View Contents of docx, pdf and text files obtained in Wireshark through PCAP file

Question

So, I have got a pcap file which I opened with Wireshark tool. Now, there are 4 files I can find through the HTTP filter: 1. A docx file 2. A pdf file 3. A txt file 4. PNG file

I extracted the PNG image file by the following :

Right click on the packet -> follow -> Using TCP -> Converted the file from ASCII to raw -> Searched for 'FFD8' and 'FFD9 and copy pasted the raw network text to HxD Hex editor and saved it as PNG.

I don't know how to view the contents of the rest. I am using a Windows 10 system. Any help would be appreciated.

Thank you in advance.

Ross Jacobs · Answer 1 · 2020-04-19T19:57:44.340

2

Wireshark has the ability to export files from HTTP. On Macos & Windows, you can find this in the GUI as

File > Export Objects > HTTP

You can find more information about this in the Wireshark Guide at https://www.wireshark.org/docs/wsug_html_chunked/ChIOExportSection.html#ChIOExportObjectsDialog

You can also do this with tshark with tshark --export-objects http,$dest_dir. tshark.dev has an article on using this here.

edited Apr 19 '20 at 19:57

answered Apr 19 '20 at 19:13

Ross Jacobs

2,962
1
17
27

I use windows 10. Sorry I didn't mention it in the main post. Edited now – Jibin Apr 19 '20 at 19:18
@Benjamin It's the same menu path in Windows. – Ross Jacobs Apr 19 '20 at 19:58
So there isn't any need for a Hex Editor? Because I need to view the contents of the docx and pdf files.. – Jibin Apr 20 '20 at 05:11

View Contents of docx, pdf and text files obtained in Wireshark through PCAP file

1 Answers1