A couple of hours ago, Jeremy Stretch posted an article entitled Quick and dirty packet capture data extraction in which he shows how one can extract a JPEG image from a packet capture containing the HTTP stream.
Stretch’s method uses “foremost” to recover the original file which works, but… there’s an even quicker way to do it. Actually, just like with Perl, there’s more than one way to do it.
I made two videos showing how to extract files from data streams within Wireshark. Instead of embedding them in this post, I’m linking to them instead, as they are quite large (resolution-wise).
- Video 1: Extracting objects from HTTP streams (shows how to extract the same JPEG from the same capture)
- Video 2: Extracting a PDF from an HTTP stream (shows how to extract a PDF file from a different capture)
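As an added example (not part of the original post, and not Wireshark's own code), here is the command-line counterpart of the Export Objects dialog used in the videos: tshark's `--export-objects` option dumps every HTTP object in a capture, and a magic-byte check then reports each recovered file's real type regardless of the name or Content-Type it was served with. It assumes tshark is installed; `capture.pcap` and `outdir` are placeholder paths you supply.

```shell
#!/bin/sh
# Added example, not from the original post. Requires tshark (Wireshark CLI).

# Dump every HTTP object in a capture into a directory (same data as
# File > Export Objects > HTTP in the GUI; depends on TCP reassembly, so
# objects from captures with dropped segments may come out truncated).
# usage: extract_http_objects capture.pcap outdir
extract_http_objects() {
    capture="$1"; outdir="$2"
    mkdir -p "$outdir"
    tshark -q -r "$capture" --export-objects "http,$outdir"
}

# Identify a file from its first bytes instead of trusting its name.
# Prints: jpeg, pdf, png, gif, zip or unknown.
detect_type() {
    magic=$(head -c 8 "$1" | od -An -tx1 | tr -d ' \n')
    case "$magic" in
        ffd8ff*)          echo jpeg ;;   # JPEG SOI marker
        255044462d*)      echo pdf ;;    # "%PDF-"
        89504e470d0a1a0a) echo png ;;
        474946383[79]61*) echo gif ;;    # "GIF87a" / "GIF89a"
        504b0304*)        echo zip ;;    # also docx/xlsx/jar
        *)                echo unknown ;;
    esac
}

# Print "<type> <size-in-bytes> <path>" for each exported object so a
# mislabelled or truncated file stands out at a glance.
# usage: summarize_objects outdir
summarize_objects() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        printf '%s %s %s\n' "$(detect_type "$f")" \
            "$(wc -c < "$f" | tr -d ' ')" "$f"
    done
}
```

Run `extract_http_objects capture.pcap outdir && summarize_objects outdir` to get the JPEG from Stretch's capture without running a carver over the whole file.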
Hopefully this will be helpful to some others; it definitely has been to me. Thanks to Jeremy Stretch for the idea, and to the guys who taught my SANS Comprehensive Packet Analysis (SEC 556) class for originally showing me how to do it!