Ethereal-users: RE: [Ethereal-users] Searching for a string

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "McNutt, Justin M." <McNuttJ@xxxxxxxxxxxx>
Date: Thu, 14 Jun 2001 12:45:49 -0500
With a moderate amount of work it could be done using 'tethereal -V -x -r
<file>' and perl, assuming you have enough memory to deal with the sheer
amount of output spewed by tethereal.

Algorithm for perl script:

#!/usr/bin/perl
use strict;
use warnings;

# Usage: search.pl <search string> <capture file>
my ( $string, $file ) = @ARGV;
die "usage: $0 <search string> <capture file>\n"
    unless defined $file and length $string;

# Check input file for readability.
die "Cannot read $file\n" unless -r $file;

# Convert search string to hex ("GET" -> "47 45 54"), then to a regexp.
# Keeping one space between bytes means a match can only start on a
# byte boundary, so neighbouring nibbles never line up into a false hit.
my $hex = join ' ', map { sprintf '%02x', ord } split //, $string;
my $searchstring = qr/$hex/i;

# Open input file, or run tethereal directly (list form, so the file
# name is never handed to a shell):
open( my $fh, '-|', 'tethereal', '-V', '-x', '-r', $file )
    or die "Cannot run tethereal: $!\n";
my @STUFF = <$fh>;
close $fh;    # Don't forget to close your input file.

my ( $framenumber, $data ) = ( 0, '' );

# Parse the input using something like this:
PARSE: foreach my $line (@STUFF) {
    if ( $line =~ /^Frame (\d+)/ ) {
        my $nextframe = $1;    # save it before another match clobbers $1

        # Before we update the frame counter,
        # search the total data in the *last*
        # frame for the search string.
        if ( $data =~ $searchstring ) {
            print "Found pattern in Frame $framenumber.\n";
        }
        $framenumber = $nextframe;
        $data        = '';
        next PARSE;
    }

    # Concatenate all of the hex data within the frame to one long
    # string.  Hex dump lines look like
    #   0000  45 00 00 3c ...   E..<....
    # so keep only the byte column, one space between bytes.
    if ( $line =~ /^[0-9a-f]{4}\s+((?:[0-9a-f]{2}\s)+)/i ) {
        ( my $newstuff = $1 ) =~ s/\s+/ /g;
        $data .= $newstuff;
    }
}

print "Done.\n";

Known bugs in this implementation:  The last frame will probably not get
searched.  Try using a do-while loop or just perform the check one last time
after the PARSE loop (kludge!).

You could also re-search the data field every time new data from the next
line of output is concatenated, but that's a *lot* of pattern matching
(inefficient).

The best way is to figure out a pattern that matches the *end* of the frame
before the "Frame 4234" beginning of the next frame, and parse the previous
frame's data when you've matched the EndOfFrame pattern.

--J
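The same frame-by-frame search, written out as an added example that is not part of the original message and not Ethereal project code. It is in Python rather than Perl so the parser can be run against an embedded sample; the layout it assumes for `tethereal -V -x` output (a "Frame N" header at column 0, an indented protocol tree, then dump lines of the form `0000  xx xx ...   ascii`) is stated in the comments, and the sample dump is constructed by hand, not taken from a real capture. Frames are decoded to bytes before searching, and the last frame is flushed after the loop, which is the end-of-frame handling the message above describes.

```python
import re
import subprocess
import sys
from typing import Iterable, Iterator, List, Tuple

# Assumed shape of `tethereal -V -x -r <file>` output: every frame opens with a
# "Frame N ..." line at column 0, the decoded protocol tree follows (indented),
# and the hex dump closes the frame with lines of the form
#     0030  ff ff 00 00 00 00 47 45 54 20 2f 20 48 54 54 50   ......GET / HTTP
FRAME_RE = re.compile(r"^Frame (\d+)")
HEXLINE_RE = re.compile(r"^[0-9a-fA-F]{4}\s+((?:[0-9a-fA-F]{2}\s)+)")


def parse_frames(lines: Iterable[str]) -> Iterator[Tuple[int, bytes]]:
    """Yield (frame_number, raw_bytes) for each frame in the dump.

    A frame's dump is only known to be complete when the next "Frame" header
    (or end of input) is seen, so the previous frame is emitted at that point.
    The flush after the loop is what keeps the last frame from being lost.
    """
    frame_no = None
    chunks: List[bytes] = []
    for line in lines:
        m = FRAME_RE.match(line)
        if m:
            if frame_no is not None:
                yield frame_no, b"".join(chunks)
            frame_no, chunks = int(m.group(1)), []
            continue
        m = HEXLINE_RE.match(line)
        if m and frame_no is not None:
            # bytes.fromhex() ignores the spaces between byte pairs.
            chunks.append(bytes.fromhex(m.group(1)))
    if frame_no is not None:
        yield frame_no, b"".join(chunks)


def search_frames(lines: Iterable[str], pattern: bytes) -> List[Tuple[int, int]]:
    """Return (frame_number, byte_offset) for every match of a bytes regex.

    Matching is done on decoded bytes, so a needle that straddles two dump
    lines is still found, and hex digits from neighbouring bytes can never
    line up into a false match the way they can in a flattened hex string.
    """
    rx = re.compile(pattern)
    hits: List[Tuple[int, int]] = []
    for frame_no, data in parse_frames(lines):
        hits.extend((frame_no, m.start()) for m in rx.finditer(data))
    return hits


# Constructed sample dump (not real capture data): an ARP request in frame 1
# and a minimal TCP segment carrying "GET / HTTP/1.0\r\n" in frame 2, whose
# payload is split across the 0030 and 0040 dump lines.
SAMPLE_DUMP = """\
Frame 1 (42 bytes on wire, 42 bytes captured)
    Arrival Time: Jun 14, 2001 12:28:00.000000
Ethernet II
Address Resolution Protocol (request)

0000  ff ff ff ff ff ff 00 0c 29 ab cd ef 08 06 00 01   ........).......
0010  08 00 06 04 00 01 00 0c 29 ab cd ef c0 a8 01 0a   ........).......
0020  00 00 00 00 00 00 c0 a8 01 01                     ..........

Frame 2 (70 bytes on wire, 70 bytes captured)
    Arrival Time: Jun 14, 2001 12:28:00.100000
Ethernet II
Internet Protocol
Transmission Control Protocol, Src Port: 1234, Dst Port: 80
Hypertext Transfer Protocol
    GET / HTTP/1.0\\r\\n

0000  00 50 56 c0 00 08 00 0c 29 ab cd ef 08 00 45 00   .PV.....).....E.
0010  00 3c 1a 2b 40 00 40 06 00 00 c0 a8 01 0a c0 a8   .<.+@.@.........
0020  01 01 04 d2 00 50 00 00 00 01 00 00 00 00 50 18   .....P........P.
0030  ff ff 00 00 00 00 47 45 54 20 2f 20 48 54 54 50   ......GET / HTTP
0040  2f 31 2e 30 0d 0a                                 /1.0..
"""


def main(argv: List[str]) -> int:
    if len(argv) != 3:
        print(f"usage: {argv[0]} <search string> <capture file>", file=sys.stderr)
        return 2
    needle, capture = argv[1], argv[2]
    # List-form argv: the capture path is never interpreted by a shell.
    out = subprocess.run(["tethereal", "-V", "-x", "-r", capture],
                         capture_output=True, text=True, errors="replace",
                         check=True).stdout
    for frame_no, off in search_frames(out.splitlines(), re.escape(needle.encode())):
        print(f"Found pattern in Frame {frame_no} at byte offset {off}.")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Two things worth noting about the design. Only hex-dump lines feed the search, so text that appears in the decoded tree (the "Arrival Time" line, or the request line tethereal prints under the HTTP dissector) cannot produce a hit on its own; a plain grep over the -V output would match those too. And because each frame is searched on its own, a string that is split across two TCP segments is not found; that needs stream reassembly, which a per-frame dump does not give you.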

> -----Original Message-----
> From: Tom Trenker [mailto:ttrenker@xxxxxxxxxxxxx]
> Sent: Thursday, June 14, 2001 12:28 PM
> To: ethereal-users@xxxxxxxxxxxx
> Subject: [Ethereal-users] Searching for a string
> 
> 
> Hi,
> Is there a way that ethereal can search through captured data for a text
> string? I looked at the 'find frame' function, but it doesn't appear to be
> intended for finding text. Am I missing something?
> 
> I used xbed (a binary editor) to search the captured data, and while this
> works, I get lost in a sea of data. Is there a better alternative? The only
> other alternative I could think of was to export the file in sniffer
> format, and search for it on a PC running sniffer, but I'd prefer to stick
> to ethereal if possible.
> 
> By the way, kudos to all the developers of ethereal, I'm quite impressed by
> it and use it in preference to sniffer whenever possible.
> 
> Thanks, - Tom
> 
> 
> 
> _______________________________________________
> Ethereal-users mailing list
> Ethereal-users@xxxxxxxxxxxx
> http://www.ethereal.com/mailman/listinfo/ethereal-users
>