WiresharkAs you know, Wireshark is the most popular network protocol analyzer. It is capable of extracting all the files which were downloaded and captured.
If you load the pcap file in you Wireshark and use the command below...
http contains "in DOS mode"
... you can check that some executables were downloaded.
In the picture below shows you the files which are been recovered.
We use the command below to filter only the executables.
If we get the SHA256 checksum of the PE files, we can see that the results are exactly the same than using Wireshark. We have got the sames files.