Problem using tcpdump and strings

Posted: Fri May 17, 2013 11:40 pm
by nincehelser
I'm trying to use tcpdump to monitor network traffic for port 80. I'm passing the output of tcpdump through strings so that I only see the readable text. This all seems to be working fine with this command:

sudo tcpdump -ieth0 -s0 -w - tcp dst port 80 | strings

The problem is I can't seem to capture the output of strings. For example, I can't even direct the output to a file. All I end up with is a file of zero length.

sudo tcpdump -ieth0 -s0 -w - tcp dst port 80 | strings >> output.txt

What I really want to do is grep the output of strings for a particular pattern, such as:

sudo tcpdump -ieth0 -s0 -w - tcp dst port 80 | strings | grep 'xyzzy'

However, I get no output, even when I know the pattern xyzzy is in the stream.

The closest I've been able to come to a solution is to use the tee command, but it seems awkward.

Any ideas? Thanks!

Re: Problem using tcpdump and strings

Posted: Sat May 18, 2013 2:48 am
by sprinkmeier
'tcpdump', 'strings' and 'grep' will all buffer their input/output.
It's possible that there isn't enough output to cause the buffers to be flushed.
If you end the command with Ctrl-C you kill the programs from right-to-left, so buffered content doesn't get flushed.
Kill from left-to-right, using "killall tcpdump", and everything should flush.

Also, consider adding "-p" and "-n" to the tcpdump command.

Without "-p" the interface goes into promiscuous mode. This occasionally changes the behaviour you're trying to measure.

Without "-n" all IP addresses are resolved, which can lead to very long delays for non-resolvable addresses (like 192.168.?.?) (come to think of it, this may be the cause of your problems).

Re: Problem using tcpdump and strings

Posted: Sat May 18, 2013 5:57 am
by nincehelser
Thanks for the reply.

I've also come to the conclusion that it's a buffer issue combined with very low traffic.

One possible work-around I've found is if I let tcpdump capture only a few packets (using -c), process the output, then loop back and catch a few more. Given the low traffic, I can probably get away with this, but it seems inelegant.

I've tried the -n and -p as you suggested. Neither seems to help. (-n probably isn't an issue as there are only 3 devices on this network.)

Right now I'm thinking I either need to somehow force a flush, generate dummy traffic, or use a different approach.

Thanks for your help!

Re: Problem using tcpdump and strings

Posted: Sat May 18, 2013 6:06 am
by nincehelser
Oh, a new observation.

If I wait about 2 minutes, the buffers flush and the output I want comes bursting through.

However, I'd like something more real-time. If I could get the buffers to flush every 18 seconds or so, that would be timely enough.
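The "different approach" the thread ends on, as an added example that is not from any of the posters: instead of 'strings | grep', whose stdio buffers hold output until they fill (the delay sprinkmeier describes), read the pcap stream that 'tcpdump -w -' writes and scan each packet for printable runs the moment its record arrives. The function names, the minimal pcap parser and the sample capture built by build_pcap are constructed for this example; it assumes tcpdump is run with -U so every packet is flushed into the pipe as soon as it is captured.

```python
# Added example (not from the thread): a streaming replacement for 'strings | grep' that
# reports a match as soon as the packet holding it arrives, not when a stdio buffer fills.
import re
import struct
import sys

PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{4,}")  # strings(1) default: runs of >= 4 printable bytes
PCAP_MAGIC = {0xA1B2C3D4: ">", 0xD4C3B2A1: "<"}  # magic read big-endian -> record byte order

def read_exact(stream, n):
    """Read exactly n bytes; a short read means the writer closed the pipe."""
    buf = b""
    while len(buf) < n:
        chunk = stream.read(n - len(buf))
        if not chunk:
            return b""
        buf += chunk
    return buf

def iter_packets(stream):
    """Yield each packet's captured bytes as soon as its 16-byte record header and data arrive."""
    header = read_exact(stream, 24)  # global header: magic, version, tz, sigfigs, snaplen, linktype
    if not header:
        return
    order = PCAP_MAGIC[struct.unpack(">I", header[:4])[0]]
    while rec := read_exact(stream, 16):
        _sec, _usec, incl_len, _orig_len = struct.unpack(order + "IIII", rec)
        data = read_exact(stream, incl_len)
        if len(data) < incl_len:
            return  # writer closed the pipe mid-record; drop the partial packet
        yield data

def grep_packets(stream, pattern):
    """Per-packet 'strings | grep PATTERN': yield every printable run that matches."""
    regex = re.compile(pattern.encode("ascii"))
    for pkt in iter_packets(stream):
        for run in PRINTABLE_RUN.findall(pkt):
            if regex.search(run):
                yield run.decode("ascii")

def build_pcap(payloads):
    """Constructed input for testing: little-endian pcap, linktype 1, one record per payload."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, data in enumerate(payloads):
        out += struct.pack("<IIII", 1368800000 + i, 0, len(data), len(data)) + data
    return out

if __name__ == "__main__":
    for line in grep_packets(sys.stdin.buffer, sys.argv[1]):
        print(line, flush=True)  # flush per match so the next pipe stage or file sees it at once
```

Run it as `sudo tcpdump -i eth0 -s0 -U -w - tcp dst port 80 | python3 pcapgrep.py xyzzy`; tcpdump's -U flag writes each packet to the pipe as it is captured instead of when its own output buffer fills, which is the remaining buffering stage once strings and grep are out of the pipeline.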