Although Wireshark does not have a nice feature to export SMB2 objects, you can extract transferred files from the capture files.
In this article I will show you how to extract small files, a PDF and an EXE, from Wireshark capture files.
PDF
The sample file smb2-pdf_02.pcap contains the file willhackforsushi.com_80211_Pocket_Reference_Guide.pdf from Will Hack For Sushi.
You can download the files here:
• sample capture file smb2-pdf_02.pcap
• pdf willhackforsushi.com_80211_Pocket_Reference_Guide.pdf
Open the file smb2-pdf_02.pcap.
To check if "Allow subdissector to reassemble TCP streams" is turned on, go to:
• right-click Transmission Control Protocol in the Packet Details pane
• Protocol Preferences
• "Allow subdissector to reassemble TCP streams"
• apply Display Filter: "smb2.write_data"
There is only one match: packet 73.
• expand SMB2 in the Packet Details pane
• right-click "Write Data"
• select "Copy" | "Bytes" | "Hex Stream" from the context menu
• open a new file in a hex-editor (HxD is a freeware Hex Editor and Disk Editor)
• paste the bytes
• save the file as pdf.pdf
Compare files
• open also the original file, willhackforsushi.com_80211_Pocket_Reference_Guide.pdf, in HxD
• go to "Analysis" | "File-compare" | "Compare…"
The result: "The chosen files are identical".
EXE
The sample file smb2-exe_02.pcap contains the file diff.exe.
You can download the files here:
• sample capture file smb2-exe_01.pcap
• executable diff.exe
Note
You can use diff.exe to compare two text files and print the lines that are different.
Open the file smb2-exe_01.pcap.
• apply Display Filter: "smb2.write_data"
Two packets match the filter criteria.
• select packet 86
• expand SMB2 in the Packet Details pane
• right-click "Write Data"
• select "Copy" | "Bytes" | "Hex Stream" from the context menu
• open a new file in a hex-editor
• paste the bytes
• save the file as exe.exe
• select packet 88
• again right-click "Write Data", copy the "Hex Stream"
• append the bytes to the existing file exe.exe and save the changes
Compare files
• open also the original file, diff.exe, in HxD
• go to "Analysis" | "File-compare" | "Compare…"
The result: "The chosen files are identical".
Final test
Run exe.exe
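The manual steps above (filter on smb2.write_data, copy the "Write Data" bytes of each matching packet, append them in order) can be automated. The following Python script is an added example written for this article's workflow; it is not a tool from the post or from the Wireshark project. It walks a classic pcap, picks out SMB2 WRITE requests carried over TCP, and reassembles the written bytes per FileId ordered by the Offset field of each write, so chunks such as those in packets 86 and 88 end up in file order even if they were captured out of sequence. It assumes Ethernet/IPv4 captures and that each SMB2 message fits in one TCP segment (no TCP reassembly, which is why the "Allow subdissector to reassemble TCP streams" setting matters in Wireshark for larger transfers). The pcap it parses is constructed inside the block; the MAC and IP addresses, ports, session and tree ids and the FileId are made-up placeholders.

```python
"""Extract files carried in SMB2 WRITE requests from a pcap (standard library only).
Assumption: one SMB2 message per TCP segment, Ethernet/IPv4 link layer."""
import struct

SMB2_WRITE = 0x0009
SMB2_FLAGS_SERVER_TO_REDIR = 0x00000001  # set on responses, clear on requests
SMB2_HEADER_LEN = 64


def iter_pcap_packets(data: bytes):
    """Yield the link-layer bytes of every packet in a classic (non-pcapng) pcap blob."""
    magic = data[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif magic == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    if struct.unpack(endian + "I", data[20:24])[0] != 1:
        raise ValueError("only Ethernet (DLT_EN10MB) captures are handled")
    pos = 24
    while pos + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack(endian + "IIII", data[pos:pos + 16])
        pos += 16
        yield data[pos:pos + incl_len]
        pos += incl_len


def tcp_payload(frame: bytes):
    """Return the TCP payload of an Ethernet/IPv4/TCP frame, or None for anything else."""
    if len(frame) < 14 or frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    if ip[9] != 6:  # IP protocol 6 = TCP
        return None
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    tcp = ip[ihl:total_len]
    return tcp[(tcp[12] >> 4) * 4:]


def smb2_write_requests(payload: bytes):
    """Yield (file_id, file_offset, data) for each SMB2 WRITE request in a TCP segment."""
    pos = 0
    while pos + 4 <= len(payload):
        # NetBIOS session service header: 1 byte type + 3 byte big-endian length
        msg_len = int.from_bytes(payload[pos + 1:pos + 4], "big")
        msg = payload[pos + 4:pos + 4 + msg_len]
        pos += 4 + msg_len
        off = 0  # walk compounded requests via NextCommand
        while off + SMB2_HEADER_LEN <= len(msg) and msg[off:off + 4] == b"\xfeSMB":
            hdr = msg[off:off + SMB2_HEADER_LEN]
            command, = struct.unpack("<H", hdr[12:14])
            flags, next_cmd = struct.unpack("<II", hdr[16:24])
            if command == SMB2_WRITE and not flags & SMB2_FLAGS_SERVER_TO_REDIR:
                body = msg[off + SMB2_HEADER_LEN:]
                data_offset, length = struct.unpack("<HI", body[2:8])  # DataOffset, Length
                file_offset, = struct.unpack("<Q", body[8:16])         # Offset within the file
                file_id = body[16:32]                                  # FileId (16 bytes)
                yield file_id, file_offset, msg[off + data_offset:off + data_offset + length]
            if next_cmd == 0:
                break
            off += next_cmd


def extract_files(pcap: bytes) -> dict:
    """Reassemble the written data per FileId, placing each chunk at its file offset."""
    chunks = {}
    for frame in iter_pcap_packets(pcap):
        payload = tcp_payload(frame)
        if payload:
            for file_id, file_offset, data in smb2_write_requests(payload):
                chunks.setdefault(file_id, []).append((file_offset, data))
    files = {}
    for file_id, parts in chunks.items():
        buf = bytearray()
        for file_offset, data in sorted(parts):
            if len(buf) < file_offset:            # a write we did not capture: leave a hole
                buf.extend(b"\x00" * (file_offset - len(buf)))
            buf[file_offset:file_offset + len(data)] = data
        files[file_id] = bytes(buf)
    return files


# --- constructed sample capture (placeholders, not a real trace) -------------
def _smb2_write_request(file_id: bytes, file_offset: int, data: bytes, msg_id: int) -> bytes:
    hdr = struct.pack("<4sHHIHHIIQIIQ16s", b"\xfeSMB", 64, 1, 0, SMB2_WRITE, 1, 0, 0,
                      msg_id, 0, 1, 0x1234, b"\x00" * 16)
    body = struct.pack("<HHIQ16sIIHHI", 49, SMB2_HEADER_LEN + 48, len(data), file_offset,
                       file_id, 0, 0, 0, 0, 0)
    msg = hdr + body + data
    return b"\x00" + len(msg).to_bytes(3, "big") + msg


def _frame(payload: bytes, seq: int) -> bytes:
    tcp = struct.pack("!HHIIBBHHH", 50000, 445, seq, 0, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, 64, 6, 0,
                     bytes([192, 168, 1, 10]), bytes([192, 168, 1, 20])) + tcp
    return b"\x00" * 12 + b"\x08\x00" + ip  # zero MACs (placeholder), EtherType IPv4


def build_sample_pcap(file_id: bytes, content: bytes, chunk: int = 1024, reverse: bool = False) -> bytes:
    """Write `content` to `file_id` in `chunk`-sized SMB2 WRITEs, optionally out of order."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    offsets = list(range(0, len(content), chunk))
    if reverse:
        offsets.reverse()
    for i, off in enumerate(offsets):
        frame = _frame(_smb2_write_request(file_id, off, content[off:off + chunk], i), 1 + off)
        out += struct.pack("<IIII", 0, i, len(frame), len(frame)) + frame
    return out


if __name__ == "__main__":
    fid = b"\x11" * 16
    original = bytes(range(256)) * 10
    recovered = extract_files(build_sample_pcap(fid, original, reverse=True))
    print("identical" if recovered[fid] == original else "different")
```

Run against a real capture with `extract_files(open("smb2-exe_01.pcap", "rb").read())` and write each value to disk; comparing it with the original, as the article does in HxD, is the same identity check the `__main__` block performs on the constructed trace.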
Author Profile - My name is Joke (pronounced \yo-kə\ or Joan for those who do not speak Dutch). During the day, I work as a secretary for a non-profit organization providing assisted living for mentally handicapped people in the south of The Netherlands. In my spare time I like to use Wireshark. I find it interesting and necessary to monitor my home network to see what is going on. As a user I like to answer questions at the Wireshark Mailing List or Ask Wireshark.
What is in it for me? Well, I learn a great deal whenever I try to solve real-world problems. I am also a member of the NGN (the Dutch Network User's Group). I write articles about how to use Wireshark and the command line tools. And if there is still some spare time left, I like to go biking in the woods near my hometown with my husband and fellow geek.