'Packet CAPture Forensic Evidence eXtractor' is a tool that finds and extracts files from packet capture files.

It was developed by Viktor Winkelmann as part of a bachelor thesis.

The power of pcapfex lies in it's ease of use. You only provide it a pcap-file and are rewarded a structured export of all files found in it. pcacpfex allows data extraction even if non-standard protocols were used. It's easy to understand plugin-system offers python developers a quick way to add more file-types, encodings or even complex protocols.

pcapfex was developed and tested for Linux environments only. Due to missing optimizations and tests, there is no guarantee for it to work under Windows (though it should work).

pcapfex depends on Python 2.7 and the dpkt package. You can install it via

sudo pip install dpkt

To achieve better performance using a multithreaded search for file objects, you should install the regex package.

sudo pip install regex

However, this step is only optional.

To analyze a pcap-file samplefile.pcap just use

pcapfex.py samplefile.pcap

For more detailed usage information see

pcapfex.py -h

Please make sure to use the -nv flag, if the machine that captured the traffic was sending data as well. This will circumvent wrong checksums stored in the pcap-file caused by TCP-Checksum-Offloading.

pcapfex is published under the Apache 2.0 license.