How to extract (carve) files from a packet dump (PCAP)

Let’s say you have a PCAP containing some HTTP traffic, and you want to inspect the content to see if any interesting files were downloaded. You can use CapTipper for this.

If you’re using REMnux, you can run it like so:

python /opt/remnux-captipper/ -g -d /path/to/output/folder /path/to/pcap

Afterwards, do the following to get an overview of what type of files were involved in the various conversations:

file /path/to/output/folder/*
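As an added illustration of what the CapTipper dump step does for HTTP (this is example code written for this page, not code from CapTipper or from the original post), here is a minimal Python carver: it takes a reassembled server-to-client HTTP/1.x byte stream (what you would save from a "Follow TCP Stream" view in raw form), splits it into response bodies using Content-Length, optionally ungzips them as the -g flag does, and labels each body by its magic bytes the way `file` would. The sample stream is constructed inline.

```python
import gzip
import re

# Leading magic bytes used to label carved bodies (the `file` command does this more thoroughly).
MAGIC = {b"%PDF-": "pdf", b"MZ": "exe", b"\x89PNG": "png", b"PK\x03\x04": "zip", b"\x1f\x8b": "gzip"}

def identify(body: bytes) -> str:
    """Return a short type label from the body's leading magic bytes, or 'unknown'."""
    return next((label for magic, label in MAGIC.items() if body.startswith(magic)), "unknown")

def carve_http_responses(stream: bytes, ungzip: bool = True) -> list:
    """Split a reassembled server->client HTTP/1.x stream into response bodies.

    Only Content-Length delimited bodies are handled (the usual case for downloads);
    a response without Content-Length is taken to run to the end of the stream.
    ungzip=True decompresses Content-Encoding: gzip bodies, like CapTipper's -g.
    """
    carved, pos = [], 0
    while stream.startswith(b"HTTP/", pos):
        hdr_end = stream.find(b"\r\n\r\n", pos)
        if hdr_end == -1:
            break  # headers cut off by the capture: nothing carvable
        headers = stream[pos:hdr_end].decode("latin-1")
        body_start = hdr_end + 4
        clen = re.search(r"^Content-Length:\s*(\d+)", headers, re.I | re.M)
        body_end = body_start + int(clen.group(1)) if clen else len(stream)
        body = stream[body_start:body_end]  # may be shorter than declared if truncated
        enc = re.search(r"^Content-Encoding:\s*gzip", headers, re.I | re.M)
        if ungzip and enc:
            try:
                body = gzip.decompress(body)
            except (OSError, EOFError):
                pass  # truncated or bogus gzip: keep the raw bytes for inspection
        ctype = re.search(r"^Content-Type:\s*([^;\r\n]+)", headers, re.I | re.M)
        carved.append({"status": headers.split("\r\n", 1)[0],
                       "content_type": ctype.group(1).strip() if ctype else "",
                       "type": identify(body), "size": len(body), "body": body})
        pos = body_end
    return carved

# Constructed sample stream: a gzip-compressed HTML page, then a PDF download.
HTML = b"<html><body>hello</body></html>"
PDF = b"%PDF-1.4\n% constructed sample, not a real document\n%%EOF\n"

def _resp(ctype: bytes, body: bytes, extra: bytes = b"") -> bytes:
    return (b"HTTP/1.1 200 OK\r\nContent-Type: " + ctype + b"\r\nContent-Length: "
            + str(len(body)).encode() + b"\r\n" + extra + b"\r\n" + body)

SAMPLE_STREAM = (_resp(b"text/html", gzip.compress(HTML), b"Content-Encoding: gzip\r\n")
                 + _resp(b"application/pdf", PDF))
```

Call `carve_http_responses(SAMPLE_STREAM)` and write each `body` to the output folder; chunked transfer encoding is not handled here, so compare the carved set against CapTipper's output on real captures.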

Let’s say you have a PCAP with other-than-HTTP traffic, and you want to extract files from it. Open it in Wireshark (consider trimming it down with tshark first) and go to:

File > Export Objects > SMB-or-whatever-you’re-looking-for

To see if any credentials have been passed during the capture, you can use PCredz:

pcredz -f /path/to/pcap-file