rafind2
Help
Usage: rafind2 [-mXnzZhv] [-a align] [-b sz] [-f/t from/to] [-[e|s|S] str] [-x hex] file ..
-a [align] only accept aligned hits
-b [size] set block size
-e [regex] search for regex matches (can be used multiple times)
-f [from] start searching from address 'from'
-h show this help
-i identify filetype (r2 -nqcpm file)
-m magic search, file-type carver
-M [str] set a binary mask to be applied on keywords
-n do not stop on read errors
-r print using radare commands
-s [str] search for a specific string (can be used multiple times)
-S [str] search for a specific wide string (can be used multiple times)
-t [to] stop search at address 'to'
-v print version and exit
-x [hex] search for hexpair string (909090) (can be used multiple times)
-X show hexdump of search results
-z search for zero-terminated strings
-Z show string found on each search hit
rafind2 man page
RAFIND2(1) BSD General Commands Manual RAFIND2(1)
NAME
rafind2 — Advanced commandline hexadecimal editor
SYNOPSIS
rafind2 [-izZXnrhv] [-b size] [-f from] [-t to] [-[m|s|e] str] [-x hex] file
DESCRIPTION
rafind2 is a program to find byte patterns in files.
The options are:
-z Search for zero-terminated strings
-a align Only accept aligned hits
-s str Search for a specific string
-S str Search for a specific wide string
-e regex Search for regular expression matches
-x hex Search for a hexpair string
-i Identify filetype (like file, uses r2 -qcpm)
-m Carve for known file-types using the r_magic signatures
-M mask Set binary mask to be applied
-f from Specify the source address
-t to Specify the target address
-X Display hexdump of search results
-Z Display zero-terminated strings results
-n Do not stop the search when a read error occurs
-r Show output in radare commands
-b size Define block size
-h Show help message
-v Print version and exit
SEE ALSO
radare2(1), rahash2(1), rabin2(1), radiff2(1), rasm2(1), ragg2(1), rarun2(1), rax2(1)
AUTHORS
pancake <pancake@nopcode.org>
Oct 19, 2015
pcaps
- rafind2 -X -s "DOS mode" traffic.pcap
- rafind2 -Z -s "Subject" smtp.pcap