Hi

Can anyone help me recreate files from a packet capture.

I have found a good page on hex headers (http://www.garykessler.net/library/file_sigs.html), and I know that there are at least two bmp images and one zip file.

I have tried copying them all to notepad, then loading them up in a hex editor, and saving them as the required file type, but if I try opening them up in paint, or winzip, I just get a "file is corrupt" message.

Is there a step I am missing?

NetWitness is great, like Don indicated.   I've used it and it really makes viewing HTML, Email, and other types of documents amazingly easy as they travel across the wire.

Wireshark can also do this, depending on the protocol.  Files transmitted through HTTP can be exported using the File, Export, Objects menu.    For other protocols, you would have to isolate the packets that belong to your file, and then export the packets.   Wireshark will put the fragments of the transmission back together for you.  You can use the Follow TCP Stream feature for this.

Thanks for the hint about NetWitness, haven't heard about it before. Definitely sounds interesting and useful.

So I have an AIM conversation in which a document was exchanged via AIM's file sharing function.

NetWitness recreated the conversation from my pcap file and shows the document name.

I am having trouble reconstructing the attachment document. I know it is a word doc but how can I actually reconstruct the document?

Thanks in advance

Nice.  I've not worked with the Netwitness Investigator program before.  My first interaction with Netwitness was out at an afterparty with some of the folks in Vegas this year.  And watching my girlfriend verbally emasculate one of their VPs as he drunkenly tried to impress/pick her up.  It was one of those times where I was reminded on why I want to marry her hehehe.

I used the site too (about pulling hex from pcap). It allowed me to finish the ISC.SANS.Org puzzle. Which I actually had a lot of fun doing. While TCPXtract was close at pulling the file out, and it worked on my nix box with Open Office, it didnt' work on my office window's box with office 2k3 (with 2k7 plugin).