Some packet captures contain files in transit, and Wireshark can reconstruct and extract several of these. As of v3.0.0, Wireshark can export objects from these protocols:
To do this in tshark, use tshark -r ${file} --export-object ${protocol},${path}
(in Wireshark: File > Export Objects > the protocol). If you would like to extract files from a TLS-encrypted capture, you will need to first [decrypt it]().
To get a pcap containing a file, start a capture and then open a webpage. In this example, we will be using neverssl.com to avoid the need to decrypt.
These variables are arbitrary and included for readability.
dest_dir='/tmp'
cd $dest_dir
pcap_file="$dest_dir/neverssl.pcapng"
html_file="$dest_dir/neverssl.html"
website='http://neverssl.com'
protocol='http'
curl is used because it writes the site's HTML to stdout natively; that copy is redirected to a file and used later on to verify the extracted object.
tshark -Q -w $pcap_file & tspid=$!
sleep 1 # Wait for tshark to warm up
curl $website > $html_file
kill -9 $tspid
Firefox can be used instead if you want to see all of the files a page loads. For some websites, this will include JSON, scripts, media, and other files. For this website, the initial HTML uses JavaScript to redirect to the final destination; Firefox will fetch this second HTML file, and the exported object will be called ‘online’.
tshark -Q -w $pcap_file & tspid=$!
sleep 1 # Wait for tshark to warm up
firefox --headless $website & ffpid=$!
sleep 2 # Wait for firefox to warm up
kill -9 $ffpid $tspid
To extract files, read in the capture and use the --export-objects flag, specifying the protocol and the directory in which to save the files.
Without -Q, tshark will also print each packet it reads to stdout even though it is exporting objects.
tshark -Q -r $pcap_file --export-objects $protocol,$dest_dir
Note that --export-objects can be abbreviated to any unambiguous prefix, as short as --ex (i.e. --export-object is also valid).
If you used curl to download the file, you will now have at least two files: neverssl.html (written by curl) and %2f (extracted by tshark and named after the URL-encoded request path, /).
If the extraction was successful, diff neverssl.html '%2f' will return nothing.
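When a capture yields more than one object, the diff check above does not scale well. The following script is an added example (not from the original page or from the Wireshark project) that inventories an export directory: it decodes each tshark object name back to its request path (so %2f becomes /), hashes the content, sniffs the type from the leading bytes, and offers the same byte-for-byte comparison against a reference copy. The directory and file names are assumptions.

```python
"""Inventory the objects that tshark --export-objects wrote to a directory.

Added example, not from the original page. tshark names an HTTP object after
the URL-encoded request path ("/" is saved as "%2f"), so each name is decoded
back to the path, the content is hashed and its type sniffed from the leading
bytes. matches_reference() is the page's diff check; paths are assumptions.
"""
import hashlib
import os
from urllib.parse import unquote

# Leading-byte signatures for a few common types; HTML is a loose text check.
MAGIC = [(b"MZ", "PE executable"), (b"PK\x03\x04", "ZIP archive"),
         (b"%PDF-", "PDF document"), (b"\x89PNG\r\n\x1a\n", "PNG image"),
         (b"\x7fELF", "ELF executable")]

def sniff_type(head):
    for sig, label in MAGIC:
        if head.startswith(sig):
            return label
    if head.lstrip().lower().startswith((b"<!doctype html", b"<html")):
        return "HTML document"
    return "unknown"

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def inventory(export_dir):
    """One record per exported file, ordered by the name tshark gave it."""
    records = []
    for name in sorted(os.listdir(export_dir)):
        path = os.path.join(export_dir, name)
        if not os.path.isfile(path):
            continue
        with open(path, "rb") as f:
            head = f.read(16)
        records.append({"exported_as": name, "request_path": unquote(name),
                        "size": os.path.getsize(path),
                        "sha256": sha256_file(path), "type": sniff_type(head)})
    return records

def matches_reference(export_dir, exported_name, reference):
    """True when the exported object is byte-identical to a reference file."""
    return sha256_file(os.path.join(export_dir, exported_name)) == sha256_file(reference)
```

Point inventory() at the directory you passed to --export-objects (e.g. /tmp in the example above) and print or store the records; matches_reference('/tmp', '%2f', '/tmp/neverssl.html') reproduces the diff check.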