Lib.rs

Network programming
#packet #pcap #string-search #networking #regex #packet-analyzer #dns-resolver

bin+lib pktstrings

Like Unix 'strings' command but packet-aware

by Pete Wicken

9 stable releases

1.4.1 Feb 15, 2024
1.4.0 Jun 17, 2023
1.3.0 Apr 6, 2023
1.2.0 Jan 20, 2023
1.0.1 Dec 31, 2022

#518 in Network programming

35 downloads per month

MIT license

225KB
839 lines

pktstrings

build status lint status crate license crate version

Ever ran strings on a PCAP and found something interesting, but left frustrated you have no context of which packet it occurred in?

Pktstrings is like Unix strings command, but packet-aware.

It finds anything looking like an ASCII string in your PCAP and dumps the packet number plus IP 5-tuple (or MACs + Ethertype if not IP) of where the strings were found.

image

Requires libpcap headers (See Dependencies) to build.

Features

  • Support for both offline PCAPs and live network capture.
  • Filter which packets are analysed with BPF expressions.
  • Regex filtering on packets before attempting to find strings.
  • DNS resolver with local cache (--feature resolve to enable option).
  • Grep friendly (default) and copy friendly (-b, --block-print) output options.
  • Support for 802.1Q networks; showing the VLAN ID and IPs if present.

Dependencies

Pktstrings uses the pcap crate and thus requires libpcap (or Npcap/WinPcap on Windows) to be installed before building. Follow the instructions the pcap crate provides to get the correct installation instructions for your system.

https://github.com/rust-pcap/pcap#installing-dependencies

Install

To install binary from crates.io cargo install pktstrings

To install with optional DNS resolver flag (-r, --resolve-dns): cargo install pktstrings --features=resolve

To install with colour output disabled: cargo install pktstrings --features=bland

To install from cloned source: cargo install --path .

Running

Default install location is ~/.cargo/bin/pktstrings. Run pktstrings with -h for help and available options.

About BPF & Regex

Pktstrings provides two ways to filter output noise when dumping strings; BPF expressions and regex. BPF expressions should be preferred as they are by far the fastest way to cut down to packets of interest. However, sometimes it's useful to be able to perform free-form searches rather than fixed place; so pktstrings also supports regular expressions as a way of further filtering down to only packets of interest. The regular expression based filtering passes the entire packet data through Rust's regex engine using the regex::bytes crate; this means as well as being able to match against string expressions we can also match against arbitrary bytes within the packet data. The expressions provided by the user have an implicit .*?.

The BPF and Regex filters act only as a pre-filter stage before performing the string search. Once a packet matches these filters, the data will undergo the standard ASCII string dump as usual.

Examples

Only dump strings from packets that contain a certain string somewhere: pktstrings -f my_capture.pcap -s 'CTF_FLAG{.+}'

Find mDNS chatter on local network: pktstrings -e 'udp port 5353'

Basic auth logins to locally run HTTP server: pktstrings -i en0 -e 'tcp port 80' -s 'POST.+login.php'

HTTP response packets where a specific cookie is being set: pktstrings -f my_capture.pcap --resolve-dns -e 'ip src 192.168.1.100 and tcp port 80' -s 'Set-Cookie:.+\b[Dd]omain=.*some-http-server.com'

Packets containing arbitrary byte pattern followed by a valid UTF-8 encoded string : pktstrings -f my_capture.pcap -s '(?-u)\x7b\xa9(?:[\x80-\xfe]|[\x40-\xff].)(?u:(.*))'

TODO (maybe):

  • Other string encodings
  • Support more protocols
  • Full PCAPNG support

Dependencies

~4–16MB
~138K SLoC