by
Jeremy Canfield | Updated March 14th, 2017
Ensure that Wireshark is configured to allow subdissectors to reassemable TCP stream.
- Press Ctrl + Shift + P (or select Edit > Preferences)
- In Preferences, expand Protocols and select TCP
- Ensure allow subdissectors to reassemble tcp streams is selected.
- Select OK.
Prior to capturing the traffic in Wireshark, it is important to recognize that if the web browser has the images cached, Wireshark will not capture the transmission of the image from the server to the client. It is typically a good idea to clear the web browsers history prior to the Wireshark capture.
Start a capture in Wireshark. Navigate to any website that has an image, and then stop the Wireshark capture. Enter HTTP in the filter to only display HTTP packets.
- Select File > Export Objects > HTTP
- Select Save All
- In File Explorer, select a directory to save the images
- Select Close
If the website is using HTTPS, the packets will be encrypted. In this scenario, it will not be possible to locate the image files.
Now, go to the directory, and the image files will be displayed.