Retrieve data from wireshark (PCAPNG)

Question

I have a PCAPNG file and I need to retrieve two files from it, one is a TXT and the other one is a PNG. The provided file does not have FTP-DATA, it only have ARP, DHCP, DNS, FTP, HTTP, IGMPv3, OCSP, SSDP, TCP, TLSv1.2, TLSv1.3 and UDP packets.

This is the followed TCP Stream and required files:

220 pyftpdlib 1.5.5 ready.
USER anonymous
331 Username ok, send password.
PASS pass
230 Login successful.
SYST
215 UNIX Type: L8
TYPE I
200 Type set to: Binary.
PORT 192,168,0,101,184,151
200 Active data connection established.
STOR top_secret_XOR.png
125 Data connection already open. Transfer starting.
226 Transfer complete.
PORT 192,168,0,101,189,23
200 Active data connection established.
STOR old_password.txt
125 Data connection already open. Transfer starting.
226 Transfer complete.
QUIT
221 Goodbye.

How can I retrieve or at least see the contents of this files?

score 0 · Answer 1 · answered Nov 20 '19 at 18:11

0

PORT 192,168,0,101,184,151
...
STOR top_secret_XOR.png

This means the data connection will have a destination of 192.168.0.101 port 47255 (184*256+151). If there is a TCP stream matching this destination IP address then the full payload of the stream is the transferred file, i.e. you can just follow the stream and save its contents to a file.

answered Nov 20 '19 at 18:11

Steffen Ullrich

13,227
27
39

Thank you for taking the time to answer, it did not work. – Mateo Gutierrez Nov 20 '19 at 19:17

Retrieve data from wireshark (PCAPNG)

1 Answers1