- extract file from SMB2

antwerp_log · June 13, 2021, 8:36am

Hi everyone

I have a pcap recording of a SMB2 file transfer to a network share.
In wireshark I can extract the transferred file, whilst in Zeek the file is not extracted.

I am using zeek 3.0 with extract-all-files.zeek script loaded.
Loading dump-events shows that no new_file event is raised.

Any idea what can be the cause of this?

Command line format :
zeek -Cr /tmp/file.pcap local -e “@load /usr/local/share/zeek/policy/misc/dump-events.zeek” -e “@load /usr/local/share/zeek/policy/frameworks/files/extract-all-files.zeek”

Thank you !
Ant

Vlad_Grigorescu · June 14, 2021, 1:09pm

Can you share the PCAP?

BTW, it’s a bit easier to run Zeek as follows:

zeek -Cr /tmp/file.pcap local misc/dump-events frameworks/files/extract-all-files

Topic		Replies	Views
not extracting file transmitted via smb2 Zeek	2	139	May 6, 2022
Extract files from pcap Zeek	2	495	May 9, 2023
Extract All Files from .pcap Zeek	1	416	February 28, 2023
Extract Specific File Types (Not All Files) Zeek	4	724	May 11, 2023
Incomplete/Unreadable Image extraction Zeek	1	13	December 11, 2024

- extract file from SMB2

Related topics