Wireshark-users: Re: [Wireshark-users] Analysing MSN traffic

From: Stephen Fisher <stephentfisher@xxxxxxxxx>
Date: Mon, 8 Jan 2007 21:59:06 -0800

On Mon, Jan 08, 2007 at 07:29:22PM -0000, Antonio Cassidy wrote:

> By removing the first 105 and last 104 chars we're left with the 
> content of the text file.  I have tried this with other text files and 
> it's the same number of characters both at the start and at the end.

These are probably other fields from the protocol.  Are you able to send 
us a sample capture with a file transfer in it to help you look at it?

> This is the same as when an image is transferred if I remove the first 
> 105 and last 104 I'm left with the same number of characters as when I 
> open the image in notepad however the characters are not exactly the 
> same in the capture as the original file ie:
> 
> Original File: %&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz??
> 
> Capture File: .....%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz.
> 
> It looks like the non standard characters in the image file are being 
> replaced by '.''s in the capture file.

Yes, "non-printable" characters are replaced with periods when displayed 
in Wireshark.  


Steve