Solved

Looking for tcpdump command to search for text

Posted on 2007-12-03
3
919 Views
Last Modified: 2013-12-16
Hello -

Looking for a way to use tcpdump to search for a specific text.   Any ideas on what the syntax would be - if possible?
0
Comment
Question by:newtontech4
  • 2
3 Comments
 
LVL 34

Accepted Solution

by:
Duncan Roe earned 500 total points
ID: 20398545
You want to start by using tcpdump -A which prints packet contents in Ascii. Also you want to capture full packets (1500 bytes) rather than the default 68 bytes. So you want to use the option "-s 1500".
Now you can pipe the output from tcpdump into grep to find your text.

-A is a fairly new addition to tcpdump; somewhat earlier the -X option was added to give combined Hex & Ascii. Like -X, -A prints non-prinying characters a full stops, but unlike -X spaces are printed as spaces and linefeeds are printed as CrLf.

Sample output from "tcpdump -A -s 1500 tcp"

07:42:46.190074 IP dimstar.local.net.36966 > cf-in-f99.google.com.http: P 1300:1883(583) ack 11574 win 248 <nop,nop,timestamp 80067 1270955866>
E..{..@.@.H.
...J}.c.f.P...p&Hs.....jN.....
..8.K.?ZGET /favicon.ico HTTP/1.1
Host: www.google.com.au
User-Agent: Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11
Accept: image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Cookie: NID=5=Y_F9_9kJsrZbXU8cHYvXBmR5z906ggA  [truncated]
0
 

Author Comment

by:newtontech4
ID: 20398595
thank you - where is this output stored?
0
 
LVL 34

Assisted Solution

by:Duncan Roe
Duncan Roe earned 500 total points
ID: 20401758
Oh sorry - I guess you must be new to this.
The output from tcpdump as for most programs goes to something called "standard output (aka stdout)" (in fact, file unit 1). The unix concept of "piping" means that output can easily be redirected to become input to another program. "grep" is a program that searches for strings or string patterns, so I suggested "Now you can pipe the output from tcpdump into grep to find your text".
You likely want to type "man grep" in a command-line window to read more about what the program can do for you. Here's an example:

19:31:45$ tcpdump -A -s 1500 tcp|grep x86_64
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 1500 bytes
User-Agent: Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11
User-Agent: Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11
User-Agent: Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11
User-Agent: Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11
User-Agent: Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11
User-Agent: Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11
User-Agent: Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11
User-Agent: Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11
[lots more of these]

This example is a search for text lines in the tcp stream that contain the word "x86_64". You can substitute your text string of choice.

The reason the first 2 lines of output show up even though they don't match "x86_64" is that they weren't written to stdout - they were written to standard error (stderr) (file unit 2). The shell pipe symbol; "|" gives stdout to the next program (connects it to its standard input (stdin)) but output to other file units still goes where it would have gone previously - so stderr goes to the console.

Your final output is still going to go to the screen unless you do something about it. For that, you use the output redirection operator ">"

20:27:59$ tcpdump -A -s 1500 tcp|grep x86_64 > sample_output
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 1500 bytes
[Type Control-C to stop it]
285 packets captured
285 packets received by filter
0 packets dropped by kernel

20:29:11$ head sample_output
User-Agent: Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11
User-Agent: Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11
User-Agent: Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11
User-Agent: Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11
User-Agent: Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11
User-Agent: Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11
User-Agent: Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11
User-Agent: Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11
User-Agent: Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11
User-Agent: Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11


The output file doesn't contain the first 2 non-matching lines because they were sent to the console, and anyway ">" only redirects stdout. "man bash" will tell you more (rather a lot more really)
0

Featured Post

Gigs: Get Your Project Delivered by an Expert

Select from freelancers specializing in everything from database administration to programming, who have proven themselves as experts in their field. Hire the best, collaborate easily, pay securely and get projects done right.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Daily system administration tasks often require administrators to connect remote systems. But allowing these remote systems to accept passwords makes these systems vulnerable to the risk of brute-force password guessing attacks. Furthermore there ar…
Join Greg Farro and Ethan Banks from Packet Pushers (http://packetpushers.net/podcast/podcasts/pq-show-93-smart-network-monitoring-paessler-sponsored/) and Greg Ross from Paessler (https://www.paessler.com/prtg) for a discussion about smart network …
Learn how to find files with the shell using the find and locate commands. Use locate to find a needle in a haystack.: With locate, check if the file still exists.: Use find to get the actual location of the file.:
Learn how to navigate the file tree with the shell. Use pwd to print the current working directory: Use ls to list a directory's contents: Use cd to change to a new directory: Use wildcards instead of typing out long directory names: Use ../ to move…

785 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question