Ethereal-users: RE: [Ethereal-users] (No Subject)

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

Date: Thu, 15 Aug 2002 00:57:12 +0100
Guy, Ade et al,

> -----Original Message-----
> From: Guy Harris [mailto:guy@xxxxxxxxxx] 
> On Wed, Aug 14, 2002 at 10:35:28PM +0100, 
> Alistair.McGlinchy@xxxxxxxxxxxxxxxxxxxxx wrote:
> > I'm not quite sure what you mean by "trigger".
> 
> I assume by "trigger" he means what it means (from what I 
> remember) in some other packet analyzers, namely a Boolean 
> expression that tests the contents of packets, and that 
> causes packets to start to be saved when a packet for which 
> the expression is true is seen.

Ah..., I see the problem. Although I've never wanted this in the past I can
see it has its uses. Being the tethereal/perl fan that I am, I've worked up
a skeleton script which can parse tethereal -x and provide a hook into
almost any boolean expression you'd like. 

Suppose you wanted to find which user opened a certain file on an NT file
server. You set up a trace of all traffic to the server using a ring buffer.
When each ring buffer file is complete you parse the output of tethereal -x
on the file to see if the text "weird_application.exe" was in a SMB frame.
If found, then you editcap out the good stuff.

Not exactly elegant. But it solves the problem without resorting to
kilo-dollar software :-)


Alistair, 
# Thoroughly under-tested and unsupported code follows

#!/usr/bin/perl
use strict;
use warnings;
# Usage: tethereal -x -r <infile> | perl find_trigger.pl
# Prints the correct editcap command to extract the required traffic
# Intended for illustrative purposes only

$/ = "\n\n";    # Use two hard returns as the record delimiter

my $trigger_found = 0;

while (<>) {
	# First record is the summary line; split on whitespace so the
	# padding in front of the frame number is skipped
	my ($frame_no) = split ' ';
	# Second record is the hex dump for that frame
	$_ = <>;
	last unless defined $_;
	my @lines = split /\n/;
	# Raw bytes: the hex columns (chars 6..52) of each dump line, so neither
	# the 4-digit offset nor the ASCII column can be mistaken for a byte
	my $all_bytes       = pack 'C*', map { hex } map { length > 6 ? substr($_, 6, 47) =~ /([0-9a-f]{2})/g : () } @lines;
	# Printable ASCII column starts at char 56 of each dump line
	my $printable_ascii = join "", map { length > 56 ? substr($_, 56) : "" } @lines;

	if (!$trigger_found and
	    # I can find a sub string
	    $printable_ascii =~ /what I am looking for/
	    # or
	    # the second 100 bytes are all 0xff:
	    # or substr($all_bytes, 100, 100) eq "\xff" x 100
	   ) {
		$trigger_found = $frame_no;
	} elsif ($trigger_found and $printable_ascii =~ /All is cool now/) {
		# editcap -r keeps the listed frames instead of deleting them
		print "Run:  editcap -r <infile> <outfile> $trigger_found-$frame_no\n";
		exit 0;
	}
}
if ($trigger_found) {
	# No end marker seen: keep everything from the trigger frame onwards by
	# deleting the frames before it (editcap without -r deletes the listed range)
	if ($trigger_found > 1) {
		print "Run:  editcap <infile> <outfile> 1-", $trigger_found - 1, "\n";
	} else {
		print "Trigger is frame 1: nothing to remove\n";
	}
} else {
	die "Error: Start criteria not found\n";
}


-----------------------------------------------------------------------


Registered Office:
Marks & Spencer p.l.c
Michael House, Baker Street,
London, W1U 8EP
Registered No. 214436 in England and Wales.

Telephone (020) 7935 4422 
Facsimile (020) 7487 2670

www.marksandspencer.com

Please note that electronic mail may be monitored.

This e-mail is confidential. If you received it by mistake, please let us know and then delete it from your system; you should not copy, disclose, or distribute its contents to anyone nor act in reliance on this e-mail, as this is prohibited and may be unlawful.

The registered office of Marks and Spencer Financial Services PLC, Marks and Spencer Unit Trust Management Limited, Marks and Spencer Life Assurance Limited and Marks and Spencer Savings and Investments Limited is Kings Meadow, Chester, CH99 9FB.
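Added example, not part of the original message or of the Ethereal project: a Python re-implementation of the trigger idea described above. It parses the summary line plus hex dump that `tethereal -x -r <infile>` prints per frame, rebuilds the raw bytes from the hex columns (so the match is done on the frame contents rather than on a fixed ASCII column), evaluates a start and an end predicate over those bytes, and returns the `editcap -r` argument list that keeps the selected frames. The dump layout it assumes (summary line with frame number and relative time, blank line, then `<offset>  <hex columns>   <ASCII>` lines) is that of tethereal -x; `SAMPLE_DUMP`, the file names and the `LOGOFF` end marker are constructed for the demo and are not real capture data.

```python
"""Trigger-based frame selection over tethereal -x output (added example).

Assumed layout per frame: a summary line (frame number, relative time, ...),
a blank line, then dump lines "<4-hex-digit offset>  <up to 16 'xx ' columns>   <ASCII>".
SAMPLE_DUMP below is constructed by hand for the demo, not real capture data.
"""
import re
from typing import Callable, Iterable, Iterator, List, Optional, Tuple

Predicate = Callable[[bytes], bool]

# Summary line: frame number followed by the relative timestamp.
SUMMARY_RE = re.compile(r'^\s*(\d+)\s+\d+\.\d+\s')
# Dump line: offset, two spaces, then 1..16 hex byte columns.  The ASCII column
# is separated by extra spaces, so the repetition stops before it.
HEXDUMP_RE = re.compile(r'^[0-9a-fA-F]{4}\s{2}((?:[0-9a-fA-F]{2}(?:\s|$)){1,16})')


def parse_frames(text: str) -> Iterator[Tuple[int, bytes]]:
    """Yield (frame_number, raw_bytes) for every frame in a tethereal -x dump."""
    frame_no: Optional[int] = None
    chunks: List[str] = []
    for line in text.splitlines():
        m = SUMMARY_RE.match(line)
        if m:
            if frame_no is not None:
                yield frame_no, bytes.fromhex(''.join(chunks))
            frame_no, chunks = int(m.group(1)), []
            continue
        m = HEXDUMP_RE.match(line)
        if m and frame_no is not None:
            chunks.append(m.group(1))   # bytes.fromhex ignores the spaces
    if frame_no is not None:
        yield frame_no, bytes.fromhex(''.join(chunks))


def contains(needle: bytes) -> Predicate:
    """Trigger on a byte substring anywhere in the frame (file name in an SMB frame)."""
    return lambda frame: needle in frame


def byte_run(value: int, offset: int, length: int) -> Predicate:
    """Trigger when `length` bytes starting at `offset` all equal `value`."""
    return lambda frame: frame[offset:offset + length] == bytes([value]) * length


def find_range(frames: Iterable[Tuple[int, bytes]], start: Predicate,
               end: Predicate) -> Optional[Tuple[int, int]]:
    """(first, last) frame numbers to keep, or None if the trigger never fires.

    `end` is only consulted after the trigger has fired, so an end marker seen
    earlier cannot close a window that was never opened; with no end marker the
    window runs to the last frame of the buffer file.
    """
    first = last = None
    for frame_no, payload in frames:
        last = frame_no
        if first is None:
            if start(payload):
                first = frame_no
        elif end(payload):
            return first, frame_no
    return None if first is None else (first, last)


def editcap_command(infile: str, outfile: str, keep: Tuple[int, int]) -> List[str]:
    """argv for editcap: it deletes the listed frames by default, -r keeps them."""
    return ['editcap', '-r', infile, outfile, f'{keep[0]}-{keep[1]}']


def select_frames(dump_text: str, infile: str, outfile: str,
                  start: Predicate, end: Predicate) -> Optional[List[str]]:
    keep = find_range(parse_frames(dump_text), start, end)
    return None if keep is None else editcap_command(infile, outfile, keep)


# Constructed sample: frame 2 carries the file name inside an SMB request
# (split across two dump lines), frame 4 carries the constructed end marker.
SAMPLE_DUMP = """\
  1   0.000000 10.0.0.5 -> 10.0.0.9 TCP 1234 > 445 [SYN] Seq=0 Win=8192 Len=0

0000  00 0c 29 3e 4f 6a 00 50 56 c0 00 08 08 00 45 00   ..)>Oj.PV.....E.
0010  00 3c 1a 2b 40 00                                  .<.+@.

  2   0.000431 10.0.0.5 -> 10.0.0.9 SMB NT Create AndX Request

0000  ff 53 4d 42 a2 00 00 00 00 18 07 c8 00 00 00 00   .SMB............
0010  77 65 69 72 64 5f 61 70 70 6c 69 63 61 74 69 6f   weird_applicatio
0020  6e 2e 65 78 65 00                                  n.exe.

  3   0.000902 10.0.0.9 -> 10.0.0.5 TCP 445 > 1234 [ACK] Seq=1 Ack=60 Win=65535 Len=0

0000  00 50 56 c0 00 08 00 0c 29 3e 4f 6a 08 00 45 00   .PV.....)>Oj..E.

  4   0.001337 10.0.0.5 -> 10.0.0.9 SMB Logoff AndX Request

0000  ff 53 4d 42 74 00 00 00 00 18 07 c8 4c 4f 47 4f   .SMBt.......LOGO
0010  46 46 00                                           FF.
"""

if __name__ == '__main__':
    cmd = select_frames(SAMPLE_DUMP, 'ring01.cap', 'evidence.cap',
                        contains(b'weird_application.exe'), contains(b'LOGOFF'))
    print('Run: ' + ' '.join(cmd) if cmd else 'Error: start criteria not found')
```

To use it on a real ring-buffer file, feed `tethereal -x -r ring01.cap` output to `parse_frames` (for example via `subprocess.run(..., capture_output=True, text=True).stdout`) and pass the returned argv to `subprocess.run`; matching on the reassembled bytes rather than on the printable column means a file name that straddles two dump lines, as in frame 2 above, is still found.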