Reading captured packet from command line with tcpdump

Question

I am capturing traffic using:

 tcpdump -i <interface> -nn  -s0 -w ike2.pcap

Then I am reading the captured file using:

tcpdump  -vvv -l -r ike2.pcap

While reading, the first packet is getting displayed as:

07:22:33.320142 IP (tos 0x0, ttl  64, id 0, offset 0, flags [DF], length: 296) 10.0.0.1.isakmp > 10.0.0.2.isakmp: [udp sum ok] isakmp 2.0 msgid  cookie ->: phase 1 I #34[]:
    (#33)
    (#34)
    (#40)
    (#41)
    (#41)

I need to get the details of this packet. In this ISAKMP IKEv2 packet, I am interested to extract the values of 'Encryption Algorithm' and 'Integrity Algorithm' (i.e 'ENCR_3DES' and 'AUTH_HMAC_MD5_96')

I can view the values if I inspect the packet in wireshark. But, I have to do this from a shell script, so I cannot use wireshark. I need to get these values from tcpdump read command itself.

I am assuming there might be some way to print the encryption and integrity algorithms used from tcpdump read command. Could you please help to figure this out.

Captured packet:

captured packet

score 1 · Answer 1 · answered Nov 08 '17 at 15:27

Could find the way to do it as you are expecting with only tcpdump, but has @user862787 said use tshark like:

# tshark -V -r somecapfile.pcap
Frame 1: 196 bytes on wire (1568 bits), 196 bytes captured (1568 bits)
Encapsulation type: Linux cooked-mode capture (25)
Arrival Time: May 10, 2017 02:00:34.811347000 CDT
[Time shift for this packet: 0.000000000 seconds]
Epoch Time: 1494399634.811347000 seconds
[Time delta from previous captured frame: 0.000000000 seconds]
[Time delta from previous displayed frame: 0.000000000 seconds]
[Time since reference or first frame: 0.000000000 seconds]
Frame Number: 1
Frame Length: 196 bytes (1568 bits)
Capture Length: 196 bytes (1568 bits)
[Frame is marked: False]
[Frame is ignored: False]
[Protocols in frame: sll:ethertype:ip:sctp:m3ua:sccp:tcap:gsm_map]

The -V does what you want!

score 0 · Answer 2 · answered Feb 13 '13 at 19:59

0

I can view the values if I inspect the packet in wireshark. But, I have to do this from a shell script, so I cannot use wireshark.

But you could perhaps use TShark.

answered Feb 13 '13 at 19:59

Валерий Заподовников · Answer 3 · 2020-05-26T22:20:14.873

0

tcpdump -r file with some other flags (-X, for example).

edited May 26 '20 at 22:20

answered May 26 '20 at 22:10

Валерий Заподовников

351
2
13

Reading captured packet from command line with tcpdump

3 Answers3