Revision history

initial version

If it's known that the file is PDF, use the file signature (magic number).
For a PDF file:

Hex: 25 50 44 46 2d
ASCII: %PDF-

(Before attempting in Wireshark, spend some time with a known PDF file and a hex editor to get a feel for what the file bytes will look like.)

  1. Set a Wireshark display filter of frame contains "%PDF-"
  2. Check the packet bytes. Is it a PDF header or does the string appear randomly in the capture?
  3. Right click the packet, then Follow -> TCP Stream


  1. Check that you will only be saving the download side of the conversation.
  2. Set Show data as: Raw
  3. Save the file Save as...
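
The header check from step 2, applied to the raw bytes saved in the last step, as an added example that is not part of the original answer. It assumes the body was transferred without chunked or compressed encoding; the function names and the sample stream are constructed for illustration.

```python
import re
from typing import List, Optional

# "%PDF-" followed by a version such as 1.4 or 2.0 is a real header; the bare
# five bytes can also appear by chance inside unrelated payload data.
PDF_HEADER = re.compile(rb"%PDF-\d\.\d")
PDF_EOF = b"%%EOF"

# Constructed sample: HTTP response headers (one containing a decoy "%PDF-"),
# then a minimal PDF-like body.
SAMPLE_STREAM = (
    b"HTTP/1.1 200 OK\r\nContent-Type: application/pdf\r\n"
    b"X-Note: not a header %PDF-\r\n\r\n"
    b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"
    b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
)


def find_pdf_headers(data: bytes) -> List[int]:
    """Return the offset of every plausible PDF header in the stream bytes."""
    return [m.start() for m in PDF_HEADER.finditer(data)]


def carve_pdf(data: bytes) -> Optional[bytes]:
    """Carve one PDF: first plausible header through the last %%EOF marker.

    The last marker is used because incrementally updated PDFs contain
    several. Returns None when the header or trailer is missing, which
    usually means a chance match or a capture with missing segments.
    """
    headers = find_pdf_headers(data)
    if not headers:
        return None
    start = headers[0]
    end = data.rfind(PDF_EOF)
    if end < start:
        return None
    return data[start:end + len(PDF_EOF)]


if __name__ == "__main__":
    pdf = carve_pdf(SAMPLE_STREAM)
    print("header offsets:", find_pdf_headers(SAMPLE_STREAM))
    print("carved bytes:", len(pdf) if pdf else 0)
```
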
