
I have a tcpdump (pcap) capture file and want to extract all domains. I do it with the following command:

strings capture_file | grep -oiE '([a-zA-Z0-9][a-zA-Z0-9-]{1,61}\.){1,}(\.?[a-zA-Z]{2,}){1,}' | sort -u > out

But I want to extract only those related to the string "Client Hello". Example in Wireshark:

Handshake Protocol: Client Hello
Server Name: example.com

Is there any way of doing this?

acgbox
  • Where is the `Client Hello` coming from? The text you show has this as part of the `Handshake Protocol` which implies that this is a protocol that tcpdump knows about and is decoding. In this case the string `Client Hello` comes from tcpdump rather than the packet. So what protocol are you looking at? The normal approach to this kind of problem would be to use tcpdump with both `-r` and `-w` flags and an expression to select just the packets which match. Using `wireshark` or `tshark` and `lua` might be slightly more efficient. – icarus Jul 09 '20 at 23:41
  • @icarus solved. Read the updated question. Thanks – acgbox Jul 10 '20 at 00:16
  • Hello ajcg, please take the time to place your solution as an actual answer down below. Thank you! – Panki Jul 10 '20 at 08:15

1 Answer


Open the pcap file in Wireshark. Select the "Client Hello" lines, then select "Export Packet Dissections" and save "As Plain Text". Save the file as "export.txt".


And then run:

grep -i "Server Name" export.txt | grep -oiE '([a-zA-Z0-9][a-zA-Z0-9-]{1,61}\.){1,}(\.?[a-zA-Z]{2,}){1,}' | sort -u > out
acgbox
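The answer above depends on a Wireshark GUI export and then greps a text dump, which also matches any other hostname-looking string printed near "Server Name". The same result can be obtained directly from the capture by walking the TLS ClientHello and reading the server_name extension. The script below is an added example, not code from the question or the answer: it contains a minimal pcap reader, an Ethernet/IPv4/TCP header skipper and a ClientHello/SNI parser, and it builds its own constructed sample capture in memory so it runs offline. Assumptions: classic pcap format with LINKTYPE_ETHERNET (pcapng, VLAN tags and IPv6 are not handled), and each ClientHello fits in the first TCP segment of its connection; a ClientHello split across records or segments is reported as absent rather than guessed at. The sample hostnames and addresses are invented for the example.

```python
import struct
import sys

# ---- Constructed sample data (invented for this example) -------------------

def build_client_hello(server_name):
    """TLS handshake record carrying a minimal ClientHello with one SNI entry."""
    host = server_name.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(host)) + host          # name_type 0 = host_name
    sni_list = struct.pack("!H", len(entry)) + entry
    ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list      # extension type 0 = server_name
    body = (b"\x03\x03" + b"\x11" * 32 + b"\x00"                     # version, random, empty session_id
            + b"\x00\x02\x13\x01" + b"\x01\x00"                      # one cipher suite, null compression
            + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body        # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def build_frame(payload):
    """Wrap a TCP payload in Ethernet/IPv4/TCP headers (checksums left at zero)."""
    eth = b"\x00" * 12 + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 0, 0x4000,
                     64, 6, 0, bytes([10, 0, 0, 1]), bytes([203, 0, 113, 5]))
    return eth + ip + tcp + payload

def build_pcap(frames):
    """Serialize frames as a classic little-endian pcap file with LINKTYPE_ETHERNET."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for ts, frame in enumerate(frames):
        out.append(struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame)
    return b"".join(out)

SAMPLE_PCAP = build_pcap([
    build_frame(build_client_hello("example.com")),
    build_frame(b"GET / HTTP/1.1\r\nHost: plain.example.net\r\n\r\n"),   # plain HTTP: ignored
    build_frame(build_client_hello("mail.example.org")),
])

# ---- Parser -----------------------------------------------------------------

def iter_pcap_frames(data):
    """Yield the captured bytes of each record in a classic pcap file."""
    magic = struct.unpack("<I", data[:4])[0]
    endian = ("<" if magic in (0xA1B2C3D4, 0xA1B23C4D)
              else ">" if magic in (0xD4C3B2A1, 0x4D3CB2A1) else None)
    if endian is None:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    if struct.unpack(endian + "I", data[20:24])[0] != 1:
        raise ValueError("only LINKTYPE_ETHERNET captures are handled")
    off = 24
    while off + 16 <= len(data):
        incl_len = struct.unpack(endian + "IIII", data[off:off + 16])[2]
        off += 16
        yield data[off:off + incl_len]
        off += incl_len

def tcp_payload(frame):
    """TCP payload of an Ethernet/IPv4/TCP frame, or None for anything else."""
    if frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    if len(ip) < 20 or ip[9] != 6:
        return None
    tcp = ip[(ip[0] & 0x0F) * 4:struct.unpack("!H", ip[2:4])[0]]
    return tcp[(tcp[12] >> 4) * 4:] if len(tcp) >= 20 else None

def extract_sni(payload):
    """SNI host_name from a TLS ClientHello record, or None if absent or truncated."""
    if len(payload) < 9 or payload[0] != 0x16 or payload[5] != 0x01:
        return None                                   # not a handshake record holding a ClientHello
    hs_len = int.from_bytes(payload[6:9], "big")
    body = payload[9:9 + hs_len]
    if len(body) < hs_len:
        return None                                   # ClientHello continues in a later record/segment
    try:
        i = 2 + 32                                    # client_version + random
        i += 1 + body[i]                              # session_id
        i += 2 + struct.unpack("!H", body[i:i + 2])[0]   # cipher_suites
        i += 1 + body[i]                              # compression_methods
        if i >= len(body):
            return None                               # no extensions block at all
        ext_end = i + 2 + struct.unpack("!H", body[i:i + 2])[0]
        i += 2
        while i + 4 <= ext_end:
            etype, elen = struct.unpack("!HH", body[i:i + 4])
            i += 4
            if etype == 0:                            # server_name extension
                j = i + 2                             # skip server_name_list length
                while j + 3 <= i + elen:
                    name_type, name_len = body[j], struct.unpack("!H", body[j + 1:j + 3])[0]
                    j += 3
                    if name_type == 0:
                        return body[j:j + name_len].decode("ascii", "replace")
                    j += name_len
            i += elen
    except (IndexError, struct.error):
        return None                                   # malformed or cut-off ClientHello
    return None

def client_hello_names(pcap_bytes):
    """Sorted, de-duplicated SNI names from every ClientHello in the capture."""
    names = set()
    for frame in iter_pcap_frames(pcap_bytes):
        payload = tcp_payload(frame)
        name = extract_sni(payload) if payload else None
        if name:
            names.add(name)
    return sorted(names)

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PCAP
    print("\n".join(client_hello_names(data)))   # run with a pcap path to use a real file
```

Run with no argument to see the two constructed names; pass a pcap path to scan a real capture. If tshark is available, the same field can be pulled without any custom parsing with `tshark -r capture_file -Y 'tls.handshake.type == 1' -T fields -e tls.handshake.extensions_server_name | sort -u` (older Wireshark releases name the protocol `ssl` instead of `tls`), and tshark also handles pcapng, IPv6 and reassembled records that the example above deliberately leaves out.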