grep string from a pcap file

Question

I'm trying to figure out the correct command syntax. I have a pcap file, and I want to use grep, and grep only to take out all of the uniq ip addresses from without the file

So assuming the file is called capture.pcap and is in my home folder, what should I write?

I assume the regex can be '\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}' and that sort and uniq must be included also, but it seems the pcap doesn't respond well with grep, for example using the normal syntax of grep file word doesn't work, if I run: grep 239 ./capture.pcap I get the replay Binary file ./capture/pcap matches

score 2 · Answer 1 · answered Dec 16 '13 at 01:18

Try adding the -a or --binary-file=text options

grep -aE '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+' file.pcap

or

grep --binary-file=text -E '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+' file.pcap

This appears to work for a random pcap file that I downloaded from wiki.wireshark.org i.e.

$ grep -E '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+' NTLM-wenchao.pcap
Binary file NTLM-wenchao.pcap matches

but

$ grep -aE '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+' NTLM-wenchao.pcap
Host: 192.168.0.55
Host: 192.168.0.55
Host: 192.168.0.55
Location: http://192.168.0.55/default.aspx
MicrosoftSharePointTeamServices: 12.0.0.6421
<body><h1>Object Moved</h1>This document may be found <a HREF="http://192.168.0."_?"_Ea@yÀ¨[À¨ÃPþµû%RÑ_Pü>ÕGET /default.aspx HTTP/1.1
Host: 192.168.0.55

etc.

Be aware of the warning (from the man page man grep) that

If TYPE is text, grep processes a binary file as if  it
were  text;  this is equivalent to the -a option.  Warning: grep
--binary-files=text might output binary garbage, which can  have
nasty  side  effects  if  the  output  is  a terminal and if the
terminal driver interprets some of it as commands.

Note that although you can use the \d regex (for digit), it is only supported by grep in PCRE mode (i.e. with the -P switch).

That is only going to pull plain text strings out of it, which in your case happens to include some http requests that contain plain text IP addresses. — psusi, Dec 16 '13 at 02:26
well actually, amazingly, that works! id rate you up but im not 15 reputation yet! - also for some reason i cant seem to sort this to only show each address once.. i thought i need to use | uniq but that doesnt work for me.. — Giladiald, Dec 16 '13 at 13:57
Look at the -o flag for grep and sort -u instead of uniq (which only works on pre-sorted data). Also please see the comment from @psusi - I don't work with pcap files, so I don't know if this really does what you need, I just added it to illustrate generically how to get grep to work with binary files. — steeldriver, Dec 16 '13 at 14:29

score 1 · Answer 2 · edited Apr 13 '17 at 12:23

1

grep works on text, the .pcap file is a binary file, which means using grep only you can't do what you want. The .pcap file format With using grep only you could only find those IP-s in the .pcap file, which are in the packet data section. (e.g. the capture file contains the packets of a webpage download, where the webpage is about IP-s) So to be short, using grep only you can't do that.

But why do you have to use only grep? Is this some kind of homework? (I answered a very similar question 3 days ago.

edited Apr 13 '17 at 12:23

Community

1

answered Dec 15 '13 at 21:36

falconer

15,026
3
48
68

yes exactly its a homework assignment! so according to your other answer, shouldnt grep -e solve the issue for me entirely? even tho the file is binary? im having trouble believing its impossible because if it is ill have to kill my teacher. – Giladiald Dec 15 '13 at 23:00
1

How would grep -e change anything? It still only searches for text. I can't imagine how would it be possible. I will be amazed if your teacher does present a solution for this. But anyway, homework is off-topic here. – falconer Dec 15 '13 at 23:14
well it doesn't have to be regarded as homework, its just a way to know alternative methods to do something. many things can be done in many diff ways in ubuntu - that being "homework" is an excuse to learn many methods. – Giladiald Dec 16 '13 at 13:47

score 0 · Answer 3 · answered Oct 10 '20 at 11:03

0

Why not just use strings command, with grep ?

e.g:

your pcap file: abc.pcap

strings abc.pcap | grep "Your Search String Goes Here"

answered Oct 10 '20 at 11:03

William Martens

1,003

1

The IP addresses in .pcap file are not in string format, they are in native binary format (just 4 bytes). To decode a .pcap file, tcpdump should be used, and then one can grep the output of tcpdump. – raj Oct 10 '20 at 11:28
Yeah, You're right I agree – William Martens Oct 10 '20 at 11:30

grep string from a pcap file

3 Answers3