New and Improved Pcap Utility
 

By Admin, on 30-08-2009 10:28

Views : 1288

Published in : Technology, Networking

It's been three years since I wrote the first pcap-util perl script for splitting and searching pcap capture files, and now, largely thanks to Damien Mascord of tusker.org, we have an update. Prepare yourself to be amazed by the sequel: "Pcap Util 2, Attack of the Application Layer"
 
The original pcap-util allowed you to split large dump files into smaller chunks of x MB in size, or to extract packets which fell within a certain time period. A little while later I added the ability to filter the dump using the standard libpcap filtering language. This language can extract data using most of the structures/fields used in layers 2-4 of the IP stack.
 
The new version of pcap-util adds two new functions which can be used to search for arbitrary strings within the application data of the packet:
 
1. Modify: This function allows you to search for a regular expression within the capture file, and replace it with another string. This is really useful if a vendor has asked you for a tcpdump to help diagnose a problem, but you need to ensure that you're not storing or sending any sensitive information within the data. It is also really useful if you need to adhere to PCI DSS guidelines. An example, removing all credit card numbers from a capture file:
./pcap-util modify input.pcap output.pcap "\d{12}" "XXXXXXXXXXXXX"
 
2. Search: This function was added by me, and really just re-uses Damien's matching code, but without the replacement. Search will look for packets containing the data you are searching for and copy them into the output file.
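The two new functions re-implemented in Python as an added example (this is not the pcap-util script itself, which is Perl): a minimal classic-pcap reader, a search that keeps only matching packets, and a modify that masks each match with a same-length fill so record lengths and header offsets stay intact. It assumes a little-endian classic pcap of Ethernet/IPv4 frames; the sample capture is constructed inside the code.

```python
import re
import struct

GHDR = struct.Struct("<IHHiIII")  # magic, major, minor, thiszone, sigfigs, snaplen, linktype
RHDR = struct.Struct("<IIII")     # ts_sec, ts_usec, incl_len, orig_len

def payload_offset(pkt):
    # Start of application data for Ethernet/IPv4 frames; 0 (whole packet) for anything else.
    if len(pkt) < 34 or pkt[12:14] != b"\x08\x00":
        return 0
    ihl, proto = (pkt[14] & 0x0F) * 4, pkt[23]
    if proto == 6:  # TCP: data offset is the upper nibble of byte 12 of the TCP header
        return 14 + ihl + (pkt[14 + ihl + 12] >> 4) * 4
    return 14 + ihl + (8 if proto == 17 else 0)  # UDP header is a fixed 8 bytes

def read_pcap(data):
    if GHDR.unpack_from(data, 0)[0] != 0xA1B2C3D4:
        raise ValueError("expected a little-endian classic pcap")
    off, packets = GHDR.size, []
    while off < len(data):
        hdr = RHDR.unpack_from(data, off)
        packets.append((hdr, data[off + RHDR.size:off + RHDR.size + hdr[2]]))
        off += RHDR.size + hdr[2]
    return data[:GHDR.size], packets  # (global header bytes, [(record header tuple, packet bytes)])

def search(data, pattern):
    # pcap-util "search": keep only packets whose application data matches the regex.
    ghdr, packets = read_pcap(data)
    rx = re.compile(pattern)
    return ghdr + b"".join(RHDR.pack(*h) + p for h, p in packets if rx.search(p[payload_offset(p):]))

def modify(data, pattern, fill=b"X"):
    # pcap-util "modify" as a redactor: same-length fill keeps record lengths and offsets valid.
    ghdr, packets = read_pcap(data)
    rx, out = re.compile(pattern), []
    for h, p in packets:
        o = payload_offset(p)
        out.append(RHDR.pack(*h) + p[:o] + rx.sub(lambda m: fill * len(m.group(0)), p[o:]))
    return ghdr + b"".join(out)  # note: TCP/UDP checksums are left stale

def build_sample_pcap():
    # Constructed input, not a real capture: two Ethernet/IPv4/UDP packets, one with a test PAN.
    def frame(payload):
        udp = struct.pack("!HHHH", 40000, 5000, 8 + len(payload), 0)
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28 + len(payload), 1, 0, 64, 17, 0,
                         b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02")
        pkt = b"\x00" * 12 + b"\x08\x00" + ip + udp + payload
        return RHDR.pack(0, 0, len(pkt), len(pkt)) + pkt
    ghdr = GHDR.pack(0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    return ghdr + frame(b"card=4111111111111111;") + frame(b"hello")
```

Because the fill is the same length as the match, the output stays a valid pcap that tcpdump or Wireshark will open; the stale checksums only matter if a tool is asked to validate them.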
 
pcap-util2 can be downloaded from here: http://www.badpenguin.co.uk/files/pcap-util2
 

Last update : 30-08-2009 10:51
