I have a pcap with a HTTP upload of an image. Wonder if there is a way to extract the image to file with Wireshark.

My Wireshark has version 1.10.6. When I tried "Export Objects" --> HTTP, I got the entire HTTP body of the HTTP POST message. The body includes things like Multi-part boundary etc and so it's not an image.

pcap here

asked 05 Dec '15, 16:03

pktUser1001's gravatar image

pktUser1001
201405054
accept rate: 12%


I get a similar result with 1.12.7., so it looks like a bug of the object export. Please file a bug report at https://bugs.wireshark.org

UPDATE: same with Wireshark 2.0.0, so definitely a bug or some form of encoding that is not yet implemented in the code. However if you remove the leading text lines in the exported file with a HEX editor up to '%PNG', you will get the correct image.

Regards
Kurt

link

answered 06 Dec '15, 03:39

Kurt%20Knochner's gravatar image

Kurt Knochner ♦
24.4k1035231
accept rate: 15%

edited 06 Dec '15, 03:47

(06 Dec '15, 19:12) pktUser1001

You can use NetworkMiner to extract any file uploaded with an HTTP POST. Just open the PCAP and NetworkMiner will carve out the files to disk for you.

http://www.netresec.com/?page=Networkminer

link

answered 09 Dec '15, 03:25

Netresec_LJ's gravatar image

Netresec_LJ
264
accept rate: 0%

@Netresec_LJ, that's good to know. Wonder if NetworkMiner allows user to select a HTTP POST request and extract the files in the HTTP POST body? This allows user to pair up the extracted file with the HTTP request. Thanks.

(09 Dec '15, 06:18) pktUser1001

@pktUser1001, NetworkMiner will extract all files from all HTTP POST requests in the loaded PCAP file. But the details you request are available in the "Files" tab of NetworkMiner. You will see the URL and a lot more details there for each extracted file.

(09 Dec '15, 07:19) Netresec_LJ

@Netresec_LJ, I saw it now. Very nice. Wish the extracted upload-file will have a HTTP URL in addition to other parameters such as src ip, src port dst ip, dst port etc.

(09 Dec '15, 07:30) pktUser1001
Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "Title")
  • image?![alt text](/path/img.jpg "Title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Tags:

×1,526
×283

Asked: 05 Dec '15, 16:03

Seen: 1,677 times

Last updated: 09 Dec '15, 07:30

p​o​w​e​r​e​d by O​S​Q​A