Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

Looking for tcpdump command to search for text

Posted on 2007-12-03
3
Medium Priority
?
932 Views
Last Modified: 2013-12-16
Hello -

Looking for a way to use tcpdump to search for a specific text.   Any ideas on what the syntax would be - if possible?
0
Comment
Question by:newtontech4
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
3 Comments
 
LVL 35

Accepted Solution

by:
Duncan Roe earned 2000 total points
ID: 20398545
You want to start by using tcpdump -A which prints packet contents in Ascii. Also you want to capture full packets (1500 bytes) rather than the default 68 bytes. So you want to use the option "-s 1500".
Now you can pipe the output from tcpdump into grep to find your text.

-A is a fairly new addition to tcpdump; somewhat earlier the -X option was added to give combined Hex & Ascii. Like -X, -A prints non-prinying characters a full stops, but unlike -X spaces are printed as spaces and linefeeds are printed as CrLf.

Sample output from "tcpdump -A -s 1500 tcp"

07:42:46.190074 IP dimstar.local.net.36966 > cf-in-f99.google.com.http: P 1300:1883(583) ack 11574 win 248 <nop,nop,timestamp 80067 1270955866>
E..{..@.@.H.
...J}.c.f.P...p&Hs.....jN.....
..8.K.?ZGET /favicon.ico HTTP/1.1
Host: www.google.com.au
User-Agent: Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11
Accept: image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Cookie: NID=5=Y_F9_9kJsrZbXU8cHYvXBmR5z906ggA  [truncated]
0
 

Author Comment

by:newtontech4
ID: 20398595
thank you - where is this output stored?
0
 
LVL 35

Assisted Solution

by:Duncan Roe
Duncan Roe earned 2000 total points
ID: 20401758
Oh sorry - I guess you must be new to this.
The output from tcpdump as for most programs goes to something called "standard output (aka stdout)" (in fact, file unit 1). The unix concept of "piping" means that output can easily be redirected to become input to another program. "grep" is a program that searches for strings or string patterns, so I suggested "Now you can pipe the output from tcpdump into grep to find your text".
You likely want to type "man grep" in a command-line window to read more about what the program can do for you. Here's an example:

19:31:45$ tcpdump -A -s 1500 tcp|grep x86_64
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 1500 bytes
User-Agent: Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11
User-Agent: Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11
User-Agent: Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11
User-Agent: Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11
User-Agent: Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11
User-Agent: Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11
User-Agent: Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11
User-Agent: Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11
[lots more of these]

This example is a search for text lines in the tcp stream that contain the word "x86_64". You can substitute your text string of choice.

The reason the first 2 lines of output show up even though they don't match "x86_64" is that they weren't written to stdout - they were written to standard error (stderr) (file unit 2). The shell pipe symbol; "|" gives stdout to the next program (connects it to its standard input (stdin)) but output to other file units still goes where it would have gone previously - so stderr goes to the console.

Your final output is still going to go to the screen unless you do something about it. For that, you use the output redirection operator ">"

20:27:59$ tcpdump -A -s 1500 tcp|grep x86_64 > sample_output
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 1500 bytes
[Type Control-C to stop it]
285 packets captured
285 packets received by filter
0 packets dropped by kernel

20:29:11$ head sample_output
User-Agent: Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11
User-Agent: Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11
User-Agent: Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11
User-Agent: Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11
User-Agent: Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11
User-Agent: Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11
User-Agent: Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11
User-Agent: Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11
User-Agent: Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11
User-Agent: Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11


The output file doesn't contain the first 2 non-matching lines because they were sent to the console, and anyway ">" only redirects stdout. "man bash" will tell you more (rather a lot more really)
0

Featured Post

Nothing ever in the clear!

This technical paper will help you implement VMware’s VM encryption as well as implement Veeam encryption which together will achieve the nothing ever in the clear goal. If a bad guy steals VMs, backups or traffic they get nothing.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

If you have a server on collocation with the super-fast CPU, that doesn't mean that you get it running at full power. Here is a preamble. When doing inventory of Linux servers, that I'm administering, I've found that some of them are running on l…
Google Drive is extremely cheap offsite storage, and it's even possible to get extra storage for free for two years.  You can use the free account 15GB, and if you have an Android device..when you install Google Drive for the first time it will give…
Connecting to an Amazon Linux EC2 Instance from Windows Using PuTTY.
How to Install VMware Tools in Red Hat Enterprise Linux 6.4 (RHEL 6.4) Step-by-Step Tutorial
Suggested Courses

650 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question