Wireshark Series 6 Data Flow Tracing


The following scenario is adapted from a lab exercise from Hetian Network Security: Hacker A uses ARP spoofing to intercept the traffic of an entire LAN with Wireshark. By chance he notices that someone has uploaded a file to a website, but he does not know how to recover that file from Wireshark. With no other option, he saves the captured packets as a Wireshark capture file and comes to you for advice. Can you help him find the uploaded file?

To reproduce this ourselves, prepare a picture named test.jpg, find a website that accepts uploads, and capture the upload with Wireshark. I have saved my own capture as catchme.pcapng and attached it for download.

After opening the capture file you will find 344 packets in total. Auditing them one by one from start to finish would be very laborious.


Here we use a display filter. Since the upload uses the HTTP protocol, the filter rule "http" is applied; the packet count drops from the original 344 to 137, which makes analysis much easier. Looking through the remaining packets, the Info column of packet 209 contains the word "upload", so we suspect this is the packet involved in the upload.


Since file uploads use the POST method, we can filter even more precisely with the rule "http.request.method==POST", which leaves only 47 packets. Mastering packet filtering is therefore one of the essential skills for using Wireshark.

Although we have seen the word upload and the POST method, we cannot yet be sure that this is really the request that uploads the file. Double-click packet 209 to examine it in detail. In the application-layer data you can see that a file is indeed being uploaded, and that its name is test.jpg.


In the transport-layer section you can see that, because the file is fairly large, TCP has split it into 16 segments, each carried in its own packet; clicking on each frame shows the contents of that packet.


The problem is that each packet carries only part of the uploaded file. To recover the file, these fragments must be reassembled into a whole. Wireshark's "Follow Stream" feature does exactly this.

Back in the main Wireshark window, right-click packet 209 and choose "Follow" > "TCP Stream".


The entire TCP stream is now shown in a separate window. Notice that the content is displayed in two colours: red marks traffic from the source address to the destination address, and blue marks the opposite direction, from the destination address back to the source. Which side gets which colour depends on which party started the conversation. Since the client normally initiates the connection to the server, the client's traffic is usually shown in red.

Because the uploaded file is carried in the data sent by the client, we can hide the responses sent back by the server. In the direction selector at the bottom of the window, choose the client-to-server direction; the response part then disappears.


Save the data stream as a raw file for further processing. Note that the display format must be set to "Raw" before saving.


Here the file extension is set to .bin so that the file is saved in binary form.

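The saved .bin is still the raw HTTP request rather than the picture: the file sits inside a multipart/form-data body between boundary lines, so one more step is needed to carve it out. The following Python script is an added example, not part of the original article; it parses such a client-to-server stream, honours Content-Length so a later request on the same connection is not swallowed, and writes the file out. The sample stream, boundary string and fake JPEG bytes are constructed stand-ins, not data from catchme.pcapng.

```python
import re
import sys

# Constructed sample (not from catchme.pcapng): the client-to-server half of a
# TCP stream as Wireshark's "Follow TCP Stream" saves it in raw form, carrying a
# multipart/form-data upload whose file body is a fake JPEG (SOI ... EOI only).
BOUNDARY = b"----WebKitFormBoundaryXYZ"
FAKE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00fake-jpeg-body\xff\xd9"
SAMPLE_BODY = (
    b"--" + BOUNDARY + b"\r\n"
    + b'Content-Disposition: form-data; name="file"; filename="test.jpg"\r\n'
    + b"Content-Type: image/jpeg\r\n\r\n" + FAKE_JPEG + b"\r\n"
    + b"--" + BOUNDARY + b"--\r\n"
)
SAMPLE_STREAM = (
    b"POST /upload.php HTTP/1.1\r\nHost: example.test\r\n"
    + b"Content-Type: multipart/form-data; boundary=" + BOUNDARY + b"\r\n"
    + b"Content-Length: " + str(len(SAMPLE_BODY)).encode() + b"\r\n\r\n" + SAMPLE_BODY
)

def extract_upload(stream: bytes) -> tuple[str, bytes]:
    """Return (filename, file_bytes) of the first file part in a multipart POST."""
    head, sep, body = stream.partition(b"\r\n\r\n")
    bnd = re.search(rb'boundary="?([^";\r\n]+)', head, re.IGNORECASE)
    if not sep or not bnd:
        raise ValueError("not a multipart/form-data request with complete headers")
    # Honour Content-Length so a later request on the same connection is not swallowed.
    clen = re.search(rb"Content-Length:\s*(\d+)", head, re.IGNORECASE)
    if clen:
        body = body[: int(clen.group(1))]
    for part in body.split(b"--" + bnd.group(1))[1:]:
        if part.startswith(b"--"):
            break  # closing delimiter: no more parts
        phead, sep, pbody = part.partition(b"\r\n\r\n")
        fname = re.search(rb'filename="([^"]*)"', phead)
        if not sep or not fname:
            continue  # an ordinary form field, not a file
        # The CRLF before the next delimiter belongs to the encapsulation, not the file.
        return fname.group(1).decode(), pbody.removesuffix(b"\r\n")
    raise ValueError("no file part found")

def looks_like_jpeg(data: bytes) -> bool:
    """Sanity check on the result: a JPEG starts with SOI (FF D8) and ends with EOI (FF D9)."""
    return data[:2] == b"\xff\xd8" and data[-2:] == b"\xff\xd9"

if __name__ == "__main__":  # argv[1]: the .bin saved from Wireshark
    src = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_STREAM
    name, data = extract_upload(src)
    open("recovered_" + name, "wb").write(data)
```

Run it with the .bin from the previous step as its only argument; with no argument it processes the constructed sample and writes recovered_test.jpg.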


Origin http://43.154.161.224:23101/article/api/json?id=325042978&siteId=291194637