EN1GMA-PCAP-Forensic-Extractor

A PCAP file extractor tool to recover embedded images and data files from network capture files (.pcap/.pcapng). The tool provides both a command-line interface (CLI) and a GUI built with PyQt5, and is designed to run on Windows (also works on Linux/macOS).


Features

  • Multi-format support:
    Extracts common file types (e.g. JPEG, PNG, BMP, PDF, Office documents, ZIP/GZIP, MP3, MP4) from PCAPs.

  • CLI mode:
    Script-based usage with options to select file types (e.g., --jpg, --png, or --all).

  • GUI mode:
    User-friendly Qt interface with progress bar and status messages.

  • PCAP/PCAPNG:
    Supports both pcap and pcapng formats.

  • Self-contained executable:
    Can build a single Windows .EXE using PyInstaller (no Python install needed on target).

  • Lightweight:
    No heavy dependencies beyond PyQt5; uses native tshark for packet parsing.


Requirements

  • Python: Version 3.6 or higher.
  • PyQt5: GUI framework (install via pip install PyQt5).
  • Wireshark/TShark:
    The tshark CLI tool (usually included with Wireshark) must be installed and in your system PATH.
  • PyInstaller: (Optional)
    Only needed if you want to build a standalone executable.

Installation

  1. Clone the repository or download the source code.
  2. Install dependencies: pip install PyQt5
  3. Install Wireshark: Download and install Wireshark for your OS. Ensure that the tshark executable is accessible (add it to your PATH on Windows).
  4. PyInstaller: (Optional) If you plan to create an executable, install PyInstaller: pip install pyinstaller

Usage

CLI (Command-Line)

  • Run the CLI script directly with Python. For example, to extract all supported file types from a PCAP:

      python PCAP_Extractor.py path/to/capture.pcap --all -o output_dir
    

  • This scans capture.pcap, extracts every supported file type, and saves results under output_dir/ (created if needed). The script prints progress messages and a summary. You can also specify individual types instead of --all. For example, to extract only images:

      python PCAP_Extractor.py capture.pcap --jpg --png --gif -o images_out
    

  • If no types are selected (and --all is not used), the tool prompts you to choose at least one file type.

GUI (PyQt5)

  • Launch the GUI version to use a graphical interface:

       python PCAP_Extractor_GUI.py
    
  • In the GUI window, click Browse to select the input PCAP file and the output directory. Check the boxes for the file types you want to extract (or click Select All). Then click Start Extraction. The progress bar will update and a status message will appear when done.

  • The GUI window is themed in dark mode. It uses the provided icon.png as the application icon. (On Windows, the title bar and taskbar icon will show this icon.)

Building a Windows Executable

  • To create a standalone Windows executable with PyInstaller, run the following commands in your project directory:

      pip install pyinstaller
      pyinstaller --onefile --windowed --icon=icon.png PCAP_Extractor_GUI.py
    
  • The --onefile option bundles everything into a single EXE.

  • The --windowed flag (or --noconsole) prevents a console window from appearing (useful for GUI apps).

  • --icon=icon.png tells PyInstaller to use the provided icon.png as the application’s icon.

  • After running PyInstaller, you’ll find PCAP_Extractor_GUI.exe in the dist/ folder. You can similarly build a CLI executable (without --windowed) by running:

      pyinstaller --onefile PCAP_Extractor.py

Note: On Windows, run these commands in the Command Prompt or PowerShell. Make sure icon.png is in the current directory so PyInstaller can include it.

Considerations

  • Encrypted/Unsupported Traffic: Encrypted streams (HTTPS, TLS) or proprietary protocols will not yield extractable data. Only clear-text TCP payloads are scanned.
  • TShark dependency: This tool relies on the external tshark utility. The PCAP is fed to tshark (via subprocess) to extract raw TCP payloads. If tshark is not installed or not in PATH, extraction will fail.
  • File Types: Only the file signatures listed in the code are detected. A file whose header matches a listed signature but that belongs to a different format may be misidentified.
  • Performance: Very large PCAP files may consume significant memory and time, as all TCP payloads are concatenated in memory before scanning. Use adequate system resources.
  • Filename Collisions: Extracted files are named with a timestamp to reduce collisions, but runs in quick succession may overwrite earlier output. You can change the naming scheme in the code if needed.
  • Windows Paths: On Windows, avoid extremely long file paths. Use short directory names or run from a root directory if path-length errors occur.
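To make the considerations above concrete, here is an added example (not the project's own code) of the pipeline the README describes: tshark emits the raw TCP payloads, they are concatenated in memory, and the buffer is scanned for header/trailer pairs. The signature table, the tshark invocation and the timestamp-plus-offset naming are assumptions of this example, not taken from the repository.

```python
import subprocess
import time
from pathlib import Path

# Constructed signature table (ext, header, trailer); the project's own table is in its
# source. Office documents are ZIP containers, so header matching reports them as .zip.
SIGNATURES = [
    ("jpg", b"\xff\xd8\xff", b"\xff\xd9"),
    ("png", b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    ("gif", b"GIF8", b"\x00\x3b"),
    ("pdf", b"%PDF-", b"%%EOF"),
    ("zip", b"PK\x03\x04", b"PK\x05\x06"),
]

def tshark_tcp_payloads(pcap: str) -> bytes:
    """Join every TCP payload tshark prints (assumes tshark on PATH; hex may be colon-separated)."""
    out = subprocess.run(
        ["tshark", "-r", pcap, "-Y", "tcp.payload", "-T", "fields", "-e", "tcp.payload"],
        capture_output=True, text=True, check=True).stdout
    return b"".join(bytes.fromhex(tok) for tok in out.replace(":", "").replace(",", " ").split())

def carve(buf: bytes) -> list:
    """Return (ext, offset, data) per header/trailer pair, by offset; a header with no
    trailer after it is skipped rather than carved to the end of the buffer."""
    found = []
    for ext, header, trailer in SIGNATURES:
        pos = buf.find(header)
        while pos != -1:
            end = buf.find(trailer, pos + len(header))
            if end == -1:
                break
            end += len(trailer)
            if ext == "zip":  # end-of-central-directory record is 22 bytes minimum
                end = min(end + 18, len(buf))
            found.append((ext, pos, buf[pos:end]))
            pos = buf.find(header, end)
    return sorted(found, key=lambda f: f[1])

def carved_name(stamp: str, offset: int, ext: str) -> str:
    """Timestamp plus byte offset: distinct even for files carved in the same run."""
    return f"{stamp}_{offset:08x}.{ext}"

def save_all(files: list, out_dir: str) -> list:
    """Write carved files under out_dir (created if needed); returns the paths written."""
    Path(out_dir).mkdir(parents=True, exist_ok=True)
    stamp = time.strftime("%Y%m%d-%H%M%S")
    paths = [Path(out_dir) / carved_name(stamp, off, ext) for ext, off, _ in files]
    for path, (_, _, data) in zip(paths, files):
        path.write_bytes(data)
    return [str(p) for p in paths]
```

A full run is `save_all(carve(tshark_tcp_payloads("capture.pcap")), "output_dir")`; because the whole payload buffer is held in memory, very large captures hit the same memory cost noted above.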

Credits

  • Developer: Developed by Uzzam Arif.
  • Libraries: Built with PyQt5 and Python’s standard library.
  • Tools: Extraction logic leverages Wireshark Tshark for packet parsing.
  • Icon: The GUI icon (icon.png) is sourced from the public domain.
  • Inspiration: This tool was inspired by various network forensics scripts and exercises in packet analysis.

License

This project is released under the MIT License. See the LICENSE file for details.
