Wednesday, June 10, 2015

rail grepping

rail grepping (from Phil Hagen, who teaches the SANS FOR572 Advanced Network Forensics and Analysis class) is a way to quickly go through a large number of pcaps and determine whether they might contain the data you're looking for.
Scenario: you're given 25 pcaps from a certain time frame and asked to determine whether there are any emails in them to or from bob@xyz.com. You need a way to determine which pcaps might contain this data. You can use rail grepping for that.

rail grepping is named after the parameters you'll use with grep to do your search.

They are:
r - search sub-directories recursively
a - treat binary files like text and search the ASCII, human-readable portions of the file for the string
i - case insensitive
l - only list the files that match instead of the matches themselves

So our command would look like this:

grep -rail 'bob@xyz.com' .

If you are in a sub-directory containing only the pcaps, you could substitute * for the trailing . (dot).

grep will rip through the pcaps looking for your email address and return the name of each file in which it finds a match.
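As an added example (not from the original post): a small shell function that builds a few constructed pcap-like files, some with the address in a different case and one with it base64-encoded, and runs the rail grep over them. The file names and contents are made up, and LC_ALL=C is an addition so grep treats the bytes as plain ASCII.

```shell
#!/bin/sh
# Added example, not from the original post. Builds constructed sample
# files in a scratch directory, runs the rail grep, and prints the hits.
# Assumes a POSIX sh and a grep that supports -r, -a, -i and -l.

rail_grep_demo() {
    workdir=$(mktemp -d) || return 1
    mkdir "$workdir/day2"
    # capture1: binary-looking header bytes, then an SMTP envelope line
    # with the address in mixed case (constructed sample data).
    printf '\324\303\262\241\002\000\004\000MAIL FROM:<Bob@XYZ.com>\r\n\000\001' \
        > "$workdir/capture1.pcap"
    # capture2: binary bytes and a different, non-matching address.
    printf '\324\303\262\241\002\000\004\000RCPT TO:<alice@example.net>\r\n\000' \
        > "$workdir/capture2.pcap"
    # capture3 in a sub-directory: address inside a mail header line.
    printf '\000\377To: "Bob" <bob@xyz.com>\r\n\377\000' \
        > "$workdir/day2/capture3.pcap"
    # capture4: the same address base64-encoded, as a MIME body might carry it.
    # -a only searches literal bytes, so this file will NOT be reported.
    printf '\000Ym9iQHh5ei5jb20=\r\n\000' \
        > "$workdir/day2/capture4.pcap"

    # The rail grep itself: recursive, binary-as-text, case-insensitive,
    # file names only. LC_ALL=C keeps grep from choking on non-UTF-8 bytes.
    # Run from inside the directory so paths come out relative, as in the post.
    ( cd "$workdir" && LC_ALL=C grep -rail 'bob@xyz.com' . ) | sed 's#^\./##' | sort
    rm -rf "$workdir"
}
```

Only capture1.pcap and day2/capture3.pcap are listed; the base64-encoded copy in capture4.pcap is missed, which is the main limitation of searching raw bytes.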
