Is it possible to specify tcpdump that I want it to interpret packet differently before printing it to STDOUT?

Question

I am using iperf to pinpoint packet reordering issue. Unfortunately, tcpdump does not know how to parse iperf's UDP payload that I could use to pinpoint the issue. I know that iperf stores packet sequence ID in the first 32-bits of the UDP payload.

Is there an elegant way to tell tcpdump that I want it to interpret these first 32-bits in iperf's UDP payload as decimal, unsigned 32-bit integer and print this integer it in STDOUT for each packet?

One quick solution seems to be to use tcpdump -X flag to print packet contents in hex dump and then later pipe this STDOUT through my program, but I would have to write this rather quite complex program myself that has to deal with network endian issues and so on.

score 0 · Accepted Answer · answered Mar 23 '16 at 17:03

The only way to change the way tcpdump interprets packet data is to get the source code, modify it to interpret the packet data the way you want, compile the resulting source code, and use the resulting binary.

If you don't want to do that, perhaps you could use tshark instead; if it doesn't understand iperf packets, and if it's built with Lua, you could write a Lua dissector for those packets.

Is it possible to specify tcpdump that I want it to interpret packet differently before printing it to STDOUT?

1 Answers1