Wireshark-users: Re: [Wireshark-users] Reassemble packets from Gnutella download?
From: "Hans Nilsson" <[email protected]>
Date: Sun, 04 Feb 2007 06:53:50 -1100
I guess that depends on how the Gnutella protocol actually sends the files. In some situations the actual data is constantly mixed with control data that controls the transfer. I don't really know an easy way to get the actual file data from a stream like that. I guess check the Gnutella protocol? On Sun, 4 Feb 2007 06:35:11 -0800 (PST), "d a" <[email protected]> said: > I did exactly that. Saved "tcp stream"as raw data, manually stripped the > header, and saved as jpg. This is pretty easy with a small file (30KB}. > When I download a larger jpg, i recieve multiple headers midstream. The > header info somtimes runs into the raw data. Its a long process trying to > edit exactly to reproduce the image. Furthermore even though the image > sometimes opens properly, the sha1 value doesnt allows match that of the > original image proving that my reassembly isnt perfect. > > I think I need a filter that will remove header bytes or seperate > software that can accomplish this in the raw data file.. Any ideas? > > > Hans Nilsson <[email protected]> wrote: Well that's basically what you're > doing. Check the raw button and save > the data from the "Follow TCP Stream" window. But all the data is saved, > not just the JPEG-data so you have to cut the http-headers and things > like that. > > > On Sat, 3 Feb 2007 20:17:25 -0800 (PST), "d a" > said: > > James > > Thanks for the response. Was hoping for something a bit more automated > > like the "export as raw data option" but I can work with this too. Il > > give it a try > > Dave > > > > "Small, James" wrote: Dave, > > > > You should be able to do a follow TCP stream and save the contents to a > > file. However, in order to edit the file, you need to use a hex editor. > > If you use a regular editor, it will mangle the file. Usually when I do > > this (for example saving a JPEG), I open a working JPEG in a Hex editor > > so I can see what the initial file header is. For JPEGs, I believe this > > is HEX:ffd8ffe000104a464946 (ASCII:ÿØÿà..JFIF). Then when I edit the > > exported TCP stream, I know to delete up to that header so that I can > > save a valid JPEG. I have used this to extract many different types of > > files successfully. > > > > Here's an example free Hex Editor that I have used: > > http://www.hhdsoftware.com/Family/hex-editor.html > > > > Not to say there aren't better ones, but this one has worked for me. > > > > --Jim > > > > ________________________________________ > > From: [email protected] > > [mailto:[email protected]] On Behalf Of d a > > Sent: Saturday, February 03, 2007 11:47 AM > > To: wi[email protected] > > Subject: [Wireshark-users] Reassemble packets from Gnutella download? > > > > Hello all, > > > > I posted a couple days ago and it never made the forum so I appologize if > > this is a repeat. > > First off...great software! > > I have about 12 hours of Wireshark use so far. Having trouble > > reassembling packets downloaded from Gnutella. I can reassemble HTTP > > image packets n/p. Someone please tell me what Im doing wrong. > > > > I begin a capture (wireshark latest realease), download an image file > > (jpg ) with only 1 host (to avoid swarming downloads). I then stop the > > capture and filter using the "ip.source" filter. I can then view all tcp > > packets downloaded from the host and checksum shows successful. I dont > > get the same options as I do with a HTTP Jpeg download and cant find an > > option to export as raw data. I even tried "follow TCP stream", stripping > > header info, and copy and paste the bytes to a text editor with a JPEG > > extension but the image wont open. I do have TCP dissector and IP > > reassemble ticked. Maybe Im using the wrong filter? > > > > Any suggestions as to how I can reassemble an image file downloaded > > from with Gnutella would be greatly appretiated. > > Thanks > > Dave > > > > > > ________________________________________ > > Sucker-punch spam with award-winning protection. > > Try the free Yahoo! Mail Beta. > > _______________________________________________ > > Wireshark-users mailing list > > [email protected] > > http://www.wireshark.org/mailman/listinfo/wireshark-users > > > > > > > > --------------------------------- > > Never Miss an Email > > Stay connected with Yahoo! Mail on your mobile. Get started! > -- > Hans Nilsson > [email protected] > > -- > http://www.fastmail.fm - A no graphics, no pop-ups email service > > _______________________________________________ > Wireshark-users mailing list > [email protected] > http://www.wireshark.org/mailman/listinfo/wireshark-users > > > > --------------------------------- > Finding fabulous fares is fun. > Let Yahoo! FareChase search your favorite travel sites to find flight and > hotel bargains. -- Hans Nilsson [email protected] -- http://www.fastmail.fm - IMAP accessible web-mail
- Prev by Date: Re: [Wireshark-users] V0.99.5 & Coloring Rules
- Next by Date: Re: [Wireshark-users] V0.99.5 & Coloring Rules
- Previous by thread: Re: [Wireshark-users] Reassemble packets from Gnutella download?
- Next by thread: Re: [Wireshark-users] OUI Look Up Tool on Wireshark site?