I tried this:

    tcpdump -s 1500 -A -l -i eth0 '(port 6667) and (length > 74)'

I need only the ASCII part of it. How do I remove the rest?
As Josh suggests, tcpflow can print just the TCP packet data to a file or STDOUT. You can pipe tcpdump to tcpflow like this:

    tcpdump -i lo -l -w - port 23 | tcpflow -C -r -

To only view one side of the conversation, you can use filters for tcpdump, e.g. dst port 23.
tcpflow as root?

I feel the most elegant solution is just to ditch tcpdump. No pipes of any kind:

    tcpflow -c port 6667

And that's it.
-D to print the data in hex, in case your traffic isn't textual:

    tcpflow -Dc host xx.xx.xx.x

I'm not sure about the exact syntax for tcpdump... in fact, I have marked this question as a favorite because I would like to know! But as an alternative solution, you could try using tcpflow instead. It works essentially the same way, but it prints ASCII output much better; it excludes the headers and prints packets sequentially as a flow, so it's easier to read and follow at times than tcpdump.
A quick and dirty way to do this is to filter the output through strings:

    tcpdump -nli eth0 '(port 6667) and (length > 74)' -s 0 -w - | strings

Sometimes you don't have other tools and for a quick peek into the payload this is enough. It's no good if you need the exact payload for injection or an exact analysis, of course.
If you need only the ASCII part you can use:

    tcpdump -s 1500 -A -l -i eth0 '(port 6667) and (length > 74)' | sed 's/\.//g'

or with ngrep:

    ngrep -d eth0 -lq . '(port 6667) and (length > 74)' | sed -rn '/^ /s/\.//gp'
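Both the `strings` answer and the `sed` answer above work on text that tcpdump has already rendered, so they cannot tell a header from a payload, and `sed 's/\.//g'` also deletes every genuine '.' inside the payload (hostnames, dotted IPs in IRC messages). The script below is an added example written for this page, not code from any of the answers: it reads the raw pcap stream that `tcpdump -w -` produces, walks Ethernet/IPv4/TCP headers itself, and prints only the printable ASCII bytes of each TCP segment's payload, keeping tabs and line breaks. The embedded `SAMPLE_PCAP` is a constructed three-packet capture (one IRC segment with binary junk mixed in, one UDP datagram, one payload-less ACK) so the script runs offline; the script name `tcp_ascii.py` in the usage comment is an assumption.

```python
"""Print only the printable ASCII payload of TCP segments from a pcap stream.

Usage (assumed script name):  tcpdump -i eth0 -l -s 0 -w - port 6667 | python3 tcp_ascii.py
With no piped input the constructed SAMPLE_PCAP below is decoded instead.
"""
import struct
import sys
from typing import Iterator, List, Optional, Tuple

LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP, IPPROTO_UDP = 6, 17


def iter_pcap_frames(data: bytes) -> Iterator[bytes]:
    """Yield link-layer frames from a classic (non-pcapng) pcap image, either endianness."""
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    linktype = struct.unpack_from(endian + "I", data, 20)[0]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError(f"unsupported link type {linktype}; capture on an Ethernet-framed interface")
    off = 24  # skip the 24-byte global header
    while off + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def tcp_payload(frame: bytes) -> Optional[Tuple[str, int, str, int, bytes]]:
    """Return (src, sport, dst, dport, payload) for an IPv4/TCP frame, None for anything else."""
    if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                       # IPv4 header length incl. options
    total_len = struct.unpack_from("!H", ip, 2)[0]  # trims Ethernet padding, if any
    if ip[9] != IPPROTO_TCP:
        return None
    src = ".".join(map(str, ip[12:16]))
    dst = ".".join(map(str, ip[16:20]))
    tcp = ip[ihl:total_len]
    sport, dport = struct.unpack_from("!HH", tcp, 0)
    doff = (tcp[12] >> 4) * 4                       # TCP header length incl. options
    return src, sport, dst, dport, tcp[doff:]


def ascii_only(payload: bytes) -> str:
    """Keep printable ASCII plus tab/CR/LF; drop everything else instead of printing '.' for it."""
    return "".join(chr(b) for b in payload if 32 <= b < 127 or b in (9, 10, 13))


def extract_ascii(pcap: bytes) -> List[Tuple[str, str]]:
    """Return [(flow label, printable payload)] for every TCP segment that carries data."""
    out = []
    for frame in iter_pcap_frames(pcap):
        info = tcp_payload(frame)
        if info is None:
            continue
        src, sport, dst, dport, payload = info
        if payload:  # skip bare ACKs / handshake segments
            out.append((f"{src}:{sport} -> {dst}:{dport}", ascii_only(payload)))
    return out


# --- constructed sample capture (not real traffic) --------------------------------
def _frame(src: str, sport: int, dst: str, dport: int, payload: bytes, proto: int = IPPROTO_TCP) -> bytes:
    eth = b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4)
    if proto == IPPROTO_TCP:  # 20-byte header: PSH|ACK, data offset 5
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload
    else:                     # 8-byte UDP header
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return eth + ip + l4


def _pcap(frames: List[bytes]) -> bytes:
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    recs = [struct.pack("<IIII", 1_700_000_000 + i, 0, len(f), len(f)) + f for i, f in enumerate(frames)]
    return hdr + b"".join(recs)


SAMPLE_PCAP = _pcap([
    _frame("10.0.0.2", 51234, "10.0.0.1", 6667, b"NICK alice\r\n\x00\x01\xffUSER alice 0 * :Alice\r\n"),
    _frame("10.0.0.1", 53, "10.0.0.2", 40000, b"\x12\x34\x81\x80", proto=IPPROTO_UDP),  # ignored
    _frame("10.0.0.1", 6667, "10.0.0.2", 51234, b""),                                    # bare ACK
])

if __name__ == "__main__":
    data = SAMPLE_PCAP if sys.stdin.isatty() else sys.stdin.buffer.read()
    for flow, text in extract_ascii(data):
        print(f"[{flow}]")
        print(text, end="" if text.endswith("\n") else "\n")
```

Because the decoding is done on the pcap rather than on tcpdump's text, dotted names inside the payload survive, non-TCP packets never appear, and the `length > 74` trick from the question is unnecessary: segments without payload are dropped by inspecting the TCP data offset. Feeding it `tcpdump -w -` output also means `-A`, `-s` and the terminal formatting no longer matter.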
I had the same problem last week - I used the Wireshark GUI instead and did a "copy readable ascii" for the interesting packets.
I was (successfully) trying to pin down a problem with an HTTP request to a web service and its XML answer.