Wireshark is a network protocol analyzer utility that helps you monitor the security of your network. The program also lets you intercept data over the network and reassemble it in its original form, including attached image files in emails. Once you have captured an email with an attachment, you can save it to the computer's local hard drive.
Double-click the "Wireshark" icon on your computer.
Click the "Edit" menu on the top navigation bar and select "Preferences." Alternatively, press the "Shift," "Ctrl" and "P" keys simultaneously on your keyboard.
Click the "+" icon next to the "Protocols" option in the new window's left sidebar. Go to "TCP" in the expanded protocol list. You have to scroll down quite a bit, as the list is extensive.
Check the box for the "Allow subdissector to reassamble TCP streams" option. It should be enabled now.
Go back to the protocol list in the left sidebar and click the "HTTP" protocol option to pull it up.
Check the boxes for "Reassamble HTTP headers spanning multiple TCP segments" and "Reassemble HTTP bodies spanning multiple TCP segments." Click the "Apply" button to save your changes, then click "OK" to exit the preferences screen.
Click the "Capture" menu from the top bar and select "Start." Alternatively, hit the "Ctrl" and "E" keys to begin capturing data over the network. Allow the program to capture enough data, then stop the capture process.
Go to the capture menu below and search for a packet in the list that is marked "HTTP/1.1 200 OK (JPEG JPG)" in the "Info" column. Click that packet line.
Find the "JPEG File Interchange Format" text in the panel below, right-click it and select "Export Selected Packet Bytes." Save the content to a file on your computer.