Hello, I am using Zeek to analyze some PCAP files. I used extract-all-files script to extract all the files, and corresponding metadata (files.log) and other logs. However, most of the image files (jpeg, pngs) extracted by the script are incomplete. A small part of the image is visible and the rest is blank, as if the image hasn’t loaded. Also, many images are unreadable/unloadable by usual image viewers. I assumed that the packets were either missing or corrupted during capture. But, when I used Wireshark/tshark for sanity check, the same image files were saved to the disk in complete form, although a few of the incomplete image files extracted by Zeek were not extracted by Wireshark/tshark. I would like to know if there are some options or flags I need to enable to extract and save complete image files using Zeek extract-all-files. I would greatly appreciate any advice on path forward. Thank you very much for your time!
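One way to tell whether the truncated images come from gaps in what Zeek saw on the wire or from the extraction size limit is to read the `seen_bytes`, `total_bytes`, `missing_bytes` and `extracted_cutoff` columns that Zeek's `files.log` already carries. The script below is an added example written for this thread, not code from Zeek or from either poster; the trimmed `files.log` it parses is constructed here, with only a subset of the real columns, and the parser keys on the `#fields` header so column order does not matter.

```python
# Added example: classify entries of a Zeek files.log as complete, seen with
# gaps on the wire (missing_bytes > 0), shorter than the announced size
# (seen_bytes < total_bytes), or cut off by the extraction size limit
# (extracted_cutoff == T). Not Zeek project code.
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample, trimmed to the columns the check needs. Real files.log
# output has more columns; the parser below reads names from "#fields".
SAMPLE_FILES_LOG = """\
#separator \\x09
#set_separator\t,
#empty_field\t(empty)
#unset_field\t-
#path\tfiles
#fields\tts\tfuid\tsource\tmime_type\tfilename\tseen_bytes\ttotal_bytes\tmissing_bytes\toverflow_bytes\textracted\textracted_cutoff\textracted_size
1700000000.100000\tFa1b2c3d4e5f\tHTTP\timage/jpeg\tlogo.jpg\t48213\t48213\t0\t0\textract-HTTP-Fa1b2c3d4e5f.jpg\tF\t48213
1700000000.200000\tFb2c3d4e5f6a\tHTTP\timage/png\tbanner.png\t9120\t120500\t111380\t0\textract-HTTP-Fb2c3d4e5f6a.png\tF\t120500
1700000000.300000\tFc3d4e5f6a7b\tHTTP\timage/jpeg\tphoto.jpg\t2000000\t2000000\t0\t0\textract-HTTP-Fc3d4e5f6a7b.jpg\tT\t1000000
1700000000.400000\tFd4e5f6a7b8c\tHTTP\ttext/html\t-\t512\t4096\t3584\t0\textract-HTTP-Fd4e5f6a7b8c.html\tF\t4096
1700000000.500000\tFe5f6a7b8c9d\tHTTP\timage/gif\tspacer.gif\t300\t-\t0\t0\textract-HTTP-Fe5f6a7b8c9d.gif\tF\t300
#close\t2023-11-14-22-13-20
"""


@dataclass
class FileStatus:
    fuid: str
    mime_type: str
    filename: str
    seen_bytes: int
    total_bytes: Optional[int]   # None when Zeek could not learn the size
    missing_bytes: int
    extracted: str
    cutoff: bool
    extracted_size: Optional[int]

    def verdict(self) -> str:
        # Order matters: a cutoff explains the truncation on its own.
        if self.cutoff:
            return "cutoff"
        if self.missing_bytes > 0:
            return "gaps"
        if self.total_bytes is not None and self.seen_bytes < self.total_bytes:
            return "short"
        return "complete"


def _count(value: str) -> Optional[int]:
    # "-" is Zeek's marker for an unset field.
    return None if value == "-" else int(value)


def parse_files_log(text: str) -> List[FileStatus]:
    """Parse a tab-separated Zeek files.log, using its #fields header."""
    fields: Optional[List[str]] = None
    rows: List[FileStatus] = []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if not line or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("data row before #fields header")
        rec = dict(zip(fields, line.split("\t")))
        rows.append(FileStatus(
            fuid=rec["fuid"],
            mime_type=rec.get("mime_type", "-"),
            filename=rec.get("filename", "-"),
            seen_bytes=int(rec["seen_bytes"]),
            total_bytes=_count(rec["total_bytes"]),
            missing_bytes=int(rec["missing_bytes"]),
            extracted=rec["extracted"],
            cutoff=rec["extracted_cutoff"] == "T",
            extracted_size=_count(rec["extracted_size"]),
        ))
    return rows


def incomplete_extractions(text: str,
                           mime_prefix: Optional[str] = "image/") -> Dict[str, str]:
    """Map fuid -> reason for every non-complete file, optionally by MIME type."""
    return {
        f.fuid: f.verdict()
        for f in parse_files_log(text)
        if f.verdict() != "complete"
        and (mime_prefix is None or f.mime_type.startswith(mime_prefix))
    }


if __name__ == "__main__":
    for fuid, why in incomplete_extractions(SAMPLE_FILES_LOG).items():
        print(f"{fuid}: {why}")
```

A `gaps` verdict means Zeek itself reported bytes it never saw for that file, so the extracted copy is written with holes rather than as a contiguous download, which matches an image that renders only partially; pairing those `fuid`s with their `conn.log` entries (as the reply below asks for) shows whether the underlying connection also recorded missed data. A `cutoff` verdict points at the extraction size limit instead of the capture.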
Hello @pkgurram,
Would you be able to share a few pcaps with such artifacts? Preferably prepared via tcpdump such that it only contains the image transfer.
If you cannot, could you provide the corresponding conn.log entries for the connections over which the files are transferred?
Thanks,
Arne