ipstrings(8)		    System Manager's Manual		  ipstrings(8)

NAME
       ipstrings - Reads strings from pcap dump files

SYNOPSIS
       ipstrings [-cefimnprstuwvz] [interface]

DESCRIPTION
       ipstrings reads text strings from all traffic on a network interface or
       from a pcap format data file (produced by tcpdump and other programs).

OPTIONS
       interface
              Network interface to read data from.

       -c <npacket>
              Terminate program after reading <npacket> packets.

       -e     Print source and destination ethernet address with each string.

       -f     Filter incoming packets according to filter string.  For
              example,

                 ipstrings -f "host 137.99.17.17" eth0

              will pass the string "host 137.99.17.17" to the pcap library's
              filter routine.  Thus ipstrings will only see packets with
              137.99.17.17 in one of the two ip addresses.  The filter
              commands are extensive and are explained fully in the tcpdump
              man page.

       -i     Print source and destination ip address with each string.

       -m     Do not enter promiscuous mode when reading network interface.

       -n <nchar>
              Consider strings to be any set of printable characters (ASCII 32
              to 126) <nchar> characters long or greater.  When <nchar> is set
              to zero, then only those sets of printable characters which are
              terminated by an ASCII 0 are printed.

       -p     Print protocol number, source and destination port number for
              packets for each string printed.  If protocol number is not 6 or
              17 (tcp or udp) then port values are printed as 0.

       -r <dumpfile>
              Reads network info from <dumpfile> instead of reading live from
              network.  Such a dumpfile could have been produced by the
              programs ipstrings, tcpdump or ethereal (http://www.zing.org).
              You can read from standard input using '-' as the file name;
              this feature is provided by the pcap library.

       -s <nlen>
              Read no more than first <nlen> packet bytes.  Default is 96,
              minimum is 68.

       -t     Write packet time in format HH:MM:SS.SSSS for string printed.

       -u     Write packet time in GMT time instead of the default local time.

       -w <dumpfile>
              Writes first <nlen> bytes of every packet to <dumpfile> in pcap
              format (see -s option about <nlen>).  Can later be read by
              programs such as ipaudit, ipstrings, tcpdump or ethereal.  Use
              '-' to write to standard out (this is a feature provided by the
              pcap library).

       -v     Print version information.

       -z     Write packet size in bytes (size of ip portion, does not include
              ethernet or other header).
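
       The -n rule above, written out as a short Python function.  This is an
       added illustration, not code from ipstrings; extract_strings and SAMPLE
       are names made up here, and it assumes that with <nchar> set to zero
       any non-empty printable run followed by a NUL byte counts.

```python
PRINTABLE = range(32, 127)  # ASCII 32..126, the range given for -n


def extract_strings(payload, nchar):
    """Return the printable runs in payload (bytes) under the -n rule.

    nchar > 0:  every run of at least nchar printable bytes.
    nchar == 0: only runs immediately followed by a NUL byte
                (assumption: any non-empty run qualifies in this mode).
    """
    if nchar < 0:
        raise ValueError("nchar must be >= 0")
    found = []
    start = None
    for pos, byte in enumerate(payload):
        if byte in PRINTABLE:
            if start is None:
                start = pos          # a new run begins here
            continue
        if start is not None:        # a non-printable byte closes the run
            run = payload[start:pos]
            if nchar == 0:
                if byte == 0:        # zero mode keeps NUL-terminated runs only
                    found.append(run.decode("ascii"))
            elif len(run) >= nchar:
                found.append(run.decode("ascii"))
            start = None
    # A run that reaches the end of the captured bytes (for example when the
    # packet was cut at the -s length) has no terminator, so it can only
    # qualify under the length rule.
    if start is not None and nchar > 0 and len(payload) - start >= nchar:
        found.append(payload[start:].decode("ascii"))
    return found


# Constructed payload: two text lines, a short NUL-terminated token, a longer
# NUL-terminated token, and an unterminated tail.
SAMPLE = b"\x00\x01USER jibe\r\nPASS xxxxxxxx\r\n\xff\xfeab\x00cfg=1\x00tail"

if __name__ == "__main__":
    print(extract_strings(SAMPLE, 4))
    print(extract_strings(SAMPLE, 0))
```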

INPUT EXAMPLES
       To read strings from packets going by interface eth0
          ipstrings eth0

       To read all strings from a pcap dump file 'pcap.dump'
          ipstrings -r pcap.dump

       To read only for host 10.2.2.2
          ipstrings -r pcap.dump -f "host 10.2.2.2"

       To read 'pcap.dump' only for host 10.2.2.2 and port 21 (ftp)
          ipstrings -r pcap.dump -f "host 10.2.2.2 and port 21"

       To read gzip'ed 'pcap.dump.gz' for all hosts and only port 23 (telnet)
          zcat pcap.dump.gz | ipstrings -r- -f "port 23"

OUTPUT EXAMPLES
       A short FTP session to 127.0.0.1 was captured in pcap.file.  When we
       give the command
          ipstrings -ip -rpcap.file

       the output is

          127.000.000.001 127.000.000.001   6     21   1323  220 bluebird FTP server (Versi
          127.000.000.001 127.000.000.001   6   1323     21  USER jibe
          127.000.000.001 127.000.000.001   6     21   1323  331 Password required for jibe
          127.000.000.001 127.000.000.001   6   1323     21  PASS xxxxxxxx
          127.000.000.001 127.000.000.001   6     21   1323  230 User jibe logged in.
          127.000.000.001 127.000.000.001   6   1323     21  SYST
          127.000.000.001 127.000.000.001   6     21   1323  215 UNIX Type: L8
          127.000.000.001 127.000.000.001   6   1323     21  QUIT
          127.000.000.001 127.000.000.001   6     21   1323  221-You have transferred 0 byt
          127.000.000.001 127.000.000.001   6     21   1323  221-Total traffic for this ses

       The first two columns are the source and destination ip addresses.
       Column three is the protocol; in this example all are 6, meaning all
       packets are tcp.  Columns four and five are the source and destination
       port numbers.  Starting in the sixth column are the printable strings
       that were found in the packets.
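
       Because the sixth column carries payload text verbatim, the listing
       above shows an FTP login crossing the wire in the clear.  The added
       Python example below (not part of ipstrings; parse_line and
       cleartext_logins are hypothetical names) parses the six documented
       columns and reports FTP control connections that sent USER/PASS
       unencrypted, without retaining the password.

```python
from collections import namedtuple

Record = namedtuple("Record", "src dst proto sport dport text")

# Sample lines taken from the FTP session output shown on this page.
SAMPLE = """\
127.000.000.001 127.000.000.001   6     21   1323  220 bluebird FTP server (Versi
127.000.000.001 127.000.000.001   6   1323     21  USER jibe
127.000.000.001 127.000.000.001   6     21   1323  331 Password required for jibe
127.000.000.001 127.000.000.001   6   1323     21  PASS xxxxxxxx
127.000.000.001 127.000.000.001   6     21   1323  230 User jibe logged in.
"""

def _ip(padded):
    # ipstrings prints zero-padded octets (127.000.000.001); normalise them.
    return ".".join(str(int(octet)) for octet in padded.split("."))

def parse_line(line):
    """Split one `ipstrings -ip` line into the six documented columns."""
    parts = line.split(None, 5)
    if len(parts) < 6:
        return None  # wrapped or truncated line
    try:
        return Record(_ip(parts[0]), _ip(parts[1]), int(parts[2]),
                      int(parts[3]), int(parts[4]), parts[5].rstrip())
    except ValueError:
        return None  # not an address/number where one was expected

def cleartext_logins(lines):
    """One finding per FTP control connection that sent USER/PASS in clear."""
    findings = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec.proto != 6 or rec.dport != 21:
            continue
        verb, _, arg = rec.text.partition(" ")
        verb = verb.upper()
        if verb not in ("USER", "PASS"):
            continue
        key = (rec.src, rec.sport, rec.dst)
        entry = findings.setdefault(
            key, {"client": rec.src, "server": rec.dst, "user": None, "password_seen": False})
        if verb == "USER":
            entry["user"] = arg
        else:
            entry["password_seen"] = True  # record the exposure, not the secret
    return list(findings.values())

if __name__ == "__main__":
    for finding in cleartext_logins(SAMPLE.splitlines()):
        print(finding)
```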

BUGS
       Report any to jon.rifkin@uconn.edu.

URL
       http://ipaudit.sourceforge.net

VERSION
       1.0 Oct 13, 2005

SEE ALSO
       tcpdump(1) pcap(3) ipaudit(1)

ipstrings 1.0			 October 2005			  ipstrings(8)
