I am looking for a very specific piece of functionality that Notepad++ has, in a Linux text editor:

So you have a spiffy packet from tcpdump. Notepad++ allows you to easily strip away the left hex via alt+select and then delete. A few quick replaces of spaces and line returns, and you can end up with... (see below the capture)

    21:43:31.790123 IP ben-desktop.local.52727 > lga15s16-in-f104.1e100.net.www: Flags [P.], seq 1:402, ack 1, win 46, options [nop,nop,TS val 7485255 ecr 1035960117], length 401
    0x0000:  0024 b295 af65 0021 705d 1394 0800 4500  .$...e.!p]....E.
    0x0010:  01c5 c2b4 4000 4006 dfa9 c0a8 0502 adc2  ....@.@.........
    0x0020:  2368 cdf7 0050 434c f5f8 c5a6 6c30 8018  #h...PCL....l0..
    0x0030:  002e 1274 0000 0101 080a 0072 3747 3dbf  ...t.......r7G=.
    0x0040:  7f35 4745 5420 2f20 4854 5450 2f31 2e31  .5GET./.HTTP/1.1
    0x0050:  0d0a 486f 7374 3a20 676f 6f67 6c65 2e63  ..Host:.google.c
    0x0060:  6f6d 0d0a 436f 6e6e 6563 7469 6f6e 3a20  om..Connection:.
    0x0070:  6b65 6570 2d61 6c69 7665 0d0a 4163 6365  keep-alive..Acce
    0x0080:  7074 3a20 6170 706c 6963 6174 696f 6e2f  pt:.application/
    0x0090:  786d 6c2c 6170 706c 6963 6174 696f 6e2f  xml,application/
    0x00a0:  7868 746d 6c2b 786d 6c2c 7465 7874 2f68  xhtml+xml,text/h
    0x00b0:  746d 6c3b 713d 302e 392c 7465 7874 2f70  tml;q=0.9,text/p
    0x00c0:  6c61 696e 3b71 3d30 2e38 2c69 6d61 6765  lain;q=0.8,image
    0x00d0:  2f70 6e67 2c2a 2f2a 3b71 3d30 2e35 0d0a  /png,*/*;q=0.5..
    0x00e0:  5573 6572 2d41 6765 6e74 3a20 4d6f 7a69  User-Agent:.Mozi
    0x00f0:  6c6c 612f 352e 3020 2858 3131 3b20 553b  lla/5.0.(X11;.U;
    0x0100:  204c 696e 7578 2078 3836 5f36 343b 2065  .Linux.x86_64;.e
    0x0110:  6e2d 5553 2920 4170 706c 6557 6562 4b69  n-US).AppleWebKi
    0x0120:  742f 3533 342e 3320 284b 4854 4d4c 2c20  t/534.3.(KHTML,.
    0x0130:  6c69 6b65 2047 6563 6b6f 2920 4368 726f  like.Gecko).Chro
    0x0140:  6d65 2f36 2e30 2e34 3732 2e36 3220 5361  me/6.0.472.62.Sa
    0x0150:  6661 7269 2f35 3334 2e33 0d0a 4163 6365  fari/534.3..Acce
    0x0160:  7074 2d45 6e63 6f64 696e 673a 2067 7a69  pt-Encoding:.gzi
    0x0170:  702c 6465 666c 6174 652c 7364 6368 0d0a  p,deflate,sdch..
    0x0180:  4163 6365 7074 2d4c 616e 6775 6167 653a  Accept-Language:
    0x0190:  2065 6e2d 5553 2c65 6e3b 713d 302e 380d  .en-US,en;q=0.8.
    0x01a0:  0a41 6363 6570 742d 4368 6172 7365 743a  .Accept-Charset:
    0x01b0:  2049 534f 2d38 3835 392d 312c 7574 662d  .ISO-8859-1,utf-
    0x01c0:  383b 713d 302e 372c 2a3b 713d 302e 330d  8;q=0.7,*;q=0.3.
    0x01d0:  0a0d 0a                                  ...

...

You end up with a much more readable:

    .$...e.!p]....E.....@.@.........#h...PCL....l0.....t.......r7G=..5GET./.HTTP/1.1..Host:.google.com..Connection:.keep-alive..Accept:.application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5..User-Agent:.Mozilla/5.0.(X11;.U;.Linux.x86_64;.en-US).AppleWebKit/534.3.(KHTML,.like.Gecko).Chrome/6.0.472.62.Safari/534.3..Accept-Encoding:.gzip,deflate,sdch..Accept-Language:.en-US,en;q=0.8..Accept-Charset:.ISO-8859-1,utf-8;q=0.7,*;q=0.3....

So... does anyone know an editor that can easily cut through this type of data?

Thanks!
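As an added example, not part of the question or of either answer: keeping the right-hand ASCII column, as the Notepad++ trick does, is lossy, because tcpdump prints every non-printable byte and the space character as '.', so CR/LF and spaces become indistinguishable. The script below instead rebuilds the frame from the hex columns, strips the Ethernet, IPv4 and TCP headers using the length fields inside those headers (the TCP header here carries 12 bytes of options, so a fixed-offset skip would land in the wrong place), and prints the HTTP request with its real line breaks. The sample input is the packet from the question, embedded so the script runs offline; the function names and the Ethernet-versus-IP detection heuristic are the example's own.

```python
import re
import sys

# Hex dump copied from the tcpdump capture in the question: one frame with
# Ethernet II + IPv4 + TCP headers carrying an HTTP GET.  Embedded so the
# script runs offline; a live dump can be piped in on stdin instead.
SAMPLE_DUMP = """\
21:43:31.790123 IP ben-desktop.local.52727 > lga15s16-in-f104.1e100.net.www: Flags [P.], seq 1:402, ack 1, win 46, options [nop,nop,TS val 7485255 ecr 1035960117], length 401
 0x0000:  0024 b295 af65 0021 705d 1394 0800 4500  .$...e.!p]....E.
 0x0010:  01c5 c2b4 4000 4006 dfa9 c0a8 0502 adc2  ....@.@.........
 0x0020:  2368 cdf7 0050 434c f5f8 c5a6 6c30 8018  #h...PCL....l0..
 0x0030:  002e 1274 0000 0101 080a 0072 3747 3dbf  ...t.......r7G=.
 0x0040:  7f35 4745 5420 2f20 4854 5450 2f31 2e31  .5GET./.HTTP/1.1
 0x0050:  0d0a 486f 7374 3a20 676f 6f67 6c65 2e63  ..Host:.google.c
 0x0060:  6f6d 0d0a 436f 6e6e 6563 7469 6f6e 3a20  om..Connection:.
 0x0070:  6b65 6570 2d61 6c69 7665 0d0a 4163 6365  keep-alive..Acce
 0x0080:  7074 3a20 6170 706c 6963 6174 696f 6e2f  pt:.application/
 0x0090:  786d 6c2c 6170 706c 6963 6174 696f 6e2f  xml,application/
 0x00a0:  7868 746d 6c2b 786d 6c2c 7465 7874 2f68  xhtml+xml,text/h
 0x00b0:  746d 6c3b 713d 302e 392c 7465 7874 2f70  tml;q=0.9,text/p
 0x00c0:  6c61 696e 3b71 3d30 2e38 2c69 6d61 6765  lain;q=0.8,image
 0x00d0:  2f70 6e67 2c2a 2f2a 3b71 3d30 2e35 0d0a  /png,*/*;q=0.5..
 0x00e0:  5573 6572 2d41 6765 6e74 3a20 4d6f 7a69  User-Agent:.Mozi
 0x00f0:  6c6c 612f 352e 3020 2858 3131 3b20 553b  lla/5.0.(X11;.U;
 0x0100:  204c 696e 7578 2078 3836 5f36 343b 2065  .Linux.x86_64;.e
 0x0110:  6e2d 5553 2920 4170 706c 6557 6562 4b69  n-US).AppleWebKi
 0x0120:  742f 3533 342e 3320 284b 4854 4d4c 2c20  t/534.3.(KHTML,.
 0x0130:  6c69 6b65 2047 6563 6b6f 2920 4368 726f  like.Gecko).Chro
 0x0140:  6d65 2f36 2e30 2e34 3732 2e36 3220 5361  me/6.0.472.62.Sa
 0x0150:  6661 7269 2f35 3334 2e33 0d0a 4163 6365  fari/534.3..Acce
 0x0160:  7074 2d45 6e63 6f64 696e 673a 2067 7a69  pt-Encoding:.gzi
 0x0170:  702c 6465 666c 6174 652c 7364 6368 0d0a  p,deflate,sdch..
 0x0180:  4163 6365 7074 2d4c 616e 6775 6167 653a  Accept-Language:
 0x0190:  2065 6e2d 5553 2c65 6e3b 713d 302e 380d  .en-US,en;q=0.8.
 0x01a0:  0a41 6363 6570 742d 4368 6172 7365 743a  .Accept-Charset:
 0x01b0:  2049 534f 2d38 3835 392d 312c 7574 662d  .ISO-8859-1,utf-
 0x01c0:  383b 713d 302e 372c 2a3b 713d 302e 330d  8;q=0.7,*;q=0.3.
 0x01d0:  0a0d 0a
"""

# One dump row: offset, the hex groups, then (after two spaces) the ASCII
# column.  The ASCII column is deliberately ignored: tcpdump prints every
# non-printable byte, and the space character, as '.', so it is lossy.
ROW_RE = re.compile(r"^\s*0x([0-9a-fA-F]+):\s+((?:[0-9a-fA-F]{2,4} ?)+)")


def parse_tcpdump_hex(dump: str) -> list:
    """Rebuild raw frames from tcpdump -X/-XX output (one entry per packet)."""
    frames, buf = [], bytearray()
    for line in dump.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue  # summary/timestamp lines carry no bytes
        offset = int(m.group(1), 16)
        if offset == 0 and buf:  # offsets restart at 0 for each new packet
            frames.append(bytes(buf))
            buf = bytearray()
        if offset != len(buf):
            raise ValueError(f"row 0x{offset:04x} does not follow {len(buf)} bytes")
        buf += bytes.fromhex(m.group(2).replace(" ", ""))
    if buf:
        frames.append(bytes(buf))
    return frames


def tcp_payload(frame: bytes) -> bytes:
    """Strip link, IPv4 and TCP headers using the length fields in the headers,
    so IP and TCP options (12 bytes of TCP options here) are handled."""
    # Heuristic (this example's own): EtherType 0x0800 at bytes 12-13 means an
    # Ethernet II frame (tcpdump -XX); otherwise expect the IP header first (-X).
    if len(frame) >= 14 and frame[12:14] == b"\x08\x00":
        ip = frame[14:]
    elif frame and frame[0] >> 4 == 4:
        ip = frame
    else:
        raise ValueError("not an IPv4 packet")
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 6:
        raise ValueError("not TCP")
    total_len = int.from_bytes(ip[2:4], "big")  # excludes any Ethernet padding
    tcp = ip[ihl:total_len]
    data_off = (tcp[12] >> 4) * 4
    return tcp[data_off:]


def as_text(payload: bytes) -> str:
    """Lossless view: latin-1 maps every byte to exactly one character, so CR/LF
    survive instead of collapsing to '.' as in the ASCII column."""
    return payload.decode("latin-1")


if __name__ == "__main__":
    dump = SAMPLE_DUMP if sys.stdin.isatty() else sys.stdin.read()
    for frame in parse_tcpdump_hex(dump):
        body = tcp_payload(frame)
        print(f"--- {len(frame)} bytes captured, {len(body)} bytes of TCP payload ---")
        print(as_text(body))
```

Run it with no input to decode the embedded packet, or feed it a live dump (`tcpdump -nn -XX port 80 | python3 strip_dump.py`, with the file name being an assumption) to get one decoded payload per packet. Note that this only reassembles what fits in a single packet; for a request or response spanning several segments, Wireshark's stream following, as suggested in the answers below, does the TCP reassembly for you.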

+2  A: 

Gvim has a menu item tools->convert to hex that can be used with blockwise select (CTRL-Q) and your other substitutions. However, I highly recommend either processing with Wireshark or using Wireshark's export function to get nicely formatted packets in a text file.

Karl Bielefeldt
+2  A: 

I wouldn't use a text editor for this. The GUI version of Wireshark (as opposed to tshark, the tcpdump-like version) has an awesome feature called Follow TCP Stream. It's on the Analyze menu.

This feature not only presents you with the plain text representation of the captured stream, it can interleave both halves of the conversation in different colors so you can see each sent message in context with the reply. (You can also make it show you just the sending half or just the receiving half.) It even does some rudimentary formatting, like interpreting newlines, very helpful with protocols like HTTP.

You don't have to run the GUI on the capture machine. Use the -w flag with tcpdump or tshark to save the capture to a file, then send that capture file to the machine you want to use to analyze the protocol capture and load it up into Wireshark. This is very helpful when trying to debug problems with Unixy machines you only have ssh or modem access to.

Warren Young