Verify large files via Extract HTTP Objects

asked 2019-05-13 00:36:31 +0000 by vudex

updated 2019-05-13 00:41:49 +0000

Hi. I am trying to extract files from a Wireshark pcap file. As test media I chose to download images from a local HTTP site. When I'm testing small files (up to 2 MB) there is no problem: the file extracts as a whole. When the file is large enough, it's obviously received in fragments. Is there a way to extract a large file as a whole?

Note: File was downloaded just fine, I need this operation to test traffic mirroring in the future.

https://imgur.com/a/oQTrB4F - related images


Comments

"Fragments" in what sense?

You're probably dealing with 1518-byte Ethernet packets (or "pretend 802.11 is an Ethernet" packets), so, with a 14-byte Ethernet header, 20-byte IPv4 header with no options, 20-byte TCP header with no options, and 4-byte CRC, that's 1460 bytes of TCP payload, not even counting the initial HTTP headers, so a 2MB file will be fragmented over the network.

What sort of fragmentation are you thinking of for files > 2MB? It's presumably some other sort, such as transferring the file in multiple HTTP transactions; if it's transferred in one HTTP transaction, 2MB is not a limit for extracting it.

If you select frame 4710, is it part of an HTTP transaction that doesn't also, for example, include frame 3547 or frame 4607 or...?

Guy Harris ( 2019-05-13 03:45:44 +0000 )

Yes, you're pronouncing your point very clearly. I am getting confused by the fact that some files are getting "parted" by Wireshark and others (smaller ones) aren't, while the initial data stays the same (same download resource, etc.) and only the size of the files changes.

This file has a size of 14 MB. If I understood you correctly, what you are saying is that I can extract it in one chunk, provided it was downloaded in one HTTP transaction. So the question arises:

> If you select frame 4710, is it part of an HTTP transaction that doesn't also, for example, include frame 3547 or frame 4607 or...?

  1. How can I verify that multiple HTTP transactions occur?

  2. Is such behavior even normal for a LAN resource and such a small file?

I'm attaching the link to the discussed capture file, just in case https://yadi.sk/d/VcGPBwLimHWY9A

vudex ( 2019-05-13 04:58:19 +0000 )

It is not uncommon for HTTP clients to request multiple ranges of data from a larger resource. These are then stored as parts, and once all of them have been received they're simply stitched together to make the original file. So it's not Wireshark that makes these so-called fragments; it's the client that's requesting multiple ranges. That is the network traffic Wireshark then sees. This could be happening to you as well.

Jaap ( 2019-05-14 05:44:05 +0000 )
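Jaap's explanation above, as an added illustration that is not part of the original thread: a small Python check that answers question 1 (count how many HTTP transactions delivered each URI) and stitches 206 Partial Content responses back into the original resource using their Content-Range headers, refusing gaps, overlaps and a missing tail. The sample responses, the 24-byte payload and the /img.jpg URI are constructed.

```python
import re

# Constructed sample: three 206 responses that together carry one 24-byte
# resource, arriving out of order, the way a range-requesting client sees them.
ORIGINAL = b"0123456789abcdefghijklmn"   # 24 bytes of constructed test data
RESPONSES = [
    {"status": 206, "uri": "/img.jpg", "content_range": "bytes 0-7/24",   "body": ORIGINAL[0:8]},
    {"status": 206, "uri": "/img.jpg", "content_range": "bytes 16-23/24", "body": ORIGINAL[16:24]},
    {"status": 206, "uri": "/img.jpg", "content_range": "bytes 8-15/24",  "body": ORIGINAL[8:16]},
]

_CONTENT_RANGE = re.compile(r"^bytes (\d+)-(\d+)/(\d+)$")

def parse_content_range(value):
    """Return (first_byte, last_byte, total_length) from a Content-Range header."""
    m = _CONTENT_RANGE.match(value.strip())
    if not m:
        raise ValueError("unsupported Content-Range: %r" % value)
    start, end, total = (int(g) for g in m.groups())
    if start > end or end >= total:
        raise ValueError("inconsistent Content-Range: %r" % value)
    return start, end, total

def transactions_per_uri(responses):
    """Question 1: how many separate HTTP transactions delivered each resource."""
    counts = {}
    for r in responses:
        counts[r["uri"]] = counts.get(r["uri"], 0) + 1
    return counts

def reassemble(responses):
    """Stitch the partial bodies back together; raise on any gap, overlap or short read."""
    parts, total = [], None
    for r in responses:
        if r["status"] != 206:
            raise ValueError("expected 206 Partial Content, got %s" % r["status"])
        start, end, t = parse_content_range(r["content_range"])
        if total is None:
            total = t
        elif t != total:
            raise ValueError("total length changed between parts")
        if len(r["body"]) != end - start + 1:   # body must match the advertised range
            raise ValueError("body length does not match Content-Range")
        parts.append((start, end, r["body"]))
    parts.sort()                                 # ranges may arrive in any order
    out, expected = bytearray(), 0
    for start, end, body in parts:
        if start != expected:                    # gap (start > expected) or overlap (start < expected)
            raise ValueError("gap or overlap at byte %d (next part starts at %d)" % (expected, start))
        out += body
        expected = end + 1
    if expected != total:
        raise ValueError("missing tail: have %d of %d bytes" % (expected, total))
    return bytes(out)
```

For a real capture, the same checks apply to the parts that File > Export Objects > HTTP writes out, paired with the Content-Range values shown in the response headers.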