You can pull files directly out of packet captures using Wireshark’s "Export Objects" feature, and it’s surprisingly versatile for both HTTP and SMB traffic.
Let’s see it in action. Imagine you’ve captured some network traffic where a file was downloaded over HTTP. You’ve got the .pcap file, and you want that file back.
First, open your capture file in Wireshark. Then, go to File -> Export Objects -> HTTP....
A new window pops up, listing all the objects Wireshark found that were transferred over HTTP. You’ll see a list of files, their sizes, and their types.
+------------------------------------------------------+
| Export HTTP Objects                                  |
+------------------------------------------------------+
| Object List                                          |
| [ ] my_document.pdf (123456 bytes)                   |
| [ ] image.jpg (87654 bytes)                          |
| [ ] script.js (4567 bytes)                           |
|                                                      |
| [Select All] [Deselect All] [Export Selected] [Close]|
+------------------------------------------------------+
Click Select All (or select individual items), then click Export Selected. Wireshark will ask you where to save the files. Choose a directory, and boom – the files are extracted.
This works because HTTP, at its core, is a request-response protocol. When a client requests a file, the server sends it back as the body of an HTTP response. Wireshark can dissect these responses, identify the content type and size, and reassemble the data into its original form.
The same principle applies to SMB (Server Message Block), the protocol Windows uses for file sharing. If you’ve captured traffic where files were copied or accessed over SMB, you can extract them too.
Go to File -> Export Objects -> SMB....
You’ll see a similar list, but this time for SMB objects. It might list things like DOCUMENTS\report.docx or SHARED\config.ini.
+-------------------------------------------------------+
| Export SMB Objects                                    |
+-------------------------------------------------------+
| Object List                                           |
| [ ] \\SERVER\SHARE\documents\report.docx (56789 bytes)|
| [ ] \\SERVER\SHARE\images\logo.png (9876 bytes)       |
|                                                       |
| [Select All] [Deselect All] [Export Selected] [Close] |
+-------------------------------------------------------+
Again, select the files you want and click Export Selected. Wireshark reconstructs the file data from the SMB packets.
The magic behind SMB extraction is Wireshark’s ability to understand the SMB protocol’s commands for file operations. When it sees packets indicating a file read or write, it can piece together the data chunks being sent between the client and server.
This isn’t just for obvious file downloads. It works for embedded objects in web pages, scripts, and even configuration files accessed over SMB. If Wireshark can identify the data stream as a distinct object being transferred, it can likely export it.
What many people don’t realize is that Wireshark can often reconstruct files even when the capture is fragmented or some packets are missing, as long as it has enough contiguous data for the object. It relies on the Content-Length header in HTTP, or the file size information carried in SMB commands, to know when an object is complete. If those values are present and correct, Wireshark does a remarkable job of reassembly.
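To make the mechanism described above concrete, here is an added example (not code from the original post or from Wireshark) that re-implements the two steps an exporter performs for an HTTP object: order TCP segments by sequence number into a contiguous byte stream, then use the Content-Length header to cut out the body and decide whether it is complete. The TCP segments and the HTTP response are constructed inline; the function names and the 64-byte "file" are my own choices. The second demo drops one segment to show what "missing packets" looks like to the reassembler: the object is still recovered, but flagged as incomplete rather than silently truncated.

```python
"""Toy HTTP object reassembly, the way an exporter like Wireshark's has to do it.

Constructed sample input: one HTTP response split into TCP segments that
arrive out of order, and a second copy with one segment never captured.
"""
import hashlib


def reassemble_stream(segments):
    """Order (seq, payload) TCP segments and return the contiguous prefix.

    Stops at the first gap in sequence numbers, which is what a dissector must
    do when a segment was not captured; retransmitted/overlapping bytes are
    dropped so each offset is written once.
    """
    stream = bytearray()
    expected = None
    for seq, payload in sorted(segments):
        if expected is None:
            expected = seq
        if seq > expected:
            break                       # gap: a segment is missing
        if seq < expected:              # overlap: keep only the new bytes
            payload = payload[expected - seq:]
        stream += payload
        expected += len(payload)
    return bytes(stream)


def extract_http_object(stream):
    """Split a reassembled response into headers and body.

    Content-Length tells the exporter how many body bytes make up the object;
    if fewer were captured, the object is reported as incomplete.
    """
    head, sep, body = stream.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("end of HTTP headers not found in stream")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode()
    declared = int(headers.get("content-length", len(body)))
    body = body[:declared]              # ignore anything after the object
    return {
        "status": lines[0].decode("ascii", "replace"),
        "content_type": headers.get("content-type", "application/octet-stream"),
        "declared_length": declared,
        "captured_length": len(body),
        "complete": len(body) == declared,
        "sha256": hashlib.sha256(body).hexdigest(),  # handy for triage
        "body": body,
    }


# Constructed sample: a 64-byte "file" served with a matching Content-Length.
FILE_BODY = bytes(range(64))
RESPONSE = (b"HTTP/1.1 200 OK\r\n"
            b"Content-Type: application/octet-stream\r\n"
            b"Content-Length: 64\r\n\r\n" + FILE_BODY)


def split_into_segments(data, size, start_seq=1000):
    """Cut the response into fixed-size TCP segments with fake sequence numbers."""
    return [(start_seq + i, data[i:i + size]) for i in range(0, len(data), size)]


def demo_complete():
    """All segments captured, but delivered in reverse order."""
    segs = split_into_segments(RESPONSE, 40)
    segs.reverse()
    return extract_http_object(reassemble_stream(segs))


def demo_missing_segment():
    """The third segment (part of the body) was never captured."""
    segs = split_into_segments(RESPONSE, 40)
    del segs[2]
    return extract_http_object(reassemble_stream(segs))


if __name__ == "__main__":
    for name, result in (("complete", demo_complete()),
                         ("missing", demo_missing_segment())):
        print(name, result["captured_length"], "/", result["declared_length"],
              "complete" if result["complete"] else "INCOMPLETE", result["sha256"])
```

The same idea carries over to the SMB case described earlier, except that the chunks are read or write responses keyed by file offset rather than TCP segments keyed by sequence number, and the declared size comes from the SMB file metadata instead of a Content-Length header.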
The next hurdle is often dealing with encrypted traffic, as Wireshark can only export unencrypted objects.