Viewing the packet-size of an incoming IP

Question

I have been looking for a sulution to this for a few hours. after no avail im asking for help here.

I need to watch my incoming packets by Size. in a format similar to:

IP SIZE

I have tried TCPDUMP but it does not give me the size of the actual packet. which sucks. I know this is possible but i don't know how.

When doing tcpdump commands i get this:

root@lax:~# tcpdump -n -i eth1 -A -x dst port 443 and greater 10 
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 65535 bytes
01:11:22.474691 IP 187.187.66.133.161 > *.*.*.*.443:  GetResponse(464)  .1.3.6.1.2.1.1.1.0="Ubee PacketCable 1.5 W-EMTA <<HW_REV: 2.65.1; VENDOR: Ubee; BOOTR: 9.1.1b; SW_REV: 6.32.1007; MODEL: DVW222B.D>>" .1.3.6.1.2.1.1.2.0=.1.3.6.1.4.1.4413.2.1.6 .1.3.6.1.2.1.1.3.0=11673700 .1.3.6.1.2.1.1.4.0="(unknown)" .1.3.6.1.2.1.1.5.0="CableHome" .1.3.6.1.2.1.1.6.0="(unknown)" .1.3.6.1.2.1.1.7.0=3 .1.3.6.1.2.1.1.8.0=0 .1.3.6.1.2.1.1.9.1.2.1=.1.3.6.1.4.1.4413.2.3.2.4 .1.3.6.1.2.1.1.9.1.3.1="An agent which supports all MIBs required by the DOCSIS 2.0 OSS specification as well as those specified by the 2.0+IPv6 technical report."
    0x0000:  4500 01ff 0358 0000 3311 a2e7 bbbb 4285
    0x0010:  602c 8142 00a1 01bb 01eb 8562 3082 01df
    0x0020:  0201 0104 0670 7562 6c69 63a2 8201 d002
    0x0030:  024e 4702 0100 0201 0030 8201 c230 7c06
    0x0040:  082b 0601 0201 0101 0004 7055 6265 6520
    0x0050:  5061 636b 6574 4361 626c 6520 312e 3520
[...]
    0x01f0:  6368 6e69 6361 6c20 7265 706f 7274 2e

As you can see this is not what im looking for whatsoever.

Answer 1

You are over-complicating matters with your invocation of tcpdump; that is, you're putting effort in to printing too much information which you don't want. Left to its own devices, tcpdump prints length information at the end of most lines; see eg:

[root@risby ~]# tcpdump -n -n -i eth1
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 65535 bytes
09:44:10.134745 IP6 2a01:2c0:e:300:7271:bcff:feac:445a.50367 > 2a01:8000:0:4::1:1.993: Flags [P.], seq 2525222567:2525222611, ack 1131700467, win 1432, options [nop,nop,TS val 676470793 ecr 1793162882], length 44
09:44:10.163565 IP6 2a01:8000:0:4::1:1.993 > 2a01:2c0:e:300:7271:bcff:feac:445a.50367: Flags [P.], seq 1:59, ack 44, win 1174, options [nop,nop,TS val 1793315067 ecr 676470793], length 58
[...]

With a bit of grep to select lines with length information (which is nearly all of them) and a bit of perl to strip out most of the line prior to that, you can get a quick and dirty implementation of what you want:

[root@risby ~]# tcpdump -n -n -i eth1 | grep --line-buffered 'length' | perl -n -e 's/.*length/length/; print $_'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 65535 bytes
length 32
length 24
length 160
length 0
length 192
length 0
length 240
[...]