Several Methods of Automatically Restoring Files in pcap Packets

This article introduces how to use Wireshark and Python to restore, both manually and automatically, the file content carried inside a pcap capture.

When Wireshark analyzes packets, it frequently meets payload data that it cannot decode by itself, as shown in Figure 1 below:
Figure 1

This content may be text in a Chinese encoding, or an image or video file, which usually needs a specific program to open. For example, GB2312-encoded Chinese text inside an HTML page cannot be displayed in Wireshark; it has to be restored to an HTML file, which then displays correctly when opened in the Chrome browser. I have listed many possible causes of garbled characters in Wireshark in a separate article; see here.

For the image file in Figure 1, Wireshark can parse only some of the header fields and otherwise shows the image as raw hexadecimal; image decoding software is needed to actually display it. The same holds for video, Office documents and other formats that need their own software. In my previous article I described using a Wireshark Lua plug-in to extract images, videos, certificates and other file content (see here), and that approach can be extended to restore many more file types through the Wireshark extension. This article introduces a different approach: restoring files manually, and restoring them automatically.
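As an added illustration (not the article's own code), the following stdlib-only Python sketch shows the restoring step the article is describing. It takes one reassembled HTTP response, which here is constructed inline in place of a real TCP stream carved from a pcap, honours Content-Length so the next response is not glued on, decodes a GB2312 HTML body with its declared charset, and keeps binary bodies identified by their magic bytes so they can be written out and opened with the proper viewer. The magic-byte table and the utf-8 fallback are my assumptions.

```python
import re

# Magic bytes for a few file types that Wireshark can only show as hex.
# Assumption: this small table is chosen for the example, not taken from the article.
MAGIC = {
    b"\xff\xd8\xff": "jpg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF89a": "gif",
    b"%PDF-": "pdf",
}

def split_http_response(stream: bytes):
    """Split one HTTP/1.x response into (headers dict, body bytes)."""
    head, sep, rest = stream.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no header/body separator found")
    headers = {}
    for line in head.split(b"\r\n")[1:]:          # skip the status line
        k, _, v = line.partition(b":")
        headers[k.strip().lower().decode("ascii")] = v.strip().decode("latin-1")
    # Honour Content-Length so bytes of a following response on the same
    # TCP stream are not mistaken for part of this file.
    n = int(headers.get("content-length", len(rest)))
    return headers, rest[:n]

def restore_file(stream: bytes):
    """Return (extension, content): bytes for binary types recognised by magic
    bytes, otherwise text decoded with the charset declared in Content-Type."""
    headers, body = split_http_response(stream)
    for magic, ext in MAGIC.items():
        if body.startswith(magic):
            return ext, body
    ctype = headers.get("content-type", "")
    m = re.search(r"charset=([\w-]+)", ctype, re.I)
    charset = m.group(1) if m else "utf-8"        # assumption: default when unstated
    return ("html" if "html" in ctype else "txt"), body.decode(charset, errors="replace")

# Constructed samples standing in for reassembled TCP streams from a capture.
GB_HTML = "<html><body>中文测试</body></html>".encode("gb2312")   # unreadable in Wireshark
SAMPLE_HTML = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=gb2312\r\n"
               + b"Content-Length: %d\r\n\r\n" % len(GB_HTML) + GB_HTML
               + b"HTTP/1.1 200 OK\r\n")          # start of the next response on the stream
SAMPLE_JPG = (b"HTTP/1.1 200 OK\r\nContent-Type: image/jpeg\r\nContent-Length: 6\r\n\r\n"
              b"\xff\xd8\xff\xe0JF")              # truncated JPEG header, enough for the magic check

if __name__ == "__main__":
    for sample in (SAMPLE_HTML, SAMPLE_JPG):
        ext, content = restore_file(sample)
        mode, enc = ("w", "utf-8") if isinstance(content, str) else ("wb", None)
        with open("restored." + ext, mode, encoding=enc) as f:   # open with Chrome / an image viewer
            f.write(content)
```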

Source: blog.csdn.net/javajiawei/article/details/124072352