Wireshark mailing list archives

Rép. : Re: Copy Hex from a follow TCP stream
From: "FRANCIS PROVENCHER" <FRANCIS.PROVENCHER () msp gouv qc ca>
Date: Mon, 19 Aug 2013 16:13:29 -0400

Thanks,

That partially works: the hex numbers are removed, but the ASCII trailer is
always present (I'm really bad at regex, can you help me please?)

 00 6e 0b 00                                          .n..
 4d 5a e8 00 00 00 00 5b  52 45 55 89 e5 81 c3 81   MZ.....[ REU.....
 12 00 00 ff d3 89 c3 57  68 04 00 00 00 50 ff d0   .......W h....P..
 68 f0 b5 a2 56 68 05 00  00 00 50 ff d3 00 00 00   h...Vh.. ..P.....
 00 00 00 00 00 00 00 00  00 00 00 00 e0 00 00 00   ........ ........

Thank you so much!


Francis Provencher
Information Security Advisor
Ministère de la Sécurité publique du Québec
Information Technology Directorate
Computer Security Division
Tel: 1 418 646-6777 #30083 BlackBerry; 1 418 473 6419
Email:   Francis.provencher () msp gouv qc ca

Certified:  SANS GCIA, SANS GPEN, SANS GSEC, C|EH, SSCP, Security +

ronnie sahlberg <ronniesahlberg () gmail com> 19/08/13 15:43 >>>
sed -e "s/[^ ]* //"

On Mon, Aug 19, 2013 at 12:21 PM, FRANCIS PROVENCHER
<FRANCIS.PROVENCHER () msp gouv qc ca> wrote:
Hi,

I want to extract an exe from a TCP stream.

First I add a filter in Wireshark, "tcp.stream eq 2010".

After the 3-way handshake, I see the start of the .exe (hex file signature
"4D 5a").

The download of this executable spans 52000 packets; to extract the file, I
chose the "Follow TCP Stream" option and then clicked the "Hex Dump" option.

The output looks like this:

    00000000  00 6e 0b 00                                          .n..
    00000004  4d 5a e8 00 00 00 00 5b  52 45 55 89 e5 81 c3 81   MZ.....[ REU.....
    00000014  12 00 00 ff d3 89 c3 57  68 04 00 00 00 50 ff d0   .......W h....P..
    00000024  68 f0 b5 a2 56 68 05 00  00 00 50 ff d3 00 00 00   h...Vh.. ..P.....
    00000034  00 00 00 00 00 00 00 00  00 00 00 00 e0 00 00 00   ........ ........
    00000044  0e 1f ba 0e 00 b4 09 cd  21 b8 01 4c cd 21 54 68   ........ !..L.!Th
    00000054  69 73 20 70 72 6f 67 72  61 6d 20 63 61 6e 6e 6f   is progr am canno
    00000064  74 20 62 65 20 72 75 6e  20 69 6e 20 44 4f 53 20   t be run  in DOS
    00000074  6d 6f 64 65 2e 0d 0d 0a  24 00 00 00 00 00 00 00   mode.... $.......


How can I remove the hex numbers and the ASCII trailer from this output to
have something like this?

      00 6e 0b 00
      4d 5a e8 00 00 00 00 5b  52 45 55 89 e5 81 c3 81
      12 00 00 ff d3 89 c3 57  68 04 00 00 00 50 ff d0


Thanks all!

Francis Provencher
Information Security Advisor
Ministère de la Sécurité publique du Québec
Information Technology Directorate
Computer Security Division
Tel: 1 418 646-6777 #30083 BlackBerry; 1 418 473 6419
Email:   Francis.provencher () msp gouv qc ca

Certified:  SANS GCIA, SANS GPEN, SANS GSEC, C|EH, SSCP, Security +



___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe
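As an added example (not code from this thread), a small Python parser that keeps only the hex column of a Wireshark "Follow TCP Stream" hex dump, rebuilds the stream bytes and checks that every row's offset equals the byte count so far, so ASCII-column text that happens to look like hex (and rows lost to mail wrapping) are caught instead of silently corrupting the carved file. The row layout is assumed from the dump quoted above; the sample rows are the ones from the original post, re-joined one per line.

```python
import re

# Assumed row layout, taken from the dump quoted in the thread: 8-digit offset,
# two spaces, up to 16 hex pairs separated by one space (two after the 8th
# pair), then padding and the ASCII column, which this regex never captures.
HEX_LINE = re.compile(
    r"^\s*(?P<offset>[0-9a-fA-F]{8})\s{2}"
    r"(?P<hex>(?:[0-9a-fA-F]{2} {0,2}){1,16})"
)

# Rows from the original post, one per line (the ASCII column wrapped in the mail).
SAMPLE_DUMP = """\
00000000  00 6e 0b 00                                          .n..
00000004  4d 5a e8 00 00 00 00 5b  52 45 55 89 e5 81 c3 81   MZ.....[ REU.....
00000014  12 00 00 ff d3 89 c3 57  68 04 00 00 00 50 ff d0   .......W h....P..
00000024  68 f0 b5 a2 56 68 05 00  00 00 50 ff d3 00 00 00   h...Vh.. ..P.....
00000034  00 00 00 00 00 00 00 00  00 00 00 00 e0 00 00 00   ........ ........
00000044  0e 1f ba 0e 00 b4 09 cd  21 b8 01 4c cd 21 54 68   ........ !..L.!Th
00000054  69 73 20 70 72 6f 67 72  61 6d 20 63 61 6e 6e 6f   is progr am canno
00000064  74 20 62 65 20 72 75 6e  20 69 6e 20 44 4f 53 20   t be run  in DOS
00000074  6d 6f 64 65 2e 0d 0d 0a  24 00 00 00 00 00 00 00   mode.... $.......
"""


def hex_only_lines(text):
    """The output the poster asked for: only the hex column, one row per line."""
    return [m.group("hex").rstrip()
            for m in (HEX_LINE.match(l) for l in text.splitlines()) if m]


def hexdump_to_bytes(text):
    """Rebuild the raw stream bytes, refusing input whose offsets do not chain.

    A row whose offset is not the byte count so far means a row was lost
    (e.g. to line wrapping) or ASCII text leaked into the hex column."""
    out = bytearray()
    for line in text.splitlines():
        m = HEX_LINE.match(line)
        if not m:            # ASCII spill-over, blank or quoted-mail lines
            continue
        offset = int(m.group("offset"), 16)
        if offset != len(out):
            raise ValueError(f"row {offset:#x} found where {len(out):#x} was expected")
        out += bytes.fromhex(m.group("hex"))  # fromhex ignores the spaces
    return bytes(out)


def mz_offset(data):
    """Index of the 'MZ' signature (-1 if absent); bytes before it are not the .exe."""
    return data.find(b"MZ")
```

Write `hexdump_to_bytes(...)[mz_offset(...):]` to a file to get the carved executable; hashing that output is what a detection or IR workflow would check, not the raw dump.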
