Ubuntu – grep string from a pcap file

grep

I'm trying to figure out the correct command syntax. I have a pcap file, and I want to use grep, and grep only to take out all of the uniq ip addresses from without the file

So assuming the file is called capture.pcap and is in my home folder, what should I write?

I assume the regex can be '\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}'
and that sort and uniq must be included also, but it seems the pcap doesn't respond well with grep, for example using the normal syntax of grep file word doesn't work, if I run: grep 239 ./capture.pcap I get the replay Binary file ./capture/pcap matches

Best Answer

Try adding the -a or --binary-file=text options

grep -aE '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+' file.pcap
or 
grep --binary-file=text -E '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+' file.pcap


This appears to work for a random pcap file that I downloaded from wiki.wireshark.org i.e.

$ grep -E '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+' NTLM-wenchao.pcap
Binary file NTLM-wenchao.pcap matches

but

$ grep -aE '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+' NTLM-wenchao.pcap
Host: 192.168.0.55
Host: 192.168.0.55
Host: 192.168.0.55
Location: http://192.168.0.55/default.aspx
MicrosoftSharePointTeamServices: 12.0.0.6421
<body><h1>Object Moved</h1>This document may be found <a HREF="http://192.168.0."_?"_Ea@yÀ¨[À¨ÃPþµû%RÑ_Pü>ÕGET /default.aspx HTTP/1.1
Host: 192.168.0.55

etc.

Be aware of the warning (from the man page man grep) that 

If TYPE is text, grep processes a binary file as if  it
were  text;  this is equivalent to the -a option.  Warning: grep
--binary-files=text might output binary garbage, which can  have
nasty  side  effects  if  the  output  is  a terminal and if the
terminal driver interprets some of it as commands.


Note that although you can use the \d regex (for digit), it is only supported by grep in PCRE mode (i.e. with the -P switch).

Related Question