Plaintext Files

Export Files

Export 5 file types from captures
2 min |  Ross Jacobs |  July 7, 2019

Quicklinks: Wireshark Docs | Code: export_object.c

You must have tshark 2.4.0 or higher to use the --export-objects flag.

Export Functionality

Some packet captures contain files in transit. Wireshark can extract several of these types. As of v3.0.0, Wireshark can extract these protocols:

  • dicom: medical image
  • http: web document
  • imf: email contents
  • smb: Windows network share file
  • tftp: Unsecured file

To do this in tshark, run tshark -r ${file} --export-objects ${protocol},${path} (in the Wireshark GUI: File > Export Objects). If you want to extract files from a TLS-encrypted capture, you must decrypt it first.

Example: Capture HTTP object in transit

To get a pcap containing a file, start a capture and then open a webpage. In this example we will be using an unencrypted (plain HTTP) website to avoid the need to decrypt.

1. Setup environment

These variables are arbitrary and included for readability.

cd $dest_dir

2. Start capture and curl website

If you cannot extract the files because of a slow connection, increase the capture duration and sleep timers so that $download_program has enough time to finish.

curl is used because it writes the site's HTML to stdout natively; that saved copy is used later to verify the extracted file.

# -Q: quiet (no packet output); -a duration:5: stop after 5 seconds; & runs it in the background
tshark -Q -a duration:5 -w $pcap_file &
# fetch the page while the capture runs and keep the HTML for the later comparison
curl $website > $html_file

Firefox can be used instead if you want to see all of the available files. For some websites this will include JSON, scripts, media and other files. For this website, the initial HTML uses JavaScript to redirect to the final destination; Firefox will fetch this second HTML file as well, and the exported copy will be called online.

On macOS, you may need to first kill other Firefox instances with killall firefox before headless Firefox will start.

# capture in the background for 5 seconds (without the trailing & the next line would not run until the capture ends)
tshark -Q -a duration:5 -w $pcap_file &
# start headless Firefox in the background and remember its PID
firefox --headless $website & ffpid=$!
# give the page time to load and redirect, then stop Firefox
sleep 5 && kill -9 $ffpid

Extract HTML file

To extract a file, read in the capture with -r, use the --export-objects flag and specify the protocol and the directory to save the files to. Without -Q, tshark will also print packet summaries to stdout while it is exporting objects.

tshark -Q -r $pcap_file --export-objects $protocol,$dest_dir

Note that --export-objects can be shortened to any unambiguous prefix down to --ex (so --export-object is also valid).

Verify results (curl only)

If you used curl to download the file, you will now have at least two files: neverssl.html (saved by curl) and %2f (extracted by tshark). If the extraction was successful, diff neverssl.html '%2f' will print nothing.
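The capture, export and verify steps above, collected into reusable shell functions as an added example (this is not code from the original article; the function names, the output-file names and the 5 second timings are assumptions):

```shell
#!/bin/sh
# Added example (not from the original article) for the capture/export/verify
# workflow above. Assumes tshark >= 2.4 and curl on PATH and an unencrypted HTTP site.

# Protocols tshark 3.0 can export objects from (list taken from this page).
EXPORTABLE_PROTOCOLS="dicom http imf smb tftp"

# Return 0 if protocol $1 is one tshark can export objects for.
is_exportable() {
    for p in $EXPORTABLE_PROTOCOLS; do
        [ "$p" = "$1" ] && return 0
    done
    return 1
}

# Print the export command for protocol $1, output dir $2, capture file $3.
export_cmd() {
    is_exportable "$1" || { echo "unsupported protocol: $1" >&2; return 1; }
    printf 'tshark -Q -r %s --export-objects %s,%s\n' "$3" "$1" "$2"
}

# Compare the curl-saved HTML ($1) with the exported object ($2).
# tshark names an exported HTTP object after its request path, so the
# root document "/" lands in the output directory as "%2f".
# Returns 0 on match, 1 on content mismatch, 2 if nothing was exported.
verify_export() {
    [ -f "$2" ] || { echo "exported object $2 missing" >&2; return 2; }
    if cmp -s "$1" "$2"; then
        echo "match: $1 == $2"
        return 0
    fi
    echo "MISMATCH: $1 differs from $2" >&2
    return 1
}

# Full run: capture for 5 s while curl fetches $1, then export into $2 and verify.
# Needs a real interface, tshark and curl; only exercised by an actual run.
run_export() {
    website=$1; dest_dir=$2
    pcap_file=$dest_dir/capture.pcap
    html_file=$dest_dir/page.html
    mkdir -p "$dest_dir"
    tshark -Q -a duration:5 -w "$pcap_file" &
    sleep 1                              # let tshark start listening
    curl -s "$website" > "$html_file"
    wait                                 # capture ends after 5 s
    sh -c "$(export_cmd http "$dest_dir" "$pcap_file")"
    verify_export "$html_file" "$dest_dir/%2f"
}
```

Call run_export with the site URL and an output directory; a non-zero exit from verify_export means the exported %2f object does not match what curl saved.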

Further Reading