Various protocols allow transferring files (e.g: HTTP, POP3) and some are made for the sole purpose of transferring files (FTP, SMB etc).
From a network security monitoring perspective, transferred files are interesting because they can contain malicious software or prohibited content.
Netcap extracts files from HTTP and saves them to disk, for both HTTP responses and HTTP requests.
It uses the File audit record type to model the extracted information.
Future versions will add file extraction support for other protocols as well.
File Audit Records
The audit record definition for a file looks like this:
As can be seen, the content type indicated by the HTTP header is included, as well as the content type that was detected. In addition, the source of the File is specified (e.g: from HTTP, Mail attachment etc), as well the identifier of the connection where it originated from.
The Hash field currently holds an MD5 hash of the file, Location points to the path on disk where the file is stored.
This will likely be replaced with a stronger hash function in the future.
To enable file capture, set the -fileStorage flag and supply a path to store the files to (will be created if it does not exist):
$ net capture -read traffic.pcap -fileStorage files
After capturing, lets inspect the directory contents: