

I've an e-mail capture (SMTP) with an attached photo (secret.rtf).

How do I extract this file?

asked 26 May '14, 12:12


Mahfoudi Moh...
accept rate: 0%

edited 26 May '14, 17:19


answered 30 May '14, 03:10


Alexis La Go...
accept rate: 25%

Hey, thanks for your reply.

(error opening pcap file ...) just for .pcap (I've .cap) // gives Invalid PcapNg file

[email protected]:#tcpxtract --file d.cap --output output //Couldn't open file d.cap: unknown file format

foremost [email protected]:#foremost -v -i d.raw 0 FILES EXTRACTED

tcpflow -r d.cap tcpflow[3850]: unknown file format


(30 May '14, 12:34) Mahfoudi Moh...

NetworkMiner works great, you'll just have to convert the PcapNG file to PCAP first. Use Wireshark's File > Save As and select libpcap format in the File format drop down list.

You can also convert the PcapNG file online at

Kurt's suggestion to use editcap also works fine of course!

(02 Jun '14, 04:02) Netresec_LJ

You can use Wireshark and do it manually: Select one frame of the SMTP conversation. Then right click it and select Follow TCP Stream. In the pop-up window, copy the encoded file (Windows selection and copy mechanisms - CTRL-C, etc.) and save the content to disk. Then use a decoder to extract the file itself (either local tool or online - search for "MIME UUDECODE BASE64 online").

Sample capture to test with:


Alternatively please check my answer to the following question, for external tools.



answered 26 May '14, 16:43


Kurt Knochner ♦
accept rate: 15%

edited 31 May '14, 07:10

I just realized that the link to my answer to another question did not work. I fixed it.

In that answer you'll find some links to data extraction tools (including NetworkMiner). Some of them do support pcap-ng, some don't.

If you convert your pcap-ng to pcap, you can use any one of the mentioned tools.

editcap -F pcap input.pcapng output.pcap

(31 May '14, 07:13) Kurt Knochner ♦
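
The manual steps in Kurt Knochner's answer (follow the SMTP stream, save it, decode the MIME attachment) can be scripted. This is an added example, not part of the original thread: it assumes the whole followed stream was saved to a file, and the function names and the sample session are constructed for illustration.

```python
import base64, email, os, sys
from email import policy

def smtp_messages(stream: bytes):
    """Yield each raw message carried in a saved SMTP stream (both directions)."""
    body, in_data = [], False
    for line in stream.replace(b"\r\n", b"\n").split(b"\n"):
        if not in_data:
            if line.startswith(b"354"):      # server reply that opens the DATA phase
                body, in_data = [], True
        elif line == b".":                   # lone dot terminates the message
            in_data = False
            yield b"\r\n".join(body) + b"\r\n"
        else:                                # undo dot-stuffing (RFC 5321, 4.5.2)
            body.append(line[1:] if line.startswith(b".") else line)

def extract_attachments(stream: bytes):
    """Return [(filename, decoded bytes)] for every MIME part that names a file."""
    found = []
    for raw in smtp_messages(stream):
        for part in email.message_from_bytes(raw, policy=policy.default).walk():
            name = part.get_filename()
            if name:
                # Keep only the last path component of the sender-supplied name.
                safe = os.path.basename(name.replace("\\", "/")) or "unnamed"
                found.append((safe, part.get_payload(decode=True)))
    return found

# Constructed sample session (not from the question's capture).
PAYLOAD = b"{\\rtf1 constructed sample}"
SAMPLE = b"\r\n".join([
    b"220 mail.example.test ESMTP", b"EHLO client.example.test", b"250 OK",
    b"MAIL FROM:<a@example.test>", b"250 OK", b"RCPT TO:<b@example.test>",
    b"250 OK", b"DATA", b"354 End data with <CR><LF>.<CR><LF>",
    b"Subject: test", b"MIME-Version: 1.0",
    b'Content-Type: multipart/mixed; boundary="XX"', b"",
    b"--XX", b"Content-Type: text/plain", b"", b"..leading dot", b"--XX",
    b"Content-Type: application/rtf", b"Content-Transfer-Encoding: base64",
    b'Content-Disposition: attachment; filename="../secret.rtf"', b"",
    base64.b64encode(PAYLOAD), b"--XX--", b".", b"250 queued", b"QUIT", b""])

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for name, content in extract_attachments(data):
        with open(name, "wb") as fh:
            fh.write(content)
        print(f"wrote {name} ({len(content)} bytes)")
```

Run it with the saved stream file as the only argument; each attachment is written to the current directory under its sanitized name.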

question asked: 26 May '14, 12:12

question was seen: 23,016 times

last updated: 02 Jun '14, 04:02
