Sunday, July 10, 2011

ngrep oneliner: look for a domain name in DNS traffic

ngrep is a pretty useful tool and belongs in any network security toolkit. It is NOT the same as tcpdump, in case anyone was wondering. I may be a little off in my explanation tonight, but ngrep does one thing tcpdump cannot: besides selecting packets with a BPF filter, it matches a regular expression against the payload of each packet, so you can grep for content rather than just for header fields.

So, to search for a hostname, as a whole word, in DNS traffic from an already captured pcap file (-I reads the capture instead of a live interface, -w only matches the pattern as a whole word, and the trailing "port 53" is an ordinary BPF filter that restricts the search to DNS packets):

ngrep -w 'somehost' -I /stored/mypcaps.pcap port 53
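One thing to keep in mind when writing the pattern: on the wire a DNS name is not the dotted string you type. Each label is prefixed by a length byte and the dots are not present at all, so "somehost.example.com" is carried as \x08somehost\x07example\x03com\x00. A single label like 'somehost' therefore matches as a whole word (the length bytes around it are non-word characters), an unescaped dot in the pattern matches only because "." is a wildcard that happens to swallow the length byte, and an escaped dot ("\.") matches nothing. The following is an added example, not part of the original post: it builds a constructed DNS query packet and runs the patterns through Python's re module, which is assumed here to be a close enough stand-in for ngrep's PCRE matching (the -w wrapping is approximated with \b).

```python
import re
import struct


def encode_dns_name(name: str) -> bytes:
    """Encode a hostname in DNS wire format: length-prefixed labels, NUL terminated.
    The dots of the textual name do not appear in the output."""
    out = b""
    for label in name.strip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_dns_query(qname: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Build a minimal DNS query (header + one question) for qname.
    Constructed sample traffic; this is the UDP payload ngrep would search."""
    # id, flags (RD set), qdcount, ancount, nscount, arcount
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_dns_name(qname) + struct.pack("!HH", qtype, 1)


def payload_matches(payload: bytes, pattern: str, word: bool = False,
                    ignore_case: bool = False) -> bool:
    """Approximation (an assumption of this example) of ngrep's regex match
    against raw payload bytes: `word` stands in for -w, `ignore_case` for -i."""
    flags = re.IGNORECASE if ignore_case else 0
    if word:
        pattern = r"\b(?:" + pattern + r")\b"
    return re.search(pattern.encode("latin-1"), payload, flags) is not None


if __name__ == "__main__":
    query = build_dns_query("somehost.example.com")
    print(encode_dns_name("somehost.example.com"))  # b'\x08somehost\x07example\x03com\x00'
    # whole-word label match, the equivalent of: ngrep -w 'somehost' ... port 53
    print(payload_matches(query, "somehost", word=True))
    # dotted name only matches because "." is a wildcard eating the length byte
    print(payload_matches(query, "somehost.example.com"))
    # an escaped dot looks for a literal 0x2e, which is never on the wire
    print(payload_matches(query, r"somehost\.example\.com"))
    # -w keeps 'somehost' from matching inside a longer label
    print(payload_matches(build_dns_query("somehostname.example.com"), "somehost", word=True))
```

The practical upshot for the oneliner above: match on one label (as the post does), or keep dots unescaped so they act as wildcards, and add -i if the capture may contain mixed-case names, since DNS names are case-insensitive but ngrep's match is not unless told so.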