An rtf file was transferred as FTP-DATA, so I followed the TCP Stream and saved the file. How can I decode this to view the contents?

retag add tags

When I open it, it shows the pcap file, the rtf file and a text file, but just the names of the files, not the content. How do I decode this to view its contents?

Comments

Have you tried to save the stream as a .doc, .txt, or .rtf file and open it with notepad?

elliep (2018-10-10 20:49:14 +0000) edit

add a comment see more comments

Wireshark does not yet support "File -> Export Objects" for FTP data transfers, but you should be able to export the data anyway if you follow this guide:

Select the packet where you see the rtf file of interest indicated in the Info column
In the Packet List Pane, right-click the packet and choose, Follow -> TCP Stream A new window will appear whose contents contains the 2-way data being transferred.
Optional: To be sure you only get the data coming from the FTP server, choose the appropriate direction of data flow instead of Entire conversation. There should only be data flowing in one direction, so if that's the case, then this step isn't necessary.
Next to Show and save data as, be sure to select Raw
Select *Save as..." at the bottom and give it a name, e.g., file.rtf.

You should now have the rtf file. If desired, repeat for the text file or any other transfers.

11.1k

cmaynard

answered 2018-10-12 17:11:10 +0000

edit flag offensive 0 remove flag delete link

Comments

add a comment see more comments

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account. This space is reserved only for answers. If you would like to engage in a discussion, please instead post a comment under the question or an answer that you would like to discuss.

An rtf file was transferred as FTP-DATA, so I followed the TCP Stream and saved the file. How can I decode this to view the contents? edit

Comments

1 Answer

Comments