Linux – run tcpdump not to interpert packet contents

linuxnetworkingtcpdumptraffic

What options should I run tcpdump with to have it just do a hex dump of packets without trying to interpret its contents? Running it astcpdump -e -v -x or similar attempts to interpret layers, however I don't want it.

I want what tshark does:

% sudo tshark -xxx -i eth0
...

Best Answer

The closest two solutions I can find for this are these

Postprocess to remove the decoding.

tcpdump -nXX -i eth0 | sed $'s/^[^ \t].*//'

This isn't perfect as the formats are a little different.

tshark
0000  52 54 00 12 35 02 08 00 27 0f db b3 08 00 45 00   RT..5...'.....E.
0010  00 54 2a 4d 40 00 40 01 e9 43 0a 00 02 0f 0a 0f   .T*M@.@..C......
0020  10 fb 08 00 ab 06 1e b5 00 01 00 3f ab 57 00 00   ...........?.W..

tcpdump
0x0000:  0008 9bbd ab8a 001d aadd cb68 0800 4500  ...........h..E.
0x0010:  0028 3ec8 4000 7e06 a075 0a0a 0510 0a0f  .(>.@.~..u......
0x0020:  046a cb6a 0016 7049 a307 5eaf 8afb 5010  .j.j..pI..^...P.

Write to a data file and use tshark to interpret it (possibly on another machine).
```
tcpdump -w /tmp/capture.dat -i eth0
tshark -r /tmp/capture.dat -xxx
```
Here, since we're using tshark to process the capture file, the output will be exactly as you want. You can do "nasty" things like running tshark remotely if necessary:
```
ssh -zq remote_host tshark -r - -xxx < /tmp/capture.dat
```

Related Solutions

Using tcpdump to extract NFS RPC contents

Ok, So I think I managed to find a "workaround". You won't be able to get the filename using NFSv3 but you will be able to ge the inode.

Using Wireshark,

Go to Edit -> Preferences -> Protocols -> NFS -> check all boxes and set "Decode nfs handles as: KNFSD_LE.

Save it. Now capture and filter by NFS protocol.

Search the packet GETATTR Reply (Call in #) Regular file mode: ???.

Open this packed and expand the following:

Network File System -> obj_attributes

check value fileid, this will be the inode number of the file.

on the server go to the nfs share and

find . -inum inode

With NFSv4 you see a call with the filename directly.

Shell – Running tcpdump, tee and scp

The tee command writes data to the output file as it receives it, but scp copies the file immediately and only copies it once. Since every command in the pipeline runs simultaneously (or nearly so), you only get a few (or no) packets output to the capture.txt file before the file gets copied by scp.

There are a couple ways to do what you seem to want to do.

If you want to copy a few packets from tcpdump, and then transfer the file to the remote host after it finishes, you can use the -c option to terminate tcpdump after it captures that number of packets. Separate your scp command from the pipeline using a semi colon so it gets executed after the tcpdump and tee commands complete:

tcpdump -l -c 10  | tee  /tmp/capture.txt; scp /tmp/capture.txt root@remotehost:/tmp

Or, if you want to see packets in real-time and also copy them in realtime, you could use tee to output the packets to /dev/tty so you can see them, and them pipe them into an ssh command that writes them to a file on the remote host:

tcpdump -l   | tee /dev/tty | ssh root@remotehost "cat > /tmp/capture.txt"

Note that without the -c option here, tcpdump will run until you kill it.

If you wanted the packets stored in a local capture.txt file as well as the remote, you could use multiple tee commands:

tcpdump -l   | tee /tmp/capture.txt | tee /dev/tty | ssh root@remotehost "cat > /tmp/capture.txt"

Best Answer

Related Solutions

Using tcpdump to extract NFS RPC contents

Shell – Running tcpdump, tee and scp

Related Question