33

I tried this:

tcpdump -s 1500 -A -l -i eth0 '(port 6667) and (length > 74)'

I need only the ascii part of it. How do I remove the rest?

coder
  • 343
  • 1
  • 3
  • 5

6 Answers

18

As Josh suggests, tcpflow can print just the TCP packet data to a file or STDOUT. You can pipe tcpdump to tcpflow like this:

tcpdump -i lo -l -w - port 23 | tcpflow -C -r -

To only view one side of the conversation, you can use filters for tcpdump, e.g. dst port 23.

Keiji
  • 103
  • 2
jwmullally
  • 281
  • 2
  • 2
11

I feel the most elegant solution is just to ditch tcpdump. No pipes of any kind:

tcpflow -c port 6667

And that's it.

BarsMonster
  • 644
  • 3
  • 11
  • 24
5

I'm not sure about the exact syntax for tcpdump... in fact, I have marked this question as a favorite because I would like to know! But as an alternative solution, you could try using tcpflow instead. It works essentially the same way, but it prints ASCII output much better; it excludes the headers and prints packets sequentially as a flow, so it's easier to read and follow at times than tcpdump.

Josh
  • 9,001
  • 27
  • 78
  • 124
4

A quick and dirty way to do this is to filter the output through strings:

tcpdump -nli eth0 '(port 6667) and (length > 74)' -s 0 -w - | strings

Sometimes you don't have other tools and for a quick peek into the payload this is enough. It's no good if you need the exact payload for injection or an exact analysis, of course.

Eduardo Ivanec
  • 14,531
  • 1
  • 35
  • 42
1

If you need only the ASCII part you can use:

tcpdump -s 1500 -A -l -i eth0 '(port 6667) and (length > 74)' | sed 's/\.//g'

or with ngrep:

ngrep -d eth0 -lq . '(port 6667) and (length > 74)' | sed -rn '/^ /s/\.//gp'

Mircea Vutcovici
  • 16,706
  • 4
  • 52
  • 80
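A more exact alternative to the strings and sed filters above, added here as an example and not code from any of the answers: a small Python reader for the pcap stream that tcpdump -w - writes, which skips the Ethernet, IPv4 and TCP headers by their own length fields and prints only the printable bytes of each segment, so header bytes never show up and literal dots in the payload survive. The script name ascii_payload.py and the embedded sample capture are assumptions.

```python
# Added example, not code from the question or the answers above: read the pcap stream
# that `tcpdump -w -` writes and print only the printable ASCII payload of each TCP
# segment, located via the IPv4 IHL and TCP data-offset fields instead of guessing.
# Assumes Ethernet (DLT 1) + IPv4. Usage: tcpdump -s 0 -w - port 6667 | python3 ascii_payload.py
import io
import struct
import sys

def tcp_payload(frame):
    """Return the TCP payload of an Ethernet/IPv4 frame, or None if it is not TCP."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":           # EtherType 0x0800 = IPv4
        return None
    ip = frame[14:14 + struct.unpack("!H", frame[16:18])[0]]     # bounded by IPv4 total length
    ihl = (ip[0] & 0x0F) * 4                                      # IPv4 header length in bytes
    if ip[9] != 6 or len(ip) < ihl + 20:                          # protocol 6 = TCP
        return None
    return ip[ihl + (ip[ihl + 12] >> 4) * 4:]                     # skip TCP header incl. options

def printable(data):
    """Keep printable ASCII plus tab/LF; drop other bytes (no '.' substitution, real dots survive)."""
    return "".join(chr(b) for b in data if 32 <= b < 127 or b in (9, 10))

def iter_frames(stream):
    """Yield raw frames from a pcap byte stream, honouring the byte order the magic announces."""
    magic = struct.unpack("<I", stream.read(24)[:4])[0]
    if magic not in (0xA1B2C3D4, 0xA1B23C4D, 0xD4C3B2A1, 0x4D3CB2A1):
        raise ValueError("not a pcap stream")
    endian = "<" if magic in (0xA1B2C3D4, 0xA1B23C4D) else ">"
    while True:
        rec = stream.read(16)                                     # per-packet record header
        if len(rec) < 16:
            return
        yield stream.read(struct.unpack(endian + "IIII", rec)[2])  # incl_len bytes of frame

def extract_ascii(stream):
    return [printable(p) for p in map(tcp_payload, iter_frames(stream)) if p]  # data segments only

def sample_stream():
    """Constructed little-endian pcap: an IRC PRIVMSG segment with TCP options, then a bare ACK."""
    def frame(payload, opts=b""):
        tcp = struct.pack("!HHIIBBHHH", 51234, 6667, 1, 1, (20 + len(opts)) // 4 << 4, 0x18, 502, 0, 0)
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(opts) + len(payload), 1, 0x4000,
                         64, 6, 0, bytes([10, 0, 0, 5]), bytes([192, 0, 2, 10]))
        return b"\x00" * 12 + b"\x08\x00" + ip + tcp + opts + payload
    frames = [frame(b"PRIVMSG #chan :build 1.0 done\r\n", b"\x01\x01\x08\x0a" + b"\x00" * 8), frame(b"")]
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return io.BytesIO(header + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames))

if __name__ == "__main__":
    sys.stdout.write("".join(extract_ascii(sys.stdin.buffer)))
```

Unlike strings, the output is still the exact payload bytes minus non-printables, so "1.0" stays "1.0" and nothing from the IP or TCP header leaks into the text.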
1

I had the same problem last week - I used the Wireshark GUI instead and did a "copy readable ascii" for the interesting packets.

I was (successfully) trying to pin down a problem with an HTTP request to a web service and its XML answer.

Nils
  • 7,657
  • 3
  • 31
  • 71