📘Cisco Certified CyberOps Associate (200-201 CBROPS)
1. Introduction
Security analysts often investigate network traffic captures to identify malicious activities such as malware downloads, unauthorized file transfers, or data exfiltration.
One common investigation task is extracting files from a TCP stream inside a packet capture file (PCAP).
A PCAP file contains captured network packets from a network interface. These packets may include:
- Web downloads
- Email attachments
- File transfers
- Malware payloads
- Documents transferred over the network
Using Wireshark, analysts can reconstruct the communication sessions and recover the original files transmitted across the network.
This is an important skill for cybersecurity analysts because attackers often transfer malicious files through network connections.
2. What is a PCAP File?
A PCAP (Packet Capture) file stores raw network packets captured from a network interface.
The file contains detailed information such as:
- Source IP address
- Destination IP address
- Source port
- Destination port
- Protocol used
- Packet payload (actual transmitted data)
PCAP files are created by packet capture tools such as:
- Wireshark
- tcpdump
- TShark
Security analysts analyze PCAP files to understand what happened on the network during a security incident.
3. What is a TCP Stream?
A TCP stream is the complete communication session between two devices using the Transmission Control Protocol (TCP).
TCP ensures reliable communication between systems.
A TCP session includes:
- Connection setup (3-way handshake)
- Data transfer
- Connection termination
When a file is transferred across the network (for example via HTTP, FTP, or email), the file is split into many packets and sent across the network.
Each packet contains part of the file.
The TCP stream represents all packets belonging to the same session, which allows analysts to reconstruct the original file.
4. Why Extract Files from TCP Streams?
In cybersecurity investigations, analysts often need to recover files transmitted across the network to determine whether they are malicious.
Common investigation scenarios include:
1. Malware Download Investigation
An attacker downloads a malicious executable from a remote server. Analysts extract the file from the PCAP and analyze it.
2. Data Exfiltration Detection
Sensitive files may be transferred outside the organization. Extracting the file helps verify what data was stolen.
3. Email Attachment Analysis
Attackers may send malicious attachments via email protocols.
4. Suspicious Web Downloads
A compromised system may download suspicious files from a website.
Extracting files allows analysts to perform malware analysis and threat investigation.
5. Understanding TCP Stream Reassembly
When files travel across the network:
- They are divided into many TCP packets
- Packets may arrive out of order
- Each packet contains partial data
Tools like Wireshark automatically reassemble TCP streams by:
- Collecting packets belonging to the same session
- Ordering them correctly
- Reconstructing the original data
This allows analysts to view or export the transmitted file.
6. Using Wireshark to Extract Files from a TCP Stream
The most common tool used in the CyberOps exam for this task is Wireshark.
The process usually involves:
- Opening the PCAP file
- Identifying relevant traffic
- Following the TCP stream
- Extracting the transmitted file
7. Step-by-Step Process to Extract Files
Step 1: Open the PCAP File
- Launch Wireshark
- Click File → Open
- Load the PCAP file
Wireshark will display a list of captured packets.
Each row represents a packet with information such as:
- Time
- Source
- Destination
- Protocol
- Length
- Info
Step 2: Identify Relevant Traffic
Look for protocols that commonly transfer files.
Examples include:
| Protocol | Possible File Transfer |
|---|---|
| HTTP | Web downloads |
| FTP | File transfers |
| SMTP | Email attachments |
| SMB | Windows file sharing |
| HTTPS | Encrypted web downloads |
You can apply filters to locate relevant traffic.
Example filters:
- http
- ftp
- smtp
- tcp.port == 80
Filters help analysts focus on packets likely containing files.
Step 3: Locate the TCP Stream
Once you find relevant packets:
- Right-click the packet
- Select Follow → TCP Stream
Wireshark will reconstruct the full TCP conversation between the client and server.
The TCP stream window shows:
- Client requests
- Server responses
- Data transmitted during the session
Step 4: Inspect the Data
Inside the TCP stream window you may see:
- HTTP responses
- Encoded data
- Binary data
- File content
For example, a web download may contain an HTTP response header such as:
HTTP/1.1 200 OK
Content-Type: application/pdf
Content-Length: 15200
This indicates that a PDF file was transferred.
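Wireshark performs the reassembly described in section 5 and shows headers like the ones above in the Follow TCP Stream window. The following Python script is an added example (it is not from the study guide and not Wireshark's own code) that does the same job on a hand-constructed set of TCP segments: it orders them by relative sequence number, discards a retransmitted duplicate, records any gap left by a packet missing from the capture, and then carves the HTTP response body using the Content-Length header so an incomplete transfer is flagged rather than silently saved. The segments, the small PDF body, and the function names reassemble and carve_http_body are all assumptions made for the example.

```python
"""Reassemble a TCP stream from captured segments and carve an HTTP response body.

Added example (not from the CBROPS study material). The segments below are
constructed by hand to imitate what Wireshark's "Follow TCP Stream" does:
they arrive out of order and one of them is a retransmitted duplicate.
"""
import hashlib

# Constructed sample payload: a minimal PDF served over HTTP/1.1.
BODY = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n%%EOF\n"
HEADER = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: application/pdf\r\n"
    b"Content-Length: " + str(len(BODY)).encode() + b"\r\n"
    b"\r\n"
)
FULL = HEADER + BODY
H = len(HEADER)

# (relative sequence number, payload) for the server -> client direction,
# deliberately out of order and with one retransmission.
SEGMENTS = [
    (H + 20, FULL[H + 20:]),   # tail of the body arrives first
    (0, FULL[:H]),             # HTTP headers
    (H, FULL[H:H + 20]),       # first part of the body
    (0, FULL[:H]),             # retransmission of the header segment
]


def reassemble(segments):
    """Order segments by sequence number, drop duplicates, trim overlaps.

    Returns (data, gaps); each gap is (expected_seq, actual_seq) and marks
    bytes that were never captured (packet loss in the PCAP)."""
    data = bytearray()
    gaps = []
    expected = 0
    for seq, payload in sorted(segments, key=lambda s: s[0]):
        end = seq + len(payload)
        if end <= expected:
            continue                       # fully retransmitted data, already buffered
        if seq < expected:
            payload = payload[expected - seq:]  # partial overlap: keep only new bytes
            seq = expected
        elif seq > expected:
            gaps.append((expected, seq))   # hole: the stream continues after it
        data.extend(payload)
        expected = end
    return bytes(data), gaps


def carve_http_body(stream):
    """Split an HTTP/1.x response into status, headers and body.

    'complete' is False when fewer body bytes were captured than the
    Content-Length header declares, which is what packet loss looks like."""
    head, sep, body = stream.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end-of-headers marker; not a complete HTTP response")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    declared = int(headers.get("content-length", len(body)))
    carved = body[:declared]
    return {
        "status": lines[0].decode("latin-1"),
        "content_type": headers.get("content-type"),
        "body": carved,
        "complete": len(body) >= declared,
        "sha256": hashlib.sha256(carved).hexdigest(),  # hash for the analysis ticket
    }


if __name__ == "__main__":
    stream, gaps = reassemble(SEGMENTS)
    info = carve_http_body(stream)
    print(info["status"], info["content_type"],
          "complete" if info["complete"] else "INCOMPLETE", "gaps:", gaps)
    # Equivalent of "Show and save data as: Raw -> Save As", minus the headers.
    with open("extracted.pdf", "wb") as f:
        f.write(info["body"])
```

Dropping the middle segment from SEGMENTS before calling reassemble reproduces the packet-loss limitation from section 11: the gap is reported and carve_http_body returns complete = False, so the analyst knows the saved file is truncated rather than trusting it as-is.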
Step 5: Save the Extracted Data
Wireshark allows analysts to save the reconstructed data.
Steps:
- In the Follow TCP Stream window, change the "Show and save data as" drop-down to Raw
- Click Save As
Save the file with the correct extension, such as:
- .exe
- .pdf
- .zip
- .docx
This creates the reconstructed file from the TCP stream. Note that the raw stream still contains the HTTP headers (and the client's request as well, if the entire conversation rather than a single direction is saved), so these bytes must be removed before the file opens correctly.
8. Alternative File Extraction Method
Wireshark also provides an automatic extraction feature.
Export Objects Feature
Menu:
File → Export Objects
Available options include:
- HTTP
- SMB
- DICOM
- IMF (Email)
Example:
File → Export Objects → HTTP
Wireshark will display all files transferred through HTTP.
From there you can:
- View file names
- View file sizes
- Save selected files
This is often faster than manually following TCP streams.
9. Example IT Environment Scenario
In a corporate security operations center (SOC), analysts may investigate a suspicious network alert.
Steps the analyst performs:
- Review captured network traffic from a monitoring system
- Open the PCAP file in Wireshark
- Identify HTTP traffic from a compromised workstation
- Follow the TCP stream
- Extract a downloaded executable file
- Submit the file for malware analysis
This process helps determine:
- Whether the file is malicious
- How the system was infected
- What actions attackers performed
10. Important Indicators When Extracting Files
During analysis, analysts should pay attention to:
Suspicious File Types
Examples:
- .exe
- .dll
- .ps1
- .zip
- .js
These may contain malicious code.
Suspicious File Sources
Look for files downloaded from:
- Unknown domains
- Suspicious IP addresses
- Newly registered domains
Large Data Transfers
Large outgoing data streams may indicate data exfiltration.
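Once a file has been saved from a stream, the first check an analyst makes is whether its real type matches the name and Content-Type it was served with, followed by hashing it for the malware-analysis submission mentioned in section 9. The script below is an added example, not part of the study guide: it identifies a file from its leading bytes (a small, hand-picked signature table), flags an extension mismatch such as a "PDF" that actually starts with a Windows PE header, marks the script extensions listed above as executable even though they have no magic number, and computes the SHA-256. The sample blobs, the signature table, and the function names detect_type and triage are assumptions made for the example.

```python
"""Triage a file extracted from a TCP stream: detect its real type from magic
bytes, compare it with the claimed extension, and hash it for analysis.

Added example, not part of the CBROPS study material. The signature table is
a deliberately small subset and the sample files below are constructed.
"""
import hashlib

# Leading-byte signatures of formats that commonly appear in extracted downloads.
SIGNATURES = {
    b"MZ": "pe",                    # Windows .exe / .dll
    b"\x7fELF": "elf",              # Linux executable
    b"%PDF-": "pdf",
    b"PK\x03\x04": "zip",           # also .docx/.xlsx/.jar containers
    b"\x89PNG\r\n\x1a\n": "png",
}

# What the bytes are expected to look like for a given claimed extension.
EXPECTED_BY_EXT = {
    "exe": "pe", "dll": "pe", "pdf": "pdf", "zip": "zip",
    "docx": "zip", "jar": "zip", "png": "png",
}

# Script types are plain text, so they carry no magic number; the extension
# alone marks them as executable content worth a closer look.
SCRIPT_EXTENSIONS = {"ps1", "js", "vbs", "bat"}


def detect_type(data: bytes) -> str:
    """Return the format name matching the file's leading bytes, or 'unknown'."""
    for magic, name in SIGNATURES.items():
        if data.startswith(magic):
            return name
    return "unknown"


def triage(filename: str, data: bytes) -> dict:
    """Summarise an extracted file for the analyst's case notes."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    detected = detect_type(data)
    expected = EXPECTED_BY_EXT.get(ext)
    return {
        "filename": filename,
        "extension": ext,
        "detected_type": detected,
        # A mismatch (e.g. 'invoice.pdf' whose bytes start with MZ) is a classic
        # sign of a disguised executable and raises the priority of the case.
        "extension_mismatch": expected is not None and detected != expected,
        "executable": detected in {"pe", "elf"} or ext in SCRIPT_EXTENSIONS,
        "size": len(data),
        "sha256": hashlib.sha256(data).hexdigest(),  # value to submit for analysis
    }


# Constructed samples: a genuine-looking PDF, a PE header stub with a PDF
# name (the header bytes only, not a runnable program), and a script.
SAMPLE_PDF = b"%PDF-1.4\n%%EOF\n"
SAMPLE_DISGUISED = b"MZ\x90\x00" + b"\x00" * 60
SAMPLE_SCRIPT = b"Write-Host 'hello'\n"

if __name__ == "__main__":
    for name, blob in [("report.pdf", SAMPLE_PDF),
                       ("invoice.pdf", SAMPLE_DISGUISED),
                       ("update.ps1", SAMPLE_SCRIPT)]:
        r = triage(name, blob)
        print(f"{r['filename']}: type={r['detected_type']} "
              f"mismatch={r['extension_mismatch']} executable={r['executable']} "
              f"sha256={r['sha256'][:16]}...")
```

The mismatch flag is the useful output here: a download whose Content-Type or file name says one thing while its first bytes say another is exactly the kind of indicator the list above asks analysts to watch for, and the hash gives a stable identifier for the file when it is handed to the malware-analysis team.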
11. Limitations of File Extraction
There are some challenges when extracting files.
1. Encrypted Traffic
Protocols like:
- HTTPS
- SSH
- VPN traffic
encrypt data, preventing analysts from seeing the file contents.
2. Packet Loss
If packets are missing from the PCAP file, the file may be incomplete.
3. Fragmented Streams
Some files may be transmitted in multiple sessions, making reconstruction difficult.
12. Skills Required for the Exam
For the CyberOps Associate exam, you should understand how to:
- Identify file transfers in PCAP files
- Use Wireshark filters
- Follow TCP streams
- Reassemble network sessions
- Export files from captured traffic
- Identify suspicious downloads
13. Quick Exam Summary
Key points to remember:
- A PCAP file stores captured network packets.
- Files transferred over a network are split into TCP packets.
- A TCP stream represents the full communication session.
- Wireshark can reconstruct the stream and recover the transmitted file.
- Files can be extracted by:
  - Follow TCP Stream
  - Export Objects
- Extracted files help analysts investigate:
  - Malware downloads
  - Data exfiltration
  - Suspicious attachments
✅ Core Concept for the Exam
Security analysts analyze PCAP files in Wireshark to reconstruct TCP streams and extract transmitted files for forensic investigation.
