Hi there, some files are sent to a mail server (using SMTP, port 25). If I capture them and save them as test.pcapng, how can I extract these files using Wireshark? Best regards, Kanan asked 05 Apr '14, 14:45 warrior289
3 Answers:
NetworkMiner automatically extracts all email and attachments from a PCAP file. https://www.netresec.com/?page=Networkminer

[Screenshot: NetworkMiner with extracted emails in the "Messages" tab; extracted files are in the "Files" tab]

You'll need to save the PCAP-NG file in the old PCAP format first though. You can do that from Wireshark (use File > Save As and select libpcap format in the File format drop-down list). You can also convert the PCAP-NG file to plain old PCAP over at http://pcapng.com answered 02 Jun '14, 03:59 Netresec_LJ edited 24 Jan '17, 23:00
If the email was not encrypted, follow the TCP stream, copy the attachment (it will be in ASCII) and convert it with a Base64 decoder. Or use other software that can do it automatically. answered 05 Apr '14, 15:54 Roland
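The manual procedure in the answer above (follow the TCP stream, locate the attachment, Base64-decode it) can be scripted with Python's standard library. The following is an added example and not code from the original thread: it takes the client-to-server half of an unencrypted SMTP session as Wireshark's "Follow TCP Stream" shows it (one direction selected in the conversation drop-down), cuts out each DATA section, undoes SMTP dot-stuffing, parses the result as a MIME message and decodes every attachment. The session transcript is constructed for the example; it deliberately carries a sender-supplied filename with a `../` prefix so the sanitisation step has something to catch.

```python
import email
import hashlib
import os
from email import policy

# Constructed sample: the client-to-server direction of an unencrypted SMTP
# session, as Follow TCP Stream would show it. The text body contains a line
# starting with ".", which is dot-stuffed to ".." on the wire (RFC 5321 4.5.2).
# The attachment is the base64 of b"Hello, world!\n"; its Content-Disposition
# filename is deliberately hostile ("../../hello.txt").
SMTP_CLIENT_STREAM = (
    b"EHLO client.example\r\n"
    b"MAIL FROM:<alice@example.test>\r\n"
    b"RCPT TO:<bob@example.test>\r\n"
    b"DATA\r\n"
    b"From: alice@example.test\r\n"
    b"To: bob@example.test\r\n"
    b"Subject: report\r\n"
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/mixed; boundary="XYZ"\r\n'
    b"\r\n"
    b"--XYZ\r\n"
    b"Content-Type: text/plain; charset=us-ascii\r\n"
    b"\r\n"
    b"See attached.\r\n"
    b"..this line began with a dot and was dot-stuffed on the wire\r\n"
    b"--XYZ\r\n"
    b'Content-Type: application/octet-stream; name="hello.txt"\r\n'
    b"Content-Transfer-Encoding: base64\r\n"
    b'Content-Disposition: attachment; filename="../../hello.txt"\r\n'
    b"\r\n"
    b"SGVsbG8sIHdvcmxkIQo=\r\n"
    b"--XYZ--\r\n"
    b".\r\n"
    b"QUIT\r\n"
)


def extract_smtp_messages(stream: bytes) -> list[bytes]:
    """Return the raw RFC 5322 message(s) carried in the DATA sections of a
    client-side SMTP stream. Accepts CRLF or bare LF line endings."""
    lines = [line.rstrip(b"\r") for line in stream.split(b"\n")]
    messages = []
    i = 0
    while i < len(lines):
        if lines[i].strip().upper() == b"DATA":
            body = []
            i += 1
            # Collect until the lone "." terminator. A truncated capture has no
            # terminator; whatever was seen is still returned as a partial message.
            while i < len(lines) and lines[i] != b".":
                line = lines[i]
                if line.startswith(b"."):
                    line = line[1:]  # undo dot-stuffing
                body.append(line)
                i += 1
            messages.append(b"\r\n".join(body) + b"\r\n")
        i += 1
    return messages


def extract_attachments(stream: bytes) -> list[dict]:
    """Decode every MIME attachment in every message of the stream.
    Filenames are reduced to their basename: the sender controls that header,
    so it must never be used as a path when writing to disk."""
    found = []
    for raw in extract_smtp_messages(stream):
        msg = email.message_from_bytes(raw, policy=policy.default)
        for part in msg.iter_attachments():
            data = part.get_content()  # base64/QP decoding done by the email package
            if isinstance(data, str):
                data = data.encode(part.get_content_charset() or "utf-8")
            found.append({
                "subject": str(msg["subject"]),
                "filename": os.path.basename(part.get_filename() or "unnamed"),
                "size": len(data),
                "sha256": hashlib.sha256(data).hexdigest(),
                "data": data,
            })
    return found


if __name__ == "__main__":
    for att in extract_attachments(SMTP_CLIENT_STREAM):
        print(f'{att["subject"]}: {att["filename"]} {att["size"]} bytes sha256={att["sha256"]}')
```

To use this on a real capture, save the client direction of the followed stream in raw format from Wireshark and pass its bytes to `extract_attachments`. The hash is recorded so an extracted file can be matched against threat-intelligence sources without opening it; if the session was STARTTLS-encrypted, the DATA section is not visible in the stream and nothing will be found.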
There is no simple way to extract files (attachments) sent through SMTP with Wireshark. If you want or need a (semi-)automatic way, you should probably check other tools, like those mentioned here or this one. Regards answered 06 Apr '14, 05:26 Kurt Knochner ♦ edited 06 Apr '14, 05:28
I've captured the packets. NetworkMiner opens the file. I click on MESSAGES but nothing is there. If I go to cleartext I see one massive block of text with Emails. I have NetworkMiner 1.6.1. So if anyone else sees this same problem, you are not alone. Not sure what I'm missing. (PCAP is from a firewall and not Wireshark.)
@tim-naami Please use the latest version of NetworkMiner (currently 2.1.1), which has support for SMTP, POP3 and IMAP. Here's a blog that covers how to extract emails in more detail: http://netres.ec/?b=17124C4