How to use Wireshark's Follow Stream function to capture and restore files

Introduction

  • Wireshark's Follow Stream function lets us capture files that were downloaded from the Internet. This article demonstrates how to capture such a file and restore it from the packet data.

Use Nginx to build a file storage server

  • As long as the file is downloaded from a plain HTTP website, the Follow Stream tool can capture it. For the demonstration we temporarily set up an Nginx file server.
  • First, prepare an Nginx server and replace the default configuration with the following. When we then access the configured port, no web page is shown; instead the files in the download directory are listed. The download directory must be created by ourselves under /usr/local/nginx (the root directive is resolved relative to the Nginx prefix), and the files are placed in it. The directory name can be chosen freely, as long as it matches the configuration file.
  •   server {
          listen 10088;
          server_name localhost;

          location / {
              root download;              # relative to the Nginx prefix, e.g. /usr/local/nginx/download
              autoindex on;               # list the directory instead of serving an index page
              autoindex_exact_size off;   # show rounded file sizes (KB/MB) in the listing
          }
      }

  • I uploaded a notepad++ installation package and a certificate file to see the effect. When we access the corresponding port, the files stored on the Nginx server are listed.

Capture packets

  • Open Wireshark and start capturing, then click the installation package in the browser; it is downloaded automatically. Once the download is complete, stop the capture and we are ready for analysis. Filter the packet list with http.
  • Click the first GET request sent by the client, right-click it, and select Follow -> TCP Stream.
  • All the data exchanged for the downloaded file is then displayed.
  • At the bottom of the dialog, set Show data as to Raw and save the data to a file. The conversation drop-down in the same dialog lets you keep only the server-to-client direction, so the client's request bytes are not saved along with the file.

Restore data

  • Open the file we just saved. As you can see, the top of it is the HTTP header information; delete it and keep only the body. An exe file starts with the bytes MZ, so we only need to delete everything in front of MZ, save the file, and give it the extension exe.
  • At this point the restoration has succeeded, and you can double-click the file to run it. Comparing its hash with the original file on the server confirms that the bytes were recovered intact.

Restoring data using a binary editor

  • To avoid deleting data by accident, or when we do not know what the file data begins with, it is better to open the stream file we just saved in a hex editor. I use UltraEdit.
  • Generally the HTTP header and the body are separated by two carriage-return/line-feed pairs, which in hexadecimal are 0D 0A 0D 0A. Find 0D 0A 0D 0A, delete everything above it including the 0D 0A 0D 0A itself, and save the file again; the file is restored this way as well. If the whole conversation was saved, the first 0D 0A 0D 0A ends the client's request, so use the one that follows the server's HTTP/1.1 200 status line.
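The two restore procedures above (cut before the MZ magic, or cut after the 0D 0A 0D 0A header terminator) can be automated. The following script is an added example, not code from the original article: it reads the raw stream dump Wireshark saved, locates the server's status line so a saved client request is skipped, splits at the first 0D 0A 0D 0A after it, trims the body to Content-Length so bytes from a later response on the same connection are not kept, and names the output from the file signature. The sample stream, the file name, the port and the 8-byte "MZ" stub are all constructed for the example.

```python
import re
from pathlib import Path

# Constructed sample (not a real capture): what the Follow TCP Stream dialog
# saves with "Show data as: Raw" for the whole conversation, i.e. the client's
# GET followed by the server's response. The body is an 8-byte stub that only
# starts with the "MZ" bytes the article mentions; it is not an executable.
SAMPLE_STREAM = (
    b"GET /npp-installer.exe HTTP/1.1\r\n"
    b"Host: localhost:10088\r\n"
    b"\r\n"
    b"HTTP/1.1 200 OK\r\n"
    b"Server: nginx\r\n"
    b"Content-Type: application/octet-stream\r\n"
    b"Content-Length: 8\r\n"
    b"\r\n"
    b"MZ\x90\x00\x03\x00\x00\x00"
    b"...bytes of a later response on the same keep-alive connection..."
)

# File signatures used to sanity-check the recovered body (the article relies on MZ).
MAGIC = {
    b"MZ": "exe",
    b"\x7fELF": "elf",
    b"%PDF": "pdf",
    b"PK\x03\x04": "zip",
}

STATUS_LINE = re.compile(rb"(?m)^HTTP/1\.[01] (\d{3}) ")
HEADER_END = b"\r\n\r\n"  # the 0D 0A 0D 0A terminator from the article


def extract_body(stream: bytes):
    """Find the first HTTP response in a raw stream dump and return
    (status_code, headers, body). Anything before the status line (such as the
    client's GET request) is discarded; the body is cut to Content-Length."""
    m = STATUS_LINE.search(stream)
    if m is None:
        raise ValueError("no HTTP response status line found in the stream")
    status = int(m.group(1))
    sep = stream.find(HEADER_END, m.start())
    if sep == -1:
        raise ValueError("no 0D 0A 0D 0A terminator after the status line")
    # Header block: status line first, then "Name: value" lines.
    lines = stream[m.start():sep].decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    if headers.get("transfer-encoding", "").lower() == "chunked":
        raise ValueError("chunked body: chunk-size lines must be removed before saving")
    body = stream[sep + len(HEADER_END):]
    if "content-length" in headers:
        expected = int(headers["content-length"])
        if len(body) < expected:
            raise ValueError(f"stream truncated: expected {expected} body bytes, got {len(body)}")
        body = body[:expected]
    return status, headers, body


def guess_extension(body: bytes) -> str:
    """Pick a file extension from the leading bytes, 'bin' if unrecognised."""
    for magic, ext in MAGIC.items():
        if body.startswith(magic):
            return ext
    return "bin"


def restore_file(stream: bytes, out_dir: str, stem: str = "restored") -> Path:
    """Write the recovered body to out_dir and return the path written."""
    status, _headers, body = extract_body(stream)
    if status != 200:
        raise ValueError(f"response status {status}: not a complete download")
    out = Path(out_dir) / f"{stem}.{guess_extension(body)}"
    out.write_bytes(body)
    return out


if __name__ == "__main__":
    import sys
    import tempfile

    # Usage: python restore_stream.py [saved_stream.bin] [output_dir]
    data = Path(sys.argv[1]).read_bytes() if len(sys.argv) > 1 else SAMPLE_STREAM
    dest = sys.argv[2] if len(sys.argv) > 2 else tempfile.mkdtemp()
    written = restore_file(data, dest)
    print(f"wrote {written} ({written.stat().st_size} bytes)")
```

Run it with the stream file saved from the Follow TCP Stream dialog as the first argument; without arguments it processes the constructed sample. Trimming to Content-Length matters because a browser that reuses the connection can leave a second response in the same stream, which the manual "delete everything above MZ" method would keep at the end of the file.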

Origin blog.csdn.net/new9232/article/details/130900212