It’s time to extract files from pcaps. If you have ever played with packet captures you probably thought it would be cool if you could actually get the downloaded files out of them, so let’s look at not just one way to do this, but four!
1. Wireshark: HTTP export
You can find this at File > Export > Objects > HTTP; you will be presented with a list of files found in all the HTTP requests. The bad thing about this feature is that even with the latest version (1.6.5 at the time of this writing) you still can’t sort by column or apply any filters, which makes finding something specific hard.
2. Wireshark: export bytes
To find this you will have to drill down into the packet you want (how deep depends on the protocol) and then:
Right click > Export selected bytes
The advantage of doing it this way is that you can extract files from protocols other than HTTP (like FTP or SMB), and you can use display filters to narrow down the packets first.
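As an added example that is not part of the original post, this is what the two Wireshark methods above do by hand: walk the pcap records, pull the TCP payload out of each Ethernet/IPv4 frame (the bytes "Export selected bytes" gives you), and carve HTTP response bodies using Content-Length. The capture is constructed inline; it assumes single-segment responses, since TCP stream reassembly (which Wireshark does before building its Export Objects list) is out of scope here.

```python
import struct

def build_frame(payload):
    # Constructed Ethernet/IPv4/TCP frame (port 80 -> 51234); checksums stay zero, the parser below ignores them.
    tcp = struct.pack("!HHIIBBHHH", 80, 51234, 1, 1, 5 << 4, 0x18, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 1, 0, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp + payload

def build_pcap(frames):
    # Classic pcap: 24-byte global header (magic, v2.4, linktype 1 = Ethernet), then 16-byte record headers.
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ts, frame in enumerate(frames):
        out += struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame
    return out

def tcp_payloads(pcap):
    # Walk the records and yield each non-empty TCP payload: the bytes "Export selected bytes" gives per packet.
    off = 24
    while off + 16 <= len(pcap):
        caplen = struct.unpack("<IIII", pcap[off:off + 16])[2]
        frame, off = pcap[off + 16:off + 16 + caplen], off + 16 + caplen
        ip = frame[14:]
        if frame[12:14] != b"\x08\x00" or ip[9] != 6:   # skip non-IPv4 and non-TCP frames
            continue
        total_len = struct.unpack("!H", ip[2:4])[0]
        tcp = ip[(ip[0] & 0x0F) * 4:total_len]          # honour IHL and drop Ethernet padding
        payload = tcp[(tcp[12] >> 4) * 4:]               # honour the TCP data offset
        if payload:
            yield payload

def extract_http_objects(pcap):
    # Return (content_type, body) for each HTTP response whose headers and body sit in one segment.
    found = []
    for payload in tcp_payloads(pcap):
        head, sep, body = payload.partition(b"\r\n\r\n")
        if not head.startswith(b"HTTP/1.") or not sep:
            continue                                    # requests and non-HTTP data are ignored
        headers = {}
        for line in head.split(b"\r\n")[1:]:
            k, _, v = line.partition(b":")
            headers[k.strip().lower()] = v.strip()
        if b"content-length" in headers:                # trim anything after the declared body
            body = body[:int(headers[b"content-length"])]
        found.append((headers.get(b"content-type", b"").decode(), body))
    return found

SAMPLE_BODY = b"%PDF-1.4 constructed sample file"       # constructed, not a real PDF
SAMPLE_PCAP = build_pcap([
    build_frame(b"GET /report.pdf HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    build_frame(b"HTTP/1.1 200 OK\r\nContent-Type: application/pdf\r\nContent-Length: %d\r\n\r\n"
                % len(SAMPLE_BODY) + SAMPLE_BODY),
])
```

Writing each returned body to disk under a name derived from the request URI is all that is left to reproduce the Export Objects list for this simple capture.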
3. Network miner http://sourceforge.net/projects/networkminer/
NetworkMiner is a network analysis tool with a focus on forensic analysis. It can load a pcap and extract files and other data from it; both a free and a commercial version are available.
4. Chaosreader
This tool will analyze and extract session information and files and create an HTML report you can open in any browser:
chaosreader http-data.pcap
It will create a lot of files, so you may want to launch it inside an empty directory, or create a new one and pass it with the -D option. Then you can open index.html.
Conclusion
If the data crossed the network it has to be there somewhere. In this post we have seen a few tools you can use to uncover these files and extract them for your own benefit.
Thanks, I was unaware of “chaosreader” and I’m always looking for good command line tools.
nice post!
Also you can use PCAP2XML tool for converting your PCAP file into XML or SQLite for more advanced analysis. Have a look:
Tool: – http://bit.ly/1DxcncQ
Tool Blog: – http://bit.ly/1DxciWG
Hey, that’s a pretty cool tool! Thanks for letting us know 🙂