Wireshark mailing list archives

Re: Copy Hex from a follow TCP stream
From: Jim Aragon <Jim () agdatasystems com>
Date: Mon, 19 Aug 2013 12:41:04 -0700

On 8/19/2013 12:21 PM, FRANCIS PROVENCHER wrote:

I want to extract an exe from a TCP stream.

First I add a filter in Wireshark, "tcp.stream eq 2010".

After the 3-way handshake, I see the start of the .exe (hex file
signature "4D 5a").

The download of this executable is on 52000 packets; to extract the
file, I have chosen the option "Follow TCP Stream" and afterwards clicked on
the "Hex Dump" option.

How can I remove the hex number and ASCII trailer from this output to have
something like this?

       00 6e 0b 00
       4d 5a e8 00 00 00 00 5b  52 45 55 89 e5 81 c3 81
       12 00 00 ff d3 89 c3 57  68 04 00 00 00 50 ff d0

If you actually want to extract the .exe file, instead of a hex dump of the contents, leave the output type at "Raw" instead of "Hex Dump."


Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
            mailto:wireshark-users-request () wireshark org?subject=unsubscribe
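
Added example, not part of the original thread or of Wireshark's code: when only the saved "Hex Dump" text of a followed stream is available, this Python sketch rebuilds the bytes of each direction and carves from the "4D 5a" signature mentioned in the question. The line layout, the per-direction offsets, and the names `parse_hex_dump`, `carve_from_signature` and `_row` are assumptions made for the illustration.

```python
import re

# Assumed line layout: optional indent, 8-hex-digit offset, two spaces, up to
# 16 "xx " byte columns (one extra space after the 8th), then the ASCII trailer.
# Lines from the second endpoint (normally the server) are indented.
LINE = re.compile(r"^(\s*)([0-9A-Fa-f]{8})  (.*)$")
HEX_WIDTH = 16 * 3 + 1  # fixed width of the hex column; ASCII starts after it


def parse_hex_dump(text):
    """Rebuild both directions of the stream as bytes: (first, second)."""
    sides = (bytearray(), bytearray())
    for n, line in enumerate(text.splitlines(), 1):
        m = LINE.match(line)
        if not m:
            continue  # blank line or text that is not part of the dump
        buf = sides[1 if m.group(1) else 0]
        # Slice by column rather than pattern-matching hex pairs: the ASCII
        # trailer can itself contain text that looks like hex ("ab cd").
        data = bytes.fromhex("".join(m.group(3)[:HEX_WIDTH].split()))
        # Offsets are assumed to count per direction; a mismatch means lines
        # were lost or mangled in the copy, so fail instead of guessing.
        if int(m.group(2), 16) != len(buf):
            raise ValueError(f"line {n}: offset does not match bytes so far")
        buf += data
    return bytes(sides[0]), bytes(sides[1])


def carve_from_signature(data, signature=b"MZ"):
    """Return data from the first occurrence of signature, or None."""
    i = data.find(signature)
    return None if i < 0 else data[i:]


def _row(indent, offset, hex_part, ascii_part):
    return f"{indent}{offset:08X}  {hex_part.ljust(HEX_WIDTH)} {ascii_part}"


# Constructed sample: one made-up client line, then the bytes quoted in the post.
SAMPLE = "\n".join([
    _row("", 0, "61 62 20 63 64", "ab cd"),
    _row("    ", 0, "00 6e 0b 00", ".n.."),
    _row("    ", 4, "4d 5a e8 00 00 00 00 5b  52 45 55 89 e5 81 c3 81", "MZ.....[ REU....."),
    _row("    ", 20, "12 00 00 ff d3 89 c3 57  68 04 00 00 00 50 ff d0", ".......W h....P.."),
])

if __name__ == "__main__":
    client, server = parse_hex_dump(SAMPLE)
    print(carve_from_signature(server).hex(" "))
```

Saving the stream as "Raw", as the reply suggests, avoids this parsing step entirely; the sketch is for cases where the capture is gone and only the dump text remains.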
