Wednesday, March 15, 2017

Wireshark: How to extract HTTP and FTP files from a .pcap file

If you have a packet capture that contains HTTP or FTP files such as images and zip files, you can extract them using Wireshark.

For HTTP files:
1. open the .pcap file in Wireshark
2. go to File -> Export Objects -> HTTP...
3. a file list will pop up, and you can save the desired files

For FTP files:
1. look for the FTP-DATA protocol block of the file you are interested in
2. right-click, Follow > TCP Stream
3. change "Show and save data as" to Raw
4. click Save as...
5. enter the expected file name and extension
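
The same kind of reassembly that the FTP steps perform by hand, as an added Python example (not from the original post): it reads a classic pcap, keeps one direction of a TCP connection, orders the segments by sequence number, and drops retransmitted copies. It assumes Ethernet/IPv4 framing; the sample capture, port numbers (20 and 50000), addresses, and function names are constructed for illustration.

```python
import struct

def read_pcap(data):
    """Yield raw frames from a classic little-endian pcap (not pcapng)."""
    if struct.unpack_from("<I", data, 0)[0] != 0xA1B2C3D4:
        raise ValueError("not a little-endian classic pcap")
    off = 24  # skip the 24-byte global header
    while off + 16 <= len(data):
        incl_len, = struct.unpack_from("<I", data, off + 8)
        yield data[off + 16: off + 16 + incl_len]
        off += 16 + incl_len

def tcp_segment(frame):
    """Return (sport, dport, seq, payload) for Ethernet/IPv4/TCP, else None."""
    if len(frame) < 54 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ihl = (frame[14] & 0x0F) * 4
    total_len, = struct.unpack_from("!H", frame, 16)
    tcp = 14 + ihl
    sport, dport, seq = struct.unpack_from("!HHI", frame, tcp)
    data_off = (frame[tcp + 12] >> 4) * 4
    return sport, dport, seq, frame[tcp + data_off: 14 + total_len]

def follow_stream_raw(pcap_bytes, sport, dport):
    """Reassemble one direction as raw bytes (assumes no seq wraparound or overlap)."""
    segs = {}
    for frame in read_pcap(pcap_bytes):
        s = tcp_segment(frame)
        if s and s[0] == sport and s[1] == dport and s[3]:
            segs.setdefault(s[2], s[3])  # first copy wins; retransmissions dropped
    return b"".join(segs[seq] for seq in sorted(segs))

def _frame(seq, payload, sport=20, dport=50000):
    """Constructed Ethernet/IPv4/TCP frame (checksums left at zero)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     bytes([192, 0, 2, 10]), bytes([192, 0, 2, 20]))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp + payload

def build_sample_pcap():
    """Constructed capture: FTP-DATA segments out of order, one retransmitted."""
    frames = [_frame(1006, b"world\n"), _frame(1000, b"hello "), _frame(1000, b"hello ")]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

if __name__ == "__main__":
    print(follow_stream_raw(build_sample_pcap(), 20, 50000))
```

The FTP-DATA connection carries only the file's bytes, so the file name has to come from the RETR or STOR command on the control connection, which is why step 5 asks you to type it in.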
