
Wireshark - pdf source to actual pdf


I have a Wireshark network trace where there's a Telnet conversation. Here, a PDF file is transferred over Netcat. The PDF source code is sent in multiple packets, but if I Right click -> Follow -> TCP stream I'm able to see the full PDF source (from %PDF tag to %%EOF). I want to export this PDF and see its content visually.

I've tried to do 'Save As' and save with a .pdf extension, but I can't get the reader to read it.

Does someone know how to do it?


Solution

  • I transferred a .pdf file using nc and captured the result. After loading the capture file into Wireshark, right-clicking and choosing "Follow -> TCP Stream", I changed the capture selection from "Entire Conversation" to just the direction in which the data was transferred, and lastly I changed "Show data as -> ASCII" to "Show data as -> Raw". After that, I chose "Save as..." and saved it as a .pdf file. I was able to successfully open the file with Adobe Reader.

    To ensure the transferred file was identical to the original file, I compared hashes of both files and they were identical. You can probably leave the setting to "Entire Conversation" since there's only data flowing in one direction anyway, but it doesn't hurt to isolate the direction of data flow. The key part that I think you likely missed was changing ASCII to Raw.

    (NOTE: If this isn't the answer to your question/problem, then as @ross-jacobs mentioned, we'll likely need to take a look at the pcap file.)
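
The difference between the ASCII and Raw saves, and the hash comparison described in the answer, as an added example that is not part of the original post. It assumes an ASCII-style view replaces non-printable bytes with `.`; the sample bytes and the names `ascii_view`, `carve_pdf` and `sha256` are constructed for illustration.

```python
import hashlib

def ascii_view(raw: bytes) -> bytes:
    """Approximate an ASCII-style stream view (assumption: every
    non-printable byte is replaced with '.')."""
    keep = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}
    return bytes(b if b in keep else 0x2E for b in raw)

def carve_pdf(stream: bytes) -> bytes:
    """Return the bytes from the first %PDF- header through the last %%EOF."""
    start = stream.find(b"%PDF-")
    end = stream.rfind(b"%%EOF")
    if start == -1 or end == -1 or end < start:
        raise ValueError("no complete PDF (%PDF- ... %%EOF) in stream")
    return stream[start:end + len(b"%%EOF")]

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed sample: a minimal PDF-like body with a binary comment line and
# a binary stream object, as real PDFs carry compressed binary data.
ORIGINAL = (b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n"
            b"1 0 obj\n<< /Length 8 >>\nstream\n"
            b"\x78\x9c\x00\xff\x80\x01\x02\x03\nendstream\nendobj\n"
            b"%%EOF")

# Constructed stream: other traffic before the file, a stray newline after it.
RAW_STREAM = b"other session text\r\n" + ORIGINAL + b"\n"

if __name__ == "__main__":
    from_raw = carve_pdf(RAW_STREAM)                # what a Raw save preserves
    from_ascii = carve_pdf(ascii_view(RAW_STREAM))  # what an ASCII save leaves

    print("original  :", sha256(ORIGINAL))
    print("raw save  :", sha256(from_raw))
    print("ascii save:", sha256(from_ascii))
    # The header and trailer survive the ASCII view, so the text looks like a
    # full PDF, but the binary object bytes inside it have been overwritten.
    changed = sum(a != b for a, b in zip(from_raw, from_ascii))
    print("bytes altered by ASCII view:", changed)
```

Carving trims anything outside `%PDF-` ... `%%EOF`, so compare its hash against the original only when the original also ends exactly at `%%EOF`; a single-direction Raw save can be hashed directly.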