Reputation: 3432
I have a bunch of pcap files that I got with tcpdump. I need to search through all of them for specific keywords and record which files contain these strings. Is there a way to automate the search for these keywords using a tcpdump command perhaps?
Upvotes: 3
Views: 9062
Reputation: 6254
Probably the most generic solution using tshark would be to run something like:
tshark -r file.pcap -Y "frame contains foo"
... where foo is the string you're searching for. Refer to the wireshark-filter man page for more information on filtering using the contains and other operators, such as the matches operator which supports Perl compatible regular expressions.
Using that command, the output you'll see will be a 1-line summary of each packet matching the filter. You could tailor the output using a number of methods, but for example, suppose you only wanted to know the frame number of the matching packet, you could run:
tshark -r file.pcap -Y "frame contains foo" -T fields -e frame.number
Refer to the tshark man page for more information on the -T and -e options, as well as other options which may be of use to you.
Upvotes: 3
Reputation: 469
There is a more powerful version of tcpdump, tshark (it is the command line tool from the wireshark package). You could use tshark -T fields|pdml|ps|psml|text to dump packets in the format you like, and just grep it. tshark can read tcpdump dumps.
Upvotes: 1
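Both answers come down to the same operation: read each frame's raw bytes, test them for a substring (the contains operator) or a regular expression (the matches operator), and record the file and frame number of every hit. The script below is an added example, not code from either answer, that performs that search directly on the pcap container with only the Python standard library, so it also works on a box where tshark is not installed. It assumes classic pcap files as written by tcpdump (not pcapng), and the two captures it builds are constructed test data, not real traffic. The helper names (iter_frames, search_pcap, search_many, write_sample_pcap, demo) are this example's own.

```python
"""Search pcap files for a keyword the way `tshark -Y "frame contains foo"` does,
without needing tshark. Standard library only: the script parses the classic
pcap container itself and checks each frame's raw bytes."""
import os
import re
import struct
import tempfile

PCAP_MAGIC_USEC = 0xA1B2C3D4   # classic pcap, microsecond timestamps
PCAP_MAGIC_NSEC = 0xA1B23C4D   # classic pcap, nanosecond timestamps


def iter_frames(path):
    """Yield (frame_number, raw_bytes) for every record in a classic pcap file.
    Frame numbers start at 1, matching tshark's frame.number field."""
    with open(path, "rb") as fh:
        header = fh.read(24)
        if len(header) < 24:
            raise ValueError(f"{path}: truncated pcap global header")
        if struct.unpack("<I", header[:4])[0] in (PCAP_MAGIC_USEC, PCAP_MAGIC_NSEC):
            endian = "<"
        elif struct.unpack(">I", header[:4])[0] in (PCAP_MAGIC_USEC, PCAP_MAGIC_NSEC):
            endian = ">"
        else:
            raise ValueError(f"{path}: not a classic pcap file (magic {header[:4].hex()})")
        number = 0
        while True:
            rec = fh.read(16)
            if len(rec) < 16:
                return  # clean end of file (or a truncated trailing record header)
            _ts_sec, _ts_frac, incl_len, _orig_len = struct.unpack(endian + "IIII", rec)
            data = fh.read(incl_len)
            if len(data) < incl_len:
                return  # truncated capture: stop rather than report a partial frame
            number += 1
            yield number, data


def search_pcap(path, pattern, regex=False):
    """Return the frame numbers in `path` whose raw bytes match `pattern`.
    regex=False behaves like the `contains` operator (byte substring);
    regex=True behaves like the `matches` operator (regular expression)."""
    if isinstance(pattern, str):
        pattern = pattern.encode()
    matcher = re.compile(pattern).search if regex else (lambda d: pattern in d)
    return [n for n, data in iter_frames(path) if matcher(data)]


def search_many(paths, pattern, regex=False):
    """Map each file to its matching frame numbers, keeping only files with hits."""
    hits = {}
    for p in paths:
        found = search_pcap(p, pattern, regex)
        if found:
            hits[p] = found
    return hits


def write_sample_pcap(path, payloads):
    """Write a constructed pcap (link type 1 = Ethernet) with one frame per payload.
    The frames are plain byte strings, not real Ethernet/IP packets; they only
    give the keyword search something to look at."""
    with open(path, "wb") as fh:
        # magic, version 2.4, thiszone, sigfigs, snaplen, linktype
        fh.write(struct.pack("<IHHiIII", PCAP_MAGIC_USEC, 2, 4, 0, 0, 65535, 1))
        for i, payload in enumerate(payloads):
            fh.write(struct.pack("<IIII", 1_700_000_000 + i, 0, len(payload), len(payload)))
            fh.write(payload)


def demo(pattern="foo", regex=False):
    """Build two constructed captures in a temp dir, search them, and return
    {file basename: [matching frame numbers]} for the files that had hits."""
    directory = tempfile.mkdtemp()
    a = os.path.join(directory, "a.pcap")
    b = os.path.join(directory, "b.pcap")
    write_sample_pcap(a, [b"GET /index.html", b"user=foo&pass=x", b"foobar"])
    write_sample_pcap(b, [b"nothing here", b"still nothing"])
    hits = search_many([a, b], pattern, regex)
    return {os.path.basename(p): frames for p, frames in hits.items()}


if __name__ == "__main__":
    for name, frames in demo().items():
        print(f"{name}: frames {frames}")
```

Like `frame contains`, the match is made against the whole frame, headers included, so a keyword that straddles two TCP segments will not be found by either this script or that filter; reassembly is where tshark's higher-layer fields (for example a filter on http or tcp.payload) earn their keep. The script only understands classic pcap; for pcapng captures use tshark, which reads both formats.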