hey, I've an e-mail capture (SMTP) with an attached photo (secret.rtf), how to extract this file? asked 26 May '14, 12:12 Mahfoudi Moh... edited 26 May '14, 17:19
2 Answers:
How about using NetworkMiner ( http://sourceforge.net/projects/networkminer/ ) answered 30 May '14, 03:10 Alexis La Go...
You can use Wireshark and do it manually: Select one frame of the SMTP conversation. Then right click it and select Follow TCP Stream. In the pop-up window, copy the encoded file (Windows selection and copy mechanisms - CTRL-C, etc.) and save the content to disk. Then use a decoder to extract the file itself (either local tool or online - search for "MIME UUDECODE BASE64 online"). Sample capture to test with:
Alternatively please check my answer to the following question, for external tools.
Regards
answered 26 May '14, 16:43 Kurt Knochner ♦ edited 31 May '14, 07:10
I just realized that the link to my answer to another question did not work. I fixed it. In that answer you'll find some links to data extraction tools (including NetworkMiner). Some of them do support pcap-ng, some don't. If you convert your pcap-ng to pcap, you can use any one of the mentioned tools.
(31 May '14, 07:13) Kurt Knochner ♦
hey, thanks for your reply
NetworkMiner
(error opening pcap file ...) just for .pcap (I've .cap) // pcapng.com gives Invalid PcapNg file
tcpxtract
[email protected]:#tcpxtract --file d.cap --output output // Couldn't open file d.cap: unknown file format
foremost
[email protected]:#foremost -v -i d.raw // 0 FILES EXTRACTED
tcpflow
tcpflow -r d.cap // tcpflow[3850]: unknown file format
...!!
NetworkMiner works great, you'll just have to convert the PcapNG file to PCAP first. Use Wireshark's File > Save As and select libpcap format in the File format drop down list.
You can also convert the PcapNG file online at http://pcapng.com
Kurt's suggestion to use editcap also works fine of course!
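The manual route in Kurt's answer (copy the Follow TCP Stream output, then decode the MIME body) can be scripted. The following is an added example, not code from this thread or from Wireshark/NetworkMiner: it takes the raw SMTP session bytes as saved from Follow TCP Stream, isolates the DATA section, undoes SMTP dot-stuffing, and lets Python's email module decode the base64 attachment. The session bytes and the secret.rtf content are constructed for the example.

```python
import base64
import email
from email import policy

# Constructed sample of what Wireshark's "Follow TCP Stream" shows for one SMTP
# session (client and server lines interleaved). The RTF content is made up.
RTF_BODY = b"{\\rtf1\\ansi Hello from the attachment.}"
SAMPLE_STREAM = (
    b"220 mail.example.test ESMTP\r\nEHLO client.example.test\r\n250 OK\r\n"
    b"MAIL FROM:<alice@example.test>\r\n250 OK\r\n"
    b"RCPT TO:<bob@example.test>\r\n250 OK\r\n"
    b"DATA\r\n354 End data with <CR><LF>.<CR><LF>\r\n"
    b"From: alice@example.test\r\nTo: bob@example.test\r\nSubject: photo\r\n"
    b'MIME-Version: 1.0\r\nContent-Type: multipart/mixed; boundary="XYZ"\r\n\r\n'
    b"--XYZ\r\nContent-Type: text/plain\r\n\r\nsee attached\r\n"
    b"..this line was dot-stuffed by the sending MTA\r\n"
    b'--XYZ\r\nContent-Type: application/rtf; name="secret.rtf"\r\n'
    b"Content-Transfer-Encoding: base64\r\n"
    b'Content-Disposition: attachment; filename="secret.rtf"\r\n\r\n'
    + base64.b64encode(RTF_BODY) + b"\r\n--XYZ--\r\n"
    b".\r\n250 OK queued\r\nQUIT\r\n221 Bye\r\n"
)

def smtp_data_section(stream: bytes) -> bytes:
    """Return the message bytes sent between DATA and the terminating '.' line."""
    start = stream.find(b"\r\nDATA\r\n")
    if start < 0:
        raise ValueError("no DATA command in stream")
    # Skip the DATA line itself and the server's 354 reply that follows it.
    body_start = stream.index(b"\r\n", start + len(b"\r\nDATA\r\n")) + 2
    end = stream.find(b"\r\n.\r\n", body_start)
    if end < 0:
        raise ValueError("no end-of-data marker in stream")
    lines = stream[body_start:end].split(b"\r\n")
    # Undo SMTP dot-stuffing (RFC 5321 section 4.5.2): a leading '..' is really '.'
    return b"\r\n".join(l[1:] if l.startswith(b"..") else l for l in lines) + b"\r\n"

def extract_attachments(stream: bytes) -> dict:
    """Map attachment filename -> decoded bytes for every MIME attachment in the session."""
    msg = email.message_from_bytes(smtp_data_section(stream), policy=policy.default)
    found = {}
    for part in msg.walk():
        name = part.get_filename()
        if name and part.get_content_disposition() == "attachment":
            found[name] = part.get_payload(decode=True)  # base64 decoded by the parser
    return found

if __name__ == "__main__":
    for name, data in extract_attachments(SAMPLE_STREAM).items():
        print(f"{name}: {len(data)} bytes")
```

For a real capture, read the bytes saved from Follow TCP Stream (raw format) and pass them to extract_attachments instead of SAMPLE_STREAM; a session carrying several messages would need the DATA search repeated from the end of the previous message.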