Getting Images Out of Wireshark

While researching extracting images with Scapy I found a page describing image extraction with Wireshark. I am not sure why I didn't think to try this first. Of course Wireshark can do this super useful network task; their mission is to make the ultimate network diagnostic tool.

The information on that page seems to be a little out of date; on my Wireshark build the PDU tracing and HTTP follow options were already selected.

Grab a dump of an HTTP session, then feed it into Wireshark:

# tcpdump -w webimage.pcap host adventurist.me and port 80

I visited this page, which I know has an image on it, in Firefox's porn mode.

http.response.code==200

In Wireshark I used an HTTP 200 response code to find all of the assets in the stream. This left only three items: the page itself, the CSS style sheet and the image. Expand out the TCP block in Wireshark, right-click on the JPEG block and choose 'Export Packet Bytes'. I saved this as .bin, moved it to a .jpeg and was able to open the image.
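
The same selection (keep only 200 responses, then take the image bytes) can be done in code on the raw bytes of one reassembled HTTP response. This is an added example, not part of the original post; the function names and the sample response are constructed, and it names the output by file signature instead of relying on a hand-picked .jpeg extension.

```python
# Added example: pull the image body out of a reassembled HTTP response
# and pick the extension from its magic bytes, not from a guess.

MAGIC = {  # file signature -> extension
    b"\xff\xd8\xff": ".jpeg",
    b"\x89PNG\r\n\x1a\n": ".png",
    b"GIF87a": ".gif",
    b"GIF89a": ".gif",
}

def dechunk(data):
    """Decode a Transfer-Encoding: chunked body."""
    out = b""
    while data:
        size_line, _, data = data.partition(b"\r\n")
        size = int(size_line.split(b";")[0], 16)  # ignore chunk extensions
        if size == 0:
            break
        out += data[:size]
        data = data[size + 2:]  # skip chunk data and its trailing CRLF
    return out

def extract_image(response):
    """Return (extension, body) for a 200 response carrying an image, else None."""
    head, sep, body = response.partition(b"\r\n\r\n")
    if not sep:
        return None  # headers incomplete
    lines = head.split(b"\r\n")
    status = lines[0].split(b" ", 2)
    if len(status) < 2 or status[1] != b"200":
        return None
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    if b"chunked" in headers.get(b"transfer-encoding", b"").lower():
        body = dechunk(body)
    elif b"content-length" in headers:
        body = body[:int(headers[b"content-length"])]  # drop pipelined data
    for magic, ext in MAGIC.items():
        if body.startswith(magic):
            return ext, body
    return None  # a 200, but not a known image (the page, the style sheet)

# Constructed sample: JPEG start marker, padding, JPEG end marker (14 bytes).
FAKE_JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * 8 + b"\xff\xd9"
SAMPLE = (b"HTTP/1.1 200 OK\r\nContent-Type: image/jpeg\r\n"
          b"Content-Length: 14\r\n\r\n" + FAKE_JPEG + b"NEXT RESPONSE")
```

A body sent with Content-Encoding: gzip would need decompressing before the signature check; this sketch does not handle that.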


Reading: Abaddon's Gate