On May 17, 2007, at 2:52 AM, Kevin Wuang wrote:

> I just discovered the wonder of Wireshark a few days ago, and now as a
> pet project I am learning to reconstruct a simple text file from the
> data that is captured from an unencrypted wireless link (.cap file).

To which data are you referring?

You probably have a bunch of packets with 802.11 headers (or Ethernet  
headers, if the capture has "pretend Ethernet" headers), IP headers,  
TCP and/or UDP headers, and packet data, not all of which is  
necessarily text.


> I noticed that Wireshark has the capability to reassemble the
> packets, so surely it is possible to reconstruct the files as well?

When you say "the files", do you mean that the traffic you captured  
involves transferring files, and you want to reconstruct the contents  
of the file?

If so, what protocols are being used to transfer the files - FTP?
HTTP?  (I'm assuming it's not ssh via scp, as that'd be encrypted.)
Some remote file system protocol (NFS, SMB, AFP, etc.)?


> Can anyone please give me some advice on how to achieve this?

The advice would depend on the protocol.  There's a general reassembly  
framework in Wireshark, but the way it's used for different protocols  
is different; similarly, there's no general solution that would  
automatically give you the ability to reconstruct files transferred  
using any protocol - the solution would inherently depend on the  
protocol.

> Should I start by reading through the source code of Wireshark, and
> is it based on the C language?

Yes, it's in C - but it's rather a lot of C, and you could spend a lot
of time looking at code from which, while you might learn a lot by
looking at it, what you learned wouldn't be relevant to the project in
which you're interested.  (I.e., I'm not discouraging you from looking
at the code, but if you want to start your learning experience with
that project, you should probably look at the dissector for the
protocol being used to transfer the file, first.)

Also, you might be able to do at least some of what you want with  
"Follow TCP Streams" - follow whatever TCP connection transferred the  
file, if it was transferred using a protocol that runs over TCP (such  
as FTP or HTTP).

BTW, if you're going to be doing Wireshark *development*, the best  
list to ask questions on would be [EMAIL PROTECTED]
_______________________________________________
Wireshark-users mailing list
Wireshark-users@wireshark.org
http://www.wireshark.org/mailman/listinfo/wireshark-users
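The two-step approach described in the reply above - follow the TCP stream first, then parse the transfer protocol on top of it - as an added example that is not from this thread or from the Wireshark source. It is a minimal "Follow TCP Stream" in pure Python: it walks a libpcap file, reassembles one direction of an IPv4/TCP flow by sequence number (dropping retransmitted bytes and refusing to continue across a gap, since a lossy wireless capture cannot yield a faithful file), and then carves the body out of an HTTP/1.x response using Content-Length or chunked encoding. The capture is constructed in memory (Ethernet link type, addresses and ports are made up); a real 802.11 capture would need the 802.11/LLC header walk in place of the Ethernet one, and pcapng files are not handled.

```python
"""Minimal Follow-TCP-Stream plus HTTP body carving. Added example, not Wireshark code."""
import struct
from collections import defaultdict

LINKTYPE_ETHERNET = 1


def pcap_frames(data):
    """Yield (linktype, frame_bytes) from an in-memory libpcap (.cap/.pcap) file."""
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic == 0xA1B2C3D4:
        e = "<"                          # written on a little-endian host
    elif magic == 0xD4C3B2A1:
        e = ">"                          # written on a big-endian host
    else:
        raise ValueError("not a libpcap file (pcapng is not handled here)")
    linktype = struct.unpack_from(e + "I", data, 20)[0]
    off = 24
    while off + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack_from(e + "IIII", data, off)
        off += 16
        yield linktype, data[off:off + incl_len]
        off += incl_len


def tcp_segments(data):
    """Yield (flow_key, seq, payload) for every IPv4/TCP segment in the capture."""
    for linktype, frame in pcap_frames(data):
        if linktype != LINKTYPE_ETHERNET or len(frame) < 34:
            continue                     # 802.11 frames would need a different header walk
        if struct.unpack_from("!H", frame, 12)[0] != 0x0800:
            continue                     # not IPv4
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        total_len = struct.unpack_from("!H", ip, 2)[0]
        if ip[9] != 6:
            continue                     # not TCP
        tcp = ip[ihl:total_len]          # total_len trims Ethernet trailer padding
        sport, dport, seq, _ack, doff = struct.unpack_from("!HHIIB", tcp, 0)
        payload = tcp[(doff >> 4) * 4:]  # skip TCP header incl. options
        yield (ip[12:16], sport, ip[16:20], dport), seq, payload


def follow_stream(segments):
    """Reassemble one direction of a flow: order by seq, drop retransmitted bytes, refuse gaps."""
    nxt, out = None, bytearray()
    for seq, payload in sorted(segments, key=lambda s: s[0]):
        if not payload:
            continue                     # pure ACKs / SYN / FIN carry no data
        if nxt is None:
            nxt = seq
        if seq > nxt:
            raise ValueError(f"{seq - nxt} bytes missing at seq {nxt}; capture is lossy")
        skip = nxt - seq                 # overlap = retransmission of bytes we already have
        if skip < len(payload):
            out += payload[skip:]
            nxt = seq + len(payload)
    return bytes(out)                    # caveat: no 32-bit sequence wraparound handling


def http_response_body(stream):
    """Carve the entity body out of a reassembled HTTP/1.x response (Content-Length or chunked)."""
    head, sep, rest = stream.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no complete HTTP header in stream")
    hdrs = {}
    for line in head.split(b"\r\n")[1:]:
        k, _, v = line.partition(b":")
        hdrs[k.strip().lower()] = v.strip()
    if b"chunked" in hdrs.get(b"transfer-encoding", b"").lower():
        body, pos = bytearray(), 0
        while True:                      # chunk = hex size line, data, CRLF; size 0 ends it
            eol = rest.index(b"\r\n", pos)
            size = int(rest[pos:eol].split(b";")[0], 16)
            pos = eol + 2
            if size == 0:
                break
            body += rest[pos:pos + size]
            pos += size + 2
        return bytes(body)
    return rest[:int(hdrs.get(b"content-length", len(rest)))]


def reconstruct_http_file(pcap_bytes):
    """Find the server-to-client direction of the HTTP flow and return the transferred file."""
    flows = defaultdict(list)
    for key, seq, payload in tcp_segments(pcap_bytes):
        flows[key].append((seq, payload))
    for segs in flows.values():
        stream = follow_stream(segs)
        if stream.startswith(b"HTTP/"):
            return http_response_body(stream)
    raise ValueError("no HTTP response found")


# ---- constructed sample capture (made-up addresses; not a real .cap) ----
def _frame(src, sport, dst, dport, seq, payload):
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0, src, dst) + tcp
    return eth + ip


def _pcap(frames):
    out = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET))
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1179370000 + i, 0, len(f), len(f)) + f
    return bytes(out)


FILE_CONTENT = b"hello from the wireless side\n"
_RESP = (b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n"
         b"Content-Length: %d\r\n\r\n" % len(FILE_CONTENT)) + FILE_CONTENT
_CLI, _SRV = bytes([192, 168, 1, 10]), bytes([192, 168, 1, 1])
SAMPLE_PCAP = _pcap([
    _frame(_CLI, 40000, _SRV, 80, 500, b"GET /notes.txt HTTP/1.1\r\nHost: 192.168.1.1\r\n\r\n"),
    _frame(_SRV, 80, _CLI, 40000, 1000, _RESP[:40]),
    _frame(_SRV, 80, _CLI, 40000, 1070, _RESP[70:]),    # arrives out of order
    _frame(_SRV, 80, _CLI, 40000, 1040, _RESP[40:70]),
    _frame(_SRV, 80, _CLI, 40000, 1040, _RESP[40:70]),  # retransmission
])

if __name__ == "__main__":
    print(reconstruct_http_file(SAMPLE_PCAP).decode())
```

The gap check is the part worth keeping in mind for wireless captures: a monitor-mode sniffer misses frames far more often than a wired tap, and a "reconstructed" file with silently skipped bytes is worse than an error. For FTP the same `follow_stream` applies to the data connection, but the file boundaries come from the control channel rather than from headers, which is the protocol-dependence the reply describes.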