tcpdump - realtime dns logger with pipe

Question

I want to get DNS A records in realtime with tcpdump on stdout.

tcpdump -i any dst port 53 | awk '/ A\? / {u = NF - 1; print $u}' | sed 's/.$//g'

There is no output coming from the above line. Tcpdump seems still buffering on pipes or something. I've tested -l --immediate-mode and -U as well.

The line below outputs properly (in realtime) but obviously unfiltered (no grep/awk):

tcpdump -i any dst port 53

If i send its output lines manually to the awk/sed commands above they do work properly.

Everything tested on Arch Linux and Android 8.1 (bash, tcpdump 4.9.2).

Question: How to get tcpdump output in realtime with pipe/awk/sed?

There is an old thread from 2011 that doesn't fix the problem. How to process/pipe TCPDUMPs output in realtime

did you turn off buffering in awk and in sed and in ... https://unix.stackexchange.com/questions/25372/turn-off-buffering-in-pipe — thrig, Jul 17 '18 at 18:33
I've tried sudo unbuffer tcpdump -i any dst port 53 | unbuffer awk '/ A\? / {u = NF - 1; print $u}' | unbuffer sed 's/.$//g' but it doesn't help. — Maniaxx, Jul 17 '18 at 19:29

score 2 · Answer 1 · answered Jul 17 '18 at 20:09

Try this variant:

tcpdump -l -i any dst port 53 | stdbuf -oL awk '/ A\? / {u = NF - 1; print $u}' | sed 's/.$//g'

You have to buffer every line of tcpdump output, option -l is used for that.

From man tcpdump:

-l     Make stdout line buffered.  Useful if you want to see the data while capturing it.

To make awk output line buffering stdbuf is used.

-o, --output=MODE  adjust standard output stream buffering
If MODE is 'L' the corresponding stream will be line buffered.

Works on Arch Linux but not on Android (no stdbuf binary). Any solution for Android? — Maniaxx, Jul 18 '18 at 19:29

tcpdump - realtime dns logger with pipe

1 Answers1