Ethereal-users: RE: [Ethereal-users] Searching for a string
Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.
From: "Alex Bennee" <Alex.Bennee@xxxxxxxxxxx>
Date: Fri, 15 Jun 2001 08:27:09 +0100
I think this may be a bit of a sledge-hammer to crack a nut. There are tools like ngrep which allow grep-like functionality on network traffic. If your intention is more towards security auditing (plaintext passwords etc.) then I suggest investigating dsniff and its tools. If you want to practise a bit of Perl though then by all means :-)

Alex.

"McNutt, Justin M." <McNuttJ@xxxxxxxxxxxx> on 14/06/2001 18:45:49
To: ethereal-users@xxxxxxxxxxxx
cc: (bcc: Alex Bennee/MAIN/MC1)
Subject: RE: [Ethereal-users] Searching for a string

With a moderate amount of work it could be done using 'tethereal -V -x -r <file>' and perl, assuming you have enough memory to deal with the sheer amount of output spewed by tethereal.

Algorithm for perl script:

    #!/usr/bin/perl
    use strict;
    use warnings;

    # Usage: searchcap.pl <capture.file> <string>
    my ( $file, $search ) = @ARGV;
    die "usage: $0 <capture.file> <string>\n" unless defined $search;
    # Check input file for readability.
    die "$file is not readable\n" unless -r $file;

    # Convert search string to hex, then the hex to a regexp that only
    # matches on a byte boundary (whole hex pairs before the pattern).
    my $searchhex = unpack( 'H*', $search );
    my $searchre  = qr/^(?:[0-9a-f]{2})*?$searchhex/i;

    # Run tethereal with a list-form open (no shell, so the file name is
    # passed as-is) and read its output line by line instead of slurping it.
    open( my $STUFF, '-|', 'tethereal', '-V', '-x', '-r', $file )
        or die "cannot run tethereal: $!\n";

    my $framenumber = 0;
    my $data        = '';

    PARSE: while ( my $line = <$STUFF> ) {
        if ( $line =~ /^Frame (\d+)/ ) {
            my $thisframe = $1;    # save it: the match below resets $1
            # Before we update the frame counter,
            # search the total data in the *last*
            # frame for the search string.
            if ( $data =~ $searchre ) {
                print "Found pattern in Frame $framenumber.\n";
            }
            $framenumber = $thisframe;
            $data        = '';
            next PARSE;
        }
        # Concatenate all of the hex data within the frame to one long
        # string. A dump line looks like "<offset>  <hex pairs>  <ascii>";
        # that layout is assumed, adjust the pattern if yours differs.
        if ( $line =~ /^[0-9a-f]{4}\s+((?:[0-9a-f]{2}\s)+)/i ) {
            ( my $newstuff = $1 ) =~ s/\s//g;
            $data .= $newstuff;
        }
    }
    # Known bug (see below): the last frame is never searched here.
    # Don't forget to close your input file.
    close($STUFF);
    print "Done.\n";

Known bugs in this implementation: The last frame will probably not get searched. Try using a do-while loop or just perform the check one last time after the PARSE loop (kludge!). You could also re-search the data field every time new data from the next line of output is concatenated, but that's a *lot* of pattern matching (inefficient).

The best way is to figure out a pattern that matches the *end* of the frame before the "Frame 4234" beginning of the next frame, and parse the previous frame's data when you've matched the EndOfFrame pattern.

--J

> -----Original Message-----
> From: Tom Trenker [mailto:ttrenker@xxxxxxxxxxxxx]
> Sent: Thursday, June 14, 2001 12:28 PM
> To: ethereal-users@xxxxxxxxxxxx
> Subject: [Ethereal-users] Searching for a string
>
> Hi,
> Is there a way that ethereal can search through captured data for a text string? I looked at the 'find frame' function, but it doesn't appear to be intended for finding text. Am I missing something?
>
> I used xbed (a binary editor) to search the captured data, and while this works, I get lost in a sea of data. Is there a better alternative? The only other alternative I could think of was to export the file in sniffer format, and search for it on a PC running sniffer, but I'd prefer to stick to ethereal if possible.
>
> By the way, kudos to all the developers of ethereal, I'm quite impressed by it and use it in preference to sniffer whenever possible.
>
> Thanks,
> - Tom
>
> _______________________________________________
> Ethereal-users mailing list
> Ethereal-users@xxxxxxxxxxxx
> http://www.ethereal.com/mailman/listinfo/ethereal-users
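The same per-frame parse in Python, added here as an illustration and not code from the thread: it does the check once more after the loop so the last frame is searched too, and matches on bytes instead of on the hex text. The sample dump is constructed and its hex-dump line layout is an assumption.

```python
import re

# Constructed sample in the style of "tethereal -V -x" output: a "Frame N"
# header, some decoded detail lines, then a hex dump (offset, bytes, ASCII).
# The exact dump layout is an assumption; adjust HEX_LINE if yours differs.
SAMPLE = """Frame 1 (32 bytes on wire, 32 bytes captured)
    Arrival Time: Jun 14, 2001 12:28:00
Ethernet II
0000  00 11 22 33 44 55 66 77 88 99 aa bb 08 00 45 00   ...3DUfw......E.
0010  47 45 54 20 2f 69 6e 64 65 78 2e 68 74 6d 6c 20   GET /index.html

Frame 2 (28 bytes on wire, 28 bytes captured)
Ethernet II
0000  00 11 22 33 44 55 66 77 88 99 aa bb 08 00 45 00   ...3DUfw......E.
0010  55 53 45 52 20 61 6c 69 63 65 0d 0a               USER alice..
"""

FRAME_LINE = re.compile(r"^Frame (\d+)")
# offset, then one or more hex byte pairs, then the ASCII column
HEX_LINE = re.compile(r"^[0-9a-fA-F]{4}\s+((?:[0-9a-fA-F]{2}\s)+)")


def frames_from_dump(text):
    """Yield (frame_number, payload_bytes) for every frame in the dump."""
    frame_no, data = None, bytearray()
    for line in text.splitlines():
        m = FRAME_LINE.match(line)
        if m:
            if frame_no is not None:          # flush the previous frame
                yield frame_no, bytes(data)
            frame_no, data = int(m.group(1)), bytearray()
            continue
        m = HEX_LINE.match(line)
        if m and frame_no is not None:
            data.extend(bytes.fromhex("".join(m.group(1).split())))
    # The loop only flushes when the *next* header arrives, which is the
    # "last frame not searched" bug from the post; flush the final one here.
    if frame_no is not None:
        yield frame_no, bytes(data)


def find_string(text, needle):
    """Return the frame numbers whose bytes contain needle (str or bytes).

    Matching on bytes rather than on the hex text avoids false hits where
    the needle's hex digits line up at an odd nibble offset in the dump."""
    pattern = needle.encode() if isinstance(needle, str) else needle
    return [no for no, data in frames_from_dump(text) if pattern in data]
```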