On May 17, 2007, at 2:52 AM, Kevin Wuang wrote:
> I just discovered the wonder of wireshark a few days ago and now as a
> pet project i am learning to reconstruct a simple text file from the
> data that is captured from unencrypted wireless link (.cap file).
To which data are you referring?
You probably have a bunch of packets with 802.11 headers (or Ethernet
headers, if the capture has "pretend Ethernet" headers), IP headers,
TCP and/or UDP headers, and packet data, not all of which is
necessarily text.
> I noticed that Wireshark has the capability to reassemble the
> packets so surely it is possible to reconstruct the files as well?
When you say "the files", do you mean that the traffic you captured
involves transferring files, and you want to reconstruct the contents
of the file?
If so, what protocols are being used to transfer the files - FTP?
HTTP? (I'm assuming it's not ssh via scp, as that'd be encrypted.)
Some remote file system protocol (NFS, SMB, AFP, etc.)?
> Can anyone please give me some advice on how to achieve this?
The advice would depend on the protocol. There's a general reassembly
framework in Wireshark, but the way it's used for different protocols
is different; similarly, there's no general solution that would
automatically give you the ability to reconstruct files transferred
using any protocol - the solution would inherently depend on the
protocol.
> Should I start from reading through the source code of Wireshark and
> is it based on C language?
Yes, it's in C - but it's rather a lot of C, and you could spend a lot
of time looking at code from which, while you might learn a lot, what
you learned wouldn't be relevant to the project in which you're
interested. (I.e., I'm not discouraging you from looking at the code,
but if you want to start your learning experience with that project,
you should probably look at the dissector for the protocol being used
to transfer the file, first.)
Also, you might be able to do at least some of what you want with
"Follow TCP Streams" - follow whatever TCP connection transferred the
file, if it was transferred using a protocol that runs over TCP (such
as FTP or HTTP).
BTW, if you're going to be doing Wireshark *development*, the best
list to ask questions on would be wireshark-dev@xxxxxxxxxxxxx.
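The reply above makes two points: "Follow TCP Stream" is a generic step (put the segments of one connection back in sequence order), while getting the file out of the stream is protocol-specific (for HTTP: split headers from body and honour Content-Length). The script below is an added illustration, not code from the original thread or from Wireshark. It builds a constructed pcap in memory (one HTTP/1.0 response split over three TCP segments, delivered out of order with one duplicate), then does both steps by hand. It assumes a classic little-endian pcap with Ethernet link type 1; a raw 802.11 capture would need 802.11 and LLC/SNAP header parsing in front of the IP layer, which is left out here.

```python
import struct

ETHERTYPE_IPV4 = b"\x08\x00"
LINKTYPE_ETHERNET = 1

def _tcp_segment(seq, payload, flags=0x18):
    """Constructed Ethernet+IPv4+TCP frame (server 10.0.0.1:80 -> client 10.0.0.2:40000).
    Checksums are left at zero; this is sample data, not a real capture."""
    eth = b"\x00" * 6 + b"\x00" * 6 + ETHERTYPE_IPV4
    tcp = struct.pack("!HHIIBBHHH", 80, 40000, seq, 1, 5 << 4, flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return eth + ip + tcp

def build_sample_pcap():
    """Constructed pcap: a 97-byte HTTP response cut at bytes 20 and 45, written
    as segments 3, 1, 2, 2 (out of order, middle one duplicated)."""
    body = b"hello from the unencrypted link\n"
    resp = (b"HTTP/1.0 200 OK\r\nContent-Type: text/plain\r\n"
            b"Content-Length: %d\r\n\r\n" % len(body) + body)
    segs = [resp[0:20], resp[20:45], resp[45:]]
    seqs = [1000, 1020, 1045]
    frames = [_tcp_segment(seqs[i], segs[i]) for i in (2, 0, 1, 1)]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for n, frame in enumerate(frames):
        out += struct.pack("<IIII", n, 0, len(frame), len(frame)) + frame  # record header
    return out

def iter_pcap_packets(data):
    """Yield (linktype, frame_bytes) for each record of a little-endian classic pcap."""
    magic, = struct.unpack("<I", data[:4])
    if magic != 0xA1B2C3D4:
        raise ValueError("not a little-endian classic pcap")
    linktype, = struct.unpack("<I", data[20:24])
    off = 24
    while off + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack("<IIII", data[off:off + 16])
        off += 16
        yield linktype, data[off:off + incl_len]
        off += incl_len

def parse_tcp(frame):
    """Return (flow_key, seq, payload) for an IPv4/TCP Ethernet frame, else None."""
    if frame[12:14] != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 6:                      # protocol 6 = TCP
        return None
    total_len, = struct.unpack("!H", ip[2:4])
    tcp = ip[ihl:total_len]
    sport, dport, seq = struct.unpack("!HHI", tcp[:8])
    data_off = (tcp[12] >> 4) * 4
    return (ip[12:16], sport, ip[16:20], dport), seq, tcp[data_off:]

def follow_streams(pcap_bytes):
    """Generic step: order each unidirectional TCP flow by sequence number,
    drop retransmissions, trim overlaps and record gaps (what Follow TCP Stream does)."""
    flows = {}
    for linktype, frame in iter_pcap_packets(pcap_bytes):
        if linktype != LINKTYPE_ETHERNET:
            continue
        parsed = parse_tcp(frame)
        if parsed and parsed[2]:
            key, seq, payload = parsed
            flows.setdefault(key, {})[seq] = payload
    streams = {}
    for key, segs in flows.items():
        buf, gaps, expected = bytearray(), [], None
        for seq in sorted(segs):
            payload, end = segs[seq], seq + len(segs[seq])
            if expected is None:
                expected = seq
            if end <= expected:
                continue                            # pure retransmission
            if seq < expected:
                payload = payload[expected - seq:]  # partial overlap
            elif seq > expected:
                gaps.append((expected, seq))        # lost segment: data missing here
            buf += payload
            expected = end
        streams[key] = (bytes(buf), gaps)
    return streams

def extract_http_body(stream):
    """Protocol-specific step: take the body of an HTTP response, honouring Content-Length."""
    head, sep, rest = stream.partition(b"\r\n\r\n")
    if not sep or not head.startswith(b"HTTP/"):
        return None
    length = None
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"content-length":
            length = int(value.strip())
    return rest if length is None else rest[:length]

def reconstruct_sample():
    """Run both steps over the constructed capture and return the recovered file bytes."""
    for data, gaps in follow_streams(build_sample_pcap()).values():
        body = extract_http_body(data)
        if body is not None and not gaps:
            return body
    return None

if __name__ == "__main__":
    print(reconstruct_sample().decode())
```

The gap list is the part worth keeping in a real tool: a stream with a hole in it will still "look like" a file after reassembly, so a reconstructor should refuse (or at least flag) output built from a flow whose sequence space was not fully captured, which is common on lossy wireless links.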