ngrep Tools
I've started playing with ngrep, so I'm going to write some scripts which use ngrep to filter pcap files and then parse the output. I'll probably combine them all into one large script at some point, but for now I'll post them individually.
get_dns
This script uses ngrep to find all the DNS traffic, then pulls out the domain names. One problem is that the dots separating the parts of a domain name (www.abc) don't appear in the packet as ASCII dots: DNS encodes a name as a series of labels, each prefixed by a one-byte length, so the byte where a dot would sit holds a small binary value instead, and the name is followed by a zero byte, the query type and the query class. That is why the script passes -P '#' to ngrep, which prints every non-printable byte as a #, so I know what to look for when going through the output: the name sits between runs of # characters with a # in place of each dot, and the zero byte, type and class give the five trailing # the match looks for. One caveat with this approach: a label of 32 characters or more has a printable length byte, so it will not show up as a # and the match will pick up the wrong text.
This is a quick script written during a break while teaching, so feel free to point out any improvements.
```ruby
#!/usr/bin/env ruby
# get_dns: run ngrep over a pcap, keep only traffic to port 53 and pull the
# queried names out of the payload lines.

def usage
  puts "get_dns 1.0 Robin Wood ([email protected]) (www.digininja.org)\n\n"
  puts "Usage: get_dns [OPTION] ... PCAP"
  puts "  --help, -h: show help"
  puts
  puts "  PCAP: The pcap file to search"
  puts
end

if ARGV.length != 1
  usage
  exit
end

if ARGV[0] == "-h" || ARGV[0] == "--help"
  usage
  exit
end

pcap = ARGV[0]

if !File.exist?(pcap)
  puts "pcap not found"
  exit
end

# -t adds a timestamp to each header line, '' matches every packet,
# 'dst port 53' is the BPF filter, -I reads the pcap, -q suppresses the
# match markers and -P '#' replaces every non-printable byte with '#'.
# The argument array form avoids handing the filename to a shell, so a
# pcap name containing shell metacharacters cannot inject commands.
cmd = ["ngrep", "-t", "", "dst port 53", "-I", pcap, "-q", "-P", "#"]
res = IO.popen(cmd) { |io| io.read }

domains = []

# String#each was removed in Ruby 1.9; each_line walks the output line by line.
res.each_line do |line|
  line.strip!
  # A query payload renders as a run of '#' (header bytes and the first label
  # length), the name with '#' where the dots would be, then '#####' for the
  # terminating zero byte, QTYPE and QCLASS.
  if /\#\#\#\#\#([^\#].*)\#\#\#\#\#$/.match(line)
    domain = $1.gsub("#", ".")
    domains << domain
  end
end

domains.sort!
domains.uniq!
puts domains
```
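To show why the # runs appear where they do, here is an added example (not part of get_dns or ngrep) that builds a DNS query in wire format, renders it the way ngrep -P '#' would, runs the same regular expression over that rendering, and then decodes the question name directly from the length-prefixed labels instead. The two query payloads are constructed for the example; the helper names (build_query, render_like_ngrep, extract_from_rendered, decode_qname) are mine, and render_like_ngrep assumes ngrep treats the bytes 0x20 to 0x7e as printable. The second payload has a 33-character label, which is the case where the # matching picks up the wrong text while the decoder still gets the name.

```ruby
# Added example, not part of the original get_dns script.

# Build a DNS query payload (header + question) for a hostname, the way a
# resolver puts it on the wire: each label is prefixed by its length, the
# name ends with a zero byte, then QTYPE and QCLASS follow.
def build_query(name, id = 0x0102, qtype = 1, qclass = 1)
  header = [id, 0x0100, 1, 0, 0, 0].pack("nnnnnn") # ID, flags (RD), QDCOUNT=1
  qname = name.split(".").map { |label| [label.length].pack("C") + label }.join + "\x00"
  (header + qname + [qtype, qclass].pack("nn")).b
end

# Imitate what ngrep -P '#' shows: printable ASCII (assumed here to be
# 0x20..0x7e) is kept, every other byte becomes the substitute character.
def render_like_ngrep(payload, sub = "#")
  payload.each_byte.map { |b| (0x20..0x7e).cover?(b) ? b.chr : sub }.join
end

# The get_dns approach: pull the name out of the rendered line by looking
# for five substitute characters on each side of it.
def extract_from_rendered(line)
  m = /\#\#\#\#\#([^\#].*)\#\#\#\#\#$/.match(line.strip)
  m ? m[1].gsub("#", ".") : nil
end

# Decode the question name from the raw bytes: skip the 12-byte header and
# walk the length-prefixed labels until the terminating zero byte.
def decode_qname(payload)
  raise ArgumentError, "truncated header" if payload.bytesize < 12
  qdcount = payload.byteslice(4, 2).unpack1("n")
  raise ArgumentError, "no question section" if qdcount.zero?
  pos = 12
  labels = []
  loop do
    raise ArgumentError, "truncated name" if pos >= payload.bytesize
    len = payload.getbyte(pos)
    pos += 1
    break if len.zero?
    # Compression pointers (top two bits set) do not belong in a query's
    # question section; treat one as malformed rather than follow it.
    raise ArgumentError, "compression pointer in question" if (len & 0xC0) == 0xC0
    raise ArgumentError, "label over 63 bytes" if len > 63
    raise ArgumentError, "truncated label" if pos + len > payload.bytesize
    labels << payload.byteslice(pos, len)
    pos += len
  end
  labels.join(".")
end

# Constructed sample queries for the demonstration.
SAMPLE_QUERY = build_query("www.example.com")
# A 33-character label has length byte 0x21, which renders as '!', so the
# rendered line no longer has the '#' boundary the regex relies on.
LONG_LABEL_QUERY = build_query(("a" * 33) + ".com")

if __FILE__ == $0
  [SAMPLE_QUERY, LONG_LABEL_QUERY].each do |q|
    line = render_like_ngrep(q)
    puts "ngrep view : #{line}"
    puts "regex gives: #{extract_from_rendered(line).inspect}"
    puts "decoder    : #{decode_qname(q)}"
  end
end
```

For www.example.com the rendered line is thirteen # (twelve header bytes plus the first label length) followed by www#example#com#####, and both methods agree on the name. For the 33-character label the regex returns a name starting with ! and swallowing the label length, while the decoder returns the real name; if you see odd leading characters in get_dns output, that is the case to suspect.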