NSM also allows you to audit binary downloads (EXEs and DLLs) and extract those executables from network traffic via tools like “tcpxtract”. The analyst can then determine if the binary is hostile and, if possible, determine its characteristics, i.e. C&C sites etc., which aids in further detection and response. This level of analysis would not be possible without NSM. The times I’ve seen it, altering the user-agent has been enough to get the malicious file so it matches the behavior described in the writeup.”]
Source: https://taosecurity.blogspot.com/2007/11/great-papers-from-honeynet-project.html

