
I need to view how an application is sending and receiving traffic through an HTTP protocol that it communicates on localhost (it has an embedded port coded with .gz). I'm sure it's some XML that it sends and receives, but I want to sniff it, and then analyze it.

Is this possible somehow with tcpdump? There I can see only that it connects, but not the actual send/receive.

PartySoft

3 Answers

If you wanted to use tcpdump, a command like this: `tcpdump -s 0 -A -qn filters` should give you what you want. The `-s 0` sets the packet size and `-A` dumps ASCII. Instead of `-A` you might also like `-X`, which will provide you the output in a hexdump-style format.

You could also use Wireshark, and once you are done capturing just right-click on one of the packets and select 'Follow TCP Stream'.

Zoredache
  • Yes, but I don't have an X11 interface; tcpdump is fine :) Thank you – PartySoft Jul 15 '10 at 22:43
  • You could always use a forwarded X11 through SSH to your workstation. You could `tcpdump -s 0 -w filename.dmp` to save a capture which you can open from Wireshark somewhere else. – Zoredache Jul 15 '10 at 23:40
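The tcpdump answer above and the Wireshark answer below describe the same workflow: capture with `tcpdump -s 0 -w`, then reassemble each TCP direction ("Follow TCP Stream") to read the HTTP request and response. The following script is an added example, not code from the question or any answer: it reads a tcpdump-format `.pcap` of loopback HTTP traffic with only the Python standard library and stitches each direction of every connection back together in sequence order, tolerating the duplicated and out-of-order segments a real capture contains. The capture it parses is constructed inline (the XML bodies, ports and sequence numbers are made up) so it runs offline and without root; feed `follow_streams()` the bytes of a real `tcpdump -i lo -s 0 -w file.pcap` capture to use it on the application in the question.

```python
"""Added example (not from the page): "Follow TCP Stream" for a tcpdump .pcap.
Reassembles each direction of every IPv4/TCP connection and extracts HTTP
bodies. The sample capture at the bottom is constructed data."""
import struct
from collections import defaultdict

ETH_IPV4, PROTO_TCP = 0x0800, 6

# --- builders used only to fabricate the constructed sample capture ---
def _ip(a):
    return bytes(int(o) for o in a.split("."))

def tcp_frame(src, sport, dst, dport, seq, payload, ack=0, flags=0x18):
    """Ethernet+IPv4+TCP frame; checksums are left zero (the decoder ignores them)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, PROTO_TCP, 0,
                     _ip(src), _ip(dst)) + tcp
    return b"\x00" * 12 + struct.pack("!H", ETH_IPV4) + ip

def build_pcap(frames):
    """Little-endian pcap, link type 1 (Ethernet), as tcpdump -w writes on lo."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1279000000 + i, 0, len(f), len(f)) + f
    return out

# --- decoder side ---
def parse_pcap(data):
    """Return the raw frames of a classic pcap file (either byte order)."""
    magic = struct.unpack_from("<I", data)[0]
    end = "<" if magic == 0xA1B2C3D4 else ">"      # 0xD4C3B2A1 read LE => big-endian file
    if struct.unpack_from(end + "I", data, 20)[0] != 1:
        raise ValueError("only Ethernet (link type 1) captures are handled here")
    off, frames = 24, []
    while off + 16 <= len(data):
        incl = struct.unpack_from(end + "IIII", data, off)[2]
        frames.append(data[off + 16:off + 16 + incl])
        off += 16 + incl
    return frames

def tcp_segment(frame):
    """(src, sport, dst, dport, seq, payload) for an IPv4/TCP frame, else None."""
    if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != ETH_IPV4:
        return None
    if frame[23] != PROTO_TCP:
        return None
    ihl, total_len = (frame[14] & 0x0F) * 4, struct.unpack_from("!H", frame, 16)[0]
    t = 14 + ihl
    sport, dport, seq = struct.unpack_from("!HHI", frame, t)
    doff = (frame[t + 12] >> 4) * 4
    payload = frame[t + doff:14 + total_len]      # trust the IP length, not Ethernet padding
    return frame[26:30], sport, frame[30:34], dport, seq, payload

def follow_streams(pcap_bytes):
    """Stitch payload per direction in sequence order; duplicates and overlapping
    retransmits are dropped, out-of-order segments are put back in place."""
    segs = defaultdict(dict)
    for f in parse_pcap(pcap_bytes):
        s = tcp_segment(f)
        if s and s[5]:
            src, sport, dst, dport, seq, payload = s
            key = (".".join(map(str, src)), sport, ".".join(map(str, dst)), dport)
            segs[key].setdefault(seq, payload)    # first copy of a segment wins
    streams = {}
    for key, by_seq in segs.items():
        data, expect = b"", 0
        for seq in sorted(by_seq):
            chunk = by_seq[seq][max(0, expect - seq):]   # trim overlap with data already seen
            data += chunk                                # (a gap from a lost segment is not filled)
            expect = max(expect, seq + len(by_seq[seq]))
        streams[key] = data
    return streams

def http_bodies(stream):
    """Split one reassembled direction into HTTP messages; return their bodies."""
    bodies = []
    while b"\r\n\r\n" in stream:
        head, _, rest = stream.partition(b"\r\n\r\n")
        length = 0
        for line in head.split(b"\r\n"):
            if line.lower().startswith(b"content-length:"):
                length = int(line.split(b":", 1)[1].strip())
        bodies.append(rest[:length])
        stream = rest[length:]
    return bodies

# --- constructed sample: one XML POST over localhost and its reply ---
REQ_XML = b"<request><op>ping</op></request>"
RESP_XML = b"<response><status>ok</status></response>"
REQ = (b"POST /rpc HTTP/1.1\r\nHost: 127.0.0.1:8080\r\nContent-Type: text/xml\r\n"
       b"Content-Length: %d\r\n\r\n" % len(REQ_XML)) + REQ_XML
RESP = (b"HTTP/1.1 200 OK\r\nContent-Type: text/xml\r\n"
        b"Content-Length: %d\r\n\r\n" % len(RESP_XML)) + RESP_XML
C, S = ("127.0.0.1", 52000), ("127.0.0.1", 8080)   # hypothetical client / server
split = len(REQ) - 20
SAMPLE_PCAP = build_pcap([
    tcp_frame(*C, *S, 1001 + split, REQ[split:]),  # second half arrives first
    tcp_frame(*C, *S, 1001, REQ[:split]),
    tcp_frame(*C, *S, 1001, REQ[:split]),          # retransmission of the first half
    tcp_frame(*S, *C, 5001, RESP),
])

def sample_bodies():
    """Request bodies and response bodies recovered from the constructed capture."""
    streams = follow_streams(SAMPLE_PCAP)
    return http_bodies(streams[(*C, *S)]), http_bodies(streams[(*S, *C)])

if __name__ == "__main__":
    for key, data in follow_streams(SAMPLE_PCAP).items():
        print("%s:%d -> %s:%d" % key)
        for body in http_bodies(data):
            print("  body:", body.decode())
```

Checksums are ignored on purpose: a loopback capture often shows bad TCP checksums because offloading fills them in after the capture point, and Wireshark's stream reassembly ignores them as well. Chunked transfer encoding is not handled, so a response without `Content-Length` comes back with an empty body; add a chunk decoder if the application in the question turns out to use it.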

ngrep is very useful for this. Something as simple as

`ngrep -W byline port 80`

would work, but you can filter on the content of the requests too (hence the grep part of the name), and it prints out the packet payload:

`ngrep -W byline some_string port 80`

Mark

I've done quite a lot of this with Wireshark. Sniff the traffic I want with tcpdump, ship it to somewhere I can launch Wireshark, and then view the trace with Wireshark. Tracing the TCP session gives me the request and answer in a nice ASCII form. Works great.

sysadmin1138