Wireshark-users: Re: [Wireshark-users] Re: Re: Copy Hex from a follow TCP stream
From: ronnie sahlberg <ronniesahlberg@xxxxxxxxx>
Date: Mon, 19 Aug 2013 13:16:13 -0700
-e "s/  .*$//"

two spaces before the .

On Mon, Aug 19, 2013 at 1:13 PM, FRANCIS PROVENCHER
<FRANCIS.PROVENCHER@xxxxxxxxxxxxxx> wrote:
> Thanks,
>
> That partially works: the hex numbers are removed, but the ASCII trailer is always
> present (I'm really bad at regex, can you help me please?)
>
>  00 6e 0b 00
> .n..
>
>  4d 5a e8 00 00 00 00 5b  52 45 55 89 e5 81 c3 81            MZ.....[
> REU.....
>
>  12 00 00 ff d3 89 c3 57  68 04 00 00 00 50 ff d0               .......W
> h....P..
>
>  68 f0 b5 a2 56 68 05 00  00 00 50 ff d3 00 00 00               h...Vh..
> ..P.....
>
>  00 00 00 00 00 00 00 00  00 00 00 00 e0 00 00 00             ........
> ........
>
> Thank you so much!
>
> Francis Provencher
> Information Security Advisor
> Ministère de la Sécurité publique du Québec
> Information Technology Directorate
> IT Security Division
> Tel: 1 418 646-6777 #30083 BlackBerry; 1 418 473 6419
> Email:   Francis.provencher@xxxxxxxxxxxxxx
>
> Certified;  SANS GCIA, SANS GPEN, SANS GSEC, C|EH, SSCP, Security +
>
>>>> ronnie sahlberg <ronniesahlberg@xxxxxxxxx> 19/08/13 15:43 >>>
> sed -e "s/[^ ]* //"
>
> On Mon, Aug 19, 2013 at 12:21 PM, FRANCIS PROVENCHER
> <FRANCIS.PROVENCHER@xxxxxxxxxxxxxx> wrote:
>> Hi,
>>
>> I want to extract an exe from a TCP Stream.
>>
>> First I add a filter in Wireshark, "tcp.stream eq 2010"
>>
>> I see, after the 3-way handshake, the start of the .exe (hex file signature
>> "4D 5a")
>>
>> The download of this executable spans 52000 packets; to extract the file, I
>> chose the option "follow TCP Stream" and then clicked on the "Hex Dump"
>> option.
>>
>> The output looks like this:
>>
>> 00000000 00 6e 0b 00
>> .n..
>> 00000004 4d 5a e8 00 00 00 00 5b 52 45 55 89 e5 81 c3 81
>> MZ.....[ REU.....
>> 00000014 12 00 00 ff d3 89 c3 57 68 04 00 00 00 50 ff d0
>> .......W h....P..
>> 00000024 68 f0 b5 a2 56 68 05 00 00 00 50 ff d3 00 00 00
>> h...Vh.. ..P.....
>> 00000034 00 00 00 00 00 00 00 00 00 00 00 00 e0 00 00 00
>> ........ ........
>> 00000044 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68
>> ........ !..L.!Th
>> 00000054 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f
>> is progr am canno
>> 00000064 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20
>> t be run in DOS
>> 00000074 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00
>> mode.... $.......
>>
>>
>> How can I remove the hex numbers and the ASCII trailer from this output to have
>> something like this?
>>
>> 00 6e 0b 00
>> 4d 5a e8 00 00 00 00 5b 52 45 55 89 e5 81 c3 81
>> 12 00 00 ff d3 89 c3 57 68 04 00 00 00 50 ff d0
>>
>>
>> Thanks all!
>>
>> Francis Provencher
>> Information Security Advisor
>> Ministère de la Sécurité publique du Québec
>> Information Technology Directorate
>> IT Security Division
>> Tel: 1 418 646-6777 #30083 BlackBerry; 1 418 473 6419
>> Email: Francis.provencher@xxxxxxxxxxxxxx
>>
>> Certified; SANS GCIA, SANS GPEN, SANS GSEC, C|EH, SSCP, Security +
>>
>>
>>
>> ___________________________________________________________________________
>> Sent via: Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
>> Archives: http://www.wireshark.org/lists/wireshark-users
>> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
>>
>> mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe
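The two sed expressions in the thread get the offset out of the way, but the second one, `s/  .*$//`, cuts at the first run of two spaces, and in Wireshark's hex dump layout that run sits between the 8th and 9th byte of every full line (visible in the quoted dump above: "... 00 5b  52 45 ..."), so a line can lose its second half. The script below is an added example, not code from the thread or from Wireshark. It assumes the dump exactly as Wireshark writes it (offset, two spaces, up to 16 bytes in two groups of 8 separated by two spaces, then two or more spaces and the ASCII column), not the whitespace-collapsed copy in the email. The sample dump, and the names SAMPLE, hexdump_bytes, find_mz_offset, hex_to_bin and carve_exe, are all constructed for the example; the byte values are modelled on the dump in the thread.

```shell
#!/bin/sh
# Added example, not from the thread or from Wireshark.  Turns a "Follow TCP
# Stream" hex dump into bare hex bytes, then into the carved file.
# Assumed layout: offset, two spaces, up to 16 bytes in two groups of 8
# separated by two spaces, two or more spaces, ASCII column.

# Constructed sample in that layout: a 4-byte prefix line padded before its
# ASCII column, the "MZ" line, and a line whose ASCII column contains spaces.
SAMPLE='00000000  00 6e 0b 00                                       .n..
00000004  4d 5a e8 00 00 00 00 5b  52 45 55 89 e5 81 c3 81  MZ.....[ REU.....
00000014  12 00 00 ff d3 89 c3 57  68 04 00 00 00 50 ff d0  .......W h....P..
00000024  69 73 20 70 72 6f 67 72  61 6d 20 63 61 6e 6e 6f  is progr am canno'

# Hex dump on stdin -> one lowercase hex pair per line on stdout.
# Splitting on runs of two or more spaces separates offset, byte groups and
# ASCII column.  A field is taken as data only if it consists of hex pairs and
# keeps the line total within 16 bytes, so the ASCII column is never emitted.
hexdump_bytes() {
    awk -F '  +' '
    NF >= 2 && $1 ~ /^[0-9A-Fa-f]+$/ {
        total = 0
        for (i = 2; i <= NF; i++) {
            if ($i !~ /^([0-9A-Fa-f][0-9A-Fa-f] )*[0-9A-Fa-f][0-9A-Fa-f]$/) break
            n = split($i, b, " ")
            if (total + n > 16) break
            for (j = 1; j <= n; j++) print tolower(b[j])
            total += n
        }
    }'
}

# One hex pair per line on stdin -> 0-based index of the first "4d 5a" ("MZ"),
# the DOS/PE signature the thread uses to spot the start of the executable.
# Prints nothing when the signature is absent.
find_mz_offset() {
    awk 'prev == "4d" && $1 == "5a" { print NR - 2; exit } { prev = $1 }'
}

# One hex pair per line on stdin -> raw bytes on stdout.  Each byte becomes a
# \ooo octal escape for the POSIX printf built-in, so xxd is not required.
hex_to_bin() {
    escapes=$(awk 'BEGIN { hex = "0123456789abcdef" }
        NF == 1 && length($1) == 2 {
            c = tolower($1)
            v = (index(hex, substr(c, 1, 1)) - 1) * 16 + index(hex, substr(c, 2, 1)) - 1
            printf "\\%03o", v
        }')
    printf "$escapes"
}

# Whole pipeline: dump on stdin, executable on stdout.  The bytes before the
# MZ signature (4 of them in the thread's dump) are dropped, and the run fails
# instead of writing a file when no signature is present.
carve_exe() {
    bytes=$(hexdump_bytes)
    off=$(printf '%s\n' "$bytes" | find_mz_offset)
    if [ -z "$off" ]; then
        echo "carve_exe: no MZ signature in stream" >&2
        return 1
    fi
    printf '%s\n' "$bytes" | tail -n +$((off + 1)) | hex_to_bin
}

# Usage: printf '%s\n' "$SAMPLE" | carve_exe > carved.exe
```

The MZ check matters for the use case in the thread: the dump starts with four bytes that belong to the carrying protocol, not to the executable, and a carve that keeps them produces a file that will not parse as PE. The remaining ambiguity of the parser is a short line whose ASCII column happens to consist of hex-looking pairs; when the capture is still open in Wireshark, choosing "Raw" instead of "Hex Dump" in the Follow TCP Stream dialog and using "Save As" avoids the text round trip entirely.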