in reply to Re: converting tcpdump output
in thread converting tcpdump output

My pleasure:

19:57:52.537475 IP 192.168.0.249.1505 > 143.48.220.86.80: P 0:625(625) ack 1 win 65535
0x0000:  4500 0299 4188 4000 8006 89ae c0a8 00f9  E...A.@.........
0x0010:  8f30 dc56 05e1 0050 5f7c 01ef 931d b19f  .0.V...P_|......
0x0020:  5018 ffff 5545 0000 4745 5420 2f7e 6c73  P...UE..GET./~ls
0x0030:  7465 696e 2f74 616c 6b73 2f57 5757 362f  tein/talks/WWW6/
0x0040:  736e 6966 6665 722f 2048 5454 502f 312e  sniffer/.HTTP/1.
0x0050:  310d 0a48 6f73 743a 2073 7465 696e 2e63  1..Host:.stein.c
0x0060:  7368 6c2e 6f72 670d 0a55 7365 722d 4167  shl.org..User-Ag
0x0070:  656e 743a 204d 6f7a 696c 6c61 2f35 2e30  ent:.Mozilla/5.0
0x0080:  2028 5769 6e64 6f77 733b 2055 3b20 5769  .(Windows;.U;.Wi
0x0090:  6e64 6f77 7320 4e54 2035 2e31 3b20 656e  ndows.NT.5.1;.en
0x00a0:  2d55 533b 2072 763a 312e 372e 3629 2047  -US;.rv:1.7.6).G
0x00b0:  6563 6b6f 2f32 3030 3530 3331 3720 4669  ecko/20050317.Fi
0x00c0:  7265 666f 782f 312e 302e 320d 0a41 6363  refox/1.0.2..Acc
0x00d0:  6570 743a 2074 6578 742f 786d 6c2c 6170  ept:.text/xml,ap
0x00e0:  706c 6963 6174 696f 6e2f 786d 6c2c 6170  plication/xml,ap
0x00f0:  706c 6963 6174 696f 6e2f 7868 746d 6c2b  plication/xhtml+
0x0100:  786d 6c2c 7465 7874 2f68 746d 6c3b 713d  xml,text/html;q=
0x0110:  302e 392c 7465 7874 2f70 6c61 696e 3b71  0.9,text/plain;q
0x0120:  3d30 2e38 2c69 6d61 6765 2f70 6e67 2c2a  =0.8,image/png,*
0x0130:  2f2a 3b71 3d30 2e35 0d0a 4163 6365 7074  /*;q=0.5..Accept
0x0140:  2d4c 616e 6775 6167 653a 2065 6e2d 7573  -Language:.en-us
0x0150:  2c65 6e3b 713d 302e 350d 0a41 6363 6570  ,en;q=0.5..Accep
0x0160:  742d 456e 636f 6469 6e67 3a20 677a 6970  t-Encoding:.gzip
0x0170:  2c64 6566 6c61 7465 0d0a 4163 6365 7074  ,deflate..Accept
0x0180:  2d43 6861 7273 6574 3a20 4953 4f2d 3838  -Charset:.ISO-88
0x0190:  3539 2d31 2c75 7466 2d38 3b71 3d30 2e37  59-1,utf-8;q=0.7
0x01a0:  2c2a 3b71 3d30 2e37 0d0a 4b65 6570 2d41  ,*;q=0.7..Keep-A
0x01b0:  6c69 7665 3a20 3330 300d 0a43 6f6e 6e65  live:.300..Conne
0x01c0:  6374 696f 6e3a 206b 6565 702d 616c 6976  ction:.keep-aliv
0x01d0:  650d 0a52 6566 6572 6572 3a20 6874 7470  e..Referer:.http
0x01e0:  3a2f 2f77 7777 2e67 6f6f 676c 652e 636f  ://www.google.co
0x01f0:  6d2e 6175 2f73 6561 7263 683f 686c 3d65  m.au/search?hl=e
0x0200:  6e26 713d 7463 7064 756d 702b 7065 726c  n&q=tcpdump+perl
0x0210:  2662 746e 473d 5365 6172 6368 266d 6574  &btnG=Search&met
0x0220:  613d 0d0a 4966 2d4d 6f64 6966 6965 642d  a=..If-Modified-
0x0230:  5369 6e63 653a 204d 6f6e 2c20 3134 2053  Since:.Mon,.14.S
0x0240:  6570 2031 3939 3820 3230 3a32 313a 3030  ep.1998.20:21:00
0x0250:  2047 4d54 0d0a 4966 2d4e 6f6e 652d 4d61  .GMT..If-None-Ma
0x0260:  7463 683a 2022 3261 3662 3030 2d31 3234  tch:."2a6b00-124
0x0270:  322d 3335 6664 3761 6163 220d 0a43 6163  2-35fd7aac"..Cac
0x0280:  6865 2d43 6f6e 7472 6f6c 3a20 6d61 782d  he-Control:.max-
0x0290:  6167 653d 300d 0a0d 0a                   age=0....


Now if you can let me know your output, I would appreciate it a lot =) If that's the problem, I'll try recompiling it from source. I'm using the Slackware 10.0 package for tcpdump right now.

Re^3: converting tcpdump output
by polettix (Vicar) on May 16, 2005 at 10:58 UTC
    Now I see, and yes, it's a tcpdump-related issue. I'm running an older tcpdump (the package for Slack 9.0), and it basically lacks all the beautifying around the raw data: the address indicator at the beginning and the plain dump at the end of each line.

    A quick hack could be the following. Please note that I'm currently not in a position to test it (I'm momentarily in a Win32 environment):

    #!/usr/bin/perl
    $LIMIT = shift || 5000;   # stop after this many packet header lines (default 5000)
    $| = 1;                   # unbuffered output
    open (STDIN, "/usr/sbin/tcpdump -lnx -s 1024 dst port 80 |");
    while (<>) {
        if (/^\S/) {    # a non-indented line starts a new packet: report the previous one
            last unless $LIMIT--;
            while ($packet =~ /(GET|POST|WWW-Authenticate|Authorization).+/g) {
                print "$client -> $host\t$&\n";
            }
            undef $client;
            undef $host;
            undef $packet;
            # keep only packets that carry data: "P a:b(len)" with a non-zero len
            ($client, $host) = /(\d+\.\d+\.\d+\.\d+).+ > (\d+\.\d+\.\d+\.\d+)/
                if /P \d+:\d+\((\d+)\)/ && $1 > 0;
        }
        next unless $client && $host;
        s/^\s+\S+\s+//;    # remove initial address ind.
        s/\s{2}.*//;       # remove trailing dump
        s/\s+//;
        s/([0-9a-f]{2})\s?/chr(hex($1))/eg;   # hex pairs -> raw bytes
        tr/\x1F-\x7E\r\n//cd;                 # drop non-printable bytes
        $packet .= $_;
    }

    Flavio (perl -e 'print(scalar(reverse("\nti.xittelop\@oivalf")))')

    Don't fool yourself.
      Yeah, worked great. Thanks a lot =)
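The dump format shown in the question and the reconstruction approach in polettix's reply, as an added example that is not code from the thread. This Python version (3.7 or later) implements the same idea, but instead of deleting every non-printable byte and grepping the result it reads the IPv4 IHL and TCP data-offset fields from the dumped bytes to find where the payload starts, so that header bytes which happen to be printable can never leak into the extracted request; it also rejects dump rows whose offset does not continue the previous row, which is exactly what happens when a line wrapper inserts continuation lines like the "+" lines in the posted output. The sample input is the packet posted above, truncated after row 0x0070 to keep it short, and every name here (Packet, parse_dump, http_request, summarize) is the example's own.

```python
"""Reassemble TCP payloads from old-style `tcpdump -x` output and pull out the
HTTP request line and headers. Example code, not from the thread; all names here
(Packet, parse_dump, http_request, summarize) are the example's own."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Packet header line as printed by the tcpdump version in the thread.
HEADER_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): ")
# Hex row: offset, hex groups, then (after two or more spaces) the ASCII column.
ROW_RE = re.compile(r"^\s*0x([0-9a-f]{4}):\s+(.*)$")
REQUEST_LINE_RE = re.compile(r"^[A-Z]+ \S+ HTTP/1\.[01]$")

# Constructed sample: the packet posted in the thread, truncated after row 0x0070.
SAMPLE_DUMP = """\
19:57:52.537475 IP 192.168.0.249.1505 > 143.48.220.86.80: P 0:625(625) ack 1 win 65535
0x0000:  4500 0299 4188 4000 8006 89ae c0a8 00f9  E...A.@.........
0x0010:  8f30 dc56 05e1 0050 5f7c 01ef 931d b19f  .0.V...P_|......
0x0020:  5018 ffff 5545 0000 4745 5420 2f7e 6c73  P...UE..GET./~ls
0x0030:  7465 696e 2f74 616c 6b73 2f57 5757 362f  tein/talks/WWW6/
0x0040:  736e 6966 6665 722f 2048 5454 502f 312e  sniffer/.HTTP/1.
0x0050:  310d 0a48 6f73 743a 2073 7465 696e 2e63  1..Host:.stein.c
0x0060:  7368 6c2e 6f72 670d 0a55 7365 722d 4167  shl.org..User-Ag
0x0070:  656e 743a 204d 6f7a 696c 6c61 2f35 2e30  ent:.Mozilla/5.0
"""

@dataclass
class Packet:
    ts: str
    src: str
    sport: int
    dst: str
    dport: int
    raw: bytearray = field(default_factory=bytearray)  # bytes from offset 0 (IP header)

    def _header_lengths(self) -> tuple[int, int]:
        """(IPv4 header length, TCP header length) read from the packet itself."""
        if len(self.raw) < 20 or self.raw[0] >> 4 != 4 or self.raw[9] != 6:
            raise ValueError("not an IPv4/TCP packet")
        ihl = (self.raw[0] & 0x0F) * 4
        if len(self.raw) < ihl + 20:
            raise ValueError("truncated TCP header")
        return ihl, (self.raw[ihl + 12] >> 4) * 4

    def payload(self) -> bytes:
        """TCP payload bytes actually captured (bounded by tcpdump's snaplen)."""
        ihl, data_off = self._header_lengths()
        return bytes(self.raw[ihl + data_off:])

    def declared_payload_len(self) -> int:
        """Payload length implied by the IP total-length field; may exceed len(payload())."""
        ihl, data_off = self._header_lengths()
        return int.from_bytes(self.raw[2:4], "big") - ihl - data_off

def parse_dump(text: str) -> list[Packet]:
    """Group `tcpdump -x` rows under their packet header lines."""
    packets: list[Packet] = []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            packets.append(Packet(m["ts"], m["src"], int(m["sport"]), m["dst"], int(m["dport"])))
            continue
        m = ROW_RE.match(line)
        if m and packets:
            pkt = packets[-1]
            # An offset that does not continue the previous row means a row was lost or
            # re-wrapped (compare the '+' continuation lines in the dump posted above).
            if int(m.group(1), 16) != len(pkt.raw):
                raise ValueError(f"dump row out of sequence at offset 0x{m.group(1)}")
            hex_part = re.split(r"\s{2,}", m.group(2).strip(), maxsplit=1)[0]
            pkt.raw += bytes.fromhex(hex_part.replace(" ", ""))
    return packets

def http_request(payload: bytes) -> tuple[str, dict[str, str]]:
    """Split an HTTP/1.x request head into (request line, header dict)."""
    lines = payload.split(b"\r\n\r\n", 1)[0].decode("latin-1").split("\r\n")
    if not REQUEST_LINE_RE.match(lines[0]):
        raise ValueError("payload does not start with an HTTP request line")
    headers: dict[str, str] = {}
    for hl in lines[1:]:
        name, _, value = hl.partition(":")
        headers[name.strip()] = value.strip()
    return lines[0], headers

def summarize(text: str) -> list[str]:
    """Same report as the Perl script: 'client -> server<TAB>request line' per request."""
    out = []
    for pkt in parse_dump(text):
        try:
            req, _ = http_request(pkt.payload())
        except ValueError:
            continue  # bare ACKs, mid-stream segments, non-HTTP traffic
        out.append(f"{pkt.src} -> {pkt.dst}\t{req}")
    return out

if __name__ == "__main__":
    print("\n".join(summarize(SAMPLE_DUMP)))
```

Running the file prints the single line `192.168.0.249 -> 143.48.220.86` followed by a tab and `GET /~lstein/talks/WWW6/sniffer/ HTTP/1.1`. `declared_payload_len()` returns 625 for the sample, matching the `0:625(625)` in the header line, while `payload()` returns only the bytes that were actually captured: with `-s 1024` a request longer than the snaplen is cut off, and anything assembled from such a dump should be treated as a prefix rather than a complete request. Because the `Authorization` and `WWW-Authenticate` headers the Perl script greps for arrive in clear text over port 80, the same assembly shows why any credential sent over plain HTTP has to be assumed exposed to everyone on the path.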