Hi there, some files are sent to a mail server (using SMTP port 25). If I captured them and saved them as test.pcapng, then how can I extract these files using Wireshark? Best regards, Kanan

NetworkMiner automatically extracts all email and attachments from a PCAP file.

NetworkMiner with extracted emails in "Messages" tab, extracted files are in the "Files" tab

You'll need to save the PCAP-NG file in the old PCAP format first though. You can do that from Wireshark (use File > Save As and select libpcap format in the File format drop-down list).

You can also convert the PCAP-NG file to plain old PCAP over at

I've captured the packets. NetworkMiner opens the file. I click on MESSAGES but nothing is there. If I go to cleartext I see one massive block of text with Emails. I have NetworkMiner 1.6.1. So if anyone else sees this same problem, you are not alone. Not sure what I'm missing. (PCAP is from a firewall and not Wireshark.)

@tim-naami Please use the latest version of NetworkMiner (currently 2.1.1), which has support for SMTP, POP3 and IMAP. Here's a blog that covers how to extract emails in more detail:

If the email was not encrypted, follow the TCP stream, copy the attachment - it will be in ASCII - and convert it with a Base64 decoder. Or use other software that can do it automatically.
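The manual procedure in the answer above (follow the TCP stream, copy the Base64 text, decode it) can be scripted. This is an added example, not part of the original answers; it assumes the stream was saved from Wireshark's Follow TCP Stream dialog in Raw format, and the function names and the sample session are constructed for illustration.

```python
import base64
import os
import re
from email import message_from_bytes
from email.policy import default

# DATA command, optional server "354" reply (present when both directions of
# the stream were saved), then the message up to the <CRLF>.<CRLF> terminator.
_DATA = re.compile(rb"(?mis)^DATA\r\n(?:354[^\r\n]*\r\n)?(.*?)\r\n\.\r\n")

def extract_messages(stream: bytes):
    """Return the raw messages found in a saved SMTP stream (Raw format)."""
    # Undo SMTP dot-stuffing: a line the client sent as "..x" was ".x".
    return [re.sub(rb"(?m)^\.\.", b".", m.group(1)) for m in _DATA.finditer(stream)]

def extract_attachments(stream: bytes):
    """Return [(safe_filename, decoded_bytes)] for each named MIME part."""
    found = []
    for raw in extract_messages(stream):
        for part in message_from_bytes(raw, policy=default).walk():
            name = part.get_filename()
            if name:
                # The filename is chosen by the sender: drop any directory part
                # before using it as a path on the analysis machine.
                safe = os.path.basename(name.replace("\\", "/"))
                # decode=True applies the part's Content-Transfer-Encoding (Base64).
                found.append((safe, part.get_payload(decode=True)))
    return found

# Constructed sample session (both directions), not taken from a real capture.
PAYLOAD = b"constructed attachment bytes\n"
SAMPLE = (
    b"220 mail.example.test ESMTP\r\nEHLO client.example.test\r\n250 OK\r\n"
    b"MAIL FROM:<a@example.test>\r\n250 OK\r\nRCPT TO:<b@example.test>\r\n250 OK\r\n"
    b"DATA\r\n354 End data with <CR><LF>.<CR><LF>\r\n"
    b"Subject: report\r\nMIME-Version: 1.0\r\n"
    b'Content-Type: multipart/mixed; boundary="XX"\r\n\r\n'
    b"--XX\r\nContent-Type: text/plain\r\n\r\nsee attached\r\n..dot-stuffed line\r\n"
    b"--XX\r\nContent-Type: application/octet-stream\r\n"
    b'Content-Disposition: attachment; filename="../report.bin"\r\n'
    b"Content-Transfer-Encoding: base64\r\n\r\n"
    + base64.b64encode(PAYLOAD) + b"\r\n--XX--\r\n.\r\n250 Queued\r\nQUIT\r\n"
)

if __name__ == "__main__":
    for name, data in extract_attachments(SAMPLE):
        print(name, len(data), "bytes")
```

As the answer notes, this only works when the session was not encrypted; after STARTTLS the saved stream contains no readable DATA section.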

There is no simple way to extract files (attachments) sent through SMTP with Wireshark. If you want/need a (semi) automatic way, you should probably check other tools, like those mentioned here

or this one


