How does one view/export the file data of an http.response that has a content type of JPEG or GIF?
Following a tutorial I found online on making a Lua script to show HTTP requests and responses (https://lua.readthedocs.io/en/latest/...), I was able to change the script a bit to include and show the HTTP file data with
local http_response_data = Field.new("http.file_data") and to_string(http_response_data())
However, once I run the script, the file data is only shown for some HTTP responses that have the content type html/text and html/css, but nothing for GIF and JPEG. How would one get the raw binary or hexdump to show like it does in the TCP stream, since http.file_data technically should have all the file data?
Have you looked at the fields in the Wireshark GUI to verify http.content_type and http.file_data exist and are the values expected?

Yes I have. Using a packet capture from visiting an HTTP site that had images (JPGs and GIFs), the packet capture shows them when I filter on http.response and look at the HTTP portion of the packet in the file data, as well as in the exportable objects. The values exist within Wireshark, but it's only when I run the script that these specific values seem to be excluded when printed out. The script there, with the modification, writes out the data to a file based on the TCP stream. The TCP stream contains said file data for some of the HTTP responses, but not all of them, which confuses me as it does exist within the Wireshark GUI and, based on the documentation, Wireshark's http.file_data should have all file data.
http.file_data is a Character string field. When I dump it out with tshark, the field data ends at the first null character. In the GUI, all the data is there. In the packet details it shows
File Data: 232502 bytes
Add http.file_data string field to store decompressed HTTP data. Discussion when field was added - bytes vs string.
Disable the jpeg protocol and the data is available in media.type. There is probably a more elegant way to do that. Maybe someone will come along with a proper answer.
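
The following is an added example, not code from the original posts or from the Wireshark project. It is one way to sidestep the null-character truncation described above: it reads the bytes behind http.file_data through the FieldInfo's TvbRange instead of converting the field to a string. It assumes the field's range spans the whole reassembled body. The script name and output file names are hypothetical.

```lua
-- Added example: write HTTP bodies to disk as raw bytes, not as strings.
-- Run with: tshark -r capture.pcap -q -X lua_script:dump_http_bodies.lua
-- (capture.pcap and dump_http_bodies.lua are placeholder names)

-- Field extractors must be created at load time, before any packet is dissected.
local f_file_data    = Field.new("http.file_data")
local f_content_type = Field.new("http.content_type")

-- Frame tap that only fires for packets carrying an HTTP body.
local tap = Listener.new(nil, "http.file_data")
local written = 0

function tap.packet(pinfo, tvb)
    local ctype = f_content_type()
    local ctype_str = ctype and tostring(ctype) or "unknown"

    -- A packet can carry more than one body, so walk every FieldInfo returned.
    for i, fi in ipairs({ f_file_data() }) do
        local range = fi.range   -- TvbRange backing the field, or nil
        if range and fi.len > 0 then
            -- ByteArray:raw() returns a Lua string of the bytes, embedded
            -- NUL bytes included, which tostring() on a string field loses.
            local body = range:bytes():raw()

            -- The file name is built from the frame number only, never from
            -- strings taken out of the capture, so untrusted traffic cannot
            -- influence where the file is written.
            local name = string.format("http_body_frame%d_%d.bin", pinfo.number, i)
            local out = assert(io.open(name, "wb"))
            out:write(body)
            out:close()

            written = written + 1
            print(string.format("frame %d  %s  %d bytes -> %s",
                                pinfo.number, ctype_str, #body, name))
        end
    end
end

-- Called once after the last packet when run under tshark.
function tap.draw()
    print(written .. " HTTP bodies written")
end
```

For a hexdump instead of a file, `range:bytes():tohex()` returns the same bytes as a hex string.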