This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Extract file included in HTTP upload

0

I have a pcap with an HTTP upload of an image. Wonder if there is a way to extract the image to file with Wireshark.

My Wireshark has version 1.10.6. When I tried "Export Objects" --> HTTP, I got the entire HTTP body of the HTTP POST message. The body includes things like the multipart boundary etc., and so it's not an image.

pcap here

asked 05 Dec '15, 16:03

pktUser1001


2 Answers:

0

I get a similar result with 1.12.7, so it looks like a bug of the object export. Please file a bug report at https://bugs.wireshark.org

UPDATE: same with Wireshark 2.0.0, so definitely a bug or some form of encoding that is not yet implemented in the code. However, if you remove the leading text lines in the exported file with a HEX editor up to '%PNG', you will get the correct image.

Regards
Kurt

answered 06 Dec '15, 03:39

Kurt Knochner ♦

edited 06 Dec '15, 03:47

(06 Dec '15, 19:12) pktUser1001
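The manual step described in the answer above (cutting the multipart wrapper away from the exported object) can also be scripted. The following Python sketch is an added example, not part of the original thread: it takes the delimiter from the first line of the exported body, because the export contains no HTTP headers, and returns each file part. The function name and the sample body are constructed for illustration.

```python
import os
import re

def extract_multipart_files(body: bytes) -> list:
    """Return [(filename, content), ...] for the file parts of a multipart/form-data body."""
    # The exported object has no HTTP headers, so read the delimiter from the
    # body's first line ("--<boundary>") rather than from Content-Type.
    delimiter, sep, _ = body.partition(b"\r\n")
    if not sep or not delimiter.startswith(b"--"):
        raise ValueError("body does not start with a multipart delimiter")
    files = []
    # Parts are separated by CRLF + delimiter; prepend CRLF so the first one matches too.
    for part in (b"\r\n" + body).split(b"\r\n" + delimiter)[1:]:
        if part.startswith(b"--"):  # closing delimiter "--<boundary>--"
            break
        headers, sep, content = part.partition(b"\r\n\r\n")
        match = re.search(rb'filename="([^"]*)"', headers, re.IGNORECASE)
        if not sep or match is None:
            continue  # ordinary form field or malformed part
        # The filename comes from the capture and is untrusted: keep the base name only.
        raw = match.group(1).decode("utf-8", "replace").replace("\\", "/")
        files.append((os.path.basename(raw) or "unnamed.bin", content))
    return files

# Constructed sample (not the pcap from the question): one text field, one file part.
PNG_STUB = b"\x89PNG\r\n\x1a\n" + b"\x00\x01constructed-bytes"
SAMPLE_BODY = (
    b"--XbOuNdArY\r\n"
    b'Content-Disposition: form-data; name="comment"\r\n\r\n'
    b"hello\r\n"
    b"--XbOuNdArY\r\n"
    b'Content-Disposition: form-data; name="upload"; filename="../img/photo.png"\r\n'
    b"Content-Type: image/png\r\n\r\n"
    + PNG_STUB + b"\r\n--XbOuNdArY--\r\n"
)

if __name__ == "__main__":
    for name, content in extract_multipart_files(SAMPLE_BODY):
        print(name, len(content), content[:4])
```

To use it on a real export, read the saved object in binary mode and write each returned `content` to a file opened with `"wb"`.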

0

You can use NetworkMiner to extract any file uploaded with an HTTP POST. Just open the PCAP and NetworkMiner will carve out the files to disk for you.

http://www.netresec.com/?page=Networkminer

answered 09 Dec '15, 03:25

Netresec_LJ

@Netresec_LJ, that's good to know. Wonder if NetworkMiner allows the user to select an HTTP POST request and extract the files in the HTTP POST body? This allows the user to pair up the extracted file with the HTTP request. Thanks.

(09 Dec '15, 06:18) pktUser1001

@pktUser1001, NetworkMiner will extract all files from all HTTP POST requests in the loaded PCAP file. But the details you request are available in the "Files" tab of NetworkMiner. You will see the URL and a lot more details there for each extracted file.

(09 Dec '15, 07:19) Netresec_LJ

@Netresec_LJ, I saw it now. Very nice. Wish the extracted upload-file will have an HTTP URL in addition to other parameters such as src ip, src port, dst ip, dst port etc.

(09 Dec '15, 07:30) pktUser1001