Hi,

I would like to know who logs in on the application. I can see that by filtering on port 1100, where I get this type of line: 192.168.101.xxx 192.168.101.10 TCP 55482 > mctp [PSH, ACK] Seq=1352 Ack=195886 Win=65656 Len=163. But there are too many lines with this filter. I need to filter the data for the string "LoginData", but during the capture, not afterwards, so as not to have too many lines (270Mb for one hour, and I want to make statistics over one month).

Thanks in advance

asked 11 Dec '12, 07:51


Pheslot


Capture filters are based on BPF and are executed in kernel space for speed. BPF is a sort of virtual machine with a limited instruction set. To optimize for speed and to make sure it is impossible to end up in an infinite loop, there is no way in BPF to search for a specific string in the whole packet. It can only look for strings at specific offsets.

So unless the string "LoginData" is always at the same offset in a packet, there is no way to do this with BPF.

However, if the string "LoginData" is always at the start of the packet, the following packet filter might just be your friend :-)

tcp[0:4]=0x4c6f6769 and tcp[4:4]=0x6e446174 and tcp[8:1]=0x61

answered 11 Dec '12, 10:28


SYN-bit ♦♦

Hi SYN-bit,

Thank you but I'm not very familiar with that, what I can tell you it is that the whole packet is like that :

[image: screenshot of the packet]

(12 Dec '12, 01:51) Pheslot

In this frame, the string LoginData starts at offset 0x006a. Since the packet looks like binary data (and not html for instance), it might just be that the string LoginData always starts at this offset. The filter would then become:

tcp[0x6a:4]=0x4c6f6769 and tcp[0x6e:4]=0x6e446174 and tcp[0x72:1]=0x61
(13 Dec '12, 15:28) SYN-bit ♦♦
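As an added example (not part of SYN-bit's answer or anything else in this thread), the following Python builds the same 4-, 2- and 1-byte BPF compares for any string and offset, and evaluates them against a constructed TCP segment offline, so the filter logic can be checked before it goes anywhere near a live capture. Two caveats a practitioner should keep in mind while using it: tcp[N] counts from the start of the TCP header, so an offset read from Wireshark's frame hex pane must have the link-layer and IP header lengths subtracted (the helper assumes Ethernet, 14 bytes, and an option-free IPv4 header, 20 bytes, unless told otherwise); and if the TCP header itself carries options, a fixed offset shifts, which the payload-relative variant avoids by folding the TCP data-offset field into the index. Port 1100 comes from the question; the sample segment bytes and the "user=alice" payload tail are constructed for the demo.

```python
"""Build BPF capture filters that match a fixed string at a known offset.

Added example, not from the original thread. Port 1100 comes from the
question; the sample TCP segment below is constructed for the demo.
"""
from typing import List, Optional, Tuple

Compare = Tuple[int, int, bytes]  # (offset, width, expected bytes)


def split_compares(needle: bytes, offset: int) -> List[Compare]:
    """Split `needle` into the 4-, 2- and 1-byte loads BPF can express.

    BPF has no string search; it can only load 1, 2 or 4 bytes at a fixed
    offset and compare them, so a 9-byte string becomes 4 + 4 + 1.
    """
    compares: List[Compare] = []
    pos = 0
    while pos < len(needle):
        remaining = len(needle) - pos
        width = 4 if remaining >= 4 else 2 if remaining >= 2 else 1
        compares.append((offset + pos, width, needle[pos:pos + width]))
        pos += width
    return compares


def bpf_filter(needle: bytes, tcp_offset: int, port: Optional[int] = None) -> str:
    """Filter matching `needle` at `tcp_offset` bytes from the start of the
    TCP header (that is what tcp[N] means), optionally limited to a port."""
    terms = [f"tcp[{off}:{w}]=0x{val.hex()}"
             for off, w, val in split_compares(needle, tcp_offset)]
    if port is not None:
        terms.insert(0, f"tcp port {port}")
    return " and ".join(terms)


def bpf_payload_filter(needle: bytes, payload_offset: int,
                       port: Optional[int] = None) -> str:
    """Same match, but relative to the start of the TCP payload.

    (tcp[12:1]&0xf0)>>2 is the TCP data offset in bytes (header-length
    nibble times 4), so the filter keeps matching when the header carries
    options such as timestamps or SACK and the payload shifts.
    """
    hdr_len = "((tcp[12:1]&0xf0)>>2)"
    terms = [f"tcp[{hdr_len}+{off}:{w}]=0x{val.hex()}"
             for off, w, val in split_compares(needle, payload_offset)]
    if port is not None:
        terms.insert(0, f"tcp port {port}")
    return " and ".join(terms)


def frame_offset_to_tcp(frame_offset: int, link_len: int = 14,
                        ip_hdr_len: int = 20) -> int:
    """Convert an offset read from Wireshark's frame hex pane into a tcp[N]
    index. Assumes Ethernet (14 bytes) and an option-free IPv4 header (20
    bytes) unless told otherwise; check ip[0]&0x0f on the real traffic."""
    return frame_offset - link_len - ip_hdr_len


def segment_matches(segment: bytes, compares: List[Compare]) -> bool:
    """Evaluate the compares the way BPF would: every load must lie fully
    inside the packet (a short packet is rejected) and equal the constant."""
    for off, width, expected in compares:
        if off + width > len(segment):
            return False
        if segment[off:off + width] != expected:
            return False
    return True


# Constructed sample: a 20-byte TCP header (data offset 5, PSH+ACK) followed
# by a payload that starts with "LoginData". Not taken from a real capture.
SAMPLE_TCP_HEADER = bytes.fromhex(
    "d8ba" "044c"            # src port 55482, dst port 1100
    "00000548" "0002fd1e"    # seq, ack (arbitrary)
    "50" "18" "0100"         # data offset 5 (<<4), flags PSH|ACK, window
    "0000" "0000"            # checksum (unset), urgent pointer
)
SAMPLE_SEGMENT = SAMPLE_TCP_HEADER + b"LoginData\x00user=alice"


if __name__ == "__main__":
    print(bpf_filter(b"LoginData", 0))
    print(bpf_filter(b"LoginData", frame_offset_to_tcp(0x6a), port=1100))
    print(bpf_payload_filter(b"LoginData", 0, port=1100))
    print(segment_matches(SAMPLE_SEGMENT, split_compares(b"LoginData", 20)))
```

The string the functions return is pasted unchanged into the capture filter field of Wireshark or dumpcap, or quoted on the tcpdump command line (for example `tcpdump -i eth0 -s 0 -w login.pcap '<filter>'`). Note that such a filter keeps only the segment that carries "LoginData", not the rest of the session, which is exactly what keeps a month of captures small; and that bpf_filter(b"LoginData", 0) reproduces SYN-bit's first filter term for term.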

I suggest checking ngrep.

http://ngrep.sourceforge.net/usage.html

This tool allows you to search for strings in IP packets, and if it finds the string, it will dump the content of the packet.

It does work on Linux and it should work on Windows.

Regards
Kurt


answered 14 Dec '12, 10:41


Kurt Knochner ♦

edited 14 Dec '12, 10:47



powered by OSQA