tcpdump

What's a tcpdump one-liner to dump a TCP stream that matches a given substring?

Is there a quick tcpdump one-liner to print out a TCP stream that matches a particular substring -- or, if that's not easy, how about printing out just the single TCP packet that matches the substring? ...

How to concatenate two tcpdump files (pcap files)

How to concatenate two tcpdump files, so that one file's traffic will appear after the other's in the output file? To be concrete, I want to "multiply" one tcpdump file, so that all the sessions will be repeated one after another sequentially a few times. ...

How to read multiple pcap files >2GB?

I am trying to parse large pcap files with libpcap, but there is a file limitation, so my files are separated at 2 GB. I have 10 files of 2 GB and I want to parse them in one shot. Is there a possibility to feed this data to an interface sequentially (each file separately) so that libpcap can parse them in the same run? ...

Using tcpdump, how do I see as plainly as possible an unencrypted SMTP conversation?

I'm trying to debug an application, and it isn't a place where it's convenient to run Wireshark. I've been using "tcpdump -nn -x -X port 25", but the output isn't really in the most convenient format. Thoughts? ...

Setting TCP receive window in C and working with tcpdump in Linux

I am running a Linux box running 2.6.9-55.ELsmp, x86_64. I am trying to set the TCP receive window by using the setsockopt() function using C. I try the following: rwnd = 1024; setsockopt(sock, SOL_SOCKET, SO_RCVBUF, (char *)&rwnd, sizeof(rwnd)); The code segment above is in a client program that receives data from a server. When I k...

Is there any way to put Android Wi-Fi (Droid handset) into promiscuous monitoring mode?

For a Computer Science Information Warfare class a few years ago I wrote a Python script that ran on libpcap promiscuous packet capture files to parse out Facebook chat traffic (Erlang tuples passed in clear text), and thought an interesting project would be to port the program to Android. I would like to rewrite it in Java but can't...

Need some help interpreting tcpdump output...

I've checked the tcpdump man page and thought I understood the example provided there. But the one that I am getting is something I'm not able to understand completely. ORIGINAL: Simulator Output LINE 1: 20:01:13.442111 IP 10.0.0.1.12345 > 10.0.0.2.54321: S 1234:1234(0) win 65535 LINE 2: 20:01:13.471705 IP 10.0.0.2.54321 > 10.0.0.1.123...

tcpdump on dd-wrt router

I'm trying to capture packets from two devices on my network. I have tcpdump installed on my dd-wrt router and working correctly. However, the only packets I capture are broadcast packets when using a tcpdump statement that states only those two devices ./tcpdump -w /tmp/capture.pcap dst 192.168.3.105 or src 192.168.3.105 or dst 192....

sniffing http headers on an embedded device

Are there any lightweight tools which can filter and output HTTP headers/responses in human-readable form? Something like Wireshark. I have tried tcpdump, but it is hard to read. ...

Where can I find a file/struct layout for a tcpdump() file?

We are capturing packets to a file using tcpdump(). I need to write a program to parse it, does anyone know where I could find a file layout for a dump file created by this tool? ...

How to restore data from a pcap file?

Hi ppl =) I have the following file: test_network.pcap: tcpdump capture file (little-endian) - version 2.4 (Ethernet, capture length 65535) I know that in this file there are a few video streams and I need to extract them. How can I do this? The biggest problem is that the size of the file is ~180 GB )) ...

Can libpcap be compiled for iPhone/armv6?

Hey, Trying to compile a basic program which uses pcap.h. I've set up the environment on my Mac OS X box, which uses the iPhone 3.1.3 SDK for an iPhone 3GS. I've also installed libpcap to ~/libpcap so I can tell gcc where to look for the headers using the -I flag. However, it fails with an ld warning saying the file is not of the required...

tcpdump: localhost to localhost

Hi, I wrote a program that sends TCP packets from localhost to localhost, and I want to use tcpdump to capture the packets. But nothing is captured. My command in Ubuntu: sudo tcpdump What argument shall I add? Thanks! ...

What's the redundant data in TCP packet?

I am reading "Unix Network Programming" and tcpdump'd the packet generated by the example. The example just sends out a packet containing the string "liha". I read the TCP/IP RFC and found that a normal IP header is 20B and a normal TCP header, excluding data, is 24B. So, there are 8B before the string "liha" in the captured packet. Are "0121 3d2a 0120 b43e" ...

wireshark and tcpdump -r: strange tcp window sizes

I'm capturing http traffic with tcpdump and am interested in TCP slow start and how window sizes increase: $ sudo tcpdump -i eth1 -w wget++.tcpdump tcp and port 80 When I view the dump file with Wireshark the progression of window sizes looks normal, i.e. 5840, 5888, 5888, 8576, 11264, etc... But when I view the dump file via $ tcpd...

Increasing number of BPF devices on AIX

Hi, Does anyone know how to increase the number of BPF devices in AIX 5.2/5.3 above the supposed system default of four, i.e. running more than four tcpdump processes concurrently? ...

Capture server-client communication with tcpdump

I wrote simple server and client apps, where I can switch between the TCP, DCCP and UDP protocols. The goal was to transfer a file from one to the other and measure the traffic for each protocol, so I can compare them for different network setups (I know roughly what the result should be, but I need exact numbers/graphs). Anyway after ...

Sniffing and displaying TCP packets in UTF-8

Hi everyone, I am trying to use tcpdump to display the content of TCP packets flowing on my network. I have something like: tcpdump -i wlan0 -l -A The -A option displays the content as ASCII text, but my text seems to be UTF-8. Is there a way to display UTF-8 properly using tcpdump? Do you know any other tools which could help? Many...

dynamically modify HTTP POST data

I set up a Squid proxy server, and I would like to monitor and modify certain HTTP POST requests before they go out of Squid. What are my options? ...

In tools like tcpdump, when exactly are the network packets captured?

One of the tools I am using uses encryption/decryption to send out data over the network. I am modifying the tool and I need to be sure that the data is actually being sent in an encrypted form. Are Wireshark and tcpdump the right tools for the purpose? At which point during the transfer do they capture the network packets? ...