This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Forensic Analysis (XMPP)


Hi Guys,

Is it possible to extract the files that are transferred and captured under the XMPP/XML protocol?

I am able to see the filename and size, but I have no idea how to extract/rebuild the image.

Here is the PCAP, if any of you are willing to help.

Forensic Analysis - PCAP File

Kind Regards,

Sen

asked 12 Oct '15, 01:02


sentral


One Answer:


Is it possible to extract the files that are transferred and captured under the XMPP/XML protocol?

Yes.

Description based on Wireshark 1.12.7. As there are only JPEGs in your pcap file, the following description is related to JPEG files (see: remove bytes at the beginning of the file!).

Step #1: Follow the TCP stream.

tcp.stream eq 1

Step #2: Right-click any frame and select "Follow TCP Stream"
Step #3: In the pop-up window, click "Save As" and save the file to a directory
Step #4: Get a hex editor, like HxD
Step #5: Open the saved file in the hex editor
Step #6: Remove everything up to the 6 bytes in front of "JFIF"


Step #7: Save the file
Step #8: Open the file with an image viewer.

Hint: 'save as' in the pop-up of 'Follow TCP stream' in 1.99.x somehow cripples the file, so don't use 1.99.x!

Regards
Kurt

answered 12 Oct '15, 15:03


Kurt Knochner ♦

edited 12 Oct '15, 15:05
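As an added example (not part of Kurt's answer and not a Wireshark tool), the following Python script automates steps 4 to 8 on a file saved from "Follow TCP Stream": it applies the rule from step 6 (the image begins 6 bytes before "JFIF", at the SOI marker), checks that those 6 bytes really are FF D8 FF E0 plus a 2-byte length, and additionally walks the JPEG segments to the end-of-image marker so that XML following the picture in the same stream is dropped too. The sample stream and its XML are constructed for the example, not taken from the question's pcap.

```python
# Carve JFIF images from a raw "Follow TCP Stream" dump. The start rule is the
# answer's (6 bytes before "JFIF" = FF D8 FF E0 LL LL); the end is found by
# walking the JPEG segment structure to the EOI marker (FF D9).
import sys

SOI, APP0, JFIF_ID = b"\xff\xd8", b"\xff\xe0", b"JFIF\x00"

def jpeg_end(data: bytes, start: int) -> int:
    """Offset one past the EOI marker of the JPEG that begins at `start`."""
    pos = start + 2                                  # skip SOI
    while pos + 4 <= len(data):                      # walk FF xx LL LL segments
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos:#x}")
        marker = data[pos + 1]
        pos += 2 + int.from_bytes(data[pos + 2:pos + 4], "big")
        if marker == 0xDA:                           # SOS: entropy-coded data follows
            break
    else:
        raise ValueError("truncated JPEG header")
    # In entropy-coded data an FF is always followed by 00 (stuffing) or D0-D7
    # (restart), so the first FF D9 is the real EOI for a baseline (single-scan) file.
    end = data.find(b"\xff\xd9", pos)
    if end == -1:
        raise ValueError("no EOI marker: incomplete transfer?")
    return end + 2

def carve_jfif(stream: bytes) -> list[bytes]:
    """Return every complete JFIF image embedded in a raw TCP stream dump."""
    images, search = [], 0
    while (idx := stream.find(JFIF_ID, search)) != -1:
        start = idx - 6                              # the answer's "6 bytes in front of JFIF"
        if start >= 0 and stream[start:start + 4] == SOI + APP0:   # sanity-check the rule
            end = jpeg_end(stream, start)
            images.append(stream[start:end])
            search = end
        else:
            search = idx + len(JFIF_ID)
    return images

# Constructed sample: XMPP chatter, a tiny JFIF skeleton (SOI, APP0, SOS, a few
# entropy bytes including a stuffed FF 00, EOI), then more XML from the same stream.
SAMPLE_JPEG = (SOI + APP0 + b"\x00\x10" + JFIF_ID + b"\x01\x01\x00\x00\x01\x00\x01\x00\x00"
               + b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00" + b"\x12\x34\xff\x00\x56" + b"\xff\xd9")
SAMPLE_STREAM = b"<message><body>sending photo</body></message>" + SAMPLE_JPEG + b"</stream:stream>"

if __name__ == "__main__":                           # python carve_jfif.py saved_stream.bin
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_STREAM
    for n, img in enumerate(carve_jfif(data)):
        open(f"carved_{n}.jpg", "wb").write(img)
```

The segment walk skips APP1/EXIF segments by their declared length, so a JPEG-compressed thumbnail inside them cannot be mistaken for the end of the picture.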

Hey Kurt,

Thanks for your help!

Sen

(13 Oct '15, 01:40) sentral

You're welcome!

(13 Oct '15, 04:57) Kurt Knochner ♦