Wireshark-users: Re: [Wireshark-users] Exporting raw packet data?
From: Pete Fraser <pfraser@xxxxxxxxx>
Date: Mon, 13 Nov 2006 19:14:30 -0800
At 07:05 PM 11/13/2006, Jim Small wrote:
> Pete,
>
> I didn't even realize you could do this until I read your question, but
> here is one way (not sure if this is exactly what you want):
> Open a capture
> Narrow down the interesting packets
> (For example, I do a lot of web traffic analysis so I might use a filter
> such as http.content_length > 20000)
> Now, let's say I see a Flash file, a GIF, or a JPEG that I want to save
> - just the actual binary data, not the packet headers.
> I would click on the interesting packet (assuming I have TCP and HTTP
> reassembly enabled)
> Next, in the packet details window (middle pane) I would click on the
> relevant data portion.  So for a JPEG image this would be the part that
> reads JPEG File Interchange Format.
> Finally, I would use the File->Export->Selected Packet Bytes menu item.
> Then I would name the file and I personally change the save as type to
> *.* so I can set the file extension (not completely sure this is
> necessary but I do it out of habit).
> Now, if I open up this file with a graphics viewer I will see that I
> have a valid JPEG.
>
> Pretty cool stuff.

I think that would work for small amounts of data, but I'm dealing with video streams over hundreds of packets.


> You can also filter by TCP streams (but I believe you can't save as raw
> from the TCP Streams page).

You can save as raw. It's great for video streams over TCP.
I was hoping for a similar capability for UDP streams, after I'd applied a filter.



Thanks

Pete
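
Added example, not part of the original message: for the UDP case asked about above, a Python function that concatenates the UDP payloads of one flow from a classic pcap file, giving the same kind of raw output as the TCP stream save. The function and helper names are hypothetical, the sample capture is constructed, and it assumes Ethernet/IPv4 with no IP fragmentation; datagrams are kept in capture order and any application framing inside the payload is left in place.

```python
import struct

def udp_stream_payload(pcap: bytes, src_port: int, dst_port: int) -> bytes:
    """Concatenate the UDP payloads of one flow direction, in capture order."""
    if pcap[:4] == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif pcap[:4] == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled)")
    if struct.unpack(endian + "I", pcap[20:24])[0] != 1:
        raise ValueError("only Ethernet captures (linktype 1) are handled")
    out, off = bytearray(), 24
    while off + 16 <= len(pcap):
        incl_len = struct.unpack(endian + "I", pcap[off + 8:off + 12])[0]
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 42 or frame[12:14] != b"\x08\x00":
            continue  # too short, or not IPv4 (VLAN tags and IPv6 are skipped)
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        if ip[0] >> 4 != 4 or ihl < 20 or ip[9] != 17:
            continue  # malformed header or not UDP
        if struct.unpack("!H", ip[6:8])[0] & 0x3FFF:
            continue  # IP fragment: no reassembly here
        udp = ip[ihl:]
        if len(udp) < 8:
            continue
        sport, dport, ulen = struct.unpack("!HHH", udp[:6])
        if (sport, dport) == (src_port, dst_port):
            out += udp[8:ulen]  # the UDP length field trims Ethernet padding
    return bytes(out)

def _record(sport, dport, payload, pad=0):
    """Build one constructed pcap record: Ethernet/IPv4/UDP plus padding."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    frame = bytes(6) + bytes(6) + b"\x08\x00" + ip + udp + bytes(pad)
    return struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame

# Constructed sample capture: two flows to port 5004, one frame padded to 60 bytes.
SAMPLE_PCAP = (struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
               + _record(40000, 5004, b"video-")
               + _record(40001, 5004, b"noise")
               + _record(40000, 5004, b"data", pad=14))

if __name__ == "__main__":
    print(udp_stream_payload(SAMPLE_PCAP, 40000, 5004))
```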