Differences

This shows you the differences between two versions of the page.

@@ Line 1: / Line 1: @@
+====== ngrep Tools ======
+I've started playing with ngrep so I'm going to write some scripts which use ngrep to filter pcap files then parse the output. I'll probably combine all these into one large script at some point but for now I'll just post individual ones.
+===== get_dns =====
+This script uses ngrep to find all the dns traffic then pulls out the domain names. A problem with this is that the . separator between the parts of the domain name - www.abc - don't come out as an ASCII dot, they come out as various other hex characters. This is why the script uses the -P flag to set non-printable characters to a # so I know what to look for when going through the output.
+This is a quick script written in a break while teaching so feel free to point out any improvements.
+<code ruby>
+#!/usr/bin/env ruby
+def usage
+    puts "get_dns 1.0 Robin Wood (dninja@gmail.com) (www.digininja.org)\n\n"
+    puts "Usage: get_dns [OPTION] ... PCAP"
+    puts "        --help, -h: show help"
+    puts
+    puts"         PCAP: The pcap file to search"
+    puts
+end
+if ARGV.length != 1
+    usage
+    exit
+end
+if ARGV[0] == "-h" || ARGV[0] == "--help"
+    usage
+    exit
+end
+pcap = ARGV[0]
+if !File.exist?(pcap)
+    puts "pcap not found"
+    exit
+end
+cmd="ngrep  -t '' 'dst port 53' -I #{pcap} -q -P '#'"
+res=%x{#{cmd}}
+domains = []
+res.each { |line|
+    line.strip!
+    if /\#\#\#\#\#([^\#].*)\#\#\#\#\#$/.match(line)
+        domain = $1.gsub("#",".")
+        domains << domain
+    end
+}
+domains.sort!
+domains.uniq!
+puts domains
+</code>