I ve an e-mail capture (SMTP) with an attached photo (secret.rtf),

how to extract this file ??

asked 26 May '14, 12:12

Mahfoudi Moh...
edited 26 May '14, 17:19

answered 30 May '14, 03:10

Alexis La Go...
hey, thanks for your reply

(error opening pcap file ...) juste for .pcap (i've .cap) // gives Invalid PcapNg file

[email protected]:#tcpxtract --file d.cap --output output //Couldn't open file d.cap: unknown file format

foremost [email protected]:#foremost -v -i d.raw 0 FILES EXTRACTED

tcpflow -r d.cap tcpflow[3850]: unknown file format


(30 May '14, 12:34) Mahfoudi Moh...

NetworkMiner works great, you'll just have to convert the PcapNG file to PCAP first. Use Wireshark's File > Save As and select libpcap format in the File format drop down list.

You can also convert the PcapNG file online at

Kurt's suggestion to use editcap also works fine of course!

(02 Jun '14, 04:02) Netresec_LJ

You can use Wireshark and do it manually: Select one frame of the SMTP conversation. Then right click it and select Follow TCP Stream. In the pop-up window, copy the encoded file (Windows selection and copy mechanisms - CTRL-C, etc.) and save the content to disk. Then use a decoder to extract the file itself (either local tool or online - search for "MIME UUDECODE BASE64 online").

Sample capture to test with:

alt text

Alternatively please check my answer to the following question, for external tools.


answered 26 May '14, 16:43

Kurt Knochner
edited 31 May '14, 07:10

I just realized, that the link to my answer of another questions did not work. I fixed it.

In that answer you'll find some links to data extraction tools (including Networkminer). Some of them do support pcap-ng, some don't.

If you convert your pcap-ng to pcap, you can use anyone of the mentioned tools.

editcap -F pcap input.pcapng output.pcap

(31 May '14, 07:13) Kurt Knochner
question asked: 26 May '14, 12:12

last updated: 02 Jun '14, 04:02

