


ipstrings(1)					     ipstrings(1)


NAME
       ipstrings - Reads strings from pcap dump files


SYNOPSIS
       ipstrings [-cefimnprstwvz] [interface]



DESCRIPTION
       ipstrings reads text strings from all traffic on a network
       interface or from a pcap format	data  file  (produced  by
       tcpdump and other programs).


OPTIONS
       interface
	      Network interface to read data from.


       -c <npacket>
	      Terminate	 program after reading <npacket> packets.


       -e     Print source and destination ethernet address  with
	      each string.


       -f     Filter incoming packets according to filter string.
	      For example,

		 ipstrings -f "host 137.99.17.17" eth0

	      will pass the string  "host  137.99.17.17"  to  the
	      pcap library's filter routine.  Thus ipstrings will
	      only see packets with 137.99.17.17 in  one  of  the
	      two  ip  addresses.  The filter commands are exten-
	      sive and are explained fully  in	the  tcpdump  man
	      page.


       -i     Print  source  and destination ip address with each
	      string.


       -m     Do not enter promiscuous mode when reading  network
	      interface.


       -n <nchar>
	      Consider strings to be any set of printable charac-
	      ters (ASCII 32 to 126) <NCHAR> characters	 long  or
	      greater.	 When  <NCHAR>	is set to zero, then only
	      those  sets  of  printable  characters  which   are



ipstrings 0.5		   22 May 2000				1





ipstrings(1)					     ipstrings(1)


	      terminated by an ASCII 0 are printed.


       -p     Print  protocol number, source and destination port
	      number for packets for  each  string  printed.   If
	      protocol	number	is  not 6 or 17 (tcp or udp) then
	      port values are printed as 0.


       -r <dumpfile>
	      Reads network info from <dumpfile> instead of read-
	      ing  live from network.  Such a dumpfile could have
	      been produced by the programs ipstrings  ,  tcpdump
	      or  ethereal  (http://www.zing.org).   You can read
	      from standard input using '-'  as	 the  file  name,
	      this feature is provided by the pcap libarary.


       -s <nlen>
	      Read  no	more  than  first  <nlen>  packet  bytes.
	      Default is 96, minimum is 68.



       -t     Write  packet  time  in  format  HH:MM:SS.SSSS  for
	      string printed.


       -w <dumpfile>
	      Writes first <nlen> bytes of every packet to <dump-
	      file> in pcap format (see -s option about	 <nlen>).
	      Can  later  be  read  by programs such as ipaudit ,
	      ipstrings , tcpdump or ethereal , Use '-' to  write
	      to  standard out (this is a feature provided by the
	      pcap library).


       -v     Print version information.


       -z     Write packet size in bytes  (size	 of  ip	 portion,
	      does not include ethernet or other header).




INPUT EXAMPLES
       To read strings from packets going by interface eth0
	  ipstrings eth0

       To read all strings from a pcap dump file 'pcap.dump'
	  ipstrings -r pcap.dump

       To read only for host 10.2.2.2



ipstrings 0.5		   22 May 2000				2





ipstrings(1)					     ipstrings(1)


	  ipstrings -r pcap.dump -f "host 10.2.2.2"

       To  read	 'pcap.dump'  only  for host 10.2.2.2 and port 21
       (ftp)
	  ipstrings -r pcap.dump -f "host 10.2.2.2 and port 21"

       To read gzip'ed 'pcap.dump.gz" for all hosts and only port
       23 (telnet)
	  zcat pcap.dump.gz | ipstrings -r- "port 23"


OUTPUT EXAMPLES
       A   short   FTP	session	 to  127.0.0.1	was  captured  in
       pcap.file.  When we give the command
	  ipstrings -i -rpcap.fil

       the output is

	  127.000.000.001 127.000.000.001   6	  21   1323   220
       bluebird FTP server (Versi
	  127.000.000.001 127.000.000.001   6	1323	 21  USER
       jibe
	  127.000.000.001 127.000.000.001   6	  21   1323   331
       Password required for jibe
	  127.000.000.001 127.000.000.001   6	1323	 21  PASS
       xxxxxxxx
	  127.000.000.001 127.000.000.001   6	  21   1323   230
       User jibe logged in.
	  127.000.000.001 127.000.000.001   6	1323	 21  SYST
	  127.000.000.001 127.000.000.001   6	  21   1323   215
       UNIX Type: L8
	  127.000.000.001 127.000.000.001   6	1323	 21  QUIT
	  127.000.000.001  127.000.000.001    6	      21     1323
       221-You have transferred 0 byt
	  127.000.000.001   127.000.000.001	6      21    1323
       221-Total traffic for this ses

       The first two columns are the source  and  destination  ip
       addresses.   Column three is the protocol, in this example
       all are 6 meaning all packets are tcp.  Columns	four  and
       five  are the source and destination port numbers.  Start-
       ing in the sixth column are  the	 printable  strings  that
       were found in the packets.


BUGS
       Report any to jon.rifkin@uconn.edu.


URL
       http://www.sp.uconn.edu/~jrifkin/ipstrings/






ipstrings 0.5		   22 May 2000				3





ipstrings(1)					     ipstrings(1)


VERSION
       0.5 May 25, 2000


SEE ALSO
       tcpdump(1) pcap(3) ipaudit(1)



















































ipstrings 0.5		   22 May 2000				4


