Ethereal-users: RE: [Ethereal-users] searching capture file for text

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "Kevin Cohen" <kcohen@xxxxxxxxxxxxxx>
Date: Fri, 19 Jul 2002 09:06:13 -0700
Since you know the source and destination, you can use this command:
 
$original_file = binary dump file
$ip1 = your machine
$ip2 = web server
$outfile is the new binary containing just the traffic between your client machine and the web server
 
 
tethereal -r "$original_file" -R "(ip.src == $ip1 && ip.dst == $ip2) || (ip.src == $ip2 && ip.dst == $ip1)" -w "$outfile"
 
Just remember: if $ip1 or $ip2 is a name and not a number, you have to use eq instead of ==. That is, if your IP address is www.server.com instead of 10.0.0.1.
 
Hope this helps. Also, you should read the man page on tethereal. Snort can also separate your large dump file into more manageable dump files, so you should look at Snort and do a man on that as well.
-----Original Message-----
From: ethereal-users-admin@xxxxxxxxxxxx [mailto:ethereal-users-admin@xxxxxxxxxxxx]On Behalf Of Richard Urwin
Sent: Friday, July 19, 2002 3:17 AM
To: 'John Zeiger'; ethereal-users@xxxxxxxxxxxx
Subject: RE: [Ethereal-users] searching capture file for text

"print" the capture to a text file with full details enabled. Search the text file for your string. Find the packet of interest and then refer to that packet in Ethereal.
 
There is no search-at-unknown-offset facility in Ethereal.

--
Richard Urwin, Private
"No 9000 series computer has ever made a mitsake or corrubiteddatatato."
 

-----Original Message-----
From: John Zeiger [mailto:johnz@xxxxxxxxx]
Sent: Friday, July 19, 2002 4:27 AM
To: ethereal-users@xxxxxxxxxxxx
Subject: [Ethereal-users] searching capture file for text

I have a fairly large capture file with HTTP requests from a large number of users. I'm trying to debug a problem where a particular cookie is missing from the HTTP GET request. Unfortunately, the cookie is not at a fixed offset from the beginning of the HTTP request.
Ideally, I'd like to create a display filter that searches for all HTTP GET requests where the HTTP request contains (anywhere) a particular string. (Something like "http.request eq 1 and http[?] eq 'xyz'".) I've read the documentation a couple of times, but I can't figure out how to do this. Can anybody help?
 
If you can't do it with a display filter, can anyone suggest an alternative?
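Richard's workaround (dump the capture to text, then search it) done in code, as an added example that is not from the list thread: a minimal pcap reader that pulls every HTTP GET request out of a capture and reports whether the cookie string John is looking for appears anywhere in the request. The pcap bytes, addresses and cookie name below are constructed for the demonstration.

```python
import struct

def _pcap(payloads):
    """Build a minimal little-endian pcap (Ethernet link type) from TCP payloads (constructed sample data)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # global header
    for n, data in enumerate(payloads):
        tcp = struct.pack("!HHIIBBHHH", 40000 + n, 80, 1, 1, 5 << 4, 0x18, 8192, 0, 0)
        ip_len = 20 + len(tcp) + len(data)
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, ip_len, n, 0, 64, 6, 0,
                         bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
        frame = b"\x00" * 12 + b"\x08\x00" + ip + tcp + data  # dummy MACs, EtherType IPv4
        out += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    return out

def tcp_payloads(pcap):
    """Yield (frame_no, payload) for every IPv4/TCP frame in an Ethernet pcap."""
    endian = "<" if pcap[:4] == b"\xd4\xc3\xb2\xa1" else ">"
    off, frame_no = 24, 0
    while off + 16 <= len(pcap):
        _, _, caplen, _ = struct.unpack(endian + "IIII", pcap[off:off + 16])
        frame = pcap[off + 16:off + 16 + caplen]
        off += 16 + caplen
        frame_no += 1
        if frame[12:14] != b"\x08\x00" or frame[14 + 9] != 6:  # skip non-IPv4 / non-TCP
            continue
        ihl = (frame[14] & 0x0F) * 4
        ip_total = struct.unpack("!H", frame[16:18])[0]  # drop any Ethernet padding
        tcp = frame[14 + ihl:14 + ip_total]
        yield frame_no, tcp[(tcp[12] >> 4) * 4:]

def get_requests(pcap, needle):
    """Return [(frame_no, request_line, needle_present)] for each HTTP GET request in the capture."""
    results = []
    for frame_no, payload in tcp_payloads(pcap):
        if not payload.startswith(b"GET "):
            continue
        request_line = payload.split(b"\r\n", 1)[0].decode("ascii", "replace")
        results.append((frame_no, request_line, needle in payload))  # search at any offset
    return results

SAMPLE = _pcap([  # constructed: one GET with the cookie, one without, one response
    b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nCookie: session=abc; xyz=1\r\n\r\n",
    b"GET /login HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: test\r\n\r\n",
    b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n",
])

if __name__ == "__main__":
    for frame_no, line, found in get_requests(SAMPLE, b"xyz="):
        print(f"frame {frame_no}: {line} -> {'has' if found else 'MISSING'} cookie xyz")
```

Frames flagged MISSING are the ones to open in Ethereal by frame number; for a real capture, read the file bytes in place of SAMPLE.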
