In a recent rage of boredom I decided to do some messing around with my network (MY NETWORK). I booted BackTrack 3, connected to my wireless router, opened ettercap to perform an ARP poison, opened driftnet to capture images, and started Wireshark to monitor packets in real time.
As I watched the traffic while I surfed the web, I decided to see if I could get the files out of the pcap file afterwards. As I searched the net I found some articles on "File Carving". Most of them were on using the program "foremost", so I gave it a try. To my amazement, foremost had created several neatly organized folders and placed files in them by extension. This was cool!
Sadly, all my images seemed to be corrupted, so I began my search again. After some time I figured what the heck and stopped in to the remote-exploit IRC channel. I asked if there was a way to extract files from my pcap files and was told to check out "chaosreader". That was all the information I needed. After typing chaosreader -h into the console, I read through the examples and gave it a try.
Fantastic! It worked perfectly. All my images were viewable. The downside was that some of the files were named funky, but after viewing the index.html and images.html I quickly found out what was what.
After some more testing and reading, I found that larger pcap files could not be processed by chaosreader due to my 1 gig of RAM. One article stated that chaosreader could use 5 times as much RAM as the file size. So my 100 MB cap file would need 500 MB of RAM to process, plus more RAM to create files and run my OS. So I used the file splitter option built into Wireshark to make smaller files.
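The splitting step above, as an added example that is not part of the original post: a small Python splitter for classic pcap files that sizes chunks from a RAM budget using the 5x rule of thumb quoted above. The function names (`chunk_limit`, `split_pcap`, `build_sample_pcap`) are hypothetical, and the sample capture is constructed inline.

```python
import struct

# Microsecond-resolution classic pcap magics, mapped to struct byte order.
PCAP_MAGICS = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}
GLOBAL_HDR_LEN, REC_HDR_LEN = 24, 16
RAM_FACTOR = 5  # assumption taken from the post: ~5x the capture size in RAM

def chunk_limit(ram_budget_bytes, factor=RAM_FACTOR):
    """Largest capture size that fits the RAM budget under the 5x rule."""
    return ram_budget_bytes // factor

def split_pcap(data, max_bytes):
    """Split a classic pcap (bytes) into valid pcaps of at most max_bytes.

    Each chunk repeats the 24-byte global header and records are never cut
    in half. A single record larger than the limit gets its own chunk.
    """
    endian = PCAP_MAGICS.get(data[:4])
    if endian is None:
        raise ValueError("unsupported format (only microsecond classic pcap)")
    header = data[:GLOBAL_HDR_LEN]
    chunks, current, offset = [], bytearray(header), GLOBAL_HDR_LEN
    while offset + REC_HDR_LEN <= len(data):
        # Record header fields: ts_sec, ts_usec, incl_len (stored), orig_len
        rec_hdr = data[offset:offset + REC_HDR_LEN]
        _, _, incl_len, _ = struct.unpack(endian + "IIII", rec_hdr)
        end = offset + REC_HDR_LEN + incl_len
        if end > len(data):
            break  # final record truncated (capture cut off): drop it
        if len(current) > GLOBAL_HDR_LEN and len(current) + end - offset > max_bytes:
            chunks.append(bytes(current))
            current = bytearray(header)
        current += data[offset:end]
        offset = end
    if len(current) > GLOBAL_HDR_LEN:
        chunks.append(bytes(current))
    return chunks

def build_sample_pcap(n_packets, payload_len):
    """Constructed sample input: n dummy packets in a little-endian pcap."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i in range(n_packets):
        out += struct.pack("<IIII", i, 0, payload_len, payload_len)
        out += bytes([i % 256]) * payload_len
    return out

if __name__ == "__main__":
    parts = split_pcap(build_sample_pcap(10, 100), 400)
    print(len(parts), [len(p) for p in parts])
```

Splitting on packet boundaries can leave one TCP stream spread over two chunks, so a file transferred across a boundary may only be partially reassembled from either chunk.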
As further tests, I downloaded a zip file I created and watched a movie. To my surprise (somewhat), I was able to extract my zip file and the video I had watched. Which kind of begs the question: why do online video services spend so much on protecting their videos when all someone needs to do is capture the stream and extract the video? Lucky for me, I watched a free video from a public domain site. :)
Eventually I would like to test this with other data streams, such as audio, and maybe try it out with Xbox Live audio chat. I don't see much reason why it would not work, but it gives me something to do.