tcpdump mailing list archives

Re: tcpdump and wireshark


From: Stephen Donnelly <stephen () endace com>
Date: Tue, 23 Sep 2008 09:22:12 +1200

On Mon, 2008-09-22 at 18:18 +0400, Dmitry wrote:
Yeah! You're right!

Dumping packets via tcpdump to a file, I can choose a packet and cut out the payload
starting from 0x0042.
Therefore it could be done via the dd utility and some scripting, avoiding
libpcap.

Via tcpflow I can dump sessions. That's more convenient.

Thanks in advance!

It would be better to make tcpdump able to dump payloads.

Simply concatenating packet payloads together to recover binary objects
is often insufficient. TCP packets may be lost, duplicated, or received
out of order. The TCP/IP stack can put the object back together, but
looking at the payloads in order will not always work.

If you are on a LAN where there is essentially no packet loss or
reordering you may be lucky, but you are less likely to be lucky on the
public Internet.

tcpflow understands TCP sessions and 'does the right thing' in order to
extract the original binary data. Putting the same functionality into
tcpdump would be duplication, and this is already handled by Wireshark
in any case.

Stephen.

Dmitry


On Mon, Sep 22, 2008 at 2:12 PM, <marco () linuxgoeroe dhs org> wrote:


And now my question is:
can tcpdump extract payloads from packets, or does it just extract headers?

No, tcpdump by itself can't. But that's what tcpflow does.

               Regards,

                      Marco.
-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.


-- 
-----------------------------------------------------------------------
    Stephen Donnelly BCMS PhD           email: sfd () endace com
    Endace Technology Ltd               phone: +64 7 839 0540
    Hamilton, New Zealand               cell:  +64 21 1104378
-----------------------------------------------------------------------

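Stephen's point that payloads cannot simply be cut off and concatenated in arrival order, shown as an added example that is not part of this thread and not code from tcpdump or tcpflow. It constructs its own Ethernet/IPv4/TCP frames (dummy addresses, ports and zeroed checksums, all assumptions of the example), then contrasts joining payloads in capture order with sequence-number reassembly that tolerates reordering, a retransmitted duplicate and a lost segment. The frames carry a 12-byte TCP timestamp option, so the payload begins at byte 0x42 of the frame, the same offset Dmitry mentions; whether his capture had that header layout is an assumption.

```python
"""Recover a one-way TCP byte stream from raw Ethernet frames.

Added example: not code from the thread, tcpdump or tcpflow. It builds its
own frames (Ethernet + IPv4 + TCP, checksums left zero) and contrasts joining
payloads in arrival order with sequence-number based reassembly.
"""
import struct

ETH_LEN = 14
SEQ_MASK = 0xFFFFFFFF


def build_frame(seq: int, payload: bytes, tcp_opts: bytes = b"") -> bytes:
    """Constructed test frame; addresses, ports and checksums are dummies."""
    assert (20 + len(tcp_opts)) % 4 == 0
    data_off = (20 + len(tcp_opts)) // 4
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, seq, 0, data_off << 4,
                      0x18, 65535, 0, 0) + tcp_opts + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000,
                     64, 6, 0, bytes([10, 0, 0, 2]), bytes([10, 0, 0, 1]))
    eth = bytes.fromhex("020000000001") + bytes.fromhex("020000000002") + b"\x08\x00"
    return eth + ip + tcp


def parse_frame(frame: bytes):
    """Return (seq, payload_offset, payload) for an IPv4/TCP frame.

    Header lengths are read from the IHL and TCP data-offset fields, so a
    fixed cut at one offset (the dd approach) only works while every packet
    in the capture has the same option layout.
    """
    if frame[12:14] != b"\x08\x00":
        raise ValueError("not an IPv4 frame")
    ihl = (frame[ETH_LEN] & 0x0F) * 4
    total_len = struct.unpack_from("!H", frame, ETH_LEN + 2)[0]
    if frame[ETH_LEN + 9] != 6:
        raise ValueError("not TCP")
    tcp = ETH_LEN + ihl
    seq = struct.unpack_from("!I", frame, tcp + 4)[0]
    data_off = (frame[tcp + 12] >> 4) * 4
    start = tcp + data_off
    return seq, start, frame[start:ETH_LEN + total_len]


def naive_concat(frames) -> bytes:
    """What 'strip the headers and cat the rest' produces."""
    return b"".join(parse_frame(f)[2] for f in frames)


def reassemble(frames, isn: int):
    """Order segments by sequence number relative to the ISN, drop bytes
    already seen (retransmissions) and zero-fill gaps. Returns (data, holes)
    where holes lists (start, end) byte ranges that never arrived.

    Caveat: overlapping retransmissions carrying *different* bytes (an old
    IDS-evasion trick) are silently resolved in favour of the first copy.
    """
    segs = sorted((parse_frame(f) for f in frames),
                  key=lambda s: (s[0] - isn) & SEQ_MASK)
    out, holes, expected = bytearray(), [], isn
    for seq, _, payload in segs:
        if not payload:                       # pure ACK / keepalive
            continue
        ahead = (seq - expected) & SEQ_MASK
        if ahead >= 0x80000000:               # starts before the cursor: overlap
            payload = payload[(expected - seq) & SEQ_MASK:]
            if not payload:
                continue
        elif ahead:                           # starts past the cursor: data missing
            holes.append((len(out), len(out) + ahead))
            out.extend(b"\x00" * ahead)
            expected = seq
        out.extend(payload)
        expected = (expected + len(payload)) & SEQ_MASK
    return bytes(out), holes


# Constructed sample: a 256-byte binary object sent in three segments.
ISN = 1000
OBJECT = bytes(range(256))
TS_OPTS = b"\x01\x01\x08\x0a" + struct.pack("!II", 1, 0)   # NOP NOP timestamp
SEG_A = build_frame(ISN, OBJECT[:100], TS_OPTS)
SEG_B = build_frame(ISN + 100, OBJECT[100:200], TS_OPTS)
SEG_C = build_frame(ISN + 200, OBJECT[200:], TS_OPTS)
PURE_ACK = build_frame(ISN + 256, b"", TS_OPTS)
# Arrival order as a sniffer might see it: C before B, then B retransmitted.
ARRIVAL = [SEG_A, SEG_C, SEG_B, SEG_B, PURE_ACK]
LOSSY = [SEG_A, SEG_C]                        # B never arrives


if __name__ == "__main__":
    print("payload offset:", hex(parse_frame(SEG_A)[1]))
    print("naive ok?", naive_concat(ARRIVAL) == OBJECT)
    data, holes = reassemble(ARRIVAL, ISN)
    print("reassembled ok?", data == OBJECT, "holes:", holes)
    print("lossy holes:", reassemble(LOSSY, ISN)[1])
```

The naive join returns 356 bytes in the wrong order for a 256-byte object because the out-of-order segment and the duplicate are both taken at face value; the sequence-number pass returns the object exactly, and when a segment is genuinely missing it reports the hole instead of silently producing a shorter file, which is what you want before trusting a recovered binary.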

