Huge thanks to our Platinum Members Endace and LiveAction,
and our Silver Member Veeam, for supporting the Wireshark Foundation and project.

Wireshark-users: [Wireshark-users] Problem exporting data

From: Michael Monte <apoc1@xxxxxxxxxxx>
Date: Sun, 16 Nov 2008 13:51:25 -0500
I am having problem export content data from traffic between a client and server. Basically the client uploads a file to a server and I want to grab the file out of the air. Before sending the data the client does a post to the server:

POST /api/soap/eyefilm/v1/upload HTTP/1.1
Host: api.eye.fi
User-Agent: Eye-Fi Card/2.0001
Accept: text/xml, application/soap
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=---------------------------02468ace13579bdfcafebabef00d
Content-Length: 2229177

-----------------------------02468ace13579bdfcafebabef00d
Content-Disposition: form-data; name="SOAPENVELOPE"

<?xml version="1.0" encoding="UTF-8"?><SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"; xmlns:ns1="EyeFi/SOAP/EyeFilm"><SOAP-ENV:Body><ns1:UploadPhoto><fileid>4523222</fileid><macaddress>0018562004e4</macaddress><filename>DSC00068.JPG.tar</filename><filesize>2228224</filesize><filesignature>462e34821f13ae210af8208b5b2443f2</filesignature><encryption>none</encryption></ns1:UploadPhoto></SOAP-ENV:Body></SOAP-ENV:Envelope>
-----------------------------02468ace13579bdfcafebabef00d
Content-Disposition: form-data; name="FILENAME"; filename="DSC00068.JPG.tar"
Content-Type: application/x-tar

If I follow the tcp stream I can supposedly see all the data being sent. Now to get the data to a file, I've tried exporting the raw data to a file and removing the HTTP POST. Now at this point the OS recognizes the file as a tar file, however when I open it gives an error(it isn't very specific). This seems to suggest that the header of the data file is correct(which is seems it is), but the other parts of the data are not correct. This file uploaded to the server fine btw.

Will following the tcp stream correctly show the data in its proper order in this instance, or will I have to do something else to put the data back together?

Thanks,
MikeM