Monday, August 3, 2009

Ngrep 1.45 for Java Serialized Objects

Following my last post, a new need for adjusting Ngrep has arisen.
We needed to let Ngrep identify a JSER (Java serialized object) communication session and dump the whole request/response into one file so it can be sent for decryption and further analysis.
To address this I added a new option (-m) to Ngrep that identifies the end of the object transmission and exits the pcap_loop when it is reached.

Usage example: ngrep -d 5 -O output.pcap -m -X 0x78 dst host
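As an added example (not ngrep's code and not the patch from this post), here is a small C classifier for the stream the command above captures: it checks the Java serialization header and then looks for the 0x78 (TC_ENDBLOCKDATA) byte that the -X 0x78 match keys on, to decide whether a reassembled request/response can be closed and written out. The sample buffers are constructed for illustration.

```c
/* Added example: classify a reassembled payload as a Java serialization
 * stream and report whether its end-of-block-data marker has been seen. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define STREAM_MAGIC    0xACED  /* java.io.ObjectStreamConstants */
#define STREAM_VERSION  0x0005
#define TC_ENDBLOCKDATA 0x78

enum jser_state { JSER_NOT_STREAM, JSER_INCOMPLETE, JSER_COMPLETE };

/* On JSER_COMPLETE, *end_off receives the offset of the terminating 0x78.
 * Caveat: 0x78 is also ASCII 'x', so it can occur inside a serialized class
 * name or string (e.g. "javax...") before the real end of the object; a full
 * walk of the TC_* tags is needed to be exact, and the same limitation
 * applies to matching the bare byte with -X 0x78. */
enum jser_state jser_classify(const uint8_t *buf, size_t len, size_t *end_off)
{
    if (len < 4)
        return JSER_NOT_STREAM;
    uint16_t magic   = (uint16_t)((buf[0] << 8) | buf[1]);
    uint16_t version = (uint16_t)((buf[2] << 8) | buf[3]);
    if (magic != STREAM_MAGIC || version != STREAM_VERSION)
        return JSER_NOT_STREAM;
    for (size_t i = 4; i < len; i++) {
        if (buf[i] == TC_ENDBLOCKDATA) {
            if (end_off)
                *end_off = i;
            return JSER_COMPLETE;
        }
    }
    return JSER_INCOMPLETE;
}

/* Constructed samples: header + TC_OBJECT (0x73) TC_CLASSDESC (0x72) +
 * a 1-byte class name "A", with and without the end-of-block-data marker. */
static const uint8_t SAMPLE_COMPLETE[]   = {0xAC,0xED,0x00,0x05,0x73,0x72,0x00,0x01,'A',0x78};
static const uint8_t SAMPLE_INCOMPLETE[] = {0xAC,0xED,0x00,0x05,0x73,0x72,0x00,0x01,'A'};
static const char    SAMPLE_HTTP[]       = "GET /x HTTP/1.0\r\n"; /* contains 'x' but no header */

int main(void)
{
    size_t off = 0;
    printf("complete=%d at offset %zu\n", jser_classify(SAMPLE_COMPLETE, sizeof SAMPLE_COMPLETE, &off), off);
    printf("incomplete=%d\n", jser_classify(SAMPLE_INCOMPLETE, sizeof SAMPLE_INCOMPLETE, NULL));
    printf("http=%d\n", jser_classify((const uint8_t *)SAMPLE_HTTP, sizeof SAMPLE_HTTP - 1, NULL));
    return 0;
}
```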

Sources and a precompiled Windows binary tarball are here (SourceForge SVN).

A .patch file for use with the original 1.45 distribution can be downloaded here.