Wireshark · Ethereal-users: Re: [Ethereal-users] JPG-Export from captured file (TCP-Reassembly)

[Guy Harris <gharris@xxxxxxxxx>]

Olivier Biot wrote:

> Go to Edit -> Preferences. In the left pane, click on "Protocols" so you 
> can edit the protocol preferences.
>
> Look at TCP, and make sure that "Allow subdissector to reassemble TCP 
> streams" is enabled.
> Then look at HTTP, and enable at least the first 3 preferences 
> (reassemble headers, reassemble bodies, reassemble chunked bodies).
>
> Save the preferences, and reload the capture file (you may use the 
> display filter "image-jfif or image-gif" to search for JPEG and GIF in 
> the captured packets).
>
> Once you found an image, click on the protocol line in the dissection 
> window ("JPEG File Interchange Format" or "Compuserve GIF, Version: 
> 87a/89a") so the relevant bytes get highlighted (selected), and export 
> the selected packet bytes, either from the File menu, or by 
> right-clicking on the packet.

...and if any of that can't be done, e.g. because HTTP doesn't have 
those preferences, or JPEGs aren't dissected, upgrade to a newer version 
of Ethereal (I don't remember when those were added, but if it was after 
0.10.3, the original poster will have to upgrade - items in the Wiki are 
likely to refer to the current version, so anybody running older 
versions might find that they don't apply).