Ask Your Question
0

extract file from FTP stream with tshark

asked 2020-05-25 06:37:21 +0000

evpamex gravatar image

Hello!

In Wireshark if I want extract file from ftp session I do: Find ftp-data packets -> Follow Tcp Stream -> Show Raw -> Save As..

How can I do the same with tshark? Please, help.

edit retag flag offensive close merge delete

1 Answer

Sort by ยป oldest newest most voted
0

answered 2020-05-25 07:25:46 +0000

grahamb gravatar image

updated 2020-05-25 09:02:06 +0000

The tshark equivalent is the -z follow,prot,mode,filter[,range] option described in the man page here.

You'll probably end up with something like:

tshark -r ... -z follow,tcp,raw,<your filter>

where <your filter> will be either the stream index or ip-addr:port pairs as described in the man page.

edit flag offensive delete link more

Comments

Thank you! But how to output raw data to file to get the copy of original file?

evpamex gravatar imageevpamex ( 2020-05-25 08:04:50 +0000 )edit

The above command will get you raw data. Redirect it to a file or pipe it to another processor.

grahamb gravatar imagegrahamb ( 2020-05-25 08:18:39 +0000 )edit

Not exactly. Lets say i do:

tshark -r d14.pcap -z follow,tcp,raw,213.183.48.117:59642,172.18.86.24:42938 > f

then file "f" contains packets statistic and then some data in hex. How can I get the file data from it to get the copy of original file, like it is done with Wireshark after "save as.." command?

evpamex gravatar imageevpamex ( 2020-05-25 08:44:27 +0000 )edit

Add the -q flag to suppress the "normal" output and then post-process it. See this answer from the old site.

grahamb gravatar imagegrahamb ( 2020-05-25 09:01:46 +0000 )edit

Thank you for help! xxd did the trick!

evpamex gravatar imageevpamex ( 2020-05-26 06:33:39 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

Stats

Asked: 2020-05-25 06:37:21 +0000

Seen: 75 times

Last updated: May 25