Comparison of tools that extract files from PCAP

One of the premier features in NetworkMiner is the ability to extract files from captured network traffic in PCAP files. NetworkMiner reassembles the file contents by parsing protocols that are used to transfer files across a network.

But there are other tools that also can extract files from PCAP files, such as Wireshark and Zeek. The file extraction support in these alternative solutions sometimes complement and sometimes overlap with that of NetworkMiner. Either way it is good that there are multiple tools that are designed to perform the same task. This allows us to compare the output from the different implementations, for example if the results from one tool seems strange or is suspected to be incorrect or incomplete.

Tools that can reassemble and extract files from network traffic or PCAP files:

• Chaosreader (hasn't been updated since 2014)
• NetworkMiner
• Suricata
• tcpflow (-e all)
• Wireshark's Export Objects
• Zeek's extract-all-files.zeek

All of these tools can extract files from HTTP and FTP, but when it comes to other protocols the support varies. The following table summarizes which protocols each tool supports:

I’ve been quite forgiving when compiling the table above. Tools are listed as supporting a protocol even if they only work under very specific conditions. I don’t want to name-and-shame any tool, but I strongly recommend that you verify the tools you’re using by comparing what they extract to one or two alternative tools. As an example, some tools only support a few specific commands for the protocol they claim to support. Additionally, some tools only support file extraction in one direction for protocols like HTTP or FTP, even though these protocols are regularly used to download as well as upload files.

Posted by Erik Hjelmvik on Monday, 05 May 2025 16:05:00 (UTC/GMT)

Tags: #Extract​ #PCAP​ #NetworkMiner​ #Suricata​ #tcpflow​ #Wireshark​ #Zeek​ #FTP​ #HTTP​ #IEC-104​ #IMAP​ #LPD​ #LPR​ #njRAT​ #POP3​ #SMB​ #SMB2​ #SMTP​