ngrep is a pretty useful tool and should be handy for any kind of network security work. It is NOT the same as tcpdump, in case anyone was wondering. I may be a little off in my explanation tonight, but ngrep does one thing much better than tcpdump: it searches packet payloads with regular expressions.
So, to search for a hostname, as a whole word, in the DNS traffic of an already captured pcap file:
ngrep -w 'somehost' -I /stored/mypcaps.pcap port 53
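As an added example (not from the post, and not ngrep's own code), the Python below reproduces what that command does on a constructed capture: it writes four DNS queries into a pcap, then scans the payload of every UDP port 53 packet with a word-bounded regex. It also shows why -w matters: in the DNS wire format each label is prefixed by a length byte, so 'somehost' sits between non-word bytes and matches, while 'somehostname' and 'notsomehost' do not. Python's \b is used as an approximation of ngrep's whole-word matching; the addresses, names and temp file are constructed sample data.

```python
import os
import re
import struct
import tempfile

def dns_query(name):
    """Constructed DNS A query for `name`: 12-byte header + length-prefixed labels."""
    header = struct.pack(">HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(lab)]) + lab.encode() for lab in name.split("."))
    return header + qname + b"\x00" + struct.pack(">HH", 1, 1)  # QTYPE A, QCLASS IN

def udp_frame(payload, sport=40000, dport=53):
    """Ethernet/IPv4/UDP wrapper (constructed sample; checksums left zero)."""
    udp = struct.pack(">HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 53])) + udp
    return b"\x00" * 12 + b"\x08\x00" + ip  # zero MACs, EtherType 0x0800 (IPv4)

def write_pcap(path, frames):
    """Write frames as a classic little-endian pcap, linktype 1 (Ethernet)."""
    with open(path, "wb") as f:
        f.write(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))
        for fr in frames:
            f.write(struct.pack("<IIII", 0, 0, len(fr), len(fr)) + fr)

def ngrep_word(path, word, port=53):
    """UDP payloads on `port` matching `word` as a whole word (\\b), like ngrep -w."""
    pattern = re.compile(rb"\b" + re.escape(word.encode()) + rb"\b")
    hits = []
    with open(path, "rb") as f:
        f.seek(24)  # skip the pcap global header
        while True:
            rec = f.read(16)
            if len(rec) < 16:
                break
            frame = f.read(struct.unpack("<IIII", rec)[2])  # incl_len bytes
            if frame[12:14] != b"\x08\x00" or frame[23] != 17:  # IPv4 carrying UDP only
                continue
            udp = frame[14 + (frame[14] & 0x0F) * 4:]  # skip Ethernet + IP header (IHL)
            if port in struct.unpack(">HH", udp[:4]) and pattern.search(udp[8:]):
                hits.append(udp[8:])  # UDP payload = the DNS message
    return hits

def demo():
    # Four constructed queries; only the exact label 'somehost' should hit.
    names = ["somehost.example.com", "somehostname.example.com",
             "notsomehost.example.com", "mail.example.com"]
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "mypcaps.pcap")
        write_pcap(path, [udp_frame(dns_query(n)) for n in names])
        return ngrep_word(path, "somehost")
```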