tcpdump - just packet data


Solution 1

Hope this helps:

$ tshark -r test.pcap -O http -Vx -R "image-jfif"  > test.txt

I'm running:

$ tshark -v
TShark 1.6.1 (SVN Rev 38096 from /trunk-1.6)

Solution 2

Actually the wireshark package contains a command line tool, tshark. The following invocation gets close to what I think you want.

tshark -i eth0 -n -Eheader=n


Author: Eamorr

Updated on September 18, 2022

Comments

  • Eamorr over 1 year

    When using tcpdump, how can I print just the packet data?

    For example (anonymized):

    sudo tcpdump -X 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'
    
    10:23:59.521551 IP dhcp227.asdfasdf.com.47142 > sjc-not7.sjc.dropbox.com.www: Flags [P.], seq 5074:5341, ack 6420, win 2448, options [nop,nop,TS val 7955335 ecr 585615613], length 267
        0x0000:  4500 013f 7913 4000 4006 72ee ac10 01e3  E..?y.@.@.r.....
        0x0010:  c732 d894 b826 0050 9455 3f65 51f9 a5f4  ./...&.P.U?eQ...
        0x0020:  8018 0990 4ee9 0000 0101 080a 0079 6387  ....N........yc.
        0x0030:  22e7 c8fd 4745 5420 2f73 7562 7363 7269  "...GET./subscri
        0x0040:  6265 3f68 6f73 745f 696e 743d 3832 3335  be?host_int=8232
        0x0050:  3635 3738 266e 735f 6d61 703d 3532 3434  6578&ns_map=3244
        0x0060:  3035 3238 5f31 3236 3932 3638 3038 3030  0528_12691680800
        0x0070:  3230 382c 3138 3635 3538 3235 5f32 3430  208,18655825_240
        0x0080:  3230 3033 3432 3836 3132 3738 352c 3330  2003428616785,30
        0x0090:  3331 3637 3932 5f34 3239 3532 3730 3436  316795_432527046
        0x00a0:  3339 352c 3430 3039 3039 3337 5f32 3335  395,40090937_235
        0x00b0:  3134 3831 3734 3937 3439 3034 3926 7473  1481749749049&ts
        0x00c0:  3d31 3331 3131 3532 3833 3920 4854 5450  =1311153839.HTTP
        0x00d0:  2f31 2e31 0d0a 486f 7374 3a20 6e6f 7469  /1.1..Host:.noti
        0x00e0:  6679 372e 6472 6f70 626f 782e 636f 6d0d  fy7.dropbox.com.
        0x00f0:  0a41 6363 6570 742d 456e 636f 6469 6e67  .Accept-Encoding
        0x0100:  3a20 6964 656e 7469 7479 0d0a 436f 6e6e  :.identity..Conn
        0x0110:  6563 7469 6f6e 3a20 6b65 6570 2d61 6c69  ection:.keep-ali
        0x0120:  7665 0d0a 582d 4472 6f70 626f 782d 4c6f  ve..X-Dropbox-Lo
        0x0130:  6361 6c65 3a20 656e 5f55 530d 0a0d 0a    cale:.en_US....
    

    I just want it to print the right-hand column (preferably all on one line). Is this even possible? I can't use Wireshark as I have to do it all on the command line.

  • Eamorr almost 13 years
    Hi, I tried that, but it still doesn't give me the right-hand column I'm interested in. Tshark is certainly a tool I have overlooked.
  • Keith almost 13 years
    Hm, it prints what looks like the right-hand column, but on one line. Could you be more specific about what you're looking for?
  • Eamorr almost 13 years
    Hi, sorry for the late reply. I'm looking to analyse the packet stream and pick out HTTP headers of type image/jpeg. I'm hoping to pipe the output of tshark/tcpdump into a custom C program so that I can pick out the raw jpeg data for further analysis. As you can probably tell, I'm very new to all this. Any other comments you may have are greatly appreciated.
  • Keith almost 13 years
    Sounds like you may actually need something more customizable. In the Python world there is scapy. That lets you pick apart packets with Python scripts. If you're on a switch you can set a monitor/span port to send traffic to it.