. To extract the
file, I have chosen the option "follow TCP Stream" and after clicked on
the "Hex Dump" option.

How can I remove the hex number and ASCII trailer from this output to have
something like this?

       00 6e 0b 00
       4d 5a e8 00 00 00 00 5b  52 45 55 89 e5 81 c3 81
       12 00 00 ff d3 89 c3 57  68 04 00 00 00 50 ff d0

If you actually want to extract the .exe file, instead of a hex dump of the contents, leave the output type at "Raw" instead of "Hex Dump."

Jim
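
For the case where only a saved "Hex Dump" text export is available, the following is an added example (not part of the original messages) that rebuilds the bytes and locates the "4D 5a" signature. It assumes each dump row is an optional indent for the second peer, an 8-digit hex offset, up to 16 hex bytes and an ASCII column; the sample rows are constructed from the bytes quoted in the question, and the function names are hypothetical.

```python
import re

# Assumed "Hex Dump" row layout: optional indent (second peer), 8-hex-digit
# offset, up to 16 bytes separated by one or two spaces, then an ASCII column.
# Capping at 16 bytes and at 2 spaces keeps an ASCII trailer such as "ab cd"
# from being read as extra hex bytes on a short row.
LINE_RE = re.compile(
    r"^(\s*)[0-9A-Fa-f]{8}\s+((?:[0-9A-Fa-f]{2} {1,2}){0,15}[0-9A-Fa-f]{2})"
)

def hexdump_to_bytes(text, indented=None):
    """Rebuild stream bytes from Follow TCP Stream "Hex Dump" text.

    indented=None keeps both directions, True keeps only indented rows,
    False keeps only non-indented rows.
    """
    out = bytearray()
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # blank line or anything that is not a dump row
        if indented is not None and bool(m.group(1)) != indented:
            continue
        out += bytes.fromhex(m.group(2))  # fromhex ignores the spaces
    return bytes(out)

def find_mz(data):
    """Offset of the first "MZ" (4d 5a) signature, or -1 if absent."""
    return data.find(b"MZ")

# Constructed sample: one short non-indented row whose ASCII trailer looks
# like hex, then indented rows carrying the bytes quoted in the question.
SAMPLE = "\n".join([
    "00000000  61 62 20 63 64" + " " * 36 + "ab cd",
    "    00000000  00 6e 0b 00" + " " * 39 + ".n..",
    "    00000004  4d 5a e8 00 00 00 00 5b  52 45 55 89 e5 81 c3 81 MZ.....[ REU.....",
    "    00000014  12 00 00 ff d3 89 c3 57  68 04 00 00 00 50 ff d0 .......W h....P..",
])

if __name__ == "__main__":
    payload = hexdump_to_bytes(SAMPLE, indented=True)
    print(len(payload), "bytes, MZ at offset", find_mz(payload))
```

Bytes in front of the signature, such as the four in the sample, have to be cut off before the remainder is treated as the executable.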