How to make tcpdump (or other tool) to actually dump TCP stream?


Solution 1

tcpdump normally displays packet information, as opposed to actual data.

Use the -A flag to dump ASCII contents. It will still dump a lot of other data (like ARP and DNS packets, for example), but you should be able to get what you want through filters.

Solution 2

Try

tcpflow -v -i iface

This will create a lot of files having filenames like "IP_A.port.-IP_B.port".
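As an added example, and not code from either answer nor from tcpdump or tcpflow themselves: the script below reads a pcap written by `tcpdump -w`, keeps only IPv4/TCP on the chosen port (so the ARP and DNS noise Solution 1 mentions never reaches the output), reassembles each direction by sequence number, and prints it in the `src:port->dst:port line` form the question sketches. It assumes a classic (non-pcapng) capture from an Ethernet interface; the hosts, ports and HTTP exchange in the embedded capture are copied from the question and constructed inline so it runs offline, and `tcpflow_name` mirrors, as an assumption, the zero-padded per-flow file names Solution 2's `tcpflow` writes.

```python
"""Added example: reassemble TCP payload from a pcap and print it per direction.

    tcpdump -n -i eth0 -w http.pcap 'tcp port 80'
    python3 tcpstream.py http.pcap [port]

Assumes a classic pcap (not pcapng) on an Ethernet link; IPv6 is skipped.
"""
import struct
import sys
from collections import defaultdict

PCAP_MAGIC = 0xA1B2C3D4          # classic pcap, microsecond timestamps
LINKTYPE_ETHERNET = 1


def parse_pcap(data):
    """Yield the raw frame of every record in a classic pcap buffer."""
    magic = struct.unpack_from("<I", data, 0)[0]
    end = "<" if magic == PCAP_MAGIC else ">" if magic == 0xD4C3B2A1 else None
    if end is None:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    if struct.unpack_from(end + "I", data, 20)[0] != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are handled here")
    off = 24
    while off + 16 <= len(data):
        incl_len = struct.unpack_from(end + "IIII", data, off)[2]
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def parse_tcp(frame):
    """Return (src, sport, dst, dport, seq, payload) for an IPv4/TCP frame, else None.
    ARP, IPv6 and UDP (DNS) frames are exactly what tcpdump -A would mix in."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[14] >> 4 != 4:
        return None
    ip = frame[14:]
    ihl, total_len, proto = (ip[0] & 0x0F) * 4, struct.unpack_from("!H", ip, 2)[0], ip[9]
    if proto != 6 or total_len < ihl + 20 or len(ip) < ihl + 20:
        return None
    tcp = ip[ihl:total_len]                       # drops Ethernet padding/trailers
    sport, dport, seq, _ack, off_flags = struct.unpack_from("!HHIIH", tcp, 0)
    src = ".".join(map(str, ip[12:16]))
    dst = ".".join(map(str, ip[16:20]))
    return src, sport, dst, dport, seq, tcp[(off_flags >> 12) * 4:]


def reassemble(pcap_bytes, port=None):
    """Group payload per direction and order it by sequence number.
    Retransmitted/overlapping segments are trimmed; a gap (lost segment) is
    passed over rather than filled; 32-bit sequence wrap-around is ignored."""
    segs = defaultdict(list)
    for frame in parse_pcap(pcap_bytes):
        p = parse_tcp(frame)
        if p is None or not p[5]:                 # not TCP, or no payload (pure ACK)
            continue
        src, sport, dst, dport, seq, payload = p
        if port is None or port in (sport, dport):
            segs[(src, sport, dst, dport)].append((seq, payload))
    streams = {}
    for key, lst in segs.items():
        lst.sort(key=lambda s: s[0])
        buf, next_seq = bytearray(), lst[0][0]
        for seq, payload in lst:
            if seq + len(payload) <= next_seq:
                continue                          # pure retransmission, already assembled
            buf.extend(payload[max(0, next_seq - seq):])   # drop any overlapping prefix
            next_seq = seq + len(payload)
        streams[key] = bytes(buf)
    return streams


def format_stream(streams):
    """Prefix each line with 'client:port->server:port' ('<-' for the reply
    direction); whichever side sent payload first is taken to be the client."""
    client, out = {}, []
    for (src, sport, dst, dport), data in streams.items():
        flow = frozenset([(src, sport), (dst, dport)])
        if client.setdefault(flow, (src, sport)) == (src, sport):
            prefix = f"{src}:{sport}->{dst}:{dport} "
        else:
            prefix = f"{dst}:{dport}<-{src}:{sport} "
        lines = data.decode("ascii", "replace").split("\r\n")
        if lines[-1] == "":
            lines.pop()                           # trailing CRLF, not an extra line
        out.extend(prefix + line for line in lines)
    return out


def tcpflow_name(src, sport, dst, dport):
    """Per-flow file name in tcpflow's zero-padded style (assumption; check your version)."""
    pad = lambda ip: ".".join(f"{int(o):03d}" for o in ip.split("."))
    return f"{pad(src)}.{sport:05d}-{pad(dst)}.{dport:05d}"


# --- constructed capture: hosts, ports and exchange copied from the question ---
def _frame(src, sport, dst, dport, seq, payload):
    """Ethernet/IPv4/TCP frame, PSH+ACK, checksums left zero (test data only)."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq, 0, (5 << 12) | 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split(".")))) + tcp
    return b"\x00" * 12 + b"\x08\x00" + ip


def build_pcap(frames):
    """Wrap frames in a little-endian classic pcap file image."""
    hdr = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    return hdr + b"".join(struct.pack("<IIII", 0, i, len(f), len(f)) + f for i, f in enumerate(frames))


RESP1 = b"HTTP/1.0 500 K.O.\r\nContent-Type: application/null\r\n"
SAMPLE_PCAP = build_pcap([
    _frame("217.21.51.1", 56812, "192.0.43.10", 80, 1000, b"GET / HTTP/1.0\r\n\r\n"),
    b"\x00" * 12 + b"\x08\x06" + b"\x00" * 28,                             # ARP: ignored
    _frame("192.0.43.10", 80, "217.21.51.1", 56812, 5000 + len(RESP1), b"Content-Length: -1\r\n"),  # arrives early
    _frame("192.0.43.10", 80, "217.21.51.1", 56812, 5000, RESP1),
    _frame("192.0.43.10", 80, "217.21.51.1", 56812, 5000, RESP1),         # retransmission
    _frame("217.21.51.1", 40000, "192.0.43.10", 22, 1, b"SSH-2.0-client\r\n"),  # other port
])

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PCAP
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 80
    for line in format_stream(reassemble(data, port)):
        print(line)
```

Run without arguments to see the embedded exchange printed in the question's format; the out-of-order and retransmitted response segments come out as one ordered stream. For a live view without a capture file, Solution 1's route is `tcpdump -n -l -A -i eth0 'tcp port 80'`: `-l` line-buffers the output so it can be piped, and the filter keeps the ARP and DNS packets out, but each segment is still printed as it arrives, so the ordering and de-duplication above is what a reassembling tool such as tcpflow adds.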


Author: Vi.

Updated on September 18, 2022

Comments

  • Vi. almost 2 years

    I expect something like this:

    $ nc example.com 80
    GET / HTTP/1.0
    
    HTTP/1.0 500 K.O.
    Content-Type: application/null
    Content-Length: -1
    $ 
    
    Meanwhile: 
    # tcpdump -i eth0 --actually-dump-all-tcp
    217.21.51.1:56812->192.0.43.10:80 GET / HTTP/1.0
    217.21.51.1:56812->192.0.43.10:80 
    217.21.51.1:56812<-192.0.43.10:80 HTTP/1.0 500 K.O.
    217.21.51.1:56812<-192.0.43.10:80 Content-Type: application/null
    217.21.51.1:56812<-192.0.43.10:80 Content-Length: -1
    

    Now I use Wireshark, but while it is loading, the connection can get finished several times.

    • Admin almost 13 years
      @Flimzy No, he wants to dump in ASCII.
  • Vi. almost 13 years
    Dirty one-liner to print in a form that is closer to mine: tcpdump -n -l -A -i eth0 | perl -ne 'if(/\d\d:\d\d:\d\d\.\d{6} IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+)\:.*length (\d+)/) { $preamble="$1:$2->$3:$4 "; } else { print "$preamble$_"; }'
  • new123456 almost 13 years
    @Vi If my brain weren't fortified from working with setjmp/longjmp hackery, that Perl would have fried my brain. I'm sure Douglas would have a fit if he saw that ;)