Ethereal-users: Re: [ethereal-users] How to reconstruct a file from Packets?

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

Date: Sun, 16 Jul 2000 19:56:57 -0500 (CDT)
Hi Josh & Jay,

I have finally managed to get a good packet sniffer/analyzer.
It separates the different headers in a packet from the data.
BUT when I add up the data part of the packets that I have sniffed
during a "file attach operation with hotmail" .. I do not get the
correct size of the attached file; I get a size much larger.

There are some packets that do not contain data, I assume they are
acknowledgement/synchronization packets of some kind and ignore them
while adding. 

Do you guys have any idea of how exactly one goes about adding the data
from the packets captured to get the size of the original file? I did
leave out all the header info in every packet and added only the data
remaining... but I still do not arrive at the correct size.

Thanx
Tarun

On Sun, 16 Jul 2000,
Shaun Clowes wrote:

> 
> > Thanx for your previous help with packet sniffers. Can you give me a step
> > by step instruction on how exactly I go about RECONSTRUCTING a file from
> > the packets I sniff.... I have done a lot of research on this but have not
> > come up with a concrete method of doing this.....Say I send a 5KB
> > attachment through hotmail..... how do I reconstruct that file and the
> > E-mail from the packets I sniff..... It should be possible.... if anyone
> > has ACTUALLY done something like this...please help me....I'v been trying
> > to do this for almost 45 days now... I need HELP!
> 
> This really depends on what you're trying to do. Ethereal certainly isn't
> suitable for it in its current state (as Guy said). If it's intercepting
> mail on the local network, which is by the way illegal if it's not your own
> mail you're sniffing, you'll find mailsnarf in the dsniff package available
> from www.packetfactory.net to be perfect. If it's other web traffic, you'll
> need to hack up something yourself quickly using libnids, an awesome
> little tcp connection defragmenter based on Linux kernel code. Hacking up
> the sample program provided with the library to do almost anything is
> exceptionally easy. 
> 
> That said, if you don't feel comfortable hacking around in C, don't
> bother :(
> 
> Cheers,
> Shaun
> 
> 

Tarun.G.Acharya
3102 dodge Street
Omaha, NE, USA
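The overcount Tarun describes usually comes from two things: retransmitted segments get added twice, and the HTTP/multipart framing around the attachment is counted as file data. The following Python is an added example, not code from this thread or from libnids: it does in miniature what Shaun's libnids suggestion does in C, reassembling one direction of a TCP stream by sequence number so each byte counts once, then stripping the multipart framing to get the file. The request, boundary, and segment list are constructed here for illustration.

```python
from typing import List, Tuple

Segment = Tuple[int, bytes]  # (relative TCP sequence number, payload)

def reassemble(segments: List[Segment], isn: int = 0) -> bytes:
    """Rebuild one direction of a TCP stream from sequence number isn: segments are
    placed by seq, bytes already seen (retransmissions) are kept once, empty ACKs add nothing."""
    stream = bytearray()
    for seq, payload in sorted(segments, key=lambda s: s[0]):
        nxt = isn + len(stream)                 # next byte still needed
        if seq + len(payload) <= nxt:
            continue                            # nothing new here (retransmission / pure ACK)
        if seq > nxt:
            raise ValueError(f"hole in stream before seq {seq}")  # a segment is missing
        stream += payload[nxt - seq:]           # append only the unseen tail
    return bytes(stream)

def extract_multipart_file(request: bytes) -> bytes:
    """Return the file body of a multipart/form-data POST, HTTP framing removed."""
    head, sep, body = request.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete HTTP request")
    ctype = next(h for h in head.split(b"\r\n") if h.lower().startswith(b"content-type:"))
    boundary = ctype.split(b"boundary=", 1)[1].strip(b'" ')
    for part in body.split(b"--" + boundary):
        part_head, sep, part_body = part.partition(b"\r\n\r\n")
        if sep and b"filename=" in part_head:
            return part_body[:-2]               # drop the CRLF preceding the next boundary
    raise ValueError("no file part found")

# Constructed sample, not a real capture: a 120-byte "attachment" in a multipart
# POST, seen as out-of-order segments plus one retransmission and one empty ACK.
BOUNDARY = b"----constructedBoundary"
FILE_DATA = b"hello world\n" * 10
REQUEST = b"".join([
    b"POST /upload HTTP/1.1\r\nHost: example.invalid\r\n",
    b"Content-Type: multipart/form-data; boundary=", BOUNDARY, b"\r\n\r\n",
    b"--", BOUNDARY, b'\r\nContent-Disposition: form-data; name="f"; filename="a.txt"\r\n',
    b"Content-Type: text/plain\r\n\r\n", FILE_DATA, b"\r\n--", BOUNDARY, b"--\r\n",
])

def constructed_capture() -> List[Segment]:
    a, b, c = REQUEST[:100], REQUEST[100:250], REQUEST[250:]
    return [(0, a), (250, c), (100, b), (100, b), (len(REQUEST), b"")]

def naive_payload_sum(segments: List[Segment]) -> int:
    """What summing every payload gives: retransmitted bytes counted twice."""
    return sum(len(p) for _, p in segments)
```

Comparing naive_payload_sum(constructed_capture()) with len(extract_multipart_file(reassemble(constructed_capture()))) shows the gap Tarun saw: the first counts the duplicate segment and all HTTP headers, the second is exactly the file size.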