Most networkers are familiar with the basic capabilities available in Wireshark. Packet captures are very helpful when troubleshooting a host of network problems. One feature folks may be less familiar with in Wireshark is its ability to actually save files that were carried in the traffic you captured.
To get started, capture some traffic. I would suggest using a capture filter to limit what you actually get. On Linux systems I like to use tcpdump to capture since it's fairly easy to use and included in most installations by default. If you're looking for HTTP or FTP traffic, filter accordingly. Filtering on specific IP addresses can also help limit the amount of traffic you end up with.
Once you have the capture file, open it in Wireshark if it isn't already. You can use display filters to narrow the results further if you need to. If you are exporting from an HTTP stream, make sure the capture contains both the "GET" request and the response for the file you are interested in. Next, open the "File" menu, go to "Export", then "Objects", and select the protocol that was used to transport the data.
A window will open listing all of the files available to export. Select the one you are after, choose "Save As", give the file a name (or keep the default) and save.
That's really all there is to it. I have tested this with text, PDF, JPG and many other common file types; it works as long as no packets are missing from the capture. As a final note, be sure to use this knowledge responsibly!
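To show what Export Objects is doing under the hood, and why missing packets matter, here is an added Python example that is not part of the original post. It assumes you already have the reassembled bytes of one HTTP request and its response (Wireshark does the TCP reassembly for you before the export dialog); the request, response and file body are constructed inline for the demonstration. It carves the body out of the response, names it from the request path the way the export window does, checks the received bytes against Content-Length so a file damaged by packet loss is flagged rather than silently saved short, and records a SHA-256 of what was extracted.

```python
import hashlib
from dataclasses import dataclass
from pathlib import Path
from typing import Optional

# Constructed sample of one reassembled HTTP exchange (not taken from a real capture).
SAMPLE_REQUEST = (
    b"GET /downloads/notes.txt?session=abc HTTP/1.1\r\n"
    b"Host: files.example\r\n"
    b"\r\n"
)
SAMPLE_BODY = b"These are the exported notes"  # 28 bytes
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/plain\r\n"
    b"Content-Length: 28\r\n"
    b"\r\n" + SAMPLE_BODY
)
# The same response with its last 10 bytes lost, as happens when packets are missing.
TRUNCATED_RESPONSE = SAMPLE_RESPONSE[:-10]


@dataclass
class HttpObject:
    filename: str
    content_type: str
    declared_length: Optional[int]
    data: bytes
    complete: bool
    sha256: str


def filename_from_request(request: bytes) -> str:
    """Derive an export name from the request line (last path segment, query dropped)."""
    request_line = request.split(b"\r\n", 1)[0]
    parts = request_line.split(b" ")
    if len(parts) < 2:
        return "unnamed"
    path = parts[1].split(b"?", 1)[0]
    name = path.rsplit(b"/", 1)[-1]
    return name.decode("latin-1") or "index.html"


def extract_object(request: bytes, response: bytes) -> HttpObject:
    """Carve the body out of a reassembled HTTP response and check it is whole.

    Only Content-Length delimited bodies are length-checked here; chunked
    transfer encoding is not handled in this example.
    """
    header_end = response.find(b"\r\n\r\n")
    if header_end < 0:
        raise ValueError("response header block is incomplete")
    header_block = response[:header_end].decode("latin-1")
    body = response[header_end + 4:]

    content_type = "application/octet-stream"
    declared_length: Optional[int] = None
    for line in header_block.split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        key = name.strip().lower()
        if key == "content-type":
            content_type = value.strip()
        elif key == "content-length":
            declared_length = int(value.strip())

    if declared_length is None:
        complete = True  # close-delimited body: nothing to compare against
    else:
        complete = len(body) >= declared_length
        body = body[:declared_length]

    return HttpObject(
        filename=filename_from_request(request),
        content_type=content_type,
        declared_length=declared_length,
        data=body,
        complete=complete,
        sha256=hashlib.sha256(body).hexdigest(),
    )


def save_object(obj: HttpObject, directory: str = ".", allow_partial: bool = False) -> Path:
    """Write the carved object to disk; refuse incomplete files unless told otherwise."""
    if not obj.complete and not allow_partial:
        raise ValueError(f"{obj.filename}: only {len(obj.data)} of {obj.declared_length} bytes captured")
    target = Path(directory) / obj.filename
    target.write_bytes(obj.data)
    return target


if __name__ == "__main__":
    for label, resp in (("full", SAMPLE_RESPONSE), ("truncated", TRUNCATED_RESPONSE)):
        obj = extract_object(SAMPLE_REQUEST, resp)
        print(f"{label}: {obj.filename} {obj.content_type} "
              f"{len(obj.data)}/{obj.declared_length} bytes complete={obj.complete} sha256={obj.sha256}")
```

The hash is worth keeping alongside the saved file: it lets you match the carved object against known-bad indicators or confirm later that the copy on disk is the one seen on the wire. For doing the same export without the GUI, tshark offers the equivalent `--export-objects http,<directory>` option.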