'Packet CAPture Forensic Evidence eXtractor Plus' is a tool that finds and extracts files, emails, etc. from packet capture files.
It was developed based on pcapfex
The power of pcapfex lies in it's ease of use. You only provide it a pcap-file and are rewarded a structured export of all files found in it. pcacpfex allows data extraction even if non-standard protocols were used. It's easy to understand plugin-system offers python developers a quick way to add more file-types, encodings or even complex protocols.
pcapfexPlus was developed and tested for Linux environments only. Due to missing optimizations and tests, there is no guarantee for it to work under Windows (though it should work).
pcapfexPlus depends on Python 2.7 and the dpkt,regex package. You can install them via
sudo pip install dpkt
sudo pip install regex
To analyze a pcap-file samplefile.pcap
just use
pcapfex.py samplefile.pcap
For more detailed usage information see
pcapfex.py -h
Please make sure to use the -nv
flag, if the machine
that captured the traffic was sending data as well. This will
circumvent wrong checksums stored in the pcap-file caused by
TCP-Checksum-Offloading.