'Packet CAPture Forensic Evidence eXtractor Plus' is a tool that finds and extracts files, emails, etc. from packet capture files.

It was developed based on pcapfex

The power of pcapfex lies in it's ease of use. You only provide it a pcap-file and are rewarded a structured export of all files found in it. pcacpfex allows data extraction even if non-standard protocols were used. It's easy to understand plugin-system offers python developers a quick way to add more file-types, encodings or even complex protocols.

pcapfexPlus was developed and tested for Linux environments only. Due to missing optimizations and tests, there is no guarantee for it to work under Windows (though it should work).

pcapfexPlus depends on Python 2.7 and the dpkt,regex package. You can install them via

sudo pip install dpkt

sudo pip install regex

To analyze a pcap-file samplefile.pcap just use

pcapfex.py samplefile.pcap

For more detailed usage information see

pcapfex.py -h

Please make sure to use the -nv flag, if the machine that captured the traffic was sending data as well. This will circumvent wrong checksums stored in the pcap-file caused by TCP-Checksum-Offloading.