Once I know the IP address and port number combo, I can run this to see some of the packets:
tcpdump | grep [IPADDRESS]
Anybody know how I can now see the raw packets too?
Thanks!
From tcpdump(1) man page:
-x When parsing and printing, in addition to printing
the headers of each packet, print the data of each
packet (minus its link level header) in hex. The
smaller of the entire packet or snaplen bytes will
be printed. Note that this is the entire link-layer
packet, so for link layers that pad (e.g. Ethernet),
the padding bytes will also be printed when the
higher layer packet is shorter than the required
padding.
-xx When parsing and printing, in addition to printing
the headers of each packet, print the data of each
packet, including its link level header, in hex.
-X When parsing and printing, in addition to printing
the headers of each packet, print the data of each
packet (minus its link level header) in hex and
ASCII. This is very handy for analysing new protocols.
-XX When parsing and printing, in addition to printing
the headers of each packet, print the data of each
packet, including its link level header, in hex and
ASCII.
These options may differ with different versions of tcpdump. See the man page on your system.
Maybe easier to work with is a pcap dump file created by
-w Write the raw packets to file rather than parsing
and printing them out. They can later be printed
with the -r option. Standard output is used if file
is ``-''.
This output will be buffered if written to a file or
pipe, so a program reading from the file or pipe may
not see packets for an arbitrary amount of time
after they are received. Use the -U flag to cause
packets to be written as soon as they are received.
and then opened by Wireshark.
By the way, it is not a good practice to grep the output of tcpdump (as with verbose mode the per-packet dumps are multiline). Consider using something like tcpdump host 10.0.0.1 or tcpdump net 10.0.0.0/24 or tcpdump port 80. Complete filtering syntax is in pcap-filter(7).
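To make the -w / -r / -X / host / port points concrete, here is an added example (mine, not from the answer above or from the tcpdump project) that reads a classic pcap file of the kind `tcpdump -w` produces, applies `host` / `port` style matching in either direction, and prints the packet bytes in a hex+ASCII layout similar to `tcpdump -X`. The capture bytes are constructed inline (two hand-built Ethernet/IPv4 frames with zeroed checksums) so the script runs offline; in real use you would pass the contents of a file written by `tcpdump -w`. Function names and the sample addresses are my own choices.

```python
"""Tiny pcap reader mimicking `tcpdump -r FILE -X host X` / `port N` (added example)."""
import socket
import struct

PCAP_MAGIC_LE = 0xA1B2C3D4        # classic pcap, microsecond timestamps
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP, IPPROTO_UDP = 6, 17


def parse_pcap(data: bytes):
    """Return a list of (ts_sec, ts_usec, frame) records from a classic pcap blob."""
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic == PCAP_MAGIC_LE:
        endian = "<"
    elif magic == 0xD4C3B2A1:      # same magic read with the wrong byte order
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    _major, _minor, _tz, _sig, _snaplen, linktype = struct.unpack_from(endian + "HHiIII", data, 4)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError(f"unsupported link type {linktype}")
    records, off = [], 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        records.append((ts_sec, ts_usec, data[off:off + incl_len]))
        off += incl_len
    return records


def decode_frame(frame: bytes):
    """Decode Ethernet/IPv4/{TCP,UDP}; return None for anything else (like an unmatched filter)."""
    if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    proto = ip[9]
    src, dst = socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])
    l4 = ip[ihl:]
    sport = dport = None
    payload = l4
    if proto == IPPROTO_UDP and len(l4) >= 8:
        sport, dport = struct.unpack_from("!HH", l4, 0)
        payload = l4[8:]
    elif proto == IPPROTO_TCP and len(l4) >= 20:
        sport, dport = struct.unpack_from("!HH", l4, 0)
        payload = l4[(l4[12] >> 4) * 4:]      # data offset is the high nibble of byte 12
    return {"src": src, "dst": dst, "proto": proto, "sport": sport, "dport": dport, "payload": payload}


def matches(pkt, host=None, port=None):
    """Same semantics as `tcpdump host X` / `port N`: match either direction."""
    if pkt is None:
        return False
    if host is not None and host not in (pkt["src"], pkt["dst"]):
        return False
    if port is not None and port not in (pkt["sport"], pkt["dport"]):
        return False
    return True


def hexdump(buf: bytes) -> str:
    """Offset, 16 hex bytes and printable ASCII per line, in the spirit of tcpdump -X."""
    lines = []
    for i in range(0, len(buf), 16):
        chunk = buf[i:i + 16]
        hexpart = " ".join(f"{b:02x}" for b in chunk)
        asc = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"0x{i:04x}:  {hexpart:<47}  {asc}")
    return "\n".join(lines)


def select(pcap_bytes: bytes, host=None, port=None):
    """Decoded packets matching the filter, in capture order, each with its raw frame."""
    out = []
    for _sec, _usec, frame in parse_pcap(pcap_bytes):
        pkt = decode_frame(frame)
        if matches(pkt, host, port):
            pkt["frame"] = frame
            out.append(pkt)
    return out


# --- constructed sample capture (not real traffic); checksums left at zero ---
def build_frame(src, dst, proto, sport, dport, payload):
    if proto == IPPROTO_UDP:
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    else:  # minimal TCP header: seq=1, ack=0, data offset 5, PSH|ACK
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x18, 0xFFFF, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 1, 0, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst)) + l4
    return bytes.fromhex("001122334455" "66778899aabb") + struct.pack("!H", ETHERTYPE_IPV4) + ip


def build_pcap(frames):
    hdr = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    body = b"".join(struct.pack("<IIII", 1700000000 + n, 0, len(f), len(f)) + f
                    for n, f in enumerate(frames))
    return hdr + body


SAMPLE_PCAP = build_pcap([
    build_frame("10.0.0.1", "10.0.0.2", IPPROTO_UDP, 53, 40000, b"hello"),
    build_frame("192.168.1.5", "192.168.1.6", IPPROTO_TCP, 51000, 80, b"GET / HTTP/1.0\r\n"),
])

if __name__ == "__main__":
    for pkt in select(SAMPLE_PCAP, host="10.0.0.1"):
        print(f"{pkt['src']}.{pkt['sport']} > {pkt['dst']}.{pkt['dport']}")
        print(hexdump(pkt["frame"][14:]))   # like -X: skip the 14-byte Ethernet header
```

The filter is applied to decoded header fields rather than to text, which is the point the answer makes against grepping tcpdump's multi-line output: a `host 10.0.0.1` match here cannot be fooled by an address that merely appears in a payload byte string, and `pkt["frame"]` keeps the raw bytes for the hex dump.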