tcpdump mailing list archives

RE: [ tcpdump-Patches-723026 ] Add -A (print ASCII) flag to tcpdump


From: "Carroll, Shawn" <SCarroll () chittenden com>
Date: Fri, 2 May 2003 09:47:32 -0400

My idea with the -A option was solely to focus on the payload in a
human readable form and not having two types of data mixed.

Okay, understood.

It is to be used when the data you want to analyze is the payload,
not the protocol information.
I have made good use of the option to capture http packets.

For me, it's easy enough to start looking halfway through the third line.  It's almost always 40 bytes, which is 2 1/2 16-byte lines:

09:36:17.558765 10.0.2.46.2274 > 192.139.46.44.80: P 1:335(334) ack 1 win 17520 (DF)
0x0000   4500 0176 a9d2 4000 8006 54ca 0a00 022e        E..v..@...T.....
0x0010   c08b 2e2c 08e2 0050 2d57 abec 7a81 a702        ...,...P-W..z...
0x0020   5018 4470 0cb6 0000 4745 5420 2f69 6d61        P.Dp....GET./ima
0x0030   6765 732f 6376 732e 6a70 6720 4854 5450        ges/cvs.jpg.HTTP
0x0040   2f31 2e31 0d0a 4163 6365 7074 3a20 2a2f        /1.1..Accept:.*/
0x0050   2a0d                                           *.

Other options should add the protocol information, if that is
necessary.

I just hope we don't end up with other options to help us ignore ipx headers, and appletalk headers... or options to not decode ip protocol 88 as ascii, because there's nothing meaningful in the data portion as ascii... The analyst should decide what's meaningful, I think, and the code should be simple.  The man page is long enough. :)  Okay, I've spent my $.02



The current CVS tcpdump already has a "-A" flag; the man page says:

       -A     Print  each packet (minus its link level header) in
              ASCII.  Handy for capturing web pages.

"Print each packet (minus its link level header)" means "print everything except for the link-layer header", which means it prints IP and TCP headers in ASCII, as well as the payload.

Your patch appears to print only the TCP payload in ASCII.

It seems to me that the latter, i.e. printing only the TCP payload, makes more sense - the IP and TCP headers aren't ASCII text, but at least some of an HTTP request or reply is (not all of it necessarily is, you could be downloading Pamela Anderson's Greatest T^HHits, for example).

Does anybody else have any comments?

Printing the _whole_ packet in ASCII provides an analyst 
another way to see patterns in the packets.  For example, if 
you look at enough of them, you notice that every standard IP 
packet begins with "E".  Why?  IP version 4, first 4 bits = 
"4".  Header length 20 bytes = 5 words; second 4 bits = "5".  
Hex 0x45 = "E" in ASCII.

Now, I'm not arguing that it's as useful as the Hex output, 
and I acknowledge that ASCII translation of the headers isn't 
"meaningful" as such, or even printable for a lot of values.  
But it _is_ another small contribution to an analyst's 
pattern-matching toolset, and this is reason to not remove it.  

Thanks-
Shawn
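The two observations in this message (that the TCP payload "almost always" starts 40 bytes in, and that a standard IPv4 packet begins with "E" because 0x45 encodes version 4 and a 5-word header) can be checked mechanically. The script below is an added example, not code from the thread or from tcpdump itself: it parses the hex dump quoted above (embedded as a constructed sample), reads the IP header length and TCP data offset instead of assuming 40 bytes, and renders the payload the way tcpdump's ASCII column does. The `build_packet` helper is a hypothetical constructed packet used only to show the offset moving when IP or TCP options are present.

```python
import re

# Constructed sample: the tcpdump -X style dump quoted earlier in this message
# (HTTP GET from 10.0.2.46:2274 to 192.139.46.44:80, IP + TCP headers, no options).
SAMPLE_DUMP = """\
0x0000   4500 0176 a9d2 4000 8006 54ca 0a00 022e        E..v..@...T.....
0x0010   c08b 2e2c 08e2 0050 2d57 abec 7a81 a702        ...,...P-W..z...
0x0020   5018 4470 0cb6 0000 4745 5420 2f69 6d61        P.Dp....GET./ima
0x0030   6765 732f 6376 732e 6a70 6720 4854 5450        ges/cvs.jpg.HTTP
0x0040   2f31 2e31 0d0a 4163 6365 7074 3a20 2a2f        /1.1..Accept:.*/
0x0050   2a0d                                           *.
"""

_DUMP_LINE = re.compile(r"^\s*0x([0-9a-fA-F]+)\s+(.*?)\s*$")


def parse_hex_dump(text):
    """Rebuild raw packet bytes from '0xOFFSET  hhhh hhhh ...' dump lines.

    Hex groups are separated by a single space and the optional ASCII column
    by two or more, so splitting on the first run of 2+ spaces isolates the
    hex part. Lines that do not start with an offset (timestamp/summary line,
    blanks) are skipped.
    """
    data = bytearray()
    for line in text.splitlines():
        m = _DUMP_LINE.match(line)
        if not m:
            continue
        offset = int(m.group(1), 16)
        if offset != len(data):
            raise ValueError(f"non-contiguous dump at offset {offset:#x}")
        hex_part = re.split(r"\s{2,}", m.group(2), maxsplit=1)[0]
        data += bytes.fromhex("".join(hex_part.split()))
    return bytes(data)


def tcp_payload_offset(pkt):
    """Offset of the TCP payload inside an IPv4 packet (no link-layer header).

    Reads the IPv4 IHL and the TCP data offset rather than assuming 20 + 20,
    so packets carrying IP or TCP options are located correctly too.
    """
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl + 20:
        raise ValueError("truncated or malformed IPv4 header")
    if pkt[9] != 6:
        raise ValueError("not TCP (IP protocol %d)" % pkt[9])
    data_offset = (pkt[ihl + 12] >> 4) * 4
    if data_offset < 20:
        raise ValueError("malformed TCP data offset")
    return ihl + data_offset


def ascii_view(data):
    """Render bytes like the dump's ASCII column: printable ASCII as itself,
    everything else (control bytes, CR/LF, high bytes) as '.'."""
    return "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in data)


def extract_payload(dump_text):
    """Parse a dump and return (packet bytes, payload offset, payload bytes)."""
    pkt = parse_hex_dump(dump_text)
    off = tcp_payload_offset(pkt)
    return pkt, off, pkt[off:]


def build_packet(ip_options=b"", tcp_options=b"", payload=b"GET / HTTP/1.0\r\n\r\n"):
    """Hypothetical constructed IPv4/TCP packet (checksums left zero) used only
    to show the payload offset moving when options are present."""
    if len(ip_options) % 4 or len(tcp_options) % 4:
        raise ValueError("options must be padded to 32-bit words")
    ihl_words = 5 + len(ip_options) // 4
    doff_words = 5 + len(tcp_options) // 4
    tcp = ((2274).to_bytes(2, "big") + (80).to_bytes(2, "big")   # ports
           + bytes(8)                                            # seq, ack
           + bytes([doff_words << 4, 0x18])                      # data offset, PSH|ACK
           + (17520).to_bytes(2, "big") + bytes(4)               # window, csum, urgent
           + tcp_options + payload)
    total_len = ihl_words * 4 + len(tcp)
    ip = (bytes([0x40 | ihl_words, 0]) + total_len.to_bytes(2, "big")
          + bytes([0, 0, 0x40, 0])                               # id, DF flag
          + bytes([128, 6, 0, 0])                                # ttl, proto TCP, csum
          + bytes([10, 0, 2, 46]) + bytes([192, 139, 46, 44])
          + ip_options)
    return ip + tcp


if __name__ == "__main__":
    pkt, off, payload = extract_payload(SAMPLE_DUMP)
    print("first byte %#x -> %r (version 4, IHL 5 words)" % (pkt[0], chr(pkt[0])))
    print("payload starts at byte", off)
    print(ascii_view(payload))
```

Running it on the quoted dump reports the first byte as 0x45 ('E') and a payload offset of 40; with the constructed packet carrying 4 bytes of IP options and 12 bytes of TCP options the offset becomes 56, and the first byte becomes 0x46, so such packets show up as "F" rather than "E" in a whole-packet ASCII view, which is exactly the kind of pattern the message argues an analyst can learn to spot.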


-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html
To unsubscribe use mailto:tcpdump-workers-request () tcpdump org?body=unsubscribe

