The original pcap-util allowed you to split large dump files into smaller chunks of x MB in size, or to extract packets which fell within a certain time period. A little while later I added the ability to filter the dump using the standard libpcap filtering language. This language can extract data using most of the structures/fields used in layers 2-4 of the IP stack.

The new version of pcap-util adds two new functions which can be used to search for arbitrary strings within the application data of the packet:

1. Modify: This function allows you to search for a regular expression within the capture file and replace it with another string. This is really useful if a vendor has asked you for a tcpdump to help diagnose a problem, but you need to ensure that you're not storing or sending any sensitive information within the data. Really useful if you need to adhere to PCI DSS guidelines. An example: remove all credit card numbers from a capture file:

   ./pcap-util modify input.pcap output.pcap "\d{12}" "XXXXXXXXXXXXX"

2. Search: This function was added by me, and really just re-uses Damien's matching code, but without the replacement. Search will look for packets containing the data you are searching for and copy them into the output file.

Last update : 30-08-2009 10:51
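As an added illustration of what the two functions do (example code, not pcap-util's own), here is a minimal Python version of search and modify that regex-matches only the TCP application data of each record, run against a constructed two-packet capture. It assumes a little-endian pcap with an Ethernet/IPv4/TCP link layer, and it pads or cuts the replacement to the length of the match so the record, IP and TCP length fields stay valid after redaction.

```python
import re
import struct
GLOBAL_HDR = struct.Struct("<IHHiIII")  # magic, major, minor, thiszone, sigfigs, snaplen, linktype
REC_HDR = struct.Struct("<IIII")        # ts_sec, ts_usec, incl_len, orig_len

def records(pcap):
    """Yield (record header, frame bytes) pairs from a little-endian pcap (assumption)."""
    pos = GLOBAL_HDR.size
    while pos < len(pcap):
        hdr = pcap[pos:pos + REC_HDR.size]
        incl_len = REC_HDR.unpack(hdr)[2]
        pos += REC_HDR.size
        yield hdr, pcap[pos:pos + incl_len]
        pos += incl_len

def payload_offset(frame):
    """Start of TCP application data in an Ethernet/IPv4/TCP frame; len(frame) if it is not TCP."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return len(frame)
    tcp = 14 + (frame[14] & 0x0F) * 4
    return min(tcp + (frame[tcp + 12] >> 4) * 4, len(frame))

def search(pcap, pattern):
    """'search': copy only the records whose application data matches the regex."""
    rx, out = re.compile(pattern), [pcap[:GLOBAL_HDR.size]]
    for hdr, frame in records(pcap):
        if rx.search(frame[payload_offset(frame):]):
            out.append(hdr + frame)
    return b"".join(out)

def modify(pcap, pattern, replacement):
    """'modify': rewrite matches; replacement is padded with 'X' or cut to the match length so length fields stay valid."""
    rx, out = re.compile(pattern), [pcap[:GLOBAL_HDR.size]]
    fit = lambda m: replacement.ljust(len(m.group(0)), b"X")[:len(m.group(0))]
    for hdr, frame in records(pcap):
        off = payload_offset(frame)
        out.append(hdr + frame[:off] + rx.sub(fit, frame[off:]))
    return b"".join(out)

def make_pcap(payloads):
    """Constructed test capture: one Ethernet/IPv4/TCP frame per payload (checksums left zero)."""
    out = [GLOBAL_HDR.pack(0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for i, p in enumerate(payloads):
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(p), 0, 0, 64, 6, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
        tcp = struct.pack("!HHIIBBHHH", 1234, 80, 0, 0, 0x50, 0x18, 8192, 0, 0)
        frame = b"\x00" * 12 + b"\x08\x00" + ip + tcp + p
        out.append(REC_HDR.pack(1251622260 + i, 0, len(frame), len(frame)) + frame)
    return b"".join(out)

SAMPLE = make_pcap([b"GET /pay?card=411111111111 HTTP/1.0\r\n", b"GET /index.html HTTP/1.0\r\n"])  # constructed
```

Calling `modify(SAMPLE, rb"\d{12}", b"XXXXXXXXXXXXX")` mirrors the command-line example above: the 13-character replacement is trimmed to the 12 matched digits, so the output file is byte-for-byte the same size as the input.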