Wireshark-users: Re: [Wireshark-users] Extracting files from pcap
Yes, one-by-one seems to work fine for me too - thanks.
Now, on large pcap files one-by-one will be quite tedious.  Do you (or anyone) know what programs are out there to automate extraction of various files from a pcap?  I have used Network Miner and it works quite well on pcap files of moderate size.  Is this the best tool, or are there other alternatives out there?

--- On Sun, 10/12/08, [email protected] <[email protected]> wrote:
From: [email protected] <[email protected]>
Subject: Re: [Wireshark-users] Extracting files from pcap
To: [email protected], "Community support list for Wireshark" <[email protected]>
Date: Sunday, October 12, 2008, 1:03 PM

Hi Jim,

In my experience you better save the items one by one (Save As in stead of
Save All).
Most of the times there are a lot of "/" or "?" and you can
not use these
for filenames.


>-- Oorspronkelijk bericht --
>Date: Sun, 12 Oct 2008 12:41:56 -0700 (PDT)
>From: Jim Balo <[email protected]>
>To: Community support list for Wireshark
<[email protected]>,
>	Abhik Sarkar <[email protected]>
>Subject: Re: [Wireshark-users] Extracting files from pcap
>Reply-To: [email protected],
>	Community support list for Wireshark <[email protected]>
>Thanks for the reply.
>I tried this, but Wireshark just hung when trying "Save All"
(been sitting
>there for 30 minutes now. The pcap is small - only 90K).? I'll try
>only select objects, etc. later and see if that works better.? Have you
>using it w/o problems?
>If the file is transferred using HTTP, you could try File > Export >
>Objects > HTTP.
>On Sun, Oct 12, 2008 at 8:57 AM, Jim Balo <[email protected]>
>> Hi,
>> I am trying to learn how to extract transferred files from pcap dumps.
>> I have a pcap file with an http data transfer that is gzip-encoded
>> ("Accept-encoding: gzip,deflate" in the http header).  I
>selecting and
>> exporting the data portion of the two packages that seemed to be part
>> this transfer and then concatenate them, but when I try to gunzip it,
>> "unexpected end of file."  Using Network Miner, the file
>just fine.
>> I would like to learn how to do this using only Wireshark - does
>Wireshark-users mailing list
>[email protected]