Sunday, 13 April 2014

Capture packets in ASCII and grep on traffic

There are so many different features in tcpdump for packet captures which can be used in many situations. Recently I wanted to capture traffic and grep for a certain string in the packets.


  •  On Linux Mint or Ubuntu:
$ sudo apt-get -y install tcpdump


  • To capture all HTTP web traffic (port 80) containing '' (-A prints each packet in ASCII, -s 0 captures the whole packet rather than the default snapshot length)

$ sudo tcpdump -i eth0 -A -nn -vvv -s 0 port 80 | grep -e ''

  • Either open a browser or use 'wget'
$ wget

  •  The capture will show, for example:
$ sudo tcpdump -i eth0 -A -nn -vvv -s 0 port 80 | grep -e ''
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
<body id="www-wikipedia-org">
<form class="search-form" action="//">

  • It can be more useful to redirect the output to a file:
$ sudo tcpdump -i eth0 -A -nn -vvv -s 0 port 80 | grep -e '' > $HOME/tmp/wikipedia.tmp

  •  Note that on some Linux systems the redirect after the grep may not work, because tcpdump block-buffers its output when writing to a pipe, so nothing reaches grep until the buffer fills. In that case use -l (line-buffered stdout) and direct all ASCII traffic to a file, then grep the file afterwards:

$ sudo tcpdump -l -i eth0 -A -nn -vvv -s 0 port 80 > $HOME/tmp/wikipedia.tmp

  •  To count the occurrences of each unique matching line and sort by that count (highest first), showing the top 2:
$ grep "" wikipedia.tmp | grep href | sort | uniq -c | sort -nr | head -n 2

1 <span lang="no">Norsk (<a href="//" lang="nb">bokm..l</a>&nbsp;... <a href="//" lang="nn">nynorsk</a>)</span>&nbsp;...
1 ..&..O.. href="//" lang="chy">Ts..hesen..stsestotse</a>&nbsp;...
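The capture-then-analyse procedure above, wrapped into reusable shell functions. This is an added example, not code from the original post: the capture_ascii function runs the same tcpdump -l -A invocation as above (it needs root and is not invoked here), and count_hrefs applies the post's grep | sort | uniq -c | sort -nr | head pipeline to a saved capture file. The capture text written by make_sample is constructed sample data standing in for a real ASCII dump; example.invalid is an assumed placeholder host, not a string from the post.

```shell
#!/bin/sh
# Added example (not the original post's code): capture HTTP traffic in ASCII
# to a file, then count the most frequent matching lines in that file.

# capture_ascii IFACE PORT OUTFILE
# Runs tcpdump line-buffered (-l) with ASCII output (-A) and full packets
# (-s 0), writing everything to OUTFILE. Requires root; not called below.
capture_ascii() {
    iface="$1"; port="$2"; out="$3"
    tcpdump -l -i "$iface" -A -nn -vvv -s 0 "port $port" > "$out"
}

# count_hrefs FILE PATTERN [N]
# Prints the N (default 2) most frequent lines in FILE that contain both
# PATTERN and "href", each prefixed with its occurrence count, exactly as the
# post's grep | grep href | sort | uniq -c | sort -nr | head -n N pipeline does.
count_hrefs() {
    file="$1"; pattern="$2"; n="${3:-2}"
    grep -e "$pattern" "$file" | grep href | sort | uniq -c | sort -nr | head -n "$n"
}

# top_href_count FILE PATTERN
# Returns only the occurrence count of the single most frequent matching line.
top_href_count() {
    count_hrefs "$1" "$2" 1 | awk '{print $1}'
}

# make_sample FILE
# Writes a constructed stand-in for an ASCII capture of a few HTTP responses
# (example.invalid is an assumed placeholder host, not real captured traffic).
make_sample() {
    cat > "$1" <<'EOF'
GET / HTTP/1.1
Host: example.invalid
<a href="//example.invalid/wiki/Main_Page">Main page</a>
<a href="//example.invalid/wiki/Main_Page">Main page</a>
<a href="//example.invalid/wiki/Main_Page">Main page</a>
<a href="//example.invalid/wiki/Help">Help</a>
<a href="//other.invalid/">elsewhere</a>
<span>example.invalid mentioned without a link</span>
EOF
}

# Stand-alone run: build the sample capture and show the top 2 matching lines.
sample="${TMPDIR:-/tmp}/capture_sample.$$"
make_sample "$sample"
count_hrefs "$sample" "example.invalid"
rm -f "$sample"
```

On a real capture you would call capture_ascii eth0 80 "$HOME/tmp/wikipedia.tmp" as root, stop it with Ctrl-C once enough traffic has been seen, and then run count_hrefs on that file; the line-buffered -l flag is what makes the file usable while tcpdump is still running.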
