Zeek is not storing files, even after script was loaded. What am I missing?

I'm trying to configure Zeek in order to store files (every file) on disc, but without any success. OS I'm using: Debian 10.

What I did so far:

• I've installed this module: https://github.com/hosom/file-extraction (even after following this site https://www.ericooi.com/zeekurity-zen-part-vi-zeek-file-analysis-framework, I couldn't put it to work).

• I've loaded frameworks/files/extract-all-files script.

I can see the scripts are loaded, after checking loaded_scripts.log

I'm a beginner on Zeek, and I'd like to learn how to enable zeek to save files (that is traversing the network) and store on disk. The only sort of files that is being stored: HTTP and SSL.

I'm sure I'm making many mistakes, but I'm not able to find the correct way.

EDIT

Zeek version I'm using: zeek version 4.1.0-dev.545.

I'm processing traffic. I haven't tried anything with pcap, but I'll try what you've suggested with "zeek -r the.pcap policy/scripts/frameworks/files/extract-all-files.zeek".

On Zeek server, I've installed (in order to test) a FTP and a HTTP server. At html folder, I created a pdf file (so I can download it later). I've put two files (a pdf and a plain text file), and I downloaded (using a browser on another computer in the local network) that pdf file. As a result, I can see (looking at ftp.log and http.log) all the files that I mentioned, but those files aren't stored on disc. My doubt is: should they be stored by Zeek?

A common problem when running traffic through Zeek is that packets may have invalid checksums. Zeek by default skips such packets, so the net result is missing logs/files/artifacts that the user expects to be there. Often those invalid checksums are caused by checksum offloading, where the packet capture process grabs transmitted packets before the NIC had a chance to fix the checksums.

Zeek normally warns when it encounters invalid checksums -- look for the something resembling the following on stderr, or in reporter.log:

Your trace file likely has invalid TCP checksums, most likely from NIC checksum offloading. By default, packets with invalid checksums are discarded by Zeek unless using the -C command-line option or toggling the 'ignore_checksums' variable.

(This is from find-checksum-offloading.zeek, which is included in Zeek's default configuration.)

You have many options here. You can:

• run Zeek with -C, as per the above
• say redef ignore_checksums=T; in a script (usually local.zeek)
• add the redef at the command line: zeek -r the.pcap ... ignore_checksums=T
• fix the checksums in the pcap, e.g. with tcprewrite -C -i input.pcap -o fixed.pcap (tcprewrite ships with tcpreplay) -- this is best if others will consume your pcap too.