This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

hey,

I've an e-mail capture (SMTP) with an attached photo (secret.rtf).

How do I extract this file?

http://posting.org/image/pz9dzx9uh

asked 26 May '14, 12:12

Mahfoudi Moh...

edited 26 May '14, 17:19



answered 30 May '14, 03:10

Alexis La Go...

hey, thanks for your reply

NetworkMiner
(error opening pcap file ...) just for .pcap (I've .cap) // pcapng.com gives Invalid PcapNg file

tcpxtract
[email protected]:#tcpxtract --file d.cap --output output //Couldn't open file d.cap: unknown file format

foremost
[email protected]:#foremost -v -i d.raw 0 FILES EXTRACTED

tcpflow -r d.cap tcpflow[3850]: unknown file format

...!!

(30 May '14, 12:34) Mahfoudi Moh...

NetworkMiner works great, you'll just have to convert the PcapNG file to PCAP first. Use Wireshark's File > Save As and select libpcap format in the File format drop down list.

You can also convert the PcapNG file online at http://pcapng.com

Kurt's suggestion to use editcap also works fine of course!

(02 Jun '14, 04:02) Netresec_LJ

You can use Wireshark and do it manually: Select one frame of the SMTP conversation. Then right click it and select Follow TCP Stream. In the pop-up window, copy the encoded file (Windows selection and copy mechanisms - CTRL-C, etc.) and save the content to disk. Then use a decoder to extract the file itself (either local tool or online - search for "MIME UUDECODE BASE64 online").

Sample capture to test with:

http://wiki.wireshark.org/SampleCaptures?action=AttachFile&do=get&target=sample-TNEF.pcap.gz


Alternatively please check my answer to the following question, for external tools.

http://ask.wireshark.org/questions/31557/how-to-extract-email-files/31565

Regards
Kurt


answered 26 May '14, 16:43

Kurt Knochner ♦

edited 31 May '14, 07:10

I just realized that the link to my answer to another question did not work. I fixed it.

In that answer you'll find some links to data extraction tools (including Networkminer). Some of them do support pcap-ng, some don't.

If you convert your pcap-ng to pcap, you can use any one of the mentioned tools.

editcap -F pcap input.pcapng output.pcap

(31 May '14, 07:13) Kurt Knochner ♦
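
The manual procedure from the answer above (Follow TCP Stream, save the content, decode the attachment), scripted as an added example that is not part of the original thread. It assumes the stream was saved in Raw form with both directions included; the function names and the sample session are constructed for illustration.

```python
import base64
import re
import sys
from email import message_from_bytes, policy
from pathlib import Path, PurePosixPath

def smtp_data_section(stream: bytes) -> bytes:
    """Return the message sent between the 354 reply to DATA and the lone '.' line."""
    m = re.search(rb"(?im)^DATA\r?\n354[^\n]*\n(.*?)\r?\n\.\r?\n", stream, re.S)
    if not m:
        raise ValueError("no complete SMTP DATA section in stream")
    # Undo SMTP dot-stuffing: a leading '..' on the wire is a single '.' in the message.
    return re.sub(rb"(?m)^\.\.", b".", m.group(1)) + b"\r\n"

def extract_attachments(stream: bytes) -> dict:
    """Map sanitized attachment filename -> decoded bytes for every named MIME part."""
    msg = message_from_bytes(smtp_data_section(stream), policy=policy.default)
    found = {}
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue
        # The filename is sender-controlled: keep only the last path component.
        safe = PurePosixPath(name.replace("\\", "/")).name
        if safe in ("", ".", ".."):
            safe = "attachment.bin"
        found[safe] = part.get_payload(decode=True)  # reverses base64 / quoted-printable
    return found

# Constructed sample session (not taken from the asker's capture).
RTF = b"{\\rtf1 constructed sample}"
SAMPLE_STREAM = b"\r\n".join([
    b"220 mail.example ESMTP", b"EHLO client.example", b"250 OK",
    b"MAIL FROM:<a@example.com>", b"250 OK", b"RCPT TO:<b@example.com>", b"250 OK",
    b"DATA", b"354 End data with <CR><LF>.<CR><LF>",
    b"MIME-Version: 1.0", b'Content-Type: multipart/mixed; boundary="b1"', b"",
    b"--b1", b"Content-Type: text/plain", b"", b"see attachment", b"..dot-stuffed line",
    b"--b1", b"Content-Type: application/rtf", b"Content-Transfer-Encoding: base64",
    b'Content-Disposition: attachment; filename="../secret.rtf"', b"",
    base64.b64encode(RTF), b"--b1--", b".", b"250 OK queued", b"QUIT", b"221 Bye", b""])

if __name__ == "__main__":
    raw = Path(sys.argv[1]).read_bytes() if len(sys.argv) > 1 else SAMPLE_STREAM
    for fname, data in extract_attachments(raw).items():
        Path(fname).write_bytes(data)
        print(f"wrote {fname} ({len(data)} bytes)")
```

Attachments from a capture are untrusted content, so open the extracted files in an isolated analysis environment.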