in reply to Re: converting tcpdump output
in thread converting tcpdump output

Another thing that I missed when running the code you mentioned is that POST payloads are getting stripped as well.

I managed to see the contents by commenting this line:
s/^\s+\S+\s+//; # remove initial address ind. #s/\s{2}.*//; # remove trailing dump <-- commented s/\s+//;
And redirecting the output to a file, then grepping it later. Is there a way of printing it along with the target?

EDIT: So far, I managed to get the values by modifying the regex line:
if (/^\S/) { while ($packet=~/(GET|POST|WWW-Authenticate|Authorization|[a-z]+=[a- +z]+).+/g) { ($sec,$min,$hour,$mday,$mon,$year,$wday,$yday,$isdst)=localti +me(time);
Basically, I extended the regex to capture a string followed by "=" and then string again.

But as you can see, it's not a concise solution, since it gets a lot of rubbish as well.

Replies are listed 'Best First'.
Re^3: converting tcpdump output
by RnC (Sexton) on May 18, 2005 at 11:29 UTC
    Ok, I figured it out myself. Here's the complete code.
    #!/usr/bin/perl $|=1; open (STDIN,"sudo /usr/sbin/tcpdump -lnx -s 1024 dst port 80 |"); while (<>) { if (/^\S/) { while ($packet=~/(GET|POST|WWW-Authenticate|Authorizat +ion|Content-Length: \w+\s*).+/g) { ($sec,$min,$hour,$mday,$mon,$year,$wday,$yday,$isdst)= +localtime(time); printf "%4d/%02d/%02d %02d:%02d:%02d",$year+1900,$mon+ +1,$mday,$hour,$min,$sec; print " - $client -> $host\t$&\n"; } undef $client; undef $host; undef $packet; ($client,$host) = /(\d+\.\d+\.\d+\.\d+\.\d+).+ > (\d+\.\d+\.\d ++\.\d+\.\d+)/ if /P \d+:\d+\((\d+)\)/ && $1 > 0; } next unless $client && $host; s/^\s+\S+\s+//; # remove initial address ind. s/\s{2}.*//; # remove trailing dump s/\s+//; s/([0-9a-f]{2})\s?/chr(hex($1))/eg; tr/\x1F-\x7E\r\n//cd; $packet .= $_; }
    Still not suitable, since it creates a line to just contain POST data, when it would be better if it appended the content to the end of a POST line, or something like that.