Question

I have some large pcap (packet capture) files collected with tcpdump. I would like to filter out packets that contain a specific string. I want my output to still be in pcap format. I've found several ways of only displaying packets matching a regex from a pcap file, but what I need is to filter such files rather than filter out the display (e.g. stdout) of the packets. The output needs to be pcap files with the matched packets removed.

I suspect dpkt (a python module) might help, but I'd prefer to do this using an existing (C/C++) tool, if possible. I'll accept code as an answer (maybe a good dpkt example with benchmarks will convince me to just go that way as well ;-)).

Thanks in advance!

Answer:

Per Nim's answer, it's possible to do this via Wireshark/tshark. For others' reference, here's an example command line, where I check for the string match within udp packets (this example can be built on to do tcp or specific protocol field searching):

tshark -r infile -R 'not udp matches "my_search_string"' -w outfile

Thanks again!
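For readers who want to see what the tshark one-liner is doing underneath, or who would rather not depend on Wireshark, here is an added example that is not part of the question or either answer and does not use dpkt. It parses the classic libpcap format that tcpdump writes (not pcapng), drops every record whose UDP payload contains a byte string, and writes the survivors back with their original record headers so timestamps and lengths are preserved. The UDP check assumes Ethernet frames carrying untagged IPv4; the function names (`parse_pcap`, `drop_matching`, `filter_file`) and the constructed sample capture are mine.

```python
"""Remove packets containing a byte string from a classic libpcap file.
Constructed example; assumes the libpcap (not pcapng) format that tcpdump writes,
Ethernet link type and untagged IPv4 when restricting the search to UDP payloads."""
import struct
from typing import List, Optional, Tuple

LINKTYPE_ETHERNET = 1
IPPROTO_UDP = 17
# Magic read as little-endian uint32: native value = little-endian writer, byte-swapped
# value = big-endian writer. The ..3C4D variants carry nanosecond timestamps; same layout.
_LITTLE_ENDIAN = {0xA1B2C3D4, 0xA1B23C4D}
_BIG_ENDIAN = {0xD4C3B2A1, 0x4D3CB2A1}


def _byte_order(data: bytes) -> str:
    magic = struct.unpack("<I", data[:4])[0]
    if magic in _LITTLE_ENDIAN:
        return "<"
    if magic in _BIG_ENDIAN:
        return ">"
    raise ValueError("not a classic libpcap file (magic 0x%08x)" % magic)


def parse_pcap(data: bytes) -> Tuple[bytes, int, List[Tuple[bytes, bytes]]]:
    """Return (global header bytes, linktype, [(record header, frame), ...]);
    record headers are kept verbatim so they can be written back unchanged."""
    if len(data) < 24:
        raise ValueError("truncated global header")
    order = _byte_order(data)
    ghdr = struct.Struct(order + "IHHiIII")  # magic, major, minor, thiszone, sigfigs, snaplen, linktype
    phdr = struct.Struct(order + "IIII")     # ts_sec, ts_usec, incl_len, orig_len
    linktype = ghdr.unpack_from(data, 0)[6]
    packets, off = [], ghdr.size
    while off < len(data):
        if off + phdr.size > len(data):
            raise ValueError("truncated record header at offset %d" % off)
        start = off + phdr.size
        end = start + phdr.unpack_from(data, off)[2]
        if end > len(data):
            raise ValueError("truncated frame at offset %d" % start)
        packets.append((data[off:start], data[start:end]))
        off = end
    return data[:ghdr.size], linktype, packets


def udp_payload(frame: bytes, linktype: int) -> Optional[bytes]:
    """UDP payload of an Ethernet/IPv4/UDP frame, None for anything else (no VLAN handling)."""
    if linktype != LINKTYPE_ETHERNET or len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4
    if ihl < 20 or frame[14 + 9] != IPPROTO_UDP or len(frame) < 14 + ihl + 8:
        return None
    return frame[14 + ihl + 8:]


def drop_matching(data: bytes, needle: bytes, udp_only: bool = True) -> Tuple[bytes, int, int]:
    """Return (filtered pcap bytes, kept, dropped). udp_only=True is a substring version of
    tshark's 'not udp matches ...'; udp_only=False searches every frame's raw bytes."""
    ghdr, linktype, packets = parse_pcap(data)
    out, kept, dropped = [ghdr], 0, 0
    for rec_hdr, frame in packets:
        haystack = udp_payload(frame, linktype) if udp_only else frame
        if haystack is not None and needle in haystack:
            dropped += 1
            continue
        out.extend((rec_hdr, frame))
        kept += 1
    return b"".join(out), kept, dropped


def filter_file(in_path: str, out_path: str, needle: bytes, udp_only: bool = True) -> Tuple[int, int]:
    """Filter one pcap file into another; returns (kept, dropped)."""
    with open(in_path, "rb") as f:
        filtered, kept, dropped = drop_matching(f.read(), needle, udp_only)
    with open(out_path, "wb") as f:
        f.write(filtered)
    return kept, dropped


def build_sample_pcap() -> bytes:
    """Constructed capture: three UDP frames and one TCP frame, two carrying the search
    string. Checksums are left at zero, which analysers will flag but still parse."""
    def frame(proto: int, l4_header: bytes, payload: bytes) -> bytes:
        eth = bytes.fromhex("020000000002020000000001") + b"\x08\x00"
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4_header) + len(payload),
                         0, 0, 64, proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
        return eth + ip + l4_header + payload

    def udp(payload: bytes) -> bytes:
        return frame(IPPROTO_UDP, struct.pack("!HHHH", 40000, 53, 8 + len(payload), 0), payload)

    def tcp(payload: bytes) -> bytes:  # 20-byte header, data offset 5, flags PSH|ACK
        return frame(6, struct.pack("!HHIIBBHHH", 40001, 80, 1, 1, 5 << 4, 0x18, 8192, 0, 0), payload)

    frames = [udp(b"hello"), udp(b"my_search_string here"), tcp(b"my_search_string too"), udp(b"bye")]
    ghdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    return ghdr + b"".join(struct.pack("<IIII", 1700000000 + i, 0, len(f), len(f)) + f
                           for i, f in enumerate(frames))


if __name__ == "__main__":
    sample = build_sample_pcap()
    _, kept, dropped = drop_matching(sample, b"my_search_string")
    print("udp_only=True : kept %d, dropped %d" % (kept, dropped))   # kept 3, dropped 1
    _, kept, dropped = drop_matching(sample, b"my_search_string", udp_only=False)
    print("udp_only=False: kept %d, dropped %d" % (kept, dropped))   # kept 2, dropped 2
```

The whole file is read into memory because the question's filter needs no state between records; for multi-gigabyte captures, switching `parse_pcap` to stream records from a file object is a mechanical change. Two caveats when comparing with the tshark command: `matches` is a regular-expression test over the dissected UDP layer, whereas this is a plain substring test over the payload only, and on current tshark releases the read filter `-R` requires two-pass mode (`-2`), with `-Y` being the single-pass display filter.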


Solution

This website has a very nice example of how you can read the pcap file in C, a quick google search will reveal how you can re-write the file.

Alternatively, AFAIK Wireshark may allow you to do this already - i.e. open the file, apply a filter and save the file (and a quick run through Wireshark - reveals that it does indeed offer this).

Licensed under: CC-BY-SA with attribution