RE: Re: [ tcpdump-Patches-723026 ] Add -A (print ASCII) flag to tcpdump

["Carroll, Shawn" <SCarroll () chittenden com>]

> The current CVS tcpdump already has a "-A" flag; the man page says:
>
>        -A     Print  each packet (minus its link level header) in
>               ASCII.  Handy for capturing web pages.

> "Print each packet (minus its link level header)" means "print
> everything except for the link-layer header", which means it prints IP
> and TCP headers in ASCII, as well as the payload.

> Your patch appears to print only the TCP payload in ASCII.

> It seems to me that the latter, i.e. printing only the TCP payload,
> makes more sense - the IP and TCP headers aren't ASCII text, but at
> least some of an HTTP request or reply is (not all of it necessarily is,
> you could be downloading Pamela Anderson's Greatest T^HHits, for
> example).

> Does anybody else have any comments?

Printing the _whole_ packet in ASCII provides an analyst another way to see patterns in the packets.  For example, if 
you look at enough of them, you notice that every standard IP packet begins with "E".  Why?  IP version 4, first 4 bits 
= "4".  Header length 20 bytes = 5 words; second 4 bits = "5".  Hex 0x45 = "E" in ASCII.

Now, I'm not arguing that it's as useful as the Hex output, and I acknowledge that ASCII translation of the headers 
isn't "meaningful" as such, or even printable for a lot of values.  But it _is_ another small contribution to an 
analyst's pattern-matching toolset, and this is reason to not remove it.  

Thanks-
Shawn
-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html
To unsubscribe use mailto:tcpdump-workers-request () tcpdump org?body=unsubscribe