Exporting various objects

When working with a capture, there may be a variety of objects such as files, images and applications within the file. Wireshark reassembles the objects, which can be collected and analyzed, as long as the object is unencrypted.

There are several reasons you may need to collect objects within a capture file. For example, during an active malware investigation, you may need to see what type of files are being transferred. Or there may be some concern that an individual may be sending sensitive information out of the organization. Wireshark makes it easy to export objects, so that you can take a closer look at what type of traffic is being sent across the network.

Some of the possible objects that can be exported include those from the following protocols:

  • Digital Imaging and Communications in Medicine (DICOM)
  • HyperText Transfer Protocol (HTTP)
  • Internet Message Format (IMF)
  • Server Message Block (SMB)
  • Trivial File Transfer Protocol (TFTP)

If you suspect that any of the preceding protocols contains objects, you can export them for examination by going to the File menu choice, and then Export Objects, as shown in the following screenshot:

Export Objects

For example, open the Web Page.pcapng file. Once open, select Export Objects, and then HTTP.... Wireshark will locate all objects, such as text/plain, application/javascript, images, and text/html. This will take a few seconds, depending on the size of the file. Wireshark will then present a list, as shown in the following screenshot:

HTTP object list

In the dialog box, you can search for text strings. In the lower left-hand corner, you'll see a Text Filter label. Enter footsteps-to-the-summit.jpg, as shown in the following screenshot:

Searching footsteps-to-the-summit.jpg

Select Save, and when the dialog box opens, enter the filename and the appropriate extension. In this case, I used footsteps-to-the-summit.jpg. After you save the object, locate, open, and view the image, as shown in the following screenshot:

Exported HTTP Object

If there are other objects, you can save them as well; alternatively, you can select Save All, and Wireshark will save all objects found in the file.
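To make the "reassembles the objects" part concrete, here is an added example (not code from the book or from Wireshark) that does for HTTP what Export Objects does: it stitches TCP segments back together per direction, pairs each GET with the response flowing back, and carves each body out by Content-Length. The frames, addresses, filenames and the JPEG stand-in are all constructed inline; the `frame` builder exists only to produce that sample.

```python
import struct
from collections import defaultdict

def frame(src, sport, dst, dport, seq, payload):
    """Build an Ethernet/IPv4/TCP frame (checksums left zero; the carver never checks them)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0, src, dst) + tcp
    return b"\x00" * 12 + b"\x08\x00" + ip  # zero MACs, EtherType 0x0800 = IPv4

def tcp_streams(frames):
    """Reassemble TCP payload per direction, keyed by (src, sport, dst, dport), ordered by seq."""
    segs = defaultdict(dict)
    for fr in frames:
        if fr[12:14] != b"\x08\x00" or fr[23] != 6:  # only IPv4-over-Ethernet carrying TCP
            continue
        t, total = 14 + (fr[14] & 0x0F) * 4, struct.unpack("!H", fr[16:18])[0]
        sport, dport, seq = struct.unpack("!HHI", fr[t:t + 8])
        # keying by seq puts out-of-order segments in place and drops exact retransmissions
        segs[(fr[26:30], sport, fr[30:34], dport)][seq] = fr[t + (fr[t + 12] >> 4) * 4:14 + total]
    return {k: b"".join(p for _, p in sorted(v.items())) for k, v in segs.items()}

def export_http_objects(frames):
    """Pair each GET on a stream with the responses flowing back; carve bodies by Content-Length."""
    streams, objects = tcp_streams(frames), {}
    for (src, sport, dst, dport), req in streams.items():
        resp, pos = streams.get((dst, dport, src, sport), b""), 0
        names = [l.split(b" ")[1].rsplit(b"/", 1)[-1] for l in req.split(b"\r\n") if l.startswith(b"GET ")]
        for name in names:  # on a keep-alive connection responses come back in request order
            end = resp.find(b"\r\n\r\n", pos)
            if end < 0:
                break
            hdrs = {k.strip().lower(): v.strip() for k, v in (h.split(":", 1)
                    for h in resp[pos:end].decode("latin-1").split("\r\n")[1:] if ":" in h)}
            length = int(hdrs.get("content-length", len(resp) - end - 4))
            objects[name.decode()] = (hdrs.get("content-type", ""), resp[end + 4:end + 4 + length])
            pos = end + 4 + length
    return objects

# Constructed capture: two GETs on one keep-alive connection; the JPEG reply is split into two segments captured out of order.
CLIENT, SERVER = b"\x0a\x00\x00\x02", b"\x0a\x00\x00\x50"  # constructed 10.0.0.2 / 10.0.0.80
BODY = bytes(range(256)) * 4  # stand-in for 1,024 bytes of JPEG data
REQ = (b"GET /images/footsteps-to-the-summit.jpg HTTP/1.1\r\nHost: example.test\r\n\r\n"
       b"GET /app.js HTTP/1.1\r\nHost: example.test\r\n\r\n")
RESP = (b"HTTP/1.1 200 OK\r\nContent-Type: image/jpeg\r\nContent-Length: %d\r\n\r\n" % len(BODY) + BODY
        + b"HTTP/1.1 200 OK\r\nContent-Type: application/javascript\r\nContent-Length: 11\r\n\r\nvar x = 1;\n")
SAMPLE_FRAMES = [
    frame(CLIENT, 40000, SERVER, 80, 1, REQ),
    frame(SERVER, 80, CLIENT, 40000, 601, RESP[600:]),  # later segment was captured first
    frame(SERVER, 80, CLIENT, 40000, 1, RESP[:600]),
]
```

Calling `export_http_objects(SAMPLE_FRAMES)` yields the same two entries the Export Objects list would show for this traffic, each with its content type and the reassembled bytes ready to be written to disk; a duplicated (retransmitted) segment changes nothing because segments are keyed by sequence number.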

As you can see, Wireshark provides many ways to preserve and export components and objects. But what happens when you're done working with a file?

While doing analysis, you may know why you are working on a particular capture. However, when you return to the file, you may not remember what caused you to look at the capture in the first place. In addition, if you share the file with a co-worker, they may not be able to identify the significance. In either case, it's best to identify key elements and concerns by adding comments. In order to preserve the reasons why the file was important, Wireshark provides ways to add comments to a single packet or an entire capture, as discussed in the following section.
