I am trying to HTTP traffic to port 8007 in a file and then view them later.
# tcpdump -i eth0 -s0 -n -w /tmp/capture port 8007 &
# tcpdump -r /tmp/capture -A | grep '10.2.1.50'
I expected to see packet data in ASCII but that does not happen. What I get instead is something like:
23:03:16.819935 IP 10.2.1.50.8007 > 10.2.1.120.57469: . ack 1369 win 272 <nop,nop,timestamp 188139705 215355175>
23:03:16.819943 IP 10.2.1.120.57469 > 10.2.1.50.8007: P 1369:1592(223) ack 1 win 12 <nop,nop,timestamp 215355175 188139703>
23:03:16.819947 IP 10.2.1.50.8007 > 10.2.1.120.57469: . ack 1592 win 272 <nop,nop,timestamp 188139705 215355175>
23:03:17.029587 IP 10.2.1.50.8007 > 10.2.1.120.57469: P 1:780(779) ack 1592 win 272 <nop,nop,timestamp 188139758 215355175>
23:03:17.029736 IP 10.2.1.50.8007 > 10.2.1.153.49989: F 822:822(0) ack 3494 win 272 <nop,nop,timestamp 188139758 1641992210>
23:03:17.040759 IP 10.2.1.120.57469 > 10.2.1.50.8007: . ack 780 win 15 <nop,nop,timestamp 215355396 188139758>
23:03:17.079305 IP 10.2.1.153.49989 > 10.2.1.50.8007: . ack 823 win 15 <nop,nop,timestamp 1642053303 188139758>
How do I fix the write or read to see the actual content? I have tried other options such as -v but that's not for content. I am using SLES 11 SP2. Is tcpdump
the right tool for this?
Thanks a lot.
--EDIT
# tcpdump --version
tcpdump version 3.9.8
libpcap version 0.9-PRE-CVS
I also tried with -X option but still do not see the payload data.