Currently I am using tshark with the command below to capture only packets which contain a GET request. Problem is the capture file is still too big, and reducing capture time is locked in at 1 hour captures. Does anyone know how I could modify the command below to capture only GET requests that contain ".exe" or ".jar" somewhere in them? Or if someone knows of another command-line capture utility which can do this please let me know, thanks.
asked 01 Jan '15, 21:11
Unfortunately, that would require looping over the packet contents, and the mechanism used for capture filtering doesn't support loops (the filters are, on most OSes, interpreted in the kernel, so strict limits are placed on what they can do, so that, for example, a program can't cause an infinite loop) and doesn't have a pattern-matching primitive, so that's not possible.
answered 02 Jan '15, 14:08
Guy Harris ♦♦
Take a look at ngrep.
See also my answer to a similar question:
Please read the ngrep man page for the filter syntax.
answered 04 Jan '15, 02:45
Kurt Knochner ♦
edited 04 Jan '15, 03:32
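Both answers come down to the same point: a capture filter (BPF) cannot pattern-match packet contents, so the ".exe"/".jar" selection has to happen after capture, either with ngrep or with a post-processor over the saved file. The following is an added example, not code from this thread, tshark or ngrep: a stdlib-only Python post-filter that keeps only frames whose HTTP request line is a GET whose target ends in .exe or .jar (narrower than "somewhere in the packet", which avoids hits on unrelated headers), writes them to a new pcap, and builds a constructed sample capture to run against. It assumes classic pcap files (not pcapng) with Ethernet/IPv4/TCP frames carrying plaintext HTTP/1.x.

```python
import re, struct

# Request line "GET <target> HTTP/1.x"; target must end in .exe/.jar (query allowed).
REQUEST_LINE = re.compile(rb'^GET (\S+) HTTP/1\.[01]\r\n')
INTERESTING = re.compile(rb'\.(exe|jar)(?:\?|$)', re.IGNORECASE)

def tcp_payload(frame):
    """TCP payload of an Ethernet/IPv4/TCP frame, or None if not TCP."""
    if len(frame) < 34 or frame[12:14] != b'\x08\x00' or frame[23] != 6:
        return None
    tcp = 14 + (frame[14] & 0x0F) * 4                # IHL in 32-bit words
    if len(frame) < tcp + 20:                        # truncated TCP header
        return None
    return frame[tcp + (frame[tcp + 12] >> 4) * 4:]  # skip TCP options

def requested_path(frame):
    """Request target if the frame carries a GET for .exe/.jar, else None."""
    m = REQUEST_LINE.match(tcp_payload(frame) or b'')
    if m and INTERESTING.search(m.group(1)):
        return m.group(1).decode('ascii', 'replace')
    return None

def filter_pcap(data):
    """Return (pcap bytes holding only matching frames, list of targets)."""
    end = {b'\xd4\xc3\xb2\xa1': '<', b'\xa1\xb2\xc3\xd4': '>'}[data[:4]]  # KeyError: not classic pcap
    out, paths, off = bytearray(data[:24]), [], 24   # keep the global header
    while off + 16 <= len(data):
        incl = struct.unpack(end + 'I', data[off + 8:off + 12])[0]
        record = data[off:off + 16 + incl]           # record header + frame
        path = requested_path(record[16:])
        if path:
            out += record
            paths.append(path)
        off += 16 + incl
    return bytes(out), paths

def build_pcap(payloads):
    """Constructed sample input: wrap HTTP payloads in minimal Ethernet/IP/TCP frames."""
    recs = b''
    for i, p in enumerate(payloads):
        ip = struct.pack('>BBHHHBBH4s4s', 0x45, 0, 40 + len(p), i, 0, 64, 6, 0,
                         b'\x0a\x00\x00\x01', b'\xc0\xa8\x00\x02')
        tcp = struct.pack('>HHIIBBHHH', 50000 + i, 80, 1, 1, 0x50, 0x18, 8192, 0, 0)
        frame = b'\x00' * 12 + b'\x08\x00' + ip + tcp + p
        recs += struct.pack('<IIII', 0, i, len(frame), len(frame)) + frame
    return struct.pack('<IHHiIII', 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1) + recs

SAMPLE = [b'GET /update/setup.exe HTTP/1.1\r\n\r\n',  # matches
          b'GET /index.html HTTP/1.1\r\n\r\n',         # no
          b'GET /dl/app.JAR?v=2 HTTP/1.0\r\n\r\n',     # matches (case, query string)
          b'POST /upload.exe HTTP/1.1\r\n\r\n']        # no: not a GET
```

Run it over each hourly file once tshark has closed it, e.g. `kept, paths = filter_pcap(open(path, 'rb').read())`, and write `kept` to a new file; the output is itself a valid pcap, so it can be opened in Wireshark or fed back through the same filter.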