- extract file from SMB2

antwerp_log · June 13, 2021, 8:36am

Hi everyone

I have a pcap recording of a SMB2 file transfer to a network share.
In wireshark I can extract the transferred file, whilst in Zeek the file is not extracted.

I am using zeek 3.0 with extract-all-files.zeek script loaded.
Loading dump-events shows that no new_file event is raised.

Any idea what can be the cause of this?

Command line format :
zeek -Cr /tmp/file.pcap local -e “@load /usr/local/share/zeek/policy/misc/dump-events.zeek” -e “@load /usr/local/share/zeek/policy/frameworks/files/extract-all-files.zeek”

Thank you !
Ant

Vlad_Grigorescu · June 14, 2021, 1:09pm

Can you share the PCAP?

BTW, it’s a bit easier to run Zeek as follows:

zeek -Cr /tmp/file.pcap local misc/dump-events frameworks/files/extract-all-files

Topic		Replies	Views
not extracting file transmitted via smb2 Zeek	2	108	May 6, 2022
Extract Specific File Types (Not All Files) Zeek	4	479	May 11, 2023
- HTTP extract files from wget Zeek	2	106	May 6, 2022
Analysing PCAPNG files from Wireshark traffic captured with Zeek or Spicy Zeek	6	749	April 11, 2023
File extraction package Zeek	4	115	May 6, 2022

- extract file from SMB2

Related Topics