Extract All Files from .pcap

SFD · February 27, 2023, 6:15am

Hello all,

When I asked ChatGPT to find out which file types were extracted, I saw that files such as portable *
executable files, office documents, pdf documents, archives, javascript files, html files, images, audio and video files can be obtained when configured with the appropriate file extraction policy.

In directory which is /opt/zeek/share/zeek/policy/frameworks/files, there is a zeek file extract-all-files.zeek. Could all content be extracted from the pcap file to be used, or is a config file required for each file type?

How can I find a solution about that?

Christian · February 28, 2023, 2:25am

Hi there,

The extract-all-files.zeek script is a very basic setup for extracting any file Zeek encounters to disk, with minimal polish. I suggest you try it out to see what it does. For more details, take a look at our documentation, and for an off-the-shelf solution for configurable file extraction, take a look at this Zeek package.

Best,
Christian

Topic		Replies	Views
Extract files from pcap Zeek	2	237	May 9, 2023
Question on using dir.zeek Zeek	1	152	June 16, 2023
Exfiltration of data Zeek	2	84	May 6, 2022
Try.zeek and local zeek6.0.1 : missing entries Zeek logging	2	203	September 19, 2023
Tracking PCAP file sources? Zeek	1	94	May 6, 2022

Extract All Files from .pcap

Related Topics