pktstrings 1.1.0

Like Unix 'strings' command but packet-aware
pktstrings-1.1.0 is not a library.
Visit the last successful build: pktstrings-1.4.1

pktstrings

build status lint status crate license crate version

Ever ran strings on a PCAP and found something interesting, but left frustrated you have no context of which packet it occurred in?

Pktstrings is like Unix strings command, but packet-aware.

It finds anything looking like an ASCII string in your PCAP and dumps the packet number plus IP 5-tuple (or MACs + Ethertype if not IP) of where the strings were found.

image

Requires libpcap headers (See Dependencies) to build.

Features

  • Support for both offline PCAPs and live network capture
  • Filter which packets are analysed with BPF expressions
  • DNS resolver with local cache (--feature resolve to enable option)
  • Grep friendly (default) and copy friendly (-b, --block-print) output options
  • Support for 802.1Q networks; showing the VLAN ID and IPs if present.

Dependencies

Pktstrings uses the pcap crate and thus requires libpcap (or Npcap/WinPcap on Windows) to be installed before building. Follow the instructions the pcap crate provides to get the correct installation instructions for your system.

https://github.com/rust-pcap/pcap#installing-dependencies

Install

To install binary from crates.io cargo install pktstrings

To install with optional DNS resolver flag (-r, --resolve-dns): cargo install pktstrings --features=resolve

To install with colour output disabled: cargo install pktstrings --features=bland

To install from cloned source: cargo install --path .

Running

Default install location is ~/.cargo/bin/pktstrings. Run pktstrings with -h for help and available options.

TODO (maybe):

  • Other string encodings
  • Support more protocols
  • Full PCAPNG support