Thursday, March 26, 2009

File Carving pcap files.

In a recent rage of boredom I decided to do some messing around with my network (MY NETWORK). I booted backtrack 3, connected to my wireless router, opened ettercap to perform an arp-poison, opened driftnet to capture images, and started wireshark to monitor packets in real-time.

As I watched the traffic while I surfed the web I decided to see if I could get the files out of the pcap file afterwards. As I searched the net I found some articles in "File Carving". Most of them where on using the program "foremost" so I gave it a try. To my amazement foremost had created several neatly organized folders and placed in them files by extension. This was cool!

Sadly all my images seamed to be corrupted, so I began my search again. After some time I figured what they heck and stopped in to the remote-exploit irc channel. I asked if there was a way to extract files from my pcap files and was told to check out "chaosreader". That was all the information I needed. After typing chaosreader -h into the console I read through the examples and gave it a try.

Fantastic! it worked perfectly. All my images where viewable. The downside was some of the files where named funky but after viewing the index.html and images.html I quickly found out what was what.

After some more testing and reading I found that larger pcap files could not be processed by chaosreader due to my 1gig of ram. One article stated that chaosreader could use 5 times the ram as the file size. So my 100mb cap file would need 500mb of ram to process plus more ram to create files and run my OS. So I used the file splitter option built into wireshark to make smaller files.

As further tests I downloaded a zip file I created and watched a movie. To my surprise (somewhat) I was able to extract my zip file and the video I had watched. Which kind of begs the question why do online video services spend so much on protecting their videos when all someone needs to do is capture the stream and extract the video? Lucky for me I watched a free video from a public domain site. :)

Eventually I would like to test this with other data streams, such as audio and maybe try it out with xbox live audio chat. I don't see much reason why it would not work but it gives me something to do.



  1. A great tool to extract and reassemble files sent with HTTP, FTP, TFTP or SMB is Network Miner

    Just open a pcap file and all transfered files are extracted to the "Files" tab in NetworkMiner. There is also a driftnet-like functionality under the "Images" tab that show all images that are transfered with any of these protocols.

    NetworkMiner is available here:

  2. Hi Jei,

    Did you ever get anywhere with carving xbox live audio chat or text chat out of pcaps? I'm also interested in recording VoIP convos from my XBox and think that capturing packets for later reconstruction might be a good way to do it.


  3. Unfortunately we ended our xbox live account shortly after this blog due to moving. But I have seen a lot of VoIP based carving. Chat messages are fairly easy to do when using something like foremost as it will try to extract all text strings. The best way I have found is either opening the file in wireshark and setting the filter to the chat protocol such as "MSNMSG" or something close to that. Also using tcpreplay has allowed me to do live re-captures of certain packets in other applications. For example there are a few windows only programs for instant messenger sniffing, so I can replay the packets from linux into an interface connected to a hub and the windows machine (plugged into the same hub) will pick up on the conversations. With any luck later this year I will get a chance to do more playing around. Check out for videos on VoIP and other network items. His site is a bit old school, but his videos are top notch.