Wireshark-users: Re: [Wireshark-users] Reassemble packets from Gnutella download?
From: d a <otto81494@xxxxxxxxx>
Date: Sun, 4 Feb 2007 06:35:11 -0800 (PST)
I did exactly that. Saved "tcp stream" as raw data, manually stripped the header, and saved as jpg. This is pretty easy with a small file (30KB). When I download a larger jpg, I receive multiple headers midstream. The header info sometimes runs into the raw data. It's a long process trying to edit exactly to reproduce the image. Furthermore, even though the image sometimes opens properly, the sha1 value doesn't always match that of the original image, proving that my reassembly isn't perfect.
I think I need a filter that will remove header bytes or separate software that can accomplish this in the raw data file. Any ideas?
Hans Nilsson <hasse_gg@xxxxxxxx> wrote:
Well that's basically what you're doing. Check the raw button and save
the data from the "Follow TCP Stream" window. But all the data is saved,
not just the JPEG-data so you have to cut the http-headers and things
like that.
On Sat, 3 Feb 2007 20:17:25 -0800 (PST), "d a" said:
> James
> Thanks for the response. Was hoping for something a bit more automated
> like the "export as raw data option" but I can work with this too. I'll
> give it a try
> Dave
>
> "Small, James" wrote: Dave,
>
> You should be able to do a follow TCP stream and save the contents to a
> file. However, in order to edit the file, you need to use a hex editor.
> If you use a regular editor, it will mangle the file. Usually when I do
> this (for example saving a JPEG), I open a working JPEG in a Hex editor
> so I can see what the initial file header is. For JPEGs, I believe this
> is HEX:ffd8ffe000104a464946 (ASCII:ÿØÿà..JFIF). Then when I edit the
> exported TCP stream, I know to delete up to that header so that I can
> save a valid JPEG. I have used this to extract many different types of
> files successfully.
>
> Here's an example free Hex Editor that I have used:
> http://www.hhdsoftware.com/Family/hex-editor.html
>
> Not to say there aren't better ones, but this one has worked for me.
>
> --Jim
>
> ________________________________________
> From: wireshark-users-bounces@xxxxxxxxxxxxx
> [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of d a
> Sent: Saturday, February 03, 2007 11:47 AM
> To: wireshark-users@xxxxxxxxxxxxx
> Subject: [Wireshark-users] Reassemble packets from Gnutella download?
>
> Hello all,
>
> I posted a couple days ago and it never made the forum so I apologize if
> this is a repeat.
> First off...great software!
> I have about 12 hours of Wireshark use so far. Having trouble
> reassembling packets downloaded from Gnutella. I can reassemble HTTP
> image packets n/p. Someone please tell me what I'm doing wrong.
>
> I begin a capture (wireshark latest release), download an image file
> (jpg) with only 1 host (to avoid swarming downloads). I then stop the
> capture and filter using the "ip.source" filter. I can then view all tcp
> packets downloaded from the host and checksum shows successful. I don't
> get the same options as I do with a HTTP Jpeg download and can't find an
> option to export as raw data. I even tried "follow TCP stream", stripping
> header info, and copy and paste the bytes to a text editor with a JPEG
> extension but the image won't open. I do have TCP dissector and IP
> reassemble ticked. Maybe I'm using the wrong filter?
>
> Any suggestions as to how I can reassemble an image file downloaded
> with Gnutella would be greatly appreciated.
> Thanks
> Dave
>
>
> _______________________________________________
> Wireshark-users mailing list
> Wireshark-users@xxxxxxxxxxxxx
> http://www.wireshark.org/mailman/listinfo/wireshark-users
--
Hans Nilsson
hasse_gg@xxxxxxxx
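Dave's symptom above (headers appearing midstream and running into the image bytes) is what a saved "Follow TCP Stream" looks like when the server answered several HTTP range requests in one connection, and cutting it by eye in a hex editor cannot recover the exact file. The Python below is an added example, not code from this thread or from Wireshark: it walks the raw server-to-client dump response by response, sizes each body by its Content-Length, places it at its Content-Range offset, and exposes the SHA-1 so the result can be compared with the original. The two-response stream it parses is constructed inline; the only assumption is that the dump contains the server side only, as the raw "Follow TCP Stream" save of one direction does.

```python
import hashlib
import re

# Constructed sample (not from the thread): a fake 25-byte "JPEG" with a real
# JFIF prefix, served as two HTTP/1.1 206 range responses, second range first.
JFIF_PREFIX = b"\xff\xd8\xff\xe0\x00\x10JFIF"
FULL_FILE = JFIF_PREFIX + b"\x00\x01payload-bytes"
HDR_RE = re.compile(rb"HTTP/1\.[01] (\d{3})[^\r\n]*\r\n(.*?)\r\n\r\n", re.S)

def _response(body, start, end, total):
    hdr = (f"HTTP/1.1 206 Partial Content\r\nContent-Length: {len(body)}\r\n"
           f"Content-Range: bytes {start}-{end}/{total}\r\n\r\n").encode()
    return hdr + body

def build_sample():
    """What 'Follow TCP Stream' (raw, server->client side only) would save."""
    n = len(FULL_FILE)
    return (_response(FULL_FILE[12:], 12, n - 1, n) +
            _response(FULL_FILE[:12], 0, 11, n))

def parse_responses(stream):
    """Split raw server stream into (file_offset, body) per response; bodies
    are sized by Content-Length so mid-stream headers never leak into data."""
    chunks, pos = [], 0
    while pos < len(stream):
        m = HDR_RE.match(stream, pos)
        if not m:
            raise ValueError(f"no HTTP response header at offset {pos}")
        hdrs = {k.strip().lower(): v.strip() for k, _, v in
                (ln.partition(b":") for ln in m.group(2).split(b"\r\n"))}
        length = int(hdrs[b"content-length"])
        body = stream[m.end():m.end() + length]
        if len(body) != length:
            raise ValueError("truncated body: capture ended mid-response")
        rng = hdrs.get(b"content-range")                # b"bytes 12-24/25"
        offset = int(rng.split()[1].split(b"-")[0]) if rng else 0
        chunks.append((offset, body))
        pos = m.end() + length
    return chunks

def reassemble(stream):
    """Place each chunk at its Content-Range offset; refuse gaps."""
    out = bytearray()
    for offset, body in sorted(parse_responses(stream)):
        if offset > len(out):
            raise ValueError(f"missing range before offset {offset}")
        out[offset:offset + len(body)] = body
    return bytes(out)

def sha1_hex(data):
    return hashlib.sha1(data).hexdigest()
```

For a real dump, pass `open(path, "rb").read()` to `reassemble()` and compare `sha1_hex()` of the result with the hash of the original file; a ValueError means the capture is missing a range or was cut mid-response, which is exactly when the hex-editor method silently produces a wrong file.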