7

I want to capture the packet content description and the packet data to a file with tcpdump for later inspection.

Currently I am using the -w option to save packet data to a file:

tcpdump -c 100 -w /root/tcpdump.txt

This saves the packet data to the file but also includes several lines of binary before each packet. However, I would like to have the packet content description (what's normally shown on STDOUT when running tcpdump) shown before the packet data itself (in the same file) without the binary.

So the file should save the following for each packet:

  1. Packet content description
  2. Packet data

Example of what I want to save to the file:

17:17:42.847059 IP some.server.com.17845 > some.host.net.55618: Flags [P.], seq 137568:137888, ack 1185, win 167, length 320
<-- Followed by the raw packet data here -->

This information is to be used for later analysis of the file so we can review the full packets going to a specific host/address.

Can anyone suggest how to do this?

Chris

1 Answer

13

tcpdump -c 100 -w /root/tcpdump.txt

If you use -w with a name that ends with .txt, you're misunderstanding what -w does.

-w writes out a completely binary file, in pcap format, which is intended to be read by tcpdump or by other programs such as Wireshark, NOT to be directly read by humans!

IF the packets, at some layer, are carrying a text-based protocol, such as the FTP control protocol, SMTP, or HTTP requests/responses and their headers, then SOME of the data in the file will be text, but it will NOT all be text. Do NOT treat that as an indication that it is, or should be, a text file.

However, I would like to have the packet content description (what's normally shown on STDOUT when running tcpdump) shown before the packet data itself (in the same file) without the binary.

The packet data itself is binary!

If you mean you want a text hex dump of the packet data, in a form such as

        0x0000:  0001 0800 0604 0001 0001 0000 0010 0a78
        0x0010:  0452 0000 0000 0000 0a78 0452 0101 0600

after the packet description, so that what you see is like this:

17:49:38.007886 ARP, Request who-has 10.120.4.82 tell 10.120.4.82, length 32
        0x0000:  0001 0800 0604 0001 0001 0000 0010 0a78
        0x0010:  0452 0000 0000 0000 0a78 0452 0101 0600

then you should do

tcpdump -c 100 -x >/root/tcpdump.txt

so that the text output of tcpdump - the output you get when you don't use -w - is redirected to /root/tcpdump.txt rather than being printed on your terminal or terminal emulator, and so that a hex dump is written as well as a packet description (that's what -x tells tcpdump to do).

This will not write out the link-layer header for the packet in the hex dump; if you want the link-layer header for the packet, e.g.

17:49:38.007886 ARP, Request who-has 10.120.4.82 tell 10.120.4.82, length 32
        0x0000:  ffff ffff ffff 0001 0000 0010 0806 0001
        0x0010:  0800 0604 0001 0001 0000 0010 0a78 0452
        0x0020:  0000 0000 0000 0a78 0452 0101 0600

then use -xx rather than -x.

  • What I'm looking to do is capture packet data to a file in the event a user on the server is flooding/attacking a remote target (e.g. a PHP shell sending a UDP flood). We're looking to save a small amount of data as evidence to analyze after such an event to identify what happened and how to prevent it. What command would you suggest in this respect? – Chris May 20 '15 at 23:08
  • Is the analysis going to be done by a "who" or a "what"? I.e., is the intent to have a human read the output themselves or is the intent to have programs read the data (tcpdump, Wireshark, or other programs)? If it's to have a human read it, use tcpdump without -w and with -x with the output redirected, so you have a text file rather than a binary file. If it's to have a program read it, use -w and write to a binary file that will be read by some other program later. –  May 20 '15 at 23:35
  • It's going to be analyzed by a human after the event. I just tried with the -x option but it saves what appears to be a lot of hex data. Is it possible to have it save whatever is going down the wire (e.g. HTML, text, etc.) so we can read that instead of the hex? – Chris May 20 '15 at 23:41
  • "I just tried with the -x option but it saves what appears to be a lot of hex data." Yes, that's what I said it would do. –  May 21 '15 at 00:55
  • "Is it possible to have it save the whatever is going down the wire (eg HTML, text, etc) so we can read that instead of the hex?" "Whatever is going down the wire" ***WILL*** include some binary data, so if you want to save whatever is going down the wire, you ***WILL*** be saving not-easily-human-readable binary data - it's impossible to get anything else. The hex data is a dump, in text form, of the contents of the raw binary data, e.g. a big-endian 32-bit value of 33008 will be 0000 80F0. If you try to read a file with that as text, it'll look like garbage. –  May 21 '15 at 00:59
  • So what is it you want to read? The raw data - which means a hex dump? Or an interpreted version of the raw data, such as what tcpdump prints? For the latter, you could try doing `-w` and later reading the file with Wireshark, which could give a more detailed dissection than tcpdump gives. –  May 21 '15 at 01:01
  • I.e., Ethernet/Wi-Fi/PPP, IPv4/IPv6, and UDP/TCP are *not* text protocols and you *can't* read them as text - you have to either read them as a hex dump of binary data or as data interpreted by a network analyzer such as tcpdump or Wireshark. –  May 21 '15 at 01:28
  • If the only protocols for which you want to see the "packet data" are the text-based parts of protocols such as HTTP, then, with newer versions of tcpdump, you can use something such as `tcpdump -c 100 -v >/root/tcpdump.txt`, and it'll show a more verbose dissection of the packet ("dissection" as in "data interpreted by a network analyzer"), which, in newer versions of tcpdump, includes, for HTTP, the HTTP request or response line and headers. –  May 21 '15 at 01:30
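The text file that `tcpdump -x`/`-xx >file` produces is what the asker will be reading later, so here is an added Python example (not from the question or the answer above) that turns that format back into per-packet records: the description line plus the bytes recovered from the indented `0x....:` lines, with a check that the offsets are contiguous. The function names are my own, `ethernet_header` assumes `-xx` output (only then do the first 14 bytes hold the link-layer header), and the sample is the answer's ARP frame, embedded here as constructed input.

```python
import re
from dataclasses import dataclass
# A hex-dump line as tcpdump -x / -xx prints it: indent, 0xOFFSET:, 16-bit groups.
HEX_LINE = re.compile(r"^\s+0x([0-9a-f]{4}):\s+((?:[0-9a-f]{2,4}\s*)+)$", re.I)

@dataclass
class Packet:
    description: str   # the one-line summary tcpdump prints per packet
    data: bytes = b""  # bytes recovered from the hex-dump lines under it

def parse_tcpdump_hex(text):
    """Group tcpdump -x/-xx text output into (description, raw bytes) records."""
    packets = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = HEX_LINE.match(line)
        if m is None:  # not indented hex, so this line starts a new packet
            packets.append(Packet(description=line.strip()))
            continue
        if not packets:
            raise ValueError("hex dump line before any packet description")
        pkt = packets[-1]
        offset = int(m.group(1), 16)
        if offset != len(pkt.data):  # offsets must continue where the last line ended
            raise ValueError(f"offset 0x{offset:04x} does not follow 0x{len(pkt.data):04x}")
        pkt.data += bytes.fromhex(m.group(2).replace(" ", ""))
    return packets

def ethernet_header(data):
    """Split the 14-byte link-layer header that only -xx includes: (dst, src, ethertype)."""
    if len(data) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    mac = lambda b: ":".join(f"{x:02x}" for x in b)
    return mac(data[0:6]), mac(data[6:12]), int.from_bytes(data[12:14], "big")

def ascii_view(data):
    """Printable ASCII kept, everything else shown as '.', so text protocols read as text."""
    return "".join(chr(b) if 32 <= b < 127 else "." for b in data)

# Constructed sample: the -xx ARP frame from the answer, as it would sit in the file.
SAMPLE = """\
17:49:38.007886 ARP, Request who-has 10.120.4.82 tell 10.120.4.82, length 32
        0x0000:  ffff ffff ffff 0001 0000 0010 0806 0001
        0x0010:  0800 0604 0001 0001 0000 0010 0a78 0452
        0x0020:  0000 0000 0000 0a78 0452 0101 0600
"""

for p in parse_tcpdump_hex(SAMPLE):
    print(p.description, len(p.data), ethernet_header(p.data), ascii_view(p.data))
```

Because the dump is whitespace-separated hex, a line that does not parse (a truncated packet, a non-contiguous offset) is reported rather than silently merged into the previous packet, which matters when the file is kept as evidence.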