Well, that's basically what you're doing. Check the raw button and save the data from the "Follow TCP Stream" window. But all the data is saved, not just the JPEG data, so you have to cut the HTTP headers and things like that.

On Sat, 3 Feb 2007 20:17:25 -0800 (PST), "d a" <[EMAIL PROTECTED]> said:
> James
> Thanks for the response. Was hoping for something a bit more automated
> like the "export as raw data option" but I can work with this too. I'll
> give it a try
> Dave
>
> "Small, James" <[EMAIL PROTECTED]> wrote:
> Dave,
>
> You should be able to do a follow TCP stream and save the contents to a
> file. However, in order to edit the file, you need to use a hex editor.
> If you use a regular editor, it will mangle the file. Usually when I do
> this (for example saving a JPEG), I open a working JPEG in a Hex editor
> so I can see what the initial file header is. For JPEGs, I believe this
> is HEX:ffd8ffe000104a464946 (ASCII:ÿØÿà..JFIF). Then when I edit the
> exported TCP stream, I know to delete up to that header so that I can
> save a valid JPEG. I have used this to extract many different types of
> files successfully.
>
> Here's an example free Hex Editor that I have used:
> http://www.hhdsoftware.com/Family/hex-editor.html
>
> Not to say there aren't better ones, but this one has worked for me.
>
> --Jim
>
> ________________________________________
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of d a
> Sent: Saturday, February 03, 2007 11:47 AM
> To: [email protected]
> Subject: [Wireshark-users] Reassemble packets from Gnutella download?
>
> Hello all,
>
> I posted a couple days ago and it never made the forum so I apologize if
> this is a repeat.
> First off...great software!
> I have about 12 hours of Wireshark use so far. Having trouble
> reassembling packets downloaded from Gnutella. I can reassemble HTTP
> image packets n/p. Someone please tell me what I'm doing wrong.
>
> I begin a capture (wireshark latest release), download an image file
> (jpg) with only 1 host (to avoid swarming downloads). I then stop the
> capture and filter using the "ip.source" filter. I can then view all tcp
> packets downloaded from the host and checksum shows successful. I don't
> get the same options as I do with a HTTP Jpeg download and can't find an
> option to export as raw data. I even tried "follow TCP stream", stripping
> header info, and copy and paste the bytes to a text editor with a JPEG
> extension but the image won't open. I do have TCP dissector and IP
> reassemble ticked. Maybe I'm using the wrong filter?
>
> Any suggestions as to how I can reassemble an image file downloaded
> with Gnutella would be greatly appreciated.
> Thanks
> Dave
>
> _______________________________________________
> Wireshark-users mailing list
> [email protected]
> http://www.wireshark.org/mailman/listinfo/wireshark-users

--
  Hans Nilsson
  [EMAIL PROTECTED]
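
The manual hex-editor step described in this thread (delete everything up to the JPEG header in the saved raw stream) can be scripted. This is an added example, not part of the original messages; `carve_jpeg` and `make_sample_stream` are hypothetical names and the sample stream is constructed. It goes slightly beyond the thread by falling back to the generic `ff d8 ff` start marker and by trimming after the final `ff d9` end marker.

```python
"""Carve a JPEG out of a raw "Follow TCP Stream" dump (added example)."""
import sys

JFIF_MAGIC = bytes.fromhex("ffd8ffe000104a464946")  # header quoted in the thread
SOI = b"\xff\xd8\xff"   # generic JPEG start (also matches non-JFIF files)
EOI = b"\xff\xd9"       # JPEG end-of-image marker


def carve_jpeg(stream: bytes) -> tuple[bytes, bool]:
    """Return (jpeg_bytes, complete) carved from a raw stream dump.

    Everything before the first JPEG signature (protocol headers) is dropped.
    `complete` is False when no end-of-image marker follows the start, which
    usually means the capture is missing data.
    """
    start = stream.find(JFIF_MAGIC)
    if start == -1:
        start = stream.find(SOI)      # fall back to the generic signature
    if start == -1:
        raise ValueError("no JPEG signature in stream")
    end = stream.rfind(EOI, start + len(SOI))
    if end == -1:
        return stream[start:], False  # truncated image: keep what we have
    return stream[start:end + len(EOI)], True


def make_sample_stream() -> bytes:
    """Constructed sample: HTTP-style headers followed by a tiny fake JPEG body."""
    body = JFIF_MAGIC + b"\x00\x01\x01\x00" + b"\x11" * 16 + EOI
    headers = (b"HTTP/1.1 200 OK\r\n"
               b"Content-Type: image/jpeg\r\n"
               b"Content-Length: " + str(len(body)).encode() + b"\r\n\r\n")
    return headers + body


if __name__ == "__main__":
    # Usage: python carve_jpeg.py stream.raw out.jpg
    with open(sys.argv[1], "rb") as f:   # binary mode: text mode would mangle bytes
        data, complete = carve_jpeg(f.read())
    with open(sys.argv[2], "wb") as f:
        f.write(data)
    print(f"wrote {len(data)} bytes, complete={complete}")
```

A result with `complete=False` points at a capture that lost segments rather than at a carving mistake, so check the stream for gaps before retrying.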
