
I would like to see the protocol used by a client-server application in real time. I'm not interested in any statistics. All I want to see is the messages sent by the server and the client. This is FreeBSD specific, if that helps. After some googling I found tcpdump as the right choice. So I tried to run it on my server but couldn't narrow down the packet contents specific to my application. It's a bunch of text scrolling live. The real communication of my application is not heavy enough to lose track of when it gets displayed on the terminal.

I guess I may be not providing enough information. If something is needed please add a comment. I'll respond quickly.

Any help or pointers are highly appreciated.

Srikanth

3 Answers


You can easily filter what packets tcpdump catches. I assume you know what port your application is communicating on? Let's say, for instance, that you want to capture all traffic on port 12345. Then you'd run:

$ tcpdump port 12345

Alternatively, you can capture to a file and then open later using the GUI tool Wireshark:

$ tcpdump -s0 -w packets.log port 12345
EEAA
  • +1 beat me to it. I'd also recommend filtering based on hostnames. – Christopher Karel Dec 01 '10 at 22:12
  • I feel embarrassed that I don't know where my application is listening. I know the process name. Does that help in identifying the port it is listening on? I tried netstat ("netstat -ntlp", which I found googling) but it didn't report the PID. Any idea? – Srikanth Dec 01 '10 at 22:27
  • If you know the IP address of the other host, you can do a: `tcpdump host 1.2.3.4` to only capture traffic from that host. From that capture, you should be able to determine what port the communication is happening on and then further refine the filter: `tcpdump host 1.2.3.4 and port 12345` – EEAA Dec 01 '10 at 22:50
  • Okay. I figured out the port number after digging through the code and config files. I tried the above command and it produced some information on the terminal. Unfortunately it doesn't display the ASCII text sent through the socket. It displayed info like timestamp, source and destination addresses, packet type, window size etc., but not the payload text sent by the application layer. – Srikanth Dec 01 '10 at 23:02
  • If you capture to a file as shown above and open with wireshark, you'll be able to see the entire contents of the package. Alternatively, I believe James' ngrep example will work as well. – EEAA Dec 02 '10 at 02:32
  • You can usually figure out the port number pretty quickly with `sockstat`, which lists the sockets applications have open or are listening on. – Chris S Dec 02 '10 at 04:03

You will need to do some filtering to limit tcpdump to just the data you want. For example, to look only at traffic involving both host a and host b, you would run:

tcpdump $options host a and host b 

I typically use the -n, -X, -vv, and -s0 options with tcpdump. You can also filter based on ports and many other things. To look at an smtp conversation between host a and host b you could run tcpdump more like:

tcpdump -n -X -vv -s0  host a and host b and port smtp

Which will limit the displayed data to that involving the ldap port, host a, and host b. If any of the 3 are missing it won't be displayed. The man page will have a lot more information about filtering.

Hopefully this helps, Rik

Rik Schneider
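Putting the `sockstat` hint from the comments on the first answer together with the `-n`/`-s0` options from this one, here is an added example (not from any of the answers) that finds the port a named process is listening on and builds the matching tcpdump command line. The sockstat output embedded below is constructed; the process name `myapp` and the addresses in it are made up.

```shell
#!/bin/sh
# Added example: derive a process's listening port from sockstat output, then
# build a tcpdump command that prints the payload. The sample below is
# constructed; on FreeBSD you would feed it the real output of `sockstat -4 -l`.

SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       812   4  tcp4   *:22                  *:*
srikanth myapp      1234  3  tcp4   *:12345               *:*
srikanth myapp      1234  5  tcp4   10.0.0.5:12345        10.0.0.9:50321
www      httpd      900   3  tcp4   *:80                  *:*'

# listen_port_for COMMAND [SOCKSTAT_TEXT]
# Prints the TCP port(s) COMMAND is listening on. A listening socket has no
# peer, which sockstat shows as a FOREIGN ADDRESS of "*:*"; established
# connections (like the second myapp line) are skipped.
listen_port_for() {
    cmd=$1
    text=${2:-$(sockstat -4 -l)}
    printf '%s\n' "$text" | awk -v cmd="$cmd" '
        NR > 1 && $2 == cmd && $5 ~ /^tcp/ && $7 == "*:*" {
            n = split($6, a, ":"); print a[n]   # port is after the last colon
        }' | sort -u
}

# capture_cmd PORT [HOST]
# Builds the tcpdump command line: -n (no DNS lookups), -s0 (whole packets),
# -A (print each packet's payload as ASCII), plus a BPF filter on the port
# and, if given, the peer host.
capture_cmd() {
    port=$1; host=$2
    filter="port $port"
    [ -n "$host" ] && filter="host $host and $filter"
    printf 'tcpdump -n -s0 -A %s\n' "$filter"
}

# Stand-alone run against the constructed sample:
port=$(listen_port_for myapp "$SAMPLE_SOCKSTAT")
echo "myapp listens on port: $port"
echo "run as root: $(capture_cmd "$port" 10.0.0.9)"
```

Swap `-A` for `-X` if you also want the hex dump, and add `-w packets.log` to save the capture for Wireshark instead of printing it.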

If the protocol is text-based (e.g. HTTP, SMTP, etc.), I like ngrep. It uses libpcap like tcpdump does, so the filtering syntax is the same. The difference is that its output is geared towards displaying the packet payload, and it will let you restrict output to packets matching a regular expression.

For instance, to see mail delivery attempts, you might do:

ngrep -d eth0 -qlM -s 0 -W byline '^MAIL FROM:|^RCPT TO:' 'tcp port 25'
James Sneeringer
  • I think this sounds close to what I'm looking for. Going to install from source and try right away. – Srikanth Dec 01 '10 at 23:18
  • I failed to install it today. libpcap wasn't installed with flex/bison. I tried to install flex, bison and then reinstall libpcap from source. But I'm unlucky. I'll fight with it tomorrow. – Srikanth Dec 02 '10 at 06:04