The Oldcommguy

Wireshark - How to Export SMB2 Objects


Wireshark is an amazing feature-rich tool. It is filled with things that make the life of a Packet Detective, like me, easier. One of my favorites is file exporting. Whether you need to compare content as it passed the capture point with the user experience, or you are hunting for malicious content, exporting gives a vital clue to an investigation.

This article is an update from one written by Joke Snelders in 2015. I'll be using Wireshark 3.0rc2. Download the latest version of Wireshark here.

There are a few preferences that need to be checked first when exporting a file transported via SMB or SMB2:

  • TCP - Allow subdissectors to reassemble

  • SMB - Use the full file name as file id when exporting an SMB object

  • SMB2 - Use the full file name as file id when exporting an SMB2 object

Feel free to download an SMB profile to make things easier. Instructions and file are here.

Exporting files can be done during a live capture, or you can use the trace file shown in this post. The file has a .gz.zip extension. It had to be zipped for the web page link, but it was saved as a gz file in Wireshark. Only unzip it; un-gzipping is not needed, because the gz file can be opened unchanged in Wireshark. Just go with me on that one :).

Step 1:

Open the SMB2 file referenced above, or capture your own machine downloading a file from a Windows server. If you are capturing live, use smb2.filename == "yourfolder\\yourfolder\\yourfolder\\yourfilename.pdf" to confirm you have captured the file transfer.

Step 2:

Go to: File | Export Objects | SMB

Notice there are a few others that you can export. DICOM is an especially scary thing, since that is the protocol used to transfer X-Ray and MRI data.

The dialog box below will display. It will list all of the files and their size. Use the Text Filter if you downloaded more files than you expected.

Since you cannot pick several files selectively, it's one or all, so choose Save All.

Locate the folder where you want the files. The button to click is "Open" rather than "OK", because you are selecting a folder rather than a file.

Now you're done.

Giant caveat: If the file is infected and you open it, you will be infected. Proceed with great caution to the next step.

Use Finder or Windows Explorer to preview the file. Two steps and you are in the user's shoes.
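Given the caveat above, the exported files can be triaged before anyone previews them. The script below is an added example, not part of the original article or of Wireshark: it reads each exported file as raw bytes only, records its size and SHA-256, and flags files whose leading bytes do not match the extension in the file name. The magic-byte and extension tables are a small constructed set chosen for illustration.

```python
import hashlib
import sys
from pathlib import Path

# Leading bytes of a few common formats (constructed table, not exhaustive).
MAGIC = {
    b"%PDF-": "pdf",
    b"MZ": "pe-executable",
    b"\x7fELF": "elf-executable",
    b"PK\x03\x04": "zip-or-ooxml",
    b"\xd0\xcf\x11\xe0": "ole2-office",
}
# Extensions each detected type is normally seen with (assumption for this example).
EXPECTED = {
    "pdf": {".pdf"},
    "pe-executable": {".exe", ".dll", ".sys"},
    "elf-executable": {"", ".so"},
    "zip-or-ooxml": {".zip", ".docx", ".xlsx", ".pptx"},
    "ole2-office": {".doc", ".xls", ".ppt", ".msi"},
}

def sniff(head: bytes) -> str:
    """Classify a file by its first bytes."""
    for magic, kind in MAGIC.items():
        if head.startswith(magic):
            return kind
    return "unknown"

def triage(export_dir):
    """One record per exported file; bytes are read, never rendered or executed."""
    records = []
    for path in sorted(Path(export_dir).iterdir()):
        if not path.is_file():
            continue
        data = path.read_bytes()
        kind = sniff(data[:8])
        records.append({
            "name": path.name,
            "size": len(data),
            "sha256": hashlib.sha256(data).hexdigest(),
            "type": kind,
            # Content that contradicts the name deserves a closer look first.
            "mismatch": kind != "unknown" and path.suffix.lower() not in EXPECTED[kind],
        })
    return records

if __name__ == "__main__":
    for r in triage(sys.argv[1] if len(sys.argv) > 1 else "."):
        flag = "MISMATCH" if r["mismatch"] else "ok"
        print(f"{r['sha256']}  {r['size']:>10}  {r['type']:<15} {flag:<8} {r['name']}")
```

Run it against the folder chosen in the Export Objects dialog; the hashes can then be looked up or shared without the file itself ever being opened.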

Read more about SMB2 in Wireshark at https://wiki.wireshark.org/SMB2.

Author Profile - Betty DuBois is the Chief Detective for Packet Detectives, and has been solving mysteries since 1997. She troubleshoots the root cause of network and/or application issues. Experienced with a range of hardware and software solutions, she captures the right data, in the right place, and at the right time. Using packets to solve crimes against the network and applications is her passion. Teaching others how to do the same is her calling.
