Extracting Files from a tcpdump

Occasionally I have to analyze tcp-streams, and occasionally I came to a point where i had to extract files out of huge dumps. What I found during my last research about a year ago was not really usable - i hacked together a few lines of perl to extract exactly what i wanted - this didn't deliver exact files, but was enough to help me solve a problem.

Jim Clausing, one of the more practical guys over at ISC described the same problem recently and asked the readers of the ISC-Blog for software that is able to extract files from pcap-dump. People came out with a load of promising solutions:

* NetworkMiner http://networkminer.sourceforge.ne/

* tcpxtract http://tcpxtract.sourceforge.net/)

* bro http://www.bro-ids.org/

* tcpflow http://www.circlemud.org/~jelson/software/tcpflow/

* foremost http://foremost.sourceforge.net/

* dsniff http://www.monkey.org/~dugsong/dsniff/

* Chaosreader http://chaosreader.sourceforge.net/

* pyflag http://www.pyflag.net/cgi-bin/moin.cgi

* tcptrace http://www.tcptrace.org/

* tcpick http://tcpick.sourceforge.net/

* xtract.py http://www.malforge.com/npeid/xtract.py

Not all of them might do exactly what you want - but this is defintely the best overview on pcap-file-extractors I ever came across.