As I am doing research on Wireshark since many days, a question popped into my mind – Can we find out which is the file been transferred and the size of this file? Can we recreate files which are being captured while they are transferred or downloaded from websites? I was pretty confident that if the traffic is plain (i.e. not encrypted) then YES, it should be possible to extract any files which are being transferred.
I started searching for websites which have PDF files and use HTTP protocol. Luckily, found many such websites and used one of them for Eg: http://unec.edu.az/application/uploads/2014/12/pdf-sample.pdf. I started the packet capture before opening the web page and downloading the PDF file present in it.
Opened the capture in Wireshark to analyse it. The packet was requesting PDF and received a 200 OK status.
The packet number 553 contained the reassembled packet.
Upon right-clicking this packet’s header selected Export Packet Bytes
Used ‘sample.pdf’ as file name while saving the file. Specified PDF as the file type
These steps are similar with EXE and ZIP files as well. While exporting the particular packet header, the file name and the file format extension must be specified accordingly.
Had a good experience doing this. The interesting part was we can extract all the files which were transferred or downloaded while capturing packets. Using Wireshark, open packet capture:
Inside file menu, click on ‘Export Objects’ and select HTTP
On clicking “Save All”, all the files which were in the packet capture are saved.