Hi, I would like to know who logs in to the application, and I can see that by filtering on port 1100; I get this type of line: 192.168.101.xxx 192.168.101.10 TCP 55482 > mctp [PSH, ACK] Seq=1352 Ack=195886 Win=65656 Len=163. But there are too many lines with this filter. I need to filter the data for the string "LoginData", not afterwards but during the capture, so as not to have too many lines (270 MB for one hour, and I want to make statistics over one month). Thanks in advance. asked 11 Dec '12, 07:51 Pheslot
2 Answers:
Capture filters are based on BPF and are executed in kernel space for speed. BPF is a sort of virtual machine with a limited instruction set. To optimize for speed and to make sure it is impossible to end up in an infinite loop, there is no way in BPF to search for a specific string in the whole packet. It can only look for strings at specific offsets. So unless the string "LoginData" is always at the same offset in a packet, there is no way to do this with BPF. However, if the string "LoginData" is always at the start of the packet, the following packet-filter might just be your friend :-)
answered 11 Dec '12, 10:28 SYN-bit ♦♦
I suggest checking ngrep.
This tool allows you to search for strings in IP packets, and if it finds the string, it will dump the content of the packet. It does work on Linux and it should work on Windows. Regards answered 14 Dec '12, 10:41 Kurt Knochner ♦ edited 14 Dec '12, 10:47
Hi SYN-bit,
Thank you, but I'm not very familiar with that; what I can tell you is that the whole packet looks like this:
In this frame, the string LoginData starts at offset 0x006a. Since the packet looks like binary data (and not HTML, for instance), it might just be that the string LoginData always starts at this offset. The filter would then become:
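As an added, worked example that is not part of any of the posts above: SYN-bit's point is that BPF can only compare bytes at fixed positions, and the last comment pins the string to frame offset 0x006a (106 decimal). The function below turns a string and a frame offset into a pcap-filter expression by splitting the string into 4-, 2- and 1-byte comparisons on `ether[offset:size]` (the only load sizes pcap-filter allows), combined with the port from the question. The port 1100 and the offset 106 come from the thread; the function name `build_filter`, the interface `eth0` and the output file names are assumptions for illustration.

```shell
#!/bin/sh
# Added example: generate a tcpdump/dumpcap capture filter that matches a
# fixed string at a fixed frame offset. BPF cannot search a packet, so each
# byte position is compared explicitly with ether[offset:size] = value.
#
# build_filter STRING FRAME_OFFSET [TCP_PORT]   (function name is hypothetical)
build_filter() {
    str=$1
    off=$2
    port=${3:-1100}                       # port from the original question

    # hex encoding of the string, e.g. LoginData -> 4c6f67696e44617461
    hex=$(printf '%s' "$str" | od -An -tx1 -v | tr -d ' \n')
    len=$(( ${#hex} / 2 ))

    filter="tcp port $port"
    pos=0
    while [ "$pos" -lt "$len" ]; do
        rem=$(( len - pos ))
        # pcap-filter only allows 1-, 2- or 4-byte loads, so chunk accordingly
        if   [ "$rem" -ge 4 ]; then n=4
        elif [ "$rem" -ge 2 ]; then n=2
        else n=1
        fi
        start=$(( pos * 2 + 1 ))
        end=$(( start + n * 2 - 1 ))
        chunk=$(printf '%s' "$hex" | cut -c"$start-$end")
        filter="$filter and ether[$(( off + pos )):$n] = 0x$chunk"
        pos=$(( pos + n ))
    done
    printf '%s\n' "$filter"
}

# Offset 0x006a from the thread is 106 decimal (start of "LoginData" in the frame).
# Prints:
# tcp port 1100 and ether[106:4] = 0x4c6f6769 and ether[110:4] = 0x6e446174 and ether[114:1] = 0x61
build_filter LoginData 106

# How it would be used (not executed here; interface and file names are assumptions):
#   tcpdump -i eth0 -w login.pcap "$(build_filter LoginData 106)"
#   dumpcap -i eth0 -f "$(build_filter LoginData 106)" -w login.pcapng
```

`ether[106:4]` counts from the first byte of the Ethernet frame, which is the same offset Wireshark shows in its hex pane, so the 0x006a from the comment can be used directly. The filter only holds while that position is stable: an Ethernet link without VLAN tags, and IP and TCP headers whose lengths do not change from packet to packet on these connections (TCP options would shift the payload). Before running it for a month, check it against the existing hour-long capture with `tcpdump -r old.pcap "$(build_filter LoginData 106)"` and confirm that every login packet, and nothing else, comes out.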