Try adding the -a or --binary-file=text options:
grep -aE '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+' file.pcap
or
grep --binary-file=text -E '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+' file.pcap
This appears to work for a random pcap file that I downloaded from wiki.wireshark.org i.e.
$ grep -E '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+' NTLM-wenchao.pcap
Binary file NTLM-wenchao.pcap matches
but
$ grep -aE '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+' NTLM-wenchao.pcap
Host: 192.168.0.55
Host: 192.168.0.55
Host: 192.168.0.55
Location: http://192.168.0.55/default.aspx
MicrosoftSharePointTeamServices: 12.0.0.6421
<body><h1>Object Moved</h1>This document may be found <a HREF="http://192.168.0."_?"_Ea@yÀ¨[À¨ÃPþµû%RÑ_Pü>ÕGET /default.aspx HTTP/1.1
Host: 192.168.0.55
etc.
Be aware of the warning (from the man page, man grep) that:
If TYPE is text, grep processes a binary file as if it
were text; this is equivalent to the -a option. Warning: grep
--binary-files=text might output binary garbage, which can have
nasty side effects if the output is a terminal and if the
terminal driver interprets some of it as commands.
Note that although you can use the \d regex (for digit), it is only supported by grep in PCRE mode (i.e. with the -P switch).
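As an added example (not part of the answer above), here is the same grep -a approach wrapped so that only the matched addresses, never the surrounding binary bytes, reach the terminal. The input file is constructed inline so the script runs offline; the function names and the awk octet check are my additions, and the pattern is the one used in the answer.

```sh
#!/bin/sh
# Added example: extract IPv4-looking strings from a binary file safely.
# -a  : treat the binary file as text (same as --binary-files=text)
# -o  : print only the matched text, so no raw binary reaches the terminal
# LC_ALL=C : treat every byte as a character, so non-UTF-8 bytes do not upset grep
set -eu

# Constructed sample: text lines with addresses plus a run of arbitrary bytes,
# enough for grep to classify the file as binary. Path is whatever mktemp gives.
make_sample() {
    f=$(mktemp)
    printf 'Host: 192.168.0.55\r\n' > "$f"
    printf '\000\001\002\377\376\375' >> "$f"
    printf 'Location: http://192.168.0.55/default.aspx\r\n' >> "$f"
    printf 'MicrosoftSharePointTeamServices: 12.0.0.6421\r\n' >> "$f"
    printf 'Peer 10.0.0.1 sent 999.1.1.1 (not an address)\r\n' >> "$f"
    printf '%s' "$f"
}

# Every dotted-quad-looking string, one per line, deduplicated.
# Note this also returns version numbers such as 12.0.0.6421.
extract_ipv4() {
    LC_ALL=C grep -aoE '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+' "$1" | LC_ALL=C sort -u
}

# Stricter: keep only candidates whose four octets are all <= 255.
extract_valid_ipv4() {
    extract_ipv4 "$1" | awk -F. 'NF == 4 && $1 <= 255 && $2 <= 255 && $3 <= 255 && $4 <= 255'
}
```

Using -o sidesteps the man page warning in practice, since the binary bytes between matches are never printed; if you do need whole lines, pipe through cat -v so control bytes are shown as ^X / M-x rather than sent to the terminal driver.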
You could use awk with some redirection:
awk -F/ '/^PAT/{close(file);file = $NF; next} /./{print >> file}' foo
The result:
$ head page0*
==> page01 <==
ABC
DEF
==> page02 <==
GHI
JKL
==> page03 <==
MNO
PQR
Essentially, for each line beginning with PAT, I'm saving the last field (via a field separator of /) in the variable file, and then printing every non-empty line (/./ matches lines with at least one character) to the file name contained in file.
Note that it's important to close the previous file at each loop to prevent a "makes too many open files" error when there are "a lot" of files created.
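As an added example (not the answer's own test data), this builds an input file in the shape the awk one-liner expects, with a PAT line naming each section's output file by its last /-separated field, and runs the one-liner in a scratch directory. The file contents and directory layout are constructed here.

```sh
#!/bin/sh
# Added example: split a file into per-section files with the awk one-liner above.
set -eu

# Constructed input. Each "PAT .../name" line starts a section; the non-empty
# lines after it go to a file called "name" in the current directory.
write_sample() {
    cat > "$1" <<'EOF'
PAT /some/prefix/page01
ABC
DEF

PAT /some/prefix/page02
GHI
JKL

PAT /some/prefix/page03
MNO
PQR
EOF
}

# Split input file "$1" into section files inside directory "$2".
# close(file) on the very first PAT line closes an unopened (empty) name,
# which awk treats as a harmless no-op.
split_sections() {
    ( cd "$2" && awk -F/ '/^PAT/{close(file); file = $NF; next} /./{print >> file}' "$1" )
}
```

Because the one-liner appends with >>, running it twice against the same directory doubles every section; remove the old page* files first if you re-run it.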
Best Answer
Thanks to @terdon and @jhilmer for making the quoting decidedly less tricky
If you want the '
If you don't want the '
Explanation
-o : just show the matched part
-E : use ERE so we can use | to search for multiple patterns
" : start quoting / stop quoting
(THIS|THAT) : match THIS or THAT
.* : match any number of any characters
\' : literal '
[^']* : any number of any characters except '
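The answer's commands did not survive on this page, so as an added example (mine, not the answer's) here are the two standard ways to get a literal single quote into a grep -E pattern, plus a check that they match identically. I use [^']* rather than .* before the opening quote so the match stops at the first quoted string; the input lines are constructed here.

```sh
#!/bin/sh
# Added example: a literal ' inside a grep -oE pattern, quoted two ways.
set -eu

# Constructed input lines.
sample() {
    printf '%s\n' \
        "THIS is 'quoted text' here" \
        "nothing to see" \
        "THAT one has 'another value' and tail"
}

# Double-quoted pattern: a ' inside "..." needs no escaping at all.
with_quote_dq() { sample | grep -oE "(THIS|THAT)[^']*'[^']*'"; }

# Single-quoted pattern: close the quote, add an escaped \', reopen.
# '\'' is how a literal ' is spelled inside a single-quoted shell string;
# the shell hands grep exactly the same pattern as with_quote_dq.
with_quote_sq() { sample | grep -oE '(THIS|THAT)[^'\'']*'\''[^'\'']*'\'''; }

# Same idea, but leave the closing ' out of the match.
without_quote() { sample | grep -oE "(THIS|THAT)[^']*'[^']*"; }
```

When the pattern contains both kinds of quote, or shell metacharacters such as $ and backticks, the single-quoted form with '\'' is the safer one: inside double quotes the shell still expands $var and `cmd` before grep sees the pattern.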