ipstrings(8)		    System Manager's Manual		  ipstrings(8)

NAME
       ipstrings - Reads strings from pcap dump	files

SYNOPSIS
       ipstrings [-cefimnprstuwvz] [interface]

DESCRIPTION
       ipstrings reads text strings from all traffic on	a network interface or
       from a pcap format data file (produced by tcpdump and other programs).

OPTIONS
       interface
	      Network interface	to read	data from.

       -c <npacket>
	      Terminate	program	after reading <npacket>	packets.

       -e     Print source and destination ethernet address with each string.

       -f     Filter incoming packets according to filter string.  For
              example,

                 ipstrings -f "host 137.99.17.17" eth0

              will pass the string "host 137.99.17.17" to the pcap library's
              filter routine.  Thus ipstrings will only see packets with
              137.99.17.17 in one of the two ip addresses.  The filter
              commands are extensive and are explained fully in the tcpdump
              man page.

       -i     Print source and destination ip address with each	string.

       -m     Do not enter promiscuous mode when reading network interface.

       -n <nchar>
              Consider strings to be any set of printable characters (ASCII 32
              to 126) <nchar> characters long or greater.  When <nchar> is set
              to zero, then only those sets of printable characters which are
              terminated by an ASCII 0 are printed.

       -p     Print the protocol number and the source and destination port
              numbers with each string printed.  If the protocol number is
              not 6 or 17 (tcp or udp) then port values are printed as 0.

       -r <dumpfile>
              Reads network info from <dumpfile> instead of reading live from
              the network.  Such a dumpfile could have been produced by the
              programs ipstrings, tcpdump or ethereal (http://www.zing.org).
              You can read from standard input using '-' as the file name;
              this feature is provided by the pcap library.

       -s <nlen>
              Read no more than the first <nlen> bytes of each packet.
              Default is 96, minimum is 68.

       -t     Write packet time	in format HH:MM:SS.SSSS	for string printed.

       -u     Write packet time	in GMT time instead of the default local time.

       -w <dumpfile>
              Writes the first <nlen> bytes of every packet to <dumpfile> in
              pcap format (see the -s option about <nlen>).  The file can
              later be read by programs such as ipaudit, ipstrings, tcpdump
              or ethereal.  Use '-' to write to standard out (this is a
              feature provided by the pcap library).

       -v     Print version information.

       -z     Write packet size	in bytes (size of ip portion, does not include
	      ethernet or other	header).
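
       The -n rule above, written out as an added example (this is not
       ipstrings source code; struct span, scan_strings and the sample
       payload are assumptions made for illustration).  It shows why a
       string cut off by the capture length is kept with -n 4 but dropped
       with -n 0.

```c
#include <stddef.h>
#include <stdio.h>

/* Added example, not ipstrings source: the -n rule as the OPTIONS text
 * states it. struct span and scan_strings are hypothetical names. */
struct span { size_t off, len; };

static int printable(unsigned char c) { return c >= 32 && c <= 126; }

/* Scan len captured bytes. nchar > 0: keep printable runs of at least
 * nchar bytes. nchar == 0: keep only runs followed by an ASCII 0 that is
 * itself inside the captured bytes. Stores up to max_out spans in out
 * and returns the total number of qualifying strings. */
size_t scan_strings(const unsigned char *buf, size_t len, size_t nchar,
                    struct span *out, size_t max_out)
{
    size_t found = 0, i = 0;
    while (i < len) {
        if (!printable(buf[i])) { i++; continue; }
        size_t start = i;
        while (i < len && printable(buf[i])) i++;
        int nul_terminated = i < len && buf[i] == 0;
        int keep = nchar ? (i - start >= nchar) : nul_terminated;
        if (keep) {
            if (found < max_out) out[found] = (struct span){ start, i - start };
            found++;
        }
    }
    return found;
}

/* Constructed payload: the final run "tail" is cut off by the capture
 * length, so it has no terminating 0 inside the buffer. */
static const unsigned char payload[] = "\x01\x02USER jibe\r\nab\0xyz\0tail";
#define PAYLOAD_LEN (sizeof payload - 1)
static struct span spans[8];

int main(void)
{
    for (size_t n = 0; n <= 4; n += 4) {
        size_t k = scan_strings(payload, PAYLOAD_LEN, n, spans, 8);
        for (size_t j = 0; j < k; j++)
            printf("-n %zu: %.*s\n", n, (int)spans[j].len,
                   (const char *)payload + spans[j].off);
    }
    return 0;
}
```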

INPUT EXAMPLES
       To read strings from packets going by interface eth0
	  ipstrings eth0

       To read all strings from	a pcap dump file 'pcap.dump'
	  ipstrings -r pcap.dump

       To read only for	host 10.2.2.2
	  ipstrings -r pcap.dump -f "host 10.2.2.2"

       To read 'pcap.dump' only	for host 10.2.2.2 and port 21 (ftp)
	  ipstrings -r pcap.dump -f "host 10.2.2.2 and port 21"

       To read gzip'ed 'pcap.dump.gz' for all hosts and only port 23 (telnet)
          zcat pcap.dump.gz | ipstrings -r- -f "port 23"

OUTPUT EXAMPLES
       A short FTP session to 127.0.0.1 was captured in pcap.file.  When we
       give the command
          ipstrings -ip -rpcap.file

       the output is

          127.000.000.001 127.000.000.001   6     21   1323  220 bluebird FTP server (Versi
          127.000.000.001 127.000.000.001   6   1323     21  USER jibe
          127.000.000.001 127.000.000.001   6     21   1323  331 Password required for jibe
          127.000.000.001 127.000.000.001   6   1323     21  PASS xxxxxxxx
          127.000.000.001 127.000.000.001   6     21   1323  230 User jibe logged in.
          127.000.000.001 127.000.000.001   6   1323     21  SYST
          127.000.000.001 127.000.000.001   6     21   1323  215 UNIX Type: L8
          127.000.000.001 127.000.000.001   6   1323     21  QUIT
          127.000.000.001 127.000.000.001   6     21   1323  221-You have transferred 0 byt
          127.000.000.001 127.000.000.001   6     21   1323  221-Total traffic for this ses

       The first two columns are the source and destination ip addresses.
       Column three is the protocol; in this example all are 6, meaning all
       packets are tcp.  Columns four and five are the source and destination
       port numbers.  Starting in the sixth column are the printable strings
       that were found in the packets.  Strings that end mid-word, such as
       "(Versi", were cut off because only the first <nlen> bytes of each
       packet are read (see -s).
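
       An added example, not part of ipstrings, that reads lines in the
       column layout described above and counts FTP USER and PASS commands
       sent in cleartext to TCP port 21.  The struct, the function names
       and the sample lines are constructed for illustration.

```c
#include <ctype.h>
#include <stdio.h>

/* Added example, not part of ipstrings: parse lines in the -ip layout
 * (src dst proto sport dport string). All names here are hypothetical. */
struct rec { char src[16], dst[16]; int proto, sport, dport; const char *text; };

/* Returns 1 and fills *r when the five leading columns are present. */
int parse_line(const char *line, struct rec *r)
{
    int off = -1;
    if (sscanf(line, "%15s %15s %d %d %d %n", r->src, r->dst,
               &r->proto, &r->sport, &r->dport, &off) != 5 || off < 0)
        return 0;
    r->text = line + off;   /* column six: the extracted string */
    return 1;
}

/* Case-insensitive test that s starts with an upper-case verb plus space. */
static int has_verb(const char *s, const char *verb)
{
    for (; *verb; s++, verb++)
        if (toupper((unsigned char)*s) != *verb) return 0;
    return *s == ' ';
}

/* 1 when the record is a client USER or PASS command to TCP port 21. */
int is_cleartext_login(const struct rec *r)
{
    return r->proto == 6 && r->dport == 21 &&
           (has_verb(r->text, "USER") || has_verb(r->text, "PASS"));
}

/* Constructed sample lines modelled on the OUTPUT EXAMPLES section. */
static const char *sample_lines[] = {
    "127.000.000.001 127.000.000.001   6     21   1323  220 bluebird FTP server (Versi",
    "127.000.000.001 127.000.000.001   6   1323     21  USER jibe",
    "127.000.000.001 127.000.000.001   6   1323     21  pass xxxxxxxx",
    "127.000.000.001 127.000.000.001  17   1323     21  PASS over-udp",
    "not an ipstrings line",
};
int count_logins(const char **lines, size_t n)
{
    struct rec r;
    int hits = 0;
    for (size_t i = 0; i < n; i++)
        hits += parse_line(lines[i], &r) && is_cleartext_login(&r);
    return hits;
}
int main(void) { printf("%d\n", count_logins(sample_lines, 5)); return 0; }
```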

BUGS
       Report any to jon.rifkin@uconn.edu.

URL
       http://ipaudit.sourceforge.net

VERSION
       1.0 Oct 13, 2005

SEE ALSO
       tcpdump(1) pcap(3) ipaudit(1)

ipstrings 1.0			 October 2005			  ipstrings(8)
