Try adding the -a
or --binary-file=text
options
grep -aE '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+' file.pcap
or
grep --binary-file=text -E '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+' file.pcap
This appears to work for a random pcap file that I downloaded from wiki.wireshark.org i.e.
$ grep -E '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+' NTLM-wenchao.pcap
Binary file NTLM-wenchao.pcap matches
but
$ grep -aE '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+' NTLM-wenchao.pcap
Host: 192.168.0.55
Host: 192.168.0.55
Host: 192.168.0.55
Location: http://192.168.0.55/default.aspx
MicrosoftSharePointTeamServices: 12.0.0.6421
<body><h1>Object Moved</h1>This document may be found <a HREF="http://192.168.0."_?"_Ea@yÀ¨[À¨ÃPþµû%RÑ_Pü>ÕGET /default.aspx HTTP/1.1
Host: 192.168.0.55
etc.
Be aware of the warning (from the man page man grep
) that
If TYPE is text, grep processes a binary file as if it
were text; this is equivalent to the -a option. Warning: grep
--binary-files=text might output binary garbage, which can have
nasty side effects if the output is a terminal and if the
terminal driver interprets some of it as commands.
Note that although you can use the \d
regex (for digit), it is only supported by grep in PCRE mode (i.e. with the -P
switch).
Best Answer
This could be solved using a regular expression with negative lookbehind (which is experimentally supported in
grep
as pointed out by the comment from arrange):Since the support is just experimental, you might want to use
perl
instead: