This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Hi there, some files are sent to a mail server (using SMTP, port 25). If I capture them and save the capture as test.pcapng, how can I extract these files using Wireshark? Best regards, Kanan

asked 05 Apr '14, 14:45


warrior289


NetworkMiner automatically extracts all email and attachments from a PCAP file. https://www.netresec.com/?page=Networkminer

NetworkMiner with extracted emails in "Messages" tab, extracted files are in the "Files" tab

You'll need to save the PCAP-NG file in the old PCAP format first though. You can do that from Wireshark (use File > Save As and select libpcap format in the "File format" drop-down list).

You can also convert the PCAP-NG file to plain old PCAP over at http://pcapng.com


answered 02 Jun '14, 03:59


Netresec_LJ

edited 24 Jan '17, 23:00

I've captured the packets. NetworkMiner opens the file. I click on MESSAGES but nothing is there. If I go to cleartext I see one massive block of text with Emails. I have NetworkMiner 1.6.1. So if anyone else sees this same problem, you are not alone. Not sure what I'm missing. (PCAP is from a firewall and not Wireshark.)

(24 Jan '17, 14:04) Tim Naami

@tim-naami Please use the latest version of NetworkMiner (currently 2.1.1), which has support for SMTP, POP3 and IMAP. Here's a blog that covers how to extract emails in more detail: http://netres.ec/?b=17124C4

(24 Jan '17, 23:02) Netresec_LJ
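
The answer above does the PCAP-NG to PCAP conversion through Wireshark's Save As dialog (on the command line, `editcap -F pcap in.pcapng out.pcap` does the same in current Wireshark releases). To show what that conversion actually involves, here is an added example in Python; it is not code from the page, from Wireshark or from NetworkMiner. It parses the three pcapng block types that matter for the conversion (Section Header, Interface Description, Enhanced Packet), honours the section byte order and the per-interface `if_tsresol` option, and writes classic little-endian libpcap with microsecond timestamps. The capture it converts when run without arguments is constructed in `sample_pcapng()` (made-up frames, not real traffic); the file names in the usage comment are placeholders.

```python
from __future__ import annotations

import struct
import sys

# pcapng block types and constants (from the pcapng specification)
SHB, IDB, EPB = 0x0A0D0D0A, 0x00000001, 0x00000006
BYTE_ORDER_MAGIC = 0x1A2B3C4D
OPT_ENDOFOPT, OPT_IF_TSRESOL = 0, 9
PCAP_MAGIC_USEC = 0xA1B2C3D4


def _block(btype: int, body: bytes, fmt: str) -> bytes:
    """Wrap a block body in the pcapng type / total length ... total length envelope."""
    body += b"\0" * (-len(body) % 4)
    total = 12 + len(body)
    return struct.pack(fmt + "II", btype, total) + body + struct.pack(fmt + "I", total)


def sample_pcapng(fmt: str = "<") -> bytes:
    """Constructed two-frame capture (not real traffic): one Ethernet interface
    whose if_tsresol option says its timestamps are in nanoseconds."""
    shb = _block(SHB, struct.pack(fmt + "IHHq", BYTE_ORDER_MAGIC, 1, 0, -1), fmt)
    idb_opts = (struct.pack(fmt + "HH", OPT_IF_TSRESOL, 1) + b"\x09\0\0\0"
                + struct.pack(fmt + "HH", OPT_ENDOFOPT, 0))
    idb = _block(IDB, struct.pack(fmt + "HHI", 1, 0, 65535) + idb_opts, fmt)
    frames = b""
    for ts_ns, payload in ((1_700_000_000_123_456_789, b"\xaa" * 14),
                           (1_700_000_001_000_000_000, b"\xbb" * 17)):
        hdr = struct.pack(fmt + "IIIII", 0, ts_ns >> 32, ts_ns & 0xFFFFFFFF,
                          len(payload), len(payload))
        frames += _block(EPB, hdr + payload, fmt)
    return shb + idb + frames


def _ticks_per_second(options: bytes, fmt: str) -> int:
    """Timestamp resolution of an interface from its if_tsresol option;
    microseconds when the option is absent."""
    pos = 0
    while pos + 4 <= len(options):
        code, length = struct.unpack(fmt + "HH", options[pos:pos + 4])
        if code == OPT_ENDOFOPT:
            break
        if code == OPT_IF_TSRESOL and length == 1 and pos + 4 < len(options):
            v = options[pos + 4]
            return 2 ** (v & 0x7F) if v & 0x80 else 10 ** v
        pos += 4 + ((length + 3) & ~3)   # option values are padded to 32 bits
    return 10 ** 6


def pcapng_to_pcap(data: bytes) -> bytes:
    """Rewrite a pcapng byte string as classic little-endian libpcap with
    microsecond timestamps. Only Enhanced Packet Blocks become records; name
    resolution, statistics and other block types are dropped."""
    out, fmt, pos = bytearray(), "<", 0
    interfaces: list[int] = []      # ticks per second of each interface in this section
    header_linktype = None
    while pos + 12 <= len(data):
        if struct.unpack("<I", data[pos:pos + 4])[0] == SHB:  # palindromic, byte-order free
            bom = data[pos + 8:pos + 12]
            fmt = ">" if bom == struct.pack(">I", BYTE_ORDER_MAGIC) else "<"
            interfaces = []          # interface ids restart in every section
        btype, blen = struct.unpack(fmt + "II", data[pos:pos + 8])
        if blen < 12 or blen % 4 or pos + blen > len(data):
            raise ValueError(f"truncated or corrupt block at offset {pos}")
        body = data[pos + 8:pos + blen - 4]
        if btype == IDB:
            linktype, _reserved, snaplen = struct.unpack(fmt + "HHI", body[:8])
            interfaces.append(_ticks_per_second(body[8:], fmt))
            if header_linktype is None:
                header_linktype = linktype
                out += struct.pack("<IHHiIII", PCAP_MAGIC_USEC, 2, 4, 0, 0, snaplen, linktype)
            elif linktype != header_linktype:
                raise ValueError("pcap cannot hold more than one link-layer type")
        elif btype == EPB:
            if_id, ts_hi, ts_lo, caplen, origlen = struct.unpack(fmt + "IIIII", body[:20])
            if if_id >= len(interfaces):
                raise ValueError(f"packet at offset {pos} refers to unknown interface {if_id}")
            secs, frac = divmod((ts_hi << 32) | ts_lo, interfaces[if_id])
            usec = frac * 10 ** 6 // interfaces[if_id]
            out += struct.pack("<IIII", secs, usec, caplen, origlen) + body[20:20 + caplen]
        pos += blen
    return bytes(out)


if __name__ == "__main__":
    # usage: python pcapng2pcap.py in.pcapng out.pcap   (no arguments: convert the sample)
    src = open(sys.argv[1], "rb").read() if len(sys.argv) > 2 else sample_pcapng()
    dst = sys.argv[2] if len(sys.argv) > 2 else "sample.pcap"
    open(dst, "wb").write(pcapng_to_pcap(src))
```

The resolution handling is the part that silently goes wrong in naive converters: Linux captures frequently carry `if_tsresol = 9`, and treating those ticks as microseconds puts every packet thousands of years in the future. A capture with several interfaces of different link types cannot be expressed as a single pcap at all, so the converter refuses rather than producing a file that dissects as garbage.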

If the email was not encrypted, follow the TCP stream, copy the attachment - it will be in ASCII - and convert it with a Base64 decoder. Or use other software that can do it automatically.


answered 05 Apr '14, 15:54


Roland
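
Roland's manual route (follow the TCP stream, find the Base64 body, decode it) can be scripted. The following is an added example, not code from the page or from any of the answerers. It assumes you have saved the client-to-server direction of Wireshark's "Follow TCP Stream" output to a file, and it embeds a constructed SMTP session (made-up addresses, boundary and attachment bytes) so that it runs without a capture. It goes slightly beyond the answer by pulling every message of the session rather than one, and it handles two details the one-line description skips: SMTP dot-stuffing, which has to be undone before the MIME parser sees the message, and the untrusted filename from Content-Disposition, which is sanitised before it becomes an output path. The script and output-directory names are placeholders.

```python
from __future__ import annotations

import base64
import email
import re
import sys
from email import policy
from email.message import EmailMessage
from pathlib import Path

# Constructed sample (not captured traffic): the client->server half of an SMTP
# session, laid out the way Wireshark's "Follow TCP Stream" shows it, CRLF line
# endings as on the wire. Addresses, boundary and attachment bytes are made up.
ATTACHMENT_BYTES = b"PK\x03\x04constructed zip payload\x00\x01\x02\xff"
BOUNDARY = "=_constructed_boundary_42"


def _dot_stuff(message: bytes) -> bytes:
    """RFC 5321 4.5.2: the sender prepends '.' to every line that starts with '.'."""
    return re.sub(rb"(?m)^\.", b"..", message)


def _build_sample_message() -> bytes:
    b64 = base64.encodebytes(ATTACHMENT_BYTES).decode("ascii").replace("\n", "\r\n")
    return (
        "From: alice@example.test\r\nTo: bob@example.test\r\n"
        "Subject: quarterly report\r\nMIME-Version: 1.0\r\n"
        f'Content-Type: multipart/mixed; boundary="{BOUNDARY}"\r\n\r\n'
        f"--{BOUNDARY}\r\nContent-Type: text/plain; charset=us-ascii\r\n\r\n"
        "Report attached.\r\n"
        ".This line starts with a dot, so it is dot-stuffed on the wire.\r\n"
        f"--{BOUNDARY}\r\n"
        'Content-Type: application/zip; name="report.zip"\r\n'
        "Content-Transfer-Encoding: base64\r\n"
        'Content-Disposition: attachment; filename="report.zip"\r\n\r\n'
        f"{b64}--{BOUNDARY}--\r\n"
    ).encode("ascii")


CLIENT_STREAM = (
    b"EHLO client.example.test\r\nMAIL FROM:<alice@example.test>\r\n"
    b"RCPT TO:<bob@example.test>\r\nDATA\r\n"
    + _dot_stuff(_build_sample_message()) + b".\r\n"
    b"MAIL FROM:<alice@example.test>\r\nRCPT TO:<bob@example.test>\r\nDATA\r\n"
    b"Subject: ping\r\nFrom: alice@example.test\r\n\r\nNo attachment in this one.\r\n"
    b".\r\nQUIT\r\n"
)

DATA_CMD = re.compile(rb"(?:\A|\r\n)DATA\r\n", re.IGNORECASE)
END_OF_DATA = b"\r\n.\r\n"


def smtp_messages(client_stream: bytes) -> list[EmailMessage]:
    """Every message carried in one client->server SMTP stream, each one cut at
    the CRLF.CRLF terminator and with dot-stuffing undone. A message that the
    capture cut off before its terminator is returned as far as it got."""
    messages = []
    pos = 0
    while (cmd := DATA_CMD.search(client_stream, max(pos - 2, 0))) is not None:
        start = cmd.end()
        # look two bytes back so an empty message ("DATA\r\n.\r\n") is found as well
        end = client_stream.find(END_OF_DATA, start - 2)
        if end < 0:
            raw, pos = client_stream[start:], len(client_stream)
        else:
            raw, pos = client_stream[start:max(end, start)], end + len(END_OF_DATA)
        raw = re.sub(rb"(?m)^\.", b"", raw)  # receiver strips one leading dot per line
        messages.append(email.message_from_bytes(raw, policy=policy.default))
    return messages


def safe_filename(name: str) -> str:
    """The filename comes from an untrusted header: keep only the last path
    component and replace anything outside a conservative character set."""
    leaf = re.split(r"[\\/]", name)[-1]
    leaf = re.sub(r"[^A-Za-z0-9._-]", "_", leaf).lstrip(".")
    return leaf or "unnamed"


def attachments(msg: EmailMessage) -> list[tuple[str, bytes]]:
    """(sanitised filename, decoded bytes) for each attachment part. decode=True
    makes the email package undo the base64 / quoted-printable transfer encoding."""
    found = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        if name is None and part.get_content_disposition() != "attachment":
            continue
        found.append((safe_filename(name or "unnamed"), part.get_payload(decode=True)))
    return found


if __name__ == "__main__":
    # usage: python smtp_extract.py <client-stream.bin> <output-dir>
    # (the stream file is the client->server direction saved from Follow TCP Stream)
    stream = Path(sys.argv[1]).read_bytes() if len(sys.argv) > 1 else CLIENT_STREAM
    out_dir = Path(sys.argv[2] if len(sys.argv) > 2 else "extracted")
    out_dir.mkdir(exist_ok=True)
    for i, msg in enumerate(smtp_messages(stream)):
        for name, blob in attachments(msg):
            target = out_dir / f"{i}_{name}"
            target.write_bytes(blob)
            print(f"message {i} ({msg['Subject']!r}): wrote {len(blob)} bytes to {target}")
```

Two practical notes: a session that negotiated STARTTLS shows only the handshake in the stream, so this (like any other tool) recovers nothing from it, and the filename sanitising matters because an attachment named `../../something` in a phishing sample would otherwise steer where the analysis box writes the file.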

There is no simple way to extract files (attachments) sent through SMTP with Wireshark. If you want/need a (semi-)automatic way, you should probably check other tools, like those mentioned here

http://isc.sans.edu/diary/Tools+for+extracting+files+from+pcaps/6961

or this one

https://code.google.com/p/nfex/

Regards
Kurt


answered 06 Apr '14, 05:26


Kurt Knochner ♦

edited 06 Apr '14, 05:28


question asked: 05 Apr '14, 14:45

question was seen: 17,884 times

last updated: 24 Jan '17, 23:02
