This is our old Q&A Site. Please post any new questions and answers at

Hi there, some files are sent to mail server (using SMTP port 25).if i captured them and save as test.pcapng,then how can i extract these files using wireshark? best regards, Kanan

asked 05 Apr '14, 14:45

warrior289's gravatar image

accept rate: 0%

NetworkMiner automatically extracts all email and attachments from a PCAP file.

NetworkMiner with extracted emails in "Messages" tab, extracted files are in the "Files" tab

NetworkMiner with extracted emails in "Messages" tab, extracted files are in the "Files" tab

You'll need to save the PCAP-NG file in the old PCAP format first though. You can do that from wireshark (use File > Save As and select libpcap format in the File format drop down list).

You can also convert the PCAP-NG file to plain old PCAP over at

permanent link

answered 02 Jun '14, 03:59

Netresec_LJ's gravatar image

accept rate: 0%

edited 24 Jan '17, 23:00

I've captured the packets. NetworkMiner opens the file. I click on MESSAGES but nothing is there. If I go to cleartext I see one massive block of text with Emails. I have NetworkMiner 1.6.1. So if anyone else sees this same problem, you are not alone. Not sure what I'm missing. (PCAP is from a firewall and not Wireshark.)

(24 Jan '17, 14:04) Tim Naami

@tim-naami Please use the latest version of NetworkMiner (currently 2.1.1), which has support for SMTP, POP3 and IMAP. Here's a blog that covers how to extract emails in more detail:

(24 Jan '17, 23:02) Netresec_LJ

If the email was not encrypted, follow the TCP stream, copy the attachment - it will be in ASCII - and convert it with a Base64 decoder. Or use another software that can do it automatically.

permanent link

answered 05 Apr '14, 15:54

Roland's gravatar image

accept rate: 13%

There is no simple way to extract files (attachments) sent through SMTP with Wireshark. If you want/need (semi) automatic way, you should probably check other tools, like those mentioned here

or this one


permanent link

answered 06 Apr '14, 05:26

Kurt%20Knochner's gravatar image

Kurt Knochner ♦
accept rate: 15%

edited 06 Apr '14, 05:28

Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here



Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text]( "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:


question asked: 05 Apr '14, 14:45

question was seen: 17,884 times

last updated: 24 Jan '17, 23:02

Related questions

p​o​w​e​r​e​d by O​S​Q​A