Solved

Looking for tcpdump command to search for text

Posted on 2007-12-03
915 Views
Last Modified: 2013-12-16
Hello -

Looking for a way to use tcpdump to search for a specific text. Any ideas on what the syntax would be - if possible?
Question by:newtontech4
LVL 34

Accepted Solution

by: Duncan Roe (earned 500 total points)
You want to start by using tcpdump -A which prints packet contents in Ascii. Also you want to capture full packets (1500 bytes) rather than the default 68 bytes. So you want to use the option "-s 1500".
Now you can pipe the output from tcpdump into grep to find your text.

-A is a fairly new addition to tcpdump; somewhat earlier the -X option was added to give combined Hex & Ascii. Like -X, -A prints non-printing characters as full stops, but unlike -X, spaces are printed as spaces and linefeeds are printed as CrLf.

Sample output from "tcpdump -A -s 1500 tcp"

07:42:46.190074 IP dimstar.local.net.36966 > cf-in-f99.google.com.http: P 1300:1883(583) ack 11574 win 248 <nop,nop,timestamp 80067 1270955866>
E..{..@.@.H.
...J}.c.f.P...p&Hs.....jN.....
..8.K.?ZGET /favicon.ico HTTP/1.1
Host: www.google.com.au
User-Agent: Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11
Accept: image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Cookie: NID=5=Y_F9_9kJsrZbXU8cHYvXBmR5z906ggA  [truncated]

Author Comment

by:newtontech4
thank you - where is this output stored?
LVL 34

Assisted Solution

by: Duncan Roe (earned 500 total points)
Oh sorry - I guess you must be new to this.
The output from tcpdump as for most programs goes to something called "standard output (aka stdout)" (in fact, file unit 1). The unix concept of "piping" means that output can easily be redirected to become input to another program. "grep" is a program that searches for strings or string patterns, so I suggested "Now you can pipe the output from tcpdump into grep to find your text".
You likely want to type "man grep" in a command-line window to read more about what the program can do for you. Here's an example:

19:31:45$ tcpdump -A -s 1500 tcp|grep x86_64
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 1500 bytes
User-Agent: Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11
User-Agent: Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11
User-Agent: Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11
User-Agent: Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11
User-Agent: Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11
User-Agent: Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11
User-Agent: Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11
User-Agent: Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11
[lots more of these]

This example is a search for text lines in the tcp stream that contain the word "x86_64". You can substitute your text string of choice.

The reason the first 2 lines of output show up even though they don't match "x86_64" is that they weren't written to stdout - they were written to standard error (stderr) (file unit 2). The shell pipe symbol "|" gives stdout to the next program (connects it to its standard input (stdin)), but output to other file units still goes where it would have gone previously - so stderr goes to the console.

Your final output is still going to go to the screen unless you do something about it. For that, you use the output redirection operator ">"

20:27:59$ tcpdump -A -s 1500 tcp|grep x86_64 > sample_output
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 1500 bytes
[Type Control-C to stop it]
285 packets captured
285 packets received by filter
0 packets dropped by kernel

20:29:11$ head sample_output
User-Agent: Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11
User-Agent: Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11
User-Agent: Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11
User-Agent: Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11
User-Agent: Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11
User-Agent: Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11
User-Agent: Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11
User-Agent: Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11
User-Agent: Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11
User-Agent: Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11


The output file doesn't contain the first 2 non-matching lines because they were sent to the console, and anyway ">" only redirects stdout. "man bash" will tell you more (rather a lot more, really).
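The pipe and redirection mechanics described in both answers above, as an added example that is not part of the original thread: a stand-in producer (fake_tcpdump, an assumed name) writes its status lines to stderr and packet text to stdout the way tcpdump -A does, so the "pipe into grep, redirect to a file" recipe can be exercised without root or a live interface. The helper names search_stream and count_stderr_lines are also assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). fake_tcpdump stands in for "tcpdump -A -s 1500 tcp":
# two status lines go to stderr (file unit 2), packet text goes to stdout (file unit 1).
# The packet text below is constructed sample data, not a real capture.
fake_tcpdump() {
    echo "tcpdump: verbose output suppressed, use -v or -vv for full protocol decode" >&2
    echo "listening on eth0, link-type EN10MB (Ethernet), capture size 1500 bytes" >&2
    printf '%s\n' \
        "GET /favicon.ico HTTP/1.1" \
        "Host: www.example.com" \
        "User-Agent: Mozilla/5.0 (X11; U; Linux i686 (x86_64)) Firefox/2.0.0.11" \
        "Accept: image/png,*/*;q=0.5" \
        "User-Agent: Mozilla/5.0 (X11; U; Linux i686 (x86_64)) Firefox/2.0.0.11"
}

# search_stream PATTERN FILE: pipe the producer through grep and keep only matching
# lines in FILE. Only stdout crosses the "|", so the two status lines would still land
# on the console; "2>/dev/null" on the producer discards them. Prints the match count.
# grep exits 1 when nothing matches, which is not an error here, hence "|| :".
search_stream() {
    pattern=$1; out=$2
    fake_tcpdump 2>/dev/null | grep -- "$pattern" > "$out" || :
    wc -l < "$out" | tr -d ' '
}

# count_stderr_lines: send stderr down the pipe and stdout to /dev/null (order matters:
# "2>&1" first, then ">/dev/null") to show that exactly the two status lines bypass
# grep in the plain recipe above.
count_stderr_lines() {
    fake_tcpdump 2>&1 >/dev/null | wc -l | tr -d ' '
}

# With the real tool the same shape is:
#   tcpdump -l -A -s 1500 tcp 2>/dev/null | grep x86_64 > sample_output
# "-l" line-buffers tcpdump's stdout so matches appear as they are captured instead
# of only when the buffer fills or the capture is stopped with Control-C.
```

The `-l` flag matters whenever tcpdump feeds a pipe: without it, output is block-buffered and grep may show nothing until the capture ends.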