Reconstructing files from Wireshark Packets

             In this post, I am going to exemplify the reconstruction of a file using 2 well-known protocols, HTTP and FTP . Let me give a quick introduction about the two protocols. HTTP stands for Hyper Text Transfer Protocol, which is an application layer protocol designed within the framework of IP suite. It is designed for an effective communication between Client and Server. It uses TCP as it’s underlying protocol. As an example, if we give a request for an URL, from our web-browser, it goes as a Request message to the server. The server then processes and Responds back to the client with a HTML page.

FTP stands for File transfer protocol, which is used to transfer files from one host to other. It makes use of two separate connections (Control and Data connections) before transferring  files. It uses TCP as it’s underlying network. Most widely used applications are FileZilla (Windows,Linux, and Mac) and ftp (Linux).

       I will be using Wireshark tool for the demo. First will start with HTTP objects. Extracting HTTP objects, from the captured packet is too easy. Just open the packet in your Wireshark, then in the menu list, select File -> Export Objects -> HTTP. Then save the required or all the files in a Directory.


          Pretty simple right? Now will look at on how to extract the files which are transfered via FTP protocol. Actually, for past few months, when i was working with CTF packet challenges, i didn’t had any practical knowledge about carving the transferred files (via FTP protocol) from the captured packers. Indeed it is simple, if you are familiar with File Signatures. I read 2-3 blogs and I came up with some ideas, to strip the files, which are transfered via FTP protocol. Take a look at this snap shot,


          Firstly, the Client ( makes a request to the Server ( for transferring a file. After that, 4 to 5, request and response messages are transferred between the two machines. Take a close look at Packet No. 10967, the client makes a request to the server for getting a file named “flag.rar”. In the next packet, server tries to send the file to the requested machine. Finally packet no 11091 indicates the transfer of file named “flag.rar” to Ok now how to extract the RAR file from the packet? You can either, write a script to extract the bytes from the captured packet and then reconstruct the entire file or you can follow the steps given below.

Understanding the Transferred file :

          Here, our transferred file is a RAR file and we know that every file which is used in this computer world, is identified by it’s File Signatures. Just Google for RAR file’s header, you will get the file signature. RAR file’s hex signature is found to be ” 52 61 72 21 1A 07 00 “. Just use this pattern to locate the file. Press CTRL + F , select the “hex value”, and then enter the pattern.


There you go! The RAR file is found in packet no.10988. Now right click and select, Follow TCP stream. Then select Raw and  Save it with a name. Alright you are done with the extraction. Use file command in Linux to check, whether we have extracted the RAR file completely from the captured packet.

h1dd3ntru7h@f0r3n51c5:~/Desktop/VolgaCTF13/200$ file Flag.rar
Flag.rar: RAR archive data, v40,

Pingo! We got the right one! :D.