How can I capture traffic with tcpdump and only save the full payload (application-layer data, no TCP/IP headers) in a raw binary format?


Solution

After capturing traffic and writing it to disk in the PCAP format, you can separate each flow into individual files using tcpflow and then run a file-carving tool such as foremost on the flow files, which can carve out specific file types from each stream. The following example will extract Windows PE files and PDFs from the flows:

$ tcpflow -r traffic.pcap -o flows/
$ cat flows/* > big.flow
$ foremost -t exe,pdf -i big.flow

Another tool that is capable of extracting common file types is tcpxtract:

$ tcpxtract --file traffic.pcap -o output/

Other tools include ChaosReader and Bro's File Analyzer.
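A minimal version of the first step above (what tcpflow does before any carving), as an added example that is not from the answer and not tcpflow's own code: it walks a classic pcap, discards the Ethernet, IP and TCP headers, and appends each segment's payload to a per-direction flow buffer. `tcp_payloads`, `_segment` and `sample_pcap` are hypothetical helpers; the capture is constructed inline so the script runs offline.

```python
import struct
from collections import defaultdict

def tcp_payloads(pcap: bytes) -> dict:
    """Return {(src, sport, dst, dport): payload} for a classic Ethernet pcap.
    Hypothetical helper: segments are appended in capture order, with no
    reassembly or retransmission handling; all headers are discarded."""
    magic, = struct.unpack_from("<I", pcap, 0)
    endian = "<" if magic == 0xA1B2C3D4 else ">"
    linktype, = struct.unpack_from(endian + "I", pcap, 20)
    if linktype != 1:                         # DLT_EN10MB
        raise ValueError("only Ethernet captures are handled")
    flows = defaultdict(bytearray)
    off = 24                                  # skip the 24-byte global header
    while off + 16 <= len(pcap):
        incl_len, = struct.unpack_from(endian + "I", pcap, off + 8)
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                          # not IPv4
        total_len, = struct.unpack_from("!H", frame, 16)
        ip = frame[14:14 + total_len]         # drops any Ethernet padding
        if ip[9] != 6:
            continue                          # not TCP
        tcp = ip[(ip[0] & 0x0F) * 4:]         # skip IHL*4 bytes of IP header
        if len(tcp) < 20:
            continue                          # truncated segment
        sport, dport = struct.unpack_from("!HH", tcp, 0)
        key = (".".join(map(str, ip[12:16])), sport,
               ".".join(map(str, ip[16:20])), dport)
        payload = tcp[(tcp[12] >> 4) * 4:]    # data offset*4 bytes of TCP header
        if payload:
            flows[key] += payload             # payload only, no headers
    return dict(flows)

def _segment(src, sport, dst, dport, data):
    """Constructed Ethernet/IPv4/TCP frame; checksums left zero (not parsed)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0) + data
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split(".")))) + tcp
    return b"\x00" * 12 + b"\x08\x00" + ip

def sample_pcap() -> bytes:
    """Constructed three-segment HTTP exchange wrapped in a little-endian pcap."""
    frames = [_segment("10.0.0.1", 40000, "10.0.0.2", 80, b"GET / HTTP/1.1\r\n"),
              _segment("10.0.0.1", 40000, "10.0.0.2", 80, b"Host: example\r\n\r\n"),
              _segment("10.0.0.2", 80, "10.0.0.1", 40000, b"HTTP/1.1 200 OK\r\n\r\nhi")]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", i, 0, len(f), len(f)) + f  # ts_sec, ts_usec, incl, orig
    return out
```

Each value in the returned dict is the raw bytes you would write to a per-flow file and hand to a carver such as foremost.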

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow