Extracting files in network traffic using Wireshark

Wireshark is a very handy tool for analysing network traffic. I just learned to use it for a task. I’m using macOS Mojave, and the version of Wireshark is 3.0.5.

Open the pcap file with Wireshark and you will see the packet list interface.

Using the ‘filter’ bar to narrow down the packets can make your work much easier.

All right, let’s get back to today’s topic!

Method 1


Right-click a packet of the conversation and choose ‘Follow’, then ‘TCP Stream’.


The two colours have different meanings: red is the data sent by the client (the request), while blue is what the client receives from the server (the response).


Set ‘Show and save data as’ to Raw, then save the stream to a file.

We’ll use the file-signature cheat sheet linked in the appendix to identify the header and footer bytes of common file types.

Another resource I found: https://www.filesignatures.net/index.php?

Since the response claims to be a JPEG, we search the raw data for the JPEG header ffd8 and footer ffd9.


Copy the bytes from ‘ffd8’ through ‘ffd9’ (inclusive), paste them into a hex editor, and save the result as a .jpg file.

Caution: the raw data may contain more than one ffd8 and ffd9, so it’s crucial to find all of them and check whether each one is really a header or footer. Some occurrences of ffd8 look like a header but are not. If you search the hex dump as text, the byte sequence ‘5f fd 8a’ also matches ‘ffd8’: every byte is two hex digits, and that match straddles a byte boundary, so it is not a real marker.

Then follow the same process and extract the remaining files one by one.

Method 2

Go to ‘File’, ‘Export Objects’, ‘HTTP’.



This way exports every HTTP object in the pcap file in one go. But there are a few things to remember: a stream often carries more data than the exported object shows, so it’s crucial to go back and examine the raw data.

For example, after the end of the picture, the stream also contains a message.

Another thing to mention: the request asks for a PDF file, but what it actually receives is a JPEG. If you save and open the file as a PDF, it won’t work.
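The checks from both methods, worked through in Python as an added example that is not part of the original post: carving only byte-aligned ffd8…ffd9 spans, counting how a text search of the hex dump overcounts on bytes like ‘5f fd 8a’, comparing the declared Content-Type with the real signature, and collecting the leftover bytes where a trailing message hides. The stream it parses is constructed for the example, not taken from the capture shown above.

```python
# Constructed sample stream (not from a real capture): the server declares a PDF
# but sends a JPEG, a text message follows the image, and the bytes 5f fd 8a make
# a fake "ffd8" when the hex dump is searched as text.
SAMPLE = (
    b"HTTP/1.1 200 OK\r\nContent-Type: application/pdf\r\n\r\n"
    b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x5f\xfd\x8apayload\xff\xd9"
    b"\r\nsecret message after the image\r\n"
    b"\xff\xd8\xff\xdbsecond\xff\xd9"
)
# Leading signature bytes of a few common types (values from the cheat sheet).
MAGIC = {b"\xff\xd8\xff": "jpeg", b"%PDF-": "pdf", b"\x89PNG\r\n\x1a\n": "png"}


def split_http_response(data: bytes) -> tuple:
    """Return (declared Content-Type, body) of one raw HTTP response."""
    head, _, body = data.partition(b"\r\n\r\n")
    declared = "unknown"
    for line in head.split(b"\r\n"):
        if line.lower().startswith(b"content-type:"):
            declared = line.split(b":", 1)[1].strip().decode("ascii", "replace")
    return declared, body


def sniff(blob: bytes) -> str:
    """Identify a blob by its signature bytes, ignoring what HTTP claimed."""
    for sig, name in MAGIC.items():
        if blob.startswith(sig):
            return name
    return "unknown"


def carve_jpegs(data: bytes) -> list:
    """Byte-aligned (start, end) offsets of every FF D8 FF ... FF D9 span."""
    spans, pos = [], 0
    while True:
        start = data.find(b"\xff\xd8\xff", pos)               # real SOI marker
        end = data.find(b"\xff\xd9", start + 3) if start >= 0 else -1
        if end < 0:                      # no further SOI, or a truncated image
            return spans
        spans.append((start, end + 2))   # include the two EOI bytes
        pos = end + 2


def text_hex_hits(data: bytes, marker: str = "ffd8") -> int:
    """Count a marker in the hex dump as text: overcounts on misaligned bytes."""
    return data.hex().count(marker)


def leftover(data: bytes, spans: list) -> bytes:
    """Bytes outside every carved span: where hidden messages show up."""
    cuts = [0] + [i for s in spans for i in s] + [len(data)]
    return b"".join(data[cuts[i]:cuts[i + 1]] for i in range(0, len(cuts), 2))
```

On the sample, the text search reports three ‘ffd8’ hits while only two byte-aligned images exist, and the body sniffs as a JPEG despite the PDF Content-Type.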

Conclusion

Though method 2 is easier, method 1 is highly recommended. You’ll miss important information if you don’t check the raw data.

Appendix

Link: https://digital-forensics.sans.org/media/hex_file_and_regex_cheat_sheet.pdf
