Learn how to a build a cloud-first strategyRegister Now

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 933
  • Last Modified:

Looking for tcpdump command to search for text

Hello -

Looking for a way to use tcpdump to search for a specific text.   Any ideas on what the syntax would be - if possible?
0
newtontech4
Asked:
newtontech4
  • 2
2 Solutions
 
Duncan RoeSoftware DeveloperCommented:
You want to start by using tcpdump -A which prints packet contents in Ascii. Also you want to capture full packets (1500 bytes) rather than the default 68 bytes. So you want to use the option "-s 1500".
Now you can pipe the output from tcpdump into grep to find your text.

-A is a fairly new addition to tcpdump; somewhat earlier the -X option was added to give combined Hex & Ascii. Like -X, -A prints non-prinying characters a full stops, but unlike -X spaces are printed as spaces and linefeeds are printed as CrLf.

Sample output from "tcpdump -A -s 1500 tcp"

07:42:46.190074 IP dimstar.local.net.36966 > cf-in-f99.google.com.http: P 1300:1883(583) ack 11574 win 248 <nop,nop,timestamp 80067 1270955866>
E..{..@.@.H.
...J}.c.f.P...p&Hs.....jN.....
..8.K.?ZGET /favicon.ico HTTP/1.1
Host: www.google.com.au
User-Agent: Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11
Accept: image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Cookie: NID=5=Y_F9_9kJsrZbXU8cHYvXBmR5z906ggA  [truncated]
0
 
newtontech4Author Commented:
thank you - where is this output stored?
0
 
Duncan RoeSoftware DeveloperCommented:
Oh sorry - I guess you must be new to this.
The output from tcpdump as for most programs goes to something called "standard output (aka stdout)" (in fact, file unit 1). The unix concept of "piping" means that output can easily be redirected to become input to another program. "grep" is a program that searches for strings or string patterns, so I suggested "Now you can pipe the output from tcpdump into grep to find your text".
You likely want to type "man grep" in a command-line window to read more about what the program can do for you. Here's an example:

19:31:45$ tcpdump -A -s 1500 tcp|grep x86_64
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 1500 bytes
User-Agent: Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11
User-Agent: Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11
User-Agent: Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11
User-Agent: Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11
User-Agent: Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11
User-Agent: Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11
User-Agent: Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11
User-Agent: Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11
[lots more of these]

This example is a search for text lines in the tcp stream that contain the word "x86_64". You can substitute your text string of choice.

The reason the first 2 lines of output show up even though they don't match "x86_64" is that they weren't written to stdout - they were written to standard error (stderr) (file unit 2). The shell pipe symbol; "|" gives stdout to the next program (connects it to its standard input (stdin)) but output to other file units still goes where it would have gone previously - so stderr goes to the console.

Your final output is still going to go to the screen unless you do something about it. For that, you use the output redirection operator ">"

20:27:59$ tcpdump -A -s 1500 tcp|grep x86_64 > sample_output
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 1500 bytes
[Type Control-C to stop it]
285 packets captured
285 packets received by filter
0 packets dropped by kernel

20:29:11$ head sample_output
User-Agent: Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11
User-Agent: Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11
User-Agent: Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11
User-Agent: Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11
User-Agent: Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11
User-Agent: Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11
User-Agent: Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11
User-Agent: Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11
User-Agent: Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11
User-Agent: Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11


The output file doesn't contain the first 2 non-matching lines because they were sent to the console, and anyway ">" only redirects stdout. "man bash" will tell you more (rather a lot more really)
0

Featured Post

Upgrade your Question Security!

Add Premium security features to your question to ensure its privacy or anonymity. Learn more about your ability to control Question Security today.

  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now