Wireshark · Ethereal-users: Re: [Ethereal-users] Microsoft Word Document captured via SMTP

[Guy Harris <gharris@xxxxxxxxx>]

Mike Philip wrote:
> In response to Guy Harris's question the file was
> captured via SMTP traffic.
>
> I posted yesterday:
>
> How do you reconstruct a MS Word document captured via
> ethereal? I've selected 'Follow TCP Stream' and found
> traffic with a word document as an attachment. But
> this all appears as hex? Is there a way to export the
> data into a Word document to see the contents?

Not for SMTP.  "Follow TCP Stream" does let you write the raw data of 
one or the other side of a TCP conversation (or both sites of the 
conversation) to a file in binary (that's what "raw" does), *BUT* that 
means that, if the file was mailed, all the SMTP commands that 
transferred the file will also be in the file.

Typically, a binary file such as a Word document will be encoded as text 
in, for example, base-64 form, so the resulting file will probably be a 
text file, and you'll probably be able to edit it with a text editor and 
remove the SMTP commands.  However, the Word document will probably be 
an attachment, meaning you'll have to manually extract the attachment 
from the file, and manually decode the base-64 (or whatever the encoding 
is - that'll be in the MIME headers in the mail), unless there's a tool 
that'll do that for you (there might be, but I don't know offhand what 
tools there are).  Ethereal will do none of that for you.