Wireshark-users: Re: [Wireshark-users] Extracting files from pcap
From: Jim Balo <jimbalo22@xxxxxxxxx>
Date: Sun, 12 Oct 2008 22:45:47 -0700 (PDT)
Yes, one-by-one seems to work fine for me too - thanks.
Now, on large pcap files one-by-one will be quite tedious.  Do you (or anyone) know what programs are out there to automate extraction of various files from a pcap?  I have used Network Miner and it works quite well on pcap files of moderate size.  Is this the best tool, or are there other alternatives out there?

--- On Sun, 10/12/08, j.snelders@xxxxxxxxxx <j.snelders@xxxxxxxxxx> wrote:
From: j.snelders@xxxxxxxxxx <j.snelders@xxxxxxxxxx>
Subject: Re: [Wireshark-users] Extracting files from pcap
To: jimbalo22@xxxxxxxxx, "Community support list for Wireshark" <wireshark-users@xxxxxxxxxxxxx>
Date: Sunday, October 12, 2008, 1:03 PM

Hi Jim,

In my experience you'd better save the items one by one (Save As instead of
Save All).
Most of the time there are a lot of "/" or "?" and you cannot use these
for filenames.


>-- Original message --
>Date: Sun, 12 Oct 2008 12:41:56 -0700 (PDT)
>From: Jim Balo <jimbalo22@xxxxxxxxx>
>To: Community support list for Wireshark
>	Abhik Sarkar <sarkar.abhik@xxxxxxxxx>
>Subject: Re: [Wireshark-users] Extracting files from pcap
>Reply-To: jimbalo22@xxxxxxxxx,
>	Community support list for Wireshark <wireshark-users@xxxxxxxxxxxxx>
>Thanks for the reply.
>I tried this, but Wireshark just hung when trying "Save All" (been sitting
>there for 30 minutes now. The pcap is small - only 90K). I'll try
>only select objects, etc. later and see if that works better. Have you
>using it w/o problems?
>If the file is transferred using HTTP, you could try File > Export >
>Objects > HTTP.
>On Sun, Oct 12, 2008 at 8:57 AM, Jim Balo <jimbalo22@xxxxxxxxx>
>> Hi,
>> I am trying to learn how to extract transferred files from pcap dumps.
>> I have a pcap file with an http data transfer that is gzip-encoded
>> ("Accept-encoding: gzip,deflate" in the http header).  I selecting and
>> exporting the data portion of the two packages that seemed to be part
>> this transfer and then concatenate them, but when I try to gunzip it,
>> "unexpected end of file."  Using Network Miner, the file just fine.
>> I would like to learn how to do this using only Wireshark - does
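
Added example (not part of the original thread and not Wireshark or Network Miner code): a Python sketch of two things an automated extractor has to handle for the problems raised above, decoding a gzip-encoded HTTP response body and building a filename that contains no "/" or "?". All function names and the sample response are constructed for illustration, and TCP reassembly into one response byte string is assumed to have been done already.

```python
import gzip
import re
import zlib
from urllib.parse import unquote, urlsplit

def safe_name(uri, index):
    """Map a request URI to a filename free of '/', '?' and other unsafe characters."""
    parts = urlsplit(uri)
    base = unquote(parts.path).rsplit("/", 1)[-1] or "index"
    if parts.query:
        base += "_" + parts.query
    base = re.sub(r"[^A-Za-z0-9._-]", "_", base).lstrip(".")[:100] or "object"
    return f"{index:04d}_{base}"  # index keeps names unique across objects

def dechunk(body):
    """Undo Transfer-Encoding: chunked (hex size line, data, CRLF, ..., 0)."""
    out, pos = b"", 0
    while True:
        eol = body.index(b"\r\n", pos)
        size = int(body[pos:eol].split(b";")[0], 16)
        if size == 0:
            return out
        out += body[eol + 2:eol + 2 + size]
        pos = eol + 2 + size + 2  # skip the data and its trailing CRLF

def decode_response(raw):
    """Return (body, complete) for one reassembled HTTP response."""
    head, body = raw.split(b"\r\n\r\n", 1)
    hdr = {}
    for line in head.split(b"\r\n")[1:]:
        key, _, value = line.partition(b":")
        hdr[key.strip().lower()] = value.strip().lower()
    if b"chunked" in hdr.get(b"transfer-encoding", b""):
        body = dechunk(body)
    if hdr.get(b"content-encoding") in (b"gzip", b"x-gzip"):
        d = zlib.decompressobj(16 + zlib.MAX_WBITS)  # 16+ selects the gzip wrapper
        return d.decompress(body), d.eof  # eof False: the stream is missing bytes
    return body, True

# Constructed sample: a gzip body sent as two chunks, as if reassembled from TCP.
PAYLOAD = b"constructed test payload\n" * 20

def build_response(gz, chunked=True):
    head = b"HTTP/1.1 200 OK\r\nContent-Encoding: gzip\r\n"
    if chunked:
        halves = (gz[:len(gz) // 2], gz[len(gz) // 2:])
        gz = b"".join(b"%x\r\n%s\r\n" % (len(h), h) for h in halves) + b"0\r\n\r\n"
        head += b"Transfer-Encoding: chunked\r\n"
    return head + b"\r\n" + gz
```

A gzip stream that is missing bytes comes back with `complete` set to False instead of raising, which is the condition gunzip reports as "unexpected end of file".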