How does one view/export the file data of an http.response that has a content type of Jpeg or GIF

asked 2021-10-05 19:34:31 +0000

Following a tutorial I found online to make a Lua script to show HTTP requests and responses https://lua.readthedocs.io/en/latest/... I was able to change the script a bit to include and show the HTTP file data with

local http_response_data = Field.new("http.file_data") and to_string(http_response_data())

However, once I run the script, the file data is only shown for some HTTP responses that have the content type html/text and html/css, but nothing for GIF and JPEG. How would one get the raw binary or hexdump to show like it is in the TCP stream, since http.file_data technically should have all the file data?


Comments

Have you looked at the fields in the Wireshark GUI to verify http.content_type and http.file_data exist and are the values expected?

Chuckc ( 2021-10-06 01:24:02 +0000 )

Yes, I have. Using a packet capture from visiting an HTTP site that had images (JPGs and GIFs), the packet capture shows them when I filter on http.response and look at the HTTP portion of the packet in the file data, as well as in the exportable objects. The values exist within Wireshark, but it's only when I run the script that these specific values seem to be excluded when printed out. The script with the modification writes out the data to a file based on the TCP stream. The TCP stream contains said file data for some of the HTTP responses, but not all of them, which confuses me, as it does exist within the Wireshark GUI and, based on the Wireshark documentation, http.file_data should have all file data.

cleun007 ( 2021-10-06 02:27:23 +0000 )

http.file_data is a Character string field.
When I dump it out with tshark, the field data ends at the first null character.

C:\>"\Program Files\Wireshark\tshark.exe" -r .\210929_tcp_segment_col_append2.pcapng -T fields -e http.file_data -Y http.file_data
????↓?Exif
????↓?Exif
????↓?Exif

In the GUI, all the data is there. In the packet details it shows File Data: 232502 bytes

Add http.file_data string field to store decompressed HTTP data. Discussion when field was added - bytes vs string.

Chuckc ( 2021-10-06 03:17:56 +0000 )

Disable the jpeg protocol and the data is available in media.type. There is probably a more elegant way to do that. Maybe someone will come along with a proper answer.

Chuckc ( 2021-10-06 03:43:11 +0000 )
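
Added example, not part of the thread and not Wireshark project code: a Lua tap that writes each HTTP body from the byte range behind http.file_data instead of the field's string value, which is what ends at the first null character in the tshark output above. It assumes the field's range covers the whole body in the capture at hand; the script name and the output file naming are hypothetical.

```lua
-- Added example. Load with (script name is hypothetical):
--   tshark -r capture.pcapng -q -X lua_script:dump_http_bodies.lua

local f_file_data = Field.new("http.file_data")
local f_ctype     = Field.new("http.content_type")
local f_stream    = Field.new("tcp.stream")

-- Tap on HTTP; the filter limits callbacks to packets that carry a body.
local tap = Listener.new("http", "http.file_data")

function tap.packet(pinfo, tvb)
    local stream = f_stream()
    local ctype  = f_ctype()
    -- A packet can hold more than one body, so walk every occurrence.
    for i, fi in ipairs({ f_file_data() }) do
        local range = fi.range  -- TvbRange behind the field, or nil
        if range and range:len() > 0 then
            -- ByteArray:raw() returns a Lua string holding every byte,
            -- embedded NULs included, unlike the string form of the field.
            local raw = range:bytes():raw()
            local name = string.format("stream%s_frame%d_%d.bin",
                stream and tostring(stream.value) or "x", pinfo.number, i)
            -- "wb" avoids newline translation on Windows.
            local out = assert(io.open(name, "wb"))
            out:write(raw)
            out:close()
            -- Hex of the first bytes, to confirm the magic number
            -- (ff d8 ff for JPEG, 47 49 46 38 for GIF).
            local head = range:range(0, math.min(8, range:len())):bytes()
            print(string.format("%s  %s  %d bytes  starts %s", name,
                ctype and tostring(ctype.value) or "?", #raw, tostring(head)))
        end
    end
end
```

Output files are named only from the stream index, frame number and occurrence index, so nothing from the capture's headers or URLs ends up in a file path.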