I am trying to troubleshoot an issue where I only have tcpdump available on an appliance.
I want to use tcpdump to filter web traffic, and only display traffic containing certain strings.
I do the following:
tcpdump -nei eth0 -X | grep "something interesting"
The output is a hexview with 16 bytes per line. I cannot grep this data, as the data is presented on multiple lines.
Is there a way for tcpdump to present the captured data on a single line? This would make it possible to use grep to find interesting packets.
Best Answer
For those like you who cannot use ngrep, here's how to use awk to make the tcpdump output of packet contents grepable.
First some sample output as provided by tcpdump -x, in order to present the task ahead:
And this is the copy-and-pastable awk script you can pipe the output to in order to get the following, grepable output:
Below is a commented version of the above script:
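The answer's own awk script is not reproduced on this page; the following is an added example (not the answerer's code) of the same idea: a shell function wrapping an awk filter that joins each packet's tcpdump -x hex lines into one line and decodes the printable bytes, so grep can match on either the hex or the text column. The SAMPLE input is constructed and shows payload bytes only.

```sh
#!/bin/sh
# Constructed sample of `tcpdump -x` output (payload bytes only; a real dump
# also carries the IP/TCP headers). Real tcpdump indents hex lines with a tab,
# which the awk patterns below accept as well as spaces.
SAMPLE='12:00:00.000001 IP 192.0.2.10.45678 > 192.0.2.20.80: Flags [P.], length 20
    0x0000:  4745 5420 2f69 6e64 6578 2e68 746d 6c20
    0x0010:  4854 5450
12:00:00.000002 IP 192.0.2.20.80 > 192.0.2.10.45678: Flags [P.], length 17
    0x0000:  4854 5450 2f31 2e31 2032 3030 204f 4b0d
    0x0010:  0a'

# onelinepkt: read `tcpdump -x` output on stdin and emit one line per packet:
#   <packet header> TAB <all hex bytes joined> TAB <printable ASCII decode>
# Bytes outside 0x20..0x7e are shown as "." in the text column.
onelinepkt() {
  awk '
    function flush(   i, b, s) {
      if (hdr == "") return
      s = ""
      for (i = 1; i < length(hex); i += 2) {
        b = H[substr(hex, i, 1)] * 16 + H[substr(hex, i + 1, 1)]
        s = s ((b >= 32 && b <= 126) ? sprintf("%c", b) : ".")
      }
      print hdr "\t" hex "\t" s
      hdr = ""; hex = ""
    }
    BEGIN { for (i = 0; i < 16; i++) H[substr("0123456789abcdef", i + 1, 1)] = i }
    /^[^ \t]/ { flush(); hdr = $0; next }        # packet header line
    /^[ \t]+0x[0-9a-fA-F]+:/ {                   # "0xNNNN:  hhhh hhhh ..." line
      for (i = 2; i <= NF; i++) hex = hex tolower($i)
      next
    }
    END { flush() }
  '
}

# Show only the packets whose decoded bytes mention index.html
printf '%s\n' "$SAMPLE" | onelinepkt | grep 'index.html'
```

On the appliance the same filter runs as `tcpdump -ni eth0 -x port 80 | onelinepkt | grep 'something interesting'`; the text column will only match strings that are not split across TCP segments.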