37

I am trying to capture HTTP traffic to port 8007 in a file and then view it later.

# tcpdump -i eth0 -s0 -n -w /tmp/capture port 8007 &
# tcpdump -r /tmp/capture -A | grep '10.2.1.50'

I expected to see packet data in ASCII but that does not happen. What I get instead is something like:

23:03:16.819935 IP 10.2.1.50.8007 > 10.2.1.120.57469: . ack 1369 win 272 <nop,nop,timestamp 188139705 215355175>
23:03:16.819943 IP 10.2.1.120.57469 > 10.2.1.50.8007: P 1369:1592(223) ack 1 win 12 <nop,nop,timestamp 215355175 188139703>
23:03:16.819947 IP 10.2.1.50.8007 > 10.2.1.120.57469: . ack 1592 win 272 <nop,nop,timestamp 188139705 215355175>
23:03:17.029587 IP 10.2.1.50.8007 > 10.2.1.120.57469: P 1:780(779) ack 1592 win 272 <nop,nop,timestamp 188139758 215355175>
23:03:17.029736 IP 10.2.1.50.8007 > 10.2.1.153.49989: F 822:822(0) ack 3494 win 272 <nop,nop,timestamp 188139758 1641992210>
23:03:17.040759 IP 10.2.1.120.57469 > 10.2.1.50.8007: . ack 780 win 15 <nop,nop,timestamp 215355396 188139758>
23:03:17.079305 IP 10.2.1.153.49989 > 10.2.1.50.8007: . ack 823 win 15 <nop,nop,timestamp 1642053303 188139758>

How do I fix the write or read to see the actual content? I have tried other options such as -v but that's not for content. I am using SLES 11 SP2. Is tcpdump the right tool for this?

Thanks a lot.

--EDIT

# tcpdump --version
tcpdump version 3.9.8
libpcap version 0.9-PRE-CVS

I also tried with -X option but still do not see the payload data.

R Schultz
  • 462
Dinesh
  • 1,291

6 Answers

37

You are able to see just the header and not the packet contents because you piped the output to grep, so it prints only the lines in which the IP address is present.

The -A option to tcpdump gives the packet contents as well.

  • 2
    from the question: # tcpdump -r /tmp/capture -A | grep '10.2.1.50' – Jeff Schaller Apr 07 '18 at 12:29
  • 3
    I am saying if you remove the | grep '10.2.1.50' part of your command, you will be able to see all the packet contents as well. If you want to search for the contents of the packets with that IP, then ask grep to print out the subsequent lines of the lines in which the IP is present. – Kalyan Kumar Apr 08 '18 at 07:51
18

Use tcpdump -X

For example (works on the Fedora/Centos that I use):

sudo tcpdump -nvvvXi br0
13:29:20.311228 00:1c:73:86:12:f9 > 01:00:5e:00:01:81, ethertype IPv4 (0x0800), length 86: (tos 0x0, ttl 5, id 0, offset 0, flags [none], proto UDP (17), length 72)
    10.134.245.1.ptp-general > 224.0.1.129.ptp-general: Ptp MessageType: Follow_Up, SequenceId: 8208

        0x0000:  4500 0048 0000 0000 0511 d49c 0a86 f501  E..H............
        0x0010:  e000 0181 0140 0140 0034 0cd0 0802 002c  .....@.@.4.....,
        0x0020:  0100 0000 0000 0000 0000 0000 0000 0000  ................
        0x0030:  444c a8ff ffc7 1f6b 0236 2010 0200 0000  DL.....k.6......
        0x0040:  5f2a b430 0d5e b480                      _*.0.^..

AdminBee
  • 22,803
4

Those are the contents. You have probably used some command to filter out the content.

DisplayName
  • 11,688
0

You can use the Wireshark tool for best results.

GauravG
  • 11
0

I guess the OP wanted to see the packet contents from IP 10.2.1.50.
I just stumbled on this post, so I thought I would update it.
Use the host switch in tcpdump.
I never used a saved pcap file with switches, but I hope it can work. This is how you use it in a live tcpdump.
Example:
See traffic to and from 10.2.1.50:
tcpdump -nnA host 10.2.1.50
or to see results from a network:
tcpdump -nnA net 10.2.1.0/24
or to see traffic originating from 10.2.1.50:
tcpdump -nnA src 10.2.1.50
Hope it helps.
EDIT: Also, if you want to grep properly, use the -A switch:
tcpdump -r /tmp/capture -A | grep -A5 '10.2.1.50'
The -A5 switch will also show you the next 5 lines after the line that matches 10.2.1.50.

nav33n
  • 1
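The accepted answer and the answer above describe the same failure mode from two sides: plain grep keeps only the header line that matches the address, and grep -A5 keeps a fixed number of lines after it, which can cut a long payload short or run into the next packet. The following is an added example, not code from any answer on this page: a small awk filter that keeps whole packet records (the timestamp line plus every line printed under it by -A, up to the next timestamp line) for exactly one host, comparing the address with the port stripped so that a search for 10.2.1.5 does not also return 10.2.1.50. It assumes default tcpdump timestamps, numeric addresses (-n or -nn) and the "IP src.port > dst.port:" header layout shown in the question; the sample input is a constructed tcpdump -A dump, not a real capture.

```shell
#!/bin/sh
# Added example (not from the original question or answers): filter
# `tcpdump -A` output per packet record rather than per line, so the
# payload printed under a matching header line is kept.
#
# Assumptions: default tcpdump timestamps (HH:MM:SS.ffffff at the start of
# every packet header), numeric addresses (-n / -nn), and the "IP src.port >
# dst.port:" header layout shown in the question.

# Constructed sample of `tcpdump -r /tmp/capture -nA` output: a hypothetical
# HTTP request/response on port 8007 plus two unrelated packets. Not a real
# capture; the "E.." lines stand in for the ASCII rendering of the IP header.
sample_dump() {
cat <<'EOF'
23:03:16.819943 IP 10.2.1.120.57469 > 10.2.1.50.8007: P 1369:1592(223) ack 1 win 12
E..
GET /status HTTP/1.1
Host: 10.2.1.50:8007
User-Agent: curl/7.19.7

23:03:16.900000 IP 10.2.1.153.49989 > 10.2.1.77.80: P 1:50(49) ack 1 win 15
GET / HTTP/1.1
Host: other.example

23:03:16.950000 IP 10.2.1.5.40000 > 10.2.1.77.80: . ack 50 win 15
E..(
23:03:17.029587 IP 10.2.1.50.8007 > 10.2.1.120.57469: P 1:780(779) ack 1592 win 272
HTTP/1.1 200 OK
Content-Type: text/plain
Content-Length: 2

ok
EOF
}

# filter_packets HOST
# Reads tcpdump -A text on stdin and prints every packet record (header line
# plus the lines that follow it, blank lines included) whose source or
# destination host equals HOST exactly. Plain `grep 10.2.1.5` would also match
# 10.2.1.50; this compares the address after stripping the port.
filter_packets() {
    awk -v want="$1" '
        # "10.2.1.50.8007:" -> "10.2.1.50": drop the trailing colon and ".port"
        function host_of(ep) {
            sub(/:$/, "", ep)
            if (match(ep, /\.[^.]*$/)) ep = substr(ep, 1, RSTART - 1)
            return ep
        }
        # A new record starts at a timestamp line; decide once per record
        # whether to keep it, then print lines while that decision holds.
        /^[0-9][0-9]:[0-9][0-9]:[0-9][0-9]\.[0-9]+ / {
            keep = ($2 == "IP" || $2 == "IP6") && (host_of($3) == want || host_of($5) == want)
        }
        keep { print }
    '
}

# Count the packet records in (filtered) output: one timestamp line per record.
count_records() {
    grep -c '^[0-9][0-9]:[0-9][0-9]:[0-9][0-9]\.'
}

# Usage on the real file from the question:
#   tcpdump -r /tmp/capture -nA | filter_packets 10.2.1.50
sample_dump | filter_packets 10.2.1.50
```

The filter only changes its keep/drop decision on a timestamp line, so everything tcpdump prints for one packet, including the blank line between HTTP headers and body, travels with that packet; grep -A5 cannot make that guarantee. If the capture was written with -tttt or without -n, the timestamp regex and the port stripping need adjusting to match that output.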
0

A buffering issue, but something like this? (Note: bashisms!)

t14s:~ # tcpdump -c 4 -i wlan0 -w - 'host 199.185.178.80' | \
    tee >/dev/null >(tcpdump -w /tmp/out.pcap) >(tcpdump -r - )
tcpdump: listening on wlan0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
tcpdump: listening on wlan0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
4 packets captured
4 packets received by filter
0 packets dropped by kernel
reading from file -, link-type EN10MB (Ethernet), snapshot length 262144
t14s:~ # 15:58:03.021381 IP t14s.home.arpa.40002 > 199.185.178.80.https: Flags [S], seq 3384958855, win 64240, options [mss 1460,sackOK,TS val 1611908519 ecr 0,nop,wscale 7], length 0
15:58:03.159178 IP 199.185.178.80.https > t14s.home.arpa.40002: Flags [S.], seq 1330189822, ack 3384958856, win 16384, options [mss 1460,nop,nop,sackOK,nop,wscale 6,nop,nop,TS val 4017714601 ecr 1611908519], length 0
15:58:03.159253 IP t14s.home.arpa.40002 > 199.185.178.80.https: Flags [.], ack 1, win 502, options [nop,nop,TS val 1611908657 ecr 4017714601], length 0
15:58:03.161365 IP t14s.home.arpa.40002 > 199.185.178.80.https: Flags [P.], seq 1:518, ack 1, win 502, options [nop,nop,TS val 1611908659 ecr 4017714601], length 517
^C
Jiri B
  • 541