This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Capturing packets and extracting files from pcap


Hello everybody! I am attempting to capture the packets on my own computer, in the hopes of being able to extract any files downloaded from the resulting pcap file. From what I understand this should be possible, but I am having no success in doing so. When in Wireshark after the capture, I understand that doing File > Export Objects > HTTP should extract the files from the capture session, but I do not see either of the two .exe files that I downloaded during my session when using this method. I am not using any filters, and I am sniffing on the Ethernet interface that my computer is connected to.

Help is appreciated!

asked 07 Oct '15, 05:39


surfing123

Show us the capture file, just put it on CloudShark.

(07 Oct '15, 07:34) Jaap ♦

If the download was through HTTPS, you won't see anything!

(07 Oct '15, 07:42) Kurt Knochner ♦

Ok. Here is the link. The pcap should contain a single exe file, which I am attempting to extract. https://www.cloudshark.org/captures/d6503563cbc6

(07 Oct '15, 07:56) surfing123

Ok, so it appears that when I used NetworkMiner to extract files from the pcap I just posted, I was able to grab the file. The difference between this pcap and the original one is that the original pcap contained larger exe files. Could this be the reason I was originally unable to extract the exe files? Is there some sort of size limitation in play? I was unable to upload the original pcap because CloudShark limits uploads to 2 MB.

(07 Oct '15, 08:00) surfing123

Kurt, is there no way to extract a file downloaded over an HTTPS connection?

(07 Oct '15, 08:03) surfing123

One Answer:


I was able to extract and run the file PortRptr.exe from the trace you posted on Cloudshark.

Go to Edit > Preferences > Protocols > TCP and enable "Allow subdissector to reassemble TCP streams." Then go to File > Export Objects > HTTP. Find and highlight the file and click "Save As."

If you normally have "Allow subdissector to reassemble streams" off, then turn it back off when you're done saving the file.

answered 07 Oct '15, 08:30


Jim Aragon
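As an added illustration, not code from the thread above, of what the "reassemble TCP streams" preference does before Export Objects can find a file: this Python script parses a classic pcap, orders each TCP stream's segments by sequence number, and carves HTTP response bodies by Content-Length. The pcap it reads is constructed inline (the "exe" payload is placeholder bytes, not a real binary), and build_segment, build_pcap, tcp_payloads, extract_http_bodies and demo are names chosen for this example.

```python
import struct
def build_segment(seq, payload, sport=80, dport=50000):
    """Constructed Ethernet/IPv4/TCP frame for one segment of an HTTP response (checksums left zero)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 1, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0, b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02") + tcp
    return b"\x00" * 12 + b"\x08\x00" + ip  # dummy MACs + EtherType IPv4
def build_pcap(frames):
    """Constructed pcap: global header (link type 1 = Ethernet) plus a 16-byte record header per frame."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", i, 0, len(f), len(f)) + f
    return out
def tcp_payloads(pcap):
    """Yield (stream key, seq, data) for every IPv4/TCP segment in a classic pcap that carries data."""
    endian, off = ("<" if pcap[:4] == b"\xd4\xc3\xb2\xa1" else ">"), 24
    while off + 16 <= len(pcap):
        caplen = struct.unpack(endian + "IIII", pcap[off:off + 16])[2]
        frame, off = pcap[off + 16:off + 16 + caplen], off + 16 + caplen
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:  # IPv4 + TCP only
            continue
        ip = frame[14:]
        ihl, total = (ip[0] & 0x0F) * 4, struct.unpack("!H", ip[2:4])[0]
        tcp = ip[ihl:total]
        sport, dport, seq = struct.unpack("!HHI", tcp[:8])
        data = tcp[(tcp[12] >> 4) * 4:]  # skip the TCP header (data offset is in 32-bit words)
        if data:
            yield (ip[12:16], ip[16:20], sport, dport), seq, data
def extract_http_bodies(pcap):
    """Reassemble each stream by sequence number, then carve HTTP/1.x bodies that are fully present."""
    streams = {}
    for key, seq, data in tcp_payloads(pcap):
        streams.setdefault(key, []).append((seq, data))
    bodies = []
    for segs in streams.values():
        stream, pos = b"".join(d for _, d in sorted(segs)), 0  # retransmissions are not de-duplicated
        while stream[pos:].startswith(b"HTTP/1.") and (end := stream.find(b"\r\n\r\n", pos)) > 0:
            hdrs = stream[pos:end].decode("latin-1").lower().split("\r\n")
            length = next((int(h.split(":", 1)[1]) for h in hdrs if h.startswith("content-length:")), None)
            if length is None or len(stream) < end + 4 + length:
                break  # no Content-Length, or the capture ends mid-body: nothing complete to save
            bodies.append(stream[end + 4:end + 4 + length])
            pos = end + 4 + length
    return bodies
def demo():
    """Constructed case: one response split in two segments captured out of order (payload is not a real PE)."""
    fake_exe = b"MZ" + bytes(range(256)) * 2
    response = b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\nContent-Length: %d\r\n\r\n" % len(fake_exe) + fake_exe
    frames = [build_segment(71, response[70:]), build_segment(1, response[:70])]
    return extract_http_bodies(build_pcap(frames)), fake_exe
```

A body that does not fit in one segment is only recoverable after the sort step, which is the same reason the answer's reassembly preference has to be on before Export Objects will list the file; a capture that ends mid-body yields nothing, like a truncated download.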