I would like to know who logs in on the application, and I see that by filtering on port 1100. I have this type of line: 192.168.101.xxx 192.168.101.10 TCP 55482 > mctp [PSH, ACK] Seq=1352 Ack=195886 Win=65656 Len=163. But there are too many lines with this filter. I need to filter the data for the string "LoginData", but not afterwards: during the capture, so as not to have too many lines (270 MB for one hour, and I want to make statistics over one month).
Thanks in advance
asked 11 Dec '12, 07:51
Capture filters are based on BPF and are executed in kernel space for speed. BPF is a sort of virtual machine with a limited instruction set. To optimize for speed, and to make sure it is impossible to end up in an infinite loop, there is no way in BPF to search for a specific string in the whole packet. It can only look for strings at specific offsets.
So unless the string "LoginData" is always at the same offset in a packet, there is no way to do this with BPF.
However, if the string "LoginData" is always at the start of the packet, the following packet filter might just be your friend :-)
answered 11 Dec '12, 10:28
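As an added worked example (not part of the answer above), here is how the "string at a fixed offset" approach is put into practice with the libpcap/BPF filter syntax that tcpdump, dumpcap and Wireshark capture filters all share. BPF can only compare 1-, 2- or 4-byte words at known offsets, so the script splits the string into such chunks and compares each one against `tcp[off:len]`, where the TCP payload start is derived from the data-offset field (`(tcp[12:1] & 0xf0) >> 2` bytes from the start of the TCP header). The port 1100 and the string "LoginData" come from the question; the helper function names, the interface name and the file names are this example's own assumptions, and the string is assumed to be ASCII.

```shell
#!/bin/sh
# Added example: build a libpcap/BPF capture filter that matches a fixed
# string at a fixed offset inside the TCP payload. Function and file names
# below are assumptions made for this example.

# hex_of STRING  -> the bytes of STRING as lowercase hex, e.g. "Logi" -> 4c6f6769
hex_of() {
    printf '%s' "$1" | od -An -tx1 -v | tr -d ' \n'
}

# bpf_payload_match STRING [PAYLOAD_OFFSET]
# Prints a capture-filter expression that is true when STRING starts
# PAYLOAD_OFFSET bytes (default 0) into the TCP payload of a segment.
# The string is consumed in 4-byte chunks, then a 2-byte and/or 1-byte tail,
# because BPF loads are limited to those word sizes (assumes ASCII input).
bpf_payload_match() {
    str=$1
    base=${2:-0}
    expr=""
    pos=0
    while [ -n "$str" ]; do
        rest=${#str}
        if   [ "$rest" -ge 4 ]; then n=4
        elif [ "$rest" -ge 2 ]; then n=2
        else                         n=1
        fi
        chunk=$(printf "%.${n}s" "$str")   # first n characters
        str=${str#"$chunk"}                # drop them from the remainder
        off=$((base + pos))
        # Payload start = TCP header length = ((tcp[12] & 0xf0) >> 4) * 4 bytes.
        if [ "$off" -eq 0 ]; then
            idx='((tcp[12:1] & 0xf0) >> 2)'
        else
            idx="((tcp[12:1] & 0xf0) >> 2) + $off"
        fi
        term="tcp[$idx:$n] = 0x$(hex_of "$chunk")"
        if [ -z "$expr" ]; then expr=$term; else expr="$expr and $term"; fi
        pos=$((pos + n))
    done
    printf '%s\n' "$expr"
}

# login_capture_filter -> the complete filter for the question's case:
# port 1100 traffic whose TCP payload begins with "LoginData".
login_capture_filter() {
    printf 'tcp port 1100 and %s\n' "$(bpf_payload_match LoginData)"
}

# Show the filter when the script is run directly.
login_capture_filter
# e.g. capture one file per hour for later statistics (interface is an assumption):
#   tcpdump -i eth0 -s 0 -G 3600 -w 'login-%Y%m%d%H.pcap' "$(login_capture_filter)"
```

Only segments carrying the string at that exact payload offset are written to disk, which is what keeps the hourly files small. Two caveats a practitioner should keep in mind: the match is per segment, so if the application ever splits "LoginData" across two TCP segments, or puts it somewhere other than the payload start, those packets are missed; and `tcp[...]` offsets are computed by libpcap for IPv4 (including IP options), but older libpcap versions reject this indexing for IPv6 traffic. The same filter expression can be used as the BPF argument of other libpcap-based tools such as ngrep.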
I suggest checking out ngrep.
This tool allows you to search for strings in IP packets, and if it finds the string, it dumps the content of the packet.
It does work on Linux and it should work on Windows.