[BSH] PCAP Email Extractor

This is just a quick post to share a technique I use to extract emails from trigger PCAPs. This can be achieved using tools like Network Miner etc, but I prefer the command line approach as it scales better, its quicker and it can be built upon to add additional functionality as you go.

The 2 main tools for this job are tcpflow to extract the emails and munpack extract the attachments. I use a Linux environment (Ubuntu 18.04) and both of these tools are available from the repo. These tools can then be written into a bash script which can do all this with one simple command. My script can be found by going to the following link:


Just download the script and either drop it into your /usr/local/bin or add it to a custom script location and update /etc/environment with the location of your custom script directory. You may also need to give it execute permissions with sudo chmod +x emailExtract.

This will extract the emails into separate directories and then extract the attachments from the emails. Lastly, it renames the email so it can be viewed in a mail client. This works on both a single PCAP file or a directory with multiple PCAPs.

emailExtract -f <pcap> for single pcap

emailExtract -d <dir> for multiple pcaps

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s