Replies in-line below...

> >I didn't even realize you could do this until I read your question, but
> >here is one way (not sure if this is exactly what you want):
> >Open a capture
> >Narrow down the interesting packets
> >(For example, I do a lot of web traffic analysis so I might use a filter
> >such as http.content_length > 20000)
> >Now, let's say I see a Flash file, a GIF, or a JPEG that I want to save
> >- just the actual binary data, not the packet headers.
> >I would click on the interesting packet (assuming I have TCP and HTTP
> >reassembly enabled)
> >Next, in the packet details window (middle pane) I would click on the
> >relevant data portion. So for a JPEG image this would be the part that
> >reads JPEG File Interchange Format.
> >Finally, I would use the File->Export->Selected Packet Bytes menu item.
> >Then I would name the file and I personally change the save as type to
> >*.* so I can set the file extension (not completely sure this is
> >necessary but I do it out of habit).
> >Now, if I open up this file with a graphics viewer I will see that I
> >have a valid JPEG.
> >
> >Pretty cool stuff.
>
> I think that would work for small amounts of data, but I'm dealing
> with video streams over hundreds of packets.
>

Out of curiosity, I just tried it on a 4.4MB video file and while a little slow, it worked well. This is definitely a slick program!

>
> >You can also filter by TCP streams (but I believe you can't save as raw
> >from the TCP Streams page).
>
> You can save as raw. It's great for video streams over TCP.
> I was hoping for a similar capability for UDP streams, after I'd
> applied a filter.
>

You're right of course - there is a save as raw option. I noticed though that this option also saves the headers. Thus for a binary file such as an image, you have to use a hex editor or binary editing program so you don't corrupt the file when you remove the headers. The other way it just saves the binary data so it's a small convenience that saves you from removing the headers.

I agree that it would be nice to have something like this for UDP but that means someone would have to write the dissector/re-assembler. Probably not an easy task.

--Jim

_______________________________________________
Wireshark-users mailing list
Wireshark-users@wireshark.org
http://www.wireshark.org/mailman/listinfo/wireshark-users
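
Added example, not part of the original thread and not Wireshark code: one way to get the raw data of a single UDP flow out of a saved capture, with all packet headers removed, by reading the capture file directly. It assumes a classic little-endian pcap file with Ethernet/IPv4 framing; the function names, addresses, ports and sample capture are constructed for illustration.

```python
import socket
import struct

def udp_stream_payload(pcap, src, dst):
    """Join UDP payloads sent from src=(ip, port) to dst=(ip, port), headers removed.
    Payloads are joined in capture order: no reordering, no IP reassembly, and any
    application framing inside the datagrams (RTP, for example) is left in place.
    """
    magic, linktype = struct.unpack_from("<I16xI", pcap, 0)
    if magic != 0xA1B2C3D4 or linktype != 1:
        raise ValueError("expected little-endian classic pcap, Ethernet link type")
    out, off = bytearray(), 24
    while off + 16 <= len(pcap):
        incl_len = struct.unpack_from("<I", pcap, off + 8)[0]
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 42 or frame[12:14] != b"\x08\x00":
            continue  # too short for Ethernet+IPv4+UDP, or EtherType is not IPv4
        ihl = (frame[14] & 0x0F) * 4
        frag = struct.unpack_from("!H", frame, 20)[0] & 0x3FFF
        if frame[14] >> 4 != 4 or ihl < 20 or frame[23] != 17 or frag:
            continue  # not UDP, or an IP fragment (skipped, not reassembled)
        udp = frame[14 + ihl:]
        if len(udp) < 8:
            continue  # truncated UDP header
        sport, dport, ulen = struct.unpack_from("!HHH", udp, 0)
        flow = ((socket.inet_ntoa(frame[26:30]), sport),
                (socket.inet_ntoa(frame[30:34]), dport))
        if flow == (src, dst):
            out += udp[8:ulen]  # UDP length field keeps Ethernet padding out
    return bytes(out)

def _frame(sip, sport, dip, dport, payload):
    """Constructed Ethernet/IPv4/UDP frame; checksums are left as zero."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     socket.inet_aton(sip), socket.inet_aton(dip))
    return b"\x00" * 12 + b"\x08\x00" + ip + udp

def sample_pcap():
    """Constructed capture: one flow in two datagrams, an unrelated one between."""
    tx, rx = ("10.0.0.1", 5004), ("10.0.0.2", 6000)
    frames = [_frame(*tx, *rx, b"VIDEO-"), _frame("10.0.0.9", 53, *rx, b"other"),
              _frame(*tx, *rx, b"DATA") + b"\x00" * 14]  # last frame carries padding
    body = b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)
    return struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1) + body

if __name__ == "__main__":
    print(udp_stream_payload(sample_pcap(), ("10.0.0.1", 5004), ("10.0.0.2", 6000)))
```

For a real capture, read the file with `open(path, "rb").read()` and write the returned bytes to the output file in binary mode.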