Following my last post, a new need for adjusting Ngrep has arisen.
We needed Ngrep to identify a JSER communication session and dump the whole request/response into one file so it can be sent for decryption and further analysis.
To address this, I have added a new option (-m) to Ngrep that identifies the end of the object transmission and exits the pcap_loop when it occurs.
Usage example: ngrep -d 5 -O output.pcap -m -X 0x78 dst host www.mytarget.com
Sources and a precompiled Windows binary tarball are here (SourceForge SVN).
A .patch file for use with the original 1.45 distribution can be downloaded here.