Extracting JPEG Images from the network (Wireshark)
We work with image formats like JPEG all the time—for example, when uploading pictures to a server, downloading them from the internet, or sending photos to friends through email and other platforms.
Using Wireshark, we can easily monitor our network traffic and see who is sending or receiving image files across the network. This is especially useful for analyzing data transfers and understanding how files move over HTTP or other protocols.
Below is a sample capture that includes JPEG images. While you may not immediately see the image packets, they will become visible once we apply the appropriate filters in Wireshark.
Once you apply the filter command, you'll see results similar to the example below—showing only HTTP traffic that contains JPEG image content.
Keep in mind that JPEG files can be transferred using various protocols—not just HTTP. As mentioned earlier, if a JPEG was sent over the network using an application like FileZilla, you would see FTP (File Transfer Protocol) listed under the "Protocol" column in Wireshark. However, in our example above, the image was downloaded from the internet, which is why you see HTTP as the protocol.
Next, select the first packet and then click on the JPEG tab in the middle pane.
Right-click JPEG and then click "Export Packet Bytes".
This will open File Explorer, allowing you to save the file to any location on your system. Just make sure to save it with a .jpg extension—otherwise, the operating system may not recognize it as an image file.
Here is the final image you will get.
There is also another method to extract images from the capture.
If you click on the File menu in the top-left corner of Wireshark and choose Export Objects, you'll see a list of available protocols. From there, select HTTP to view and export all objects—such as images—that were transferred over HTTP during the capture.
This will open the Object List, where you can find all related objects from the capture—such as JPEG images, PNG files, executable files, and more.
You can filter the list to show only the JPEGs.
You can then select the file you want to extract and then hit save.
This will once again open File Explorer, allowing you to save the file to any location you choose. Unlike the first method, you don’t need to manually type .jpg—Wireshark already recognizes the file type and labels it as a JPEG.
In our first method, the exported file was in raw byte format, and it was the operating system that interpreted it as a JPEG when we added the .jpg extension.
In the second method it does no harm to type the full name yourself, for example bg2.jpg; you will still get the same result.
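The extension only tells the operating system how to try to open the file; the bytes decide what it really is. The Python script below is an added example, not part of the original post: it checks an exported object by its leading magic bytes and JPEG markers instead of trusting the name. The function names and sample bytes are constructed for illustration.

```python
import hashlib
import struct

# Leading magic bytes for the object types named in the Object List above.
MAGIC = {b"\xff\xd8\xff": "jpeg", b"\x89PNG\r\n\x1a\n": "png", b"MZ": "executable"}
EXTENSIONS = {"jpeg": {"jpg", "jpeg"}, "png": {"png"}, "executable": {"exe", "dll"}}

def sniff_type(data: bytes) -> str:
    """Identify content by its first bytes, ignoring the file name."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"

def jpeg_well_formed(data: bytes) -> bool:
    """Walk marker segments from SOI to SOS, then require a closing EOI."""
    pos = 2                                    # skip SOI (FF D8)
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            return False                       # segment does not start with a marker
        marker = data[pos + 1]
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        if marker == 0xDA:                     # SOS: compressed image data follows
            return data.endswith(b"\xff\xd9")  # no EOI means a truncated export
        pos += 2 + length                      # length field counts its own two bytes
    return False                               # ran out of bytes before SOS

def check_export(name: str, data: bytes) -> dict:
    """Compare the name a file was saved under with what its bytes are."""
    kind = sniff_type(data)
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    return {
        "name": name,
        "kind": kind,
        "extension_matches": ext in EXTENSIONS.get(kind, set()),
        "well_formed": kind == "jpeg" and jpeg_well_formed(data),
        "sha256": hashlib.sha256(data).hexdigest(),
    }

# Constructed sample bytes (JPEG-shaped, not a decodable picture):
# SOI, JFIF APP0 segment, SOS header, two data bytes, EOI.
SAMPLE_JPEG = (b"\xff\xd8" + b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
               + b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00" + b"\x00\x00" + b"\xff\xd9")
SAMPLE_EXE = b"MZ\x90\x00" + b"\x00" * 60      # constructed: only the "MZ" header bytes

if __name__ == "__main__":
    for name, data in [("bg2.jpg", SAMPLE_JPEG), ("bg2.jpg", SAMPLE_JPEG[:-2]),
                       ("bg2.jpg", SAMPLE_EXE)]:
        print(check_export(name, data))
```

To check a real export, read the saved file in binary mode and pass its name and bytes to check_export; the SHA-256 gives you a stable value to record for the extracted object.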
I’d also like to dive deeper into how JPEG files are actually transferred over the network, but to keep this blog concise, I’ll save that for a separate post. In that follow-up, I’ll briefly explain what happens behind the scenes when images like JPEGs are sent or received over various protocols.
Hopefully, this all makes sense. Feel free to let me know if I missed anything or if you notice any mistakes—I'm always open to feedback.