Just a quick post to detail a method for searching on ASCII strings in pcap dumps.

Recently, I had an investigation which required me to search for keywords in some very large (over 1 Gig) pcap files. As some of you searching may have realized, there aren’t any tools specifically designed for this task. So, this was my dirty, yet effective, solution to that challenge.

You need the tool tcpflow if you don’t already have it in your arsenal. Tcpflow will read a packet capture and output the payload to files for each discovered tcp conversation. You can instead choose to output the conversations to standard output with the -c parameter. Then pipe that to grep. Grep has a parameter -f which allows you to supply a file with line separated search strings. Below is an example of this in action.

1. First, create a file with a seperate search term or phrase on each line.echo "dog" >> keywords
echo "cat" >> keywords
echo "mouse" >> keywords
2. Now search for those words in your capture:tcpflow -r yourcapture.pcap -c | grep -i -f keywords > keyword_hits
   The -i parameter to grep means case insensitive.

That’s all there is to it. Enjoy!