how to program tcpdump to only capture packets and nothing else

0

I am developing a program where a .pcap file is going to be an input. However, when I run tcpdump -w someFile.pcap in Terminal, the .pcap file captures extra data such as timestamp, microseconds, length of frame etc.
This extra data is hindering my program and I wanted to know if there was a way where tcpdump would capture raw packets and nothing else.
So for example, the first byte of data in the .pcap should be the "Destination Address" of the Ethernet header rather than some timestamp.
Thanks!

Sam

Posted 2017-06-14T06:27:56.710

Reputation: 143

-t will remove the timestamps for the capture. – Mark Riddell – 2017-06-14T11:58:57.360

Answers

1

It sounds like you're only interested in the raw bytes that comprise each packet. Assuming so, you might try something like:

tcpdump -r someFile.pcap -xx | grep -P "^\t0x"

As you can see from the tcpdump man page, that will cause tcpdump to read the capture file, and "in addition to printing the headers of each packet, print the data of each packet, including its link level header, in hex." Piping the output to grep takes care of removing the summary line. Perhaps there's a way to instruct tcpdump not to print the summary line at all, but if there is, I was unable to find it. In any case, at this point, you just need to process the hex output.

You can also achieve this a bit more easily I think by using tshark instead of tcpdump. For example:

tshark -r icmp.pcap -x

The output formats of tcpdump and tshark do differ in how the hex values are displayed and grouped, and in whether the ASCII representation of the hex bytes is present or not following the hex values, so you'll probably have to experiment to see which format you like better or is easier for your program to parse.

Christopher Maynard

Posted 2017-06-14T06:27:56.710

Reputation: 386
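An added example in Python (not code from the question or the answer) covering both approaches discussed above: iter_frames reads a classic pcap file and yields only the raw frame bytes, dropping the global header and the per-record header (timestamp, captured length, original length) that the question complains about, and tcpdump_xx_to_frames reassembles packets from the hex lines of "tcpdump -r file -xx" output. The sample pcap and hex text are constructed here; pcapng files are not handled.

```python
import struct

# Classic libpcap layout (not pcapng): a 24-byte global header (magic, ver_major, ver_minor,
# thiszone, sigfigs, snaplen, linktype), then per packet a 16-byte record header (ts_sec,
# ts_frac, incl_len, orig_len) followed by incl_len raw frame bytes. With linktype 1
# (Ethernet), frame byte 0 is the first byte of the destination MAC the question asks for.
MAGICS = {0xA1B2C3D4: 1_000_000, 0xA1B23C4D: 1_000_000_000}  # usec- / nsec-resolution files


def _layout(magic_bytes):
    # The magic number also reveals the writer's byte order: try both endiannesses.
    for endian in ("<", ">"):
        magic = struct.unpack(endian + "I", magic_bytes)[0]
        if magic in MAGICS:
            return endian, MAGICS[magic]
    raise ValueError("not a classic pcap file (pcapng or corrupt?)")


def iter_frames(data):
    """Yield (timestamp, linktype, raw frame bytes) per record, discarding every pcap header."""
    if len(data) < 24:
        raise ValueError("truncated global header")
    endian, ts_div = _layout(data[:4])
    linktype = struct.unpack(endian + "I", data[20:24])[0]
    off = 24
    while off < len(data):
        if off + 16 > len(data):
            raise ValueError("truncated record header at offset %d" % off)
        ts_sec, ts_frac, incl_len, _orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        if off + incl_len > len(data):  # incl_len comes from the file: bound it before slicing
            raise ValueError("record at offset %d runs past end of file" % (off - 16))
        yield ts_sec + ts_frac / ts_div, linktype, data[off:off + incl_len]
        off += incl_len


def tcpdump_xx_to_frames(text):
    """Parse the hex lines of `tcpdump -r file -xx` into frames; summary lines are skipped."""
    frames = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("0x"):
            offset, _, hexpart = line.partition(":")
            if int(offset, 16) == 0:  # offset 0x0000 begins a new packet
                frames.append(bytearray())
            frames[-1] += bytes.fromhex(hexpart.replace(" ", ""))
    return [bytes(f) for f in frames]


# Constructed sample: little-endian usec pcap with one 18-byte Ethernet frame (dst, src, type, data)
FRAME = bytes.fromhex("001122334455" "66778899aabb" "0800" "deadbeef")
SAMPLE_PCAP = (struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
               + struct.pack("<IIII", 1497421676, 710000, len(FRAME), len(FRAME)) + FRAME)
```

Writing the yielded frames to a file back to back gives exactly the header-free byte stream the question asks for, at the cost of losing the per-packet boundaries that the length field provides.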