Solved

Looking for tcpdump command to search for text

Posted on 2007-12-03
3
924 Views
Last Modified: 2013-12-16
Hello -

Looking for a way to use tcpdump to search for a specific text.   Any ideas on what the syntax would be - if possible?
0
Comment
Question by:newtontech4
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
3 Comments
 
LVL 34

Accepted Solution

by:
Duncan Roe earned 500 total points
ID: 20398545
You want to start by using tcpdump -A which prints packet contents in Ascii. Also you want to capture full packets (1500 bytes) rather than the default 68 bytes. So you want to use the option "-s 1500".
Now you can pipe the output from tcpdump into grep to find your text.

-A is a fairly new addition to tcpdump; somewhat earlier the -X option was added to give combined Hex & Ascii. Like -X, -A prints non-prinying characters a full stops, but unlike -X spaces are printed as spaces and linefeeds are printed as CrLf.

Sample output from "tcpdump -A -s 1500 tcp"

07:42:46.190074 IP dimstar.local.net.36966 > cf-in-f99.google.com.http: P 1300:1883(583) ack 11574 win 248 <nop,nop,timestamp 80067 1270955866>
E..{..@.@.H.
...J}.c.f.P...p&Hs.....jN.....
..8.K.?ZGET /favicon.ico HTTP/1.1
Host: www.google.com.au
User-Agent: Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11
Accept: image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Cookie: NID=5=Y_F9_9kJsrZbXU8cHYvXBmR5z906ggA  [truncated]
0
 

Author Comment

by:newtontech4
ID: 20398595
thank you - where is this output stored?
0
 
LVL 34

Assisted Solution

by:Duncan Roe
Duncan Roe earned 500 total points
ID: 20401758
Oh sorry - I guess you must be new to this.
The output from tcpdump as for most programs goes to something called "standard output (aka stdout)" (in fact, file unit 1). The unix concept of "piping" means that output can easily be redirected to become input to another program. "grep" is a program that searches for strings or string patterns, so I suggested "Now you can pipe the output from tcpdump into grep to find your text".
You likely want to type "man grep" in a command-line window to read more about what the program can do for you. Here's an example:

19:31:45$ tcpdump -A -s 1500 tcp|grep x86_64
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 1500 bytes
User-Agent: Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11
User-Agent: Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11
User-Agent: Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11
User-Agent: Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11
User-Agent: Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11
User-Agent: Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11
User-Agent: Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11
User-Agent: Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11
[lots more of these]

This example is a search for text lines in the tcp stream that contain the word "x86_64". You can substitute your text string of choice.

The reason the first 2 lines of output show up even though they don't match "x86_64" is that they weren't written to stdout - they were written to standard error (stderr) (file unit 2). The shell pipe symbol; "|" gives stdout to the next program (connects it to its standard input (stdin)) but output to other file units still goes where it would have gone previously - so stderr goes to the console.

Your final output is still going to go to the screen unless you do something about it. For that, you use the output redirection operator ">"

20:27:59$ tcpdump -A -s 1500 tcp|grep x86_64 > sample_output
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 1500 bytes
[Type Control-C to stop it]
285 packets captured
285 packets received by filter
0 packets dropped by kernel

20:29:11$ head sample_output
User-Agent: Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11
User-Agent: Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11
User-Agent: Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11
User-Agent: Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11
User-Agent: Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11
User-Agent: Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11
User-Agent: Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11
User-Agent: Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11
User-Agent: Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11
User-Agent: Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11


The output file doesn't contain the first 2 non-matching lines because they were sent to the console, and anyway ">" only redirects stdout. "man bash" will tell you more (rather a lot more really)
0

Featured Post

More Than Just A Video Library

Train for your certification. Learn the latest DevOps tools. Grow your skillset to do better work.

At Linux Academy, we release new training modules every week so you'll always be up to date on the latest tech.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Introduction We as admins face situation where we need to redirect websites to another. This may be required as a part of an upgrade keeping the old URL but website should be served from new URL. This document would brief you on different ways ca…
It’s 2016. Password authentication should be dead — or at least close to dying. But, unfortunately, it has not traversed Quagga stage yet. Using password authentication is like laundering hotel guest linens with a washboard — it’s Passé.
Learn how to navigate the file tree with the shell. Use pwd to print the current working directory: Use ls to list a directory's contents: Use cd to change to a new directory: Use wildcards instead of typing out long directory names: Use ../ to move…
This demo shows you how to set up the containerized NetScaler CPX with NetScaler Management and Analytics System in a non-routable Mesos/Marathon environment for use with Micro-Services applications.

726 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question