We will now go ahead and look at how to extract sensitive files from the traffic data using Wireshark. In order to do this, we load the packet capture in Wireshark for analysis.
The underlying concept behind extracting files from a network capture is that a file uploaded through a web form travels in an HTTP request whose Content-Type header declares the body to be multipart form data (multipart/form-data). The file is one part of that body, and its first bytes (for example, %PDF for a PDF) identify its type regardless of the name the client gave it. Note that this is the common case rather than a rule: a client may also send a file as a raw request body with a Content-Type such as application/pdf or application/octet-stream, in which case the same carving steps apply without the multipart wrapper. The following are the steps to extract a file of this kind from a network traffic capture:

1. In Wireshark, go to Edit | Find Packet (Ctrl + F), select String and Packet details, and search for the string multipart.

2. Once we get a packet sending a POST request (or GET in extremely rare cases) to a server, right-click on the packet and click on Follow TCP Stream (Follow | TCP Stream in newer versions). In the stream window, show only the client-to-server direction, select Raw from the Show data as options, and save the stream to a file. The saved data still contains the HTTP request headers and the multipart boundary lines, so open it in a hex editor, locate the file's starting values, such as %PDF in the case of a PDF, remove everything before them and the boundary line that follows the end of the file (%%EOF for a PDF), and save the result with the extension .pdf. Wireshark's File | Export Objects | HTTP can also list and save HTTP bodies seen in the capture, including POST uploads, without the request headers, and is worth trying first; if it does not list the upload, fall back to the Raw save. Thus, we have the final PDF, which was being uploaded to a website via the Android...
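The carving that the Raw save and hex-editor step do by hand, written out as an added Python example (not part of this book's material or of Wireshark): it takes the client-to-server half of a followed TCP stream, reads the multipart boundary from the Content-Type header, splits the body into its parts, strips each part's headers and the CRLF that precedes the next boundary, and names the output from the file's magic bytes rather than the filename the client claimed. The sample stream (SAMPLE_STREAM, PDF_BYTES, the boundary string and the host name) is constructed for the example, not taken from a real capture; the code also assumes the request is not chunk-encoded and that the stream was saved as one direction only.

```python
import os
import re

# Constructed sample: the client-to-server half of a followed TCP stream carrying an
# HTTP multipart/form-data upload. All values are assumed, not from a real capture.
_BOUNDARY = b"----WebKitFormBoundary7MA4YWxkTrZu0gW"
PDF_BYTES = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n%%EOF\n"
_BODY = b"".join([
    b"--" + _BOUNDARY + b'\r\nContent-Disposition: form-data; name="description"\r\n\r\n',
    b"quarterly report\r\n",
    b"--" + _BOUNDARY + b'\r\nContent-Disposition: form-data; name="file"; filename="report.pdf"\r\n',
    b"Content-Type: application/pdf\r\n\r\n" + PDF_BYTES + b"\r\n",
    b"--" + _BOUNDARY + b"--\r\n",
])
SAMPLE_STREAM = (
    b"POST /upload HTTP/1.1\r\nHost: upload.example.invalid\r\n"
    b"User-Agent: Dalvik/2.1.0 (Linux; U; Android 9)\r\n"
    b"Content-Type: multipart/form-data; boundary=%s\r\nContent-Length: %d\r\n\r\n"
    % (_BOUNDARY, len(_BODY))
) + _BODY

# Leading magic bytes for common upload types, used to name the carved file.
MAGIC = [(b"%PDF", "pdf"), (b"\x89PNG\r\n\x1a\n", "png"),
         (b"\xff\xd8\xff", "jpg"), (b"PK\x03\x04", "zip")]  # zip also covers docx/apk

def sniff_extension(data):
    """Extension from the file's starting bytes, or None if the type is unknown."""
    for sig, ext in MAGIC:
        if data.startswith(sig):
            return ext
    return None

def _parse_headers(blob):
    """'Name: value' CRLF lines into a dict with lower-cased names."""
    headers = {}
    for line in blob.split(b"\r\n"):
        name, sep, value = line.partition(b":")
        if sep:
            headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return headers

def parse_http_request(stream):
    """Split a raw request into (method, headers, body). Assumes no chunked encoding."""
    head, sep, body = stream.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end of HTTP headers found")
    request_line, _, header_blob = head.partition(b"\r\n")
    return request_line.split(b" ", 1)[0].decode("ascii"), _parse_headers(header_blob), body

def parse_multipart(body, boundary):
    """Split a multipart body into parts, dropping part headers and the CRLF before each delimiter."""
    delim = b"--" + boundary.encode("ascii")
    parts = []
    for chunk in body.split(delim)[1:]:
        if chunk.startswith(b"--"):  # closing delimiter; nothing after it is a part
            break
        chunk = chunk[2:] if chunk.startswith(b"\r\n") else chunk  # CRLF after the delimiter
        header_blob, _, data = chunk.partition(b"\r\n\r\n")
        if data.endswith(b"\r\n"):  # this CRLF belongs to the next delimiter, not the file
            data = data[:-2]
        headers = _parse_headers(header_blob)
        params = dict(re.findall(r'(\w+)="([^"]*)"', headers.get("content-disposition", "")))
        parts.append({"name": params.get("name"), "filename": params.get("filename"),
                      "content_type": headers.get("content-type"),
                      "ext": sniff_extension(data), "data": data})
    return parts

def extract_uploads(stream):
    """File parts of a multipart/form-data request (POST, or GET in the rare case) in the stream."""
    _method, headers, body = parse_http_request(stream)
    ctype = headers.get("content-type", "")
    m = re.search(r'boundary=(?:"([^"]+)"|([^;\s]+))', ctype)  # boundary may be quoted or bare
    if not ctype.lower().startswith("multipart/form-data") or not m:
        return []
    # Keep parts that carry a filename or that look like a file by their magic bytes.
    return [p for p in parse_multipart(body, m.group(1) or m.group(2)) if p["filename"] or p["ext"]]

def save_uploads(stream, outdir):
    """Write each carved file to outdir, trusting magic bytes over the client's filename."""
    os.makedirs(outdir, exist_ok=True)
    written = []
    for i, part in enumerate(extract_uploads(stream)):
        base = os.path.basename(part["filename"] or "upload%d" % i)  # basename: no traversal
        if part["ext"] and not base.lower().endswith("." + part["ext"]):
            base += "." + part["ext"]
        path = os.path.join(outdir, base)
        with open(path, "wb") as fh:
            fh.write(part["data"])
        written.append(path)
    return written

if __name__ == "__main__":
    for part in extract_uploads(SAMPLE_STREAM):
        print(part["filename"], part["content_type"], part["ext"], len(part["data"]), "bytes")
    print(save_uploads(SAMPLE_STREAM, "carved"))
```

To use it on a real stream, save the client-to-server direction as Raw from the Follow TCP Stream window and pass the file's bytes to save_uploads in place of SAMPLE_STREAM. The "description" form field in the sample is deliberately dropped because it has neither a filename nor recognisable magic bytes, while a file whose declared name lies about its type is still saved with the extension its magic bytes indicate.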