Ask Your Question
0

An rtf file was transferred as FTP-DATA, so I followed the TCP Stream and saved the file. How can I decode this to view the contents?

asked 2018-10-10 15:35:55 +0000

DFirnhaber gravatar image

updated 2018-10-12 17:12:12 +0000

cmaynard gravatar image

When I open it, it shows the pcap file, the rtf file and a text file, but just the names of the files, not the content. How do I decode this to view its contents?

edit retag flag offensive close merge delete

Comments

Have you tried to save the stream as a .doc, .txt, or .rtf file and open it with notepad?

elliep gravatar imageelliep ( 2018-10-10 20:49:14 +0000 )edit
add a comment

1 Answer

Sort by ยป oldest newest most voted
0

answered 2018-10-12 17:11:10 +0000

cmaynard gravatar image

Wireshark does not yet support "File -> Export Objects" for FTP data transfers, but you should be able to export the data anyway if you follow this guide:

  1. Select the packet where you see the rtf file of interest indicated in the Info column
  2. In the Packet List Pane, right-click the packet and choose, Follow -> TCP Stream A new window will appear whose contents contains the 2-way data being transferred.
  3. Optional: To be sure you only get the data coming from the FTP server, choose the appropriate direction of data flow instead of Entire conversation. There should only be data flowing in one direction, so if that's the case, then this step isn't necessary.
  4. Next to Show and save data as, be sure to select Raw
  5. Select *Save as..." at the bottom and give it a name, e.g., file.rtf.

You should now have the rtf file. If desired, repeat for the text file or any other transfers.

edit flag offensive delete link more
add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

2 followers

subscribe to rss feed

Stats

Asked: 2018-10-10 15:35:55 +0000

Seen: 1,860 times

Last updated: Oct 12 '18