
FreeBSD Manual Pages


ipstrings(8)		    System Manager's Manual		  ipstrings(8)

       ipstrings - Reads strings from pcap dump	files

       ipstrings [-cefimnprstuwvz] [interface]

       ipstrings reads text strings from all traffic on	a network interface or
       from a pcap format data file (produced by tcpdump and other programs).

       interface
              Network interface to read data from.

       -c <npacket>
	      Terminate	program	after reading <npacket>	packets.

       -e     Print source and destination ethernet address with each string.

       -f     Filter incoming packets according to filter string.  For example,

                 ipstrings -f "host" eth0

              will pass the string "host" to the pcap library's filter
              routine.  Thus ipstrings will only see packets with in one of
              the two ip addresses.  The filter commands are extensive and
              are explained fully in the tcpdump man

       -i     Print source and destination ip address with each	string.

       -m     Do not enter promiscuous mode when reading network interface.

       -n <nchar>
              Consider strings to be any set of printable characters (ASCII 32
              to 126) <nchar> characters long or greater.  When <nchar> is set
              to zero, then only those sets of printable characters which are
              terminated by an ASCII 0 are printed.

       -p     Print protocol number, source and	destination  port  number  for
	      packets for each string printed.	If protocol number is not 6 or
	      17 (tcp or udp) then port	values are printed as 0.

       -r <dumpfile>
              Reads network info from <dumpfile> instead of reading live from
              the network.  Such a dumpfile could have been produced by the
              programs ipstrings, tcpdump or ethereal.
              You can read from standard input using '-' as the file name;
              this feature is provided by the pcap library.

       -s <nlen>
              Read no more than the first <nlen> bytes of each packet.
              Default is 96, minimum is 68.

       -t     Write packet time in format HH:MM:SS.SSSS for each string printed.

       -u     Write packet time in GMT instead of the default local time.

       -w <dumpfile>
              Writes the first <nlen> bytes of every packet to <dumpfile> in
              pcap format (see the -s option about <nlen>).  The file can
              later be read by programs such as ipaudit, ipstrings, tcpdump
              or ethereal.  Use '-' to write to standard output (this is a
              feature provided by the pcap library).

       -v     Print version information.

       -z     Write packet size	in bytes (size of ip portion, does not include
	      ethernet or other	header).
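
       The -n rule above, sketched in Python as an added example (it is not
       code from ipstrings itself). The function name extract_strings, the
       sample payload, and the choice to treat a run that reaches the end of
       the captured bytes without a NUL as unterminated are assumptions.

```python
# Added illustration of the -n rule described above; not ipstrings source code.
PRINTABLE_LO, PRINTABLE_HI = 32, 126  # printable ASCII range given in the -n text


def extract_strings(payload: bytes, nchar: int) -> list:
    """Return printable runs in payload according to the -n description.

    nchar > 0:  every run of printable bytes at least nchar long.
    nchar == 0: only runs that are immediately followed by a NUL byte.
    """
    if nchar < 0:
        raise ValueError("nchar must be >= 0")
    found = []
    start = None  # index where the current printable run began
    # Iterate one position past the end so a run touching the end is closed.
    for i in range(len(payload) + 1):
        byte = payload[i] if i < len(payload) else None
        if byte is not None and PRINTABLE_LO <= byte <= PRINTABLE_HI:
            if start is None:
                start = i
            continue
        if start is not None:
            run = payload[start:i]
            if nchar == 0:
                # Assumption: end of captured data (None) is not a NUL terminator.
                keep = byte == 0
            else:
                keep = len(run) >= nchar
            if keep:
                found.append(run.decode("ascii"))
            start = None
    return found


# Constructed payload: three non-printable bytes, a NUL-terminated name, a short
# run ("ok") ended by CRLF, and an FTP-style line that ends without a terminator.
SAMPLE = b"\xff\xfb\x01" + b"bluebird\x00" + b"ok\r\n" + b"USER jibe"

if __name__ == "__main__":
    for n in (0, 4, 2):
        print(n, extract_strings(SAMPLE, n))
```

       Under that assumption, a string cut short by the -s snap length never
       reaches its terminating NUL and is not reported when <nchar> is zero.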

       To read strings from packets going by interface eth0
	  ipstrings eth0

       To read all strings from	a pcap dump file 'pcap.dump'
	  ipstrings -r pcap.dump

       To read only for	host
	  ipstrings -r pcap.dump -f "host"

       To read 'pcap.dump' only	for host and port 21 (ftp)
	  ipstrings -r pcap.dump -f "host and port 21"

       To read gzip'ed 'pcap.dump.gz' for all hosts and only port 23 (telnet)
          zcat pcap.dump.gz | ipstrings -r- -f "port 23"

       A short FTP session to was captured in pcap.file.  When we give the
       command
          ipstrings -ip -rpcap.file

       the output is

            6     21   1323  220 bluebird FTP server (Versi
            6   1323     21  USER jibe
            6     21   1323  331 Password required for jibe
            6   1323     21  PASS xxxxxxxx
            6     21   1323  230 User jibe logged in.
            6   1323     21  SYST
            6     21   1323  215 UNIX Type: L8
            6   1323     21  QUIT
            6     21   1323  221-You have transferred 0 byt
            6     21   1323  221-Total traffic for this ses

       The first two columns are the  source  and  destination	ip  addresses.
       Column  three  is  the  protocol, in this example all are 6 meaning all
       packets are tcp.	 Columns four and five are the source and  destination
       port  numbers.	Starting in the	sixth column are the printable strings
       that were found in the packets.

       Report any to


       1.0 Oct 13, 2005

       tcpdump(1) pcap(3) ipaudit(1)

ipstrings 1.0			 October 2005			  ipstrings(8)

