Complete reconstruction of TCP Session (HTML pages) from WireShark pcaps, any tools for this?

Question

I wonder if there is a way in wireshark to reconstruct a complete TCP Session (HTML page(s)) if we have wireshark pcaps, can wireshark do the reconstruction? or is there any

Answer 1

You can also use Bro if you prefer a command-line interface. Simply load it with the contents script:

bro -r trace.pcap -f 'port 80' contents

(You can skip the optional BPF filter expression -f port 80.) This extracts the full TCP stream and writes it to files of the form:

contents..-.

As Christian mentioned, the reassembly is highly robust and has been tested thoroughly.