Recreating PDF and EXE files from captured raw packets

Updated on 21st June 2018
By sumita
1 Minutes Read

As I am doing research on Wireshark since many days, a question popped into my mind – Can we find out which is the file been transferred and the size of this file? Can we recreate files which are being captured while they are transferred or downloaded from websites? I was pretty confident that if the traffic is plain (i.e. not encrypted) then YES, it should be possible to extract any files which are being transferred.

I started searching for websites which have PDF files and use HTTP protocol. Luckily, found many such websites and used one of them for Eg: I started the packet capture before opening the web page and downloading the PDF file present in it.

Opened the capture in Wireshark to analyse it. The packet was requesting PDF and received a 200 OK status.

The packet number 553 contained the reassembled packet.

Upon right-clicking this packet’s header selected Export Packet Bytes

Used ‘sample.pdf’ as file name while saving the file. Specified PDF as the file type


These steps are similar with EXE and ZIP files as well. While exporting the particular packet header, the file name and the file format extension must be specified accordingly.

Had a good experience doing this. The interesting part was we can extract all the files which were transferred or downloaded while capturing packets. Using Wireshark, open packet capture:

Inside file menu, click on ‘Export Objects’ and select HTTP

On clicking “Save All”, all the files which were in the packet capture are saved.

Sumita Narshetty
Sumita Narshetty
Security Researcher at QOS Technology

Leave a Reply

Your email address will not be published. Required fields are marked *

Learn Check Point, Red Team Skills, Wireshark, OSSIM, and Splunk from certified and top-rated security practitionersEnroll Now