[SATLUG] help with tcpdump (grab a beer its a long post)

Channing Channing.ML at ChanningC.com
Fri Feb 19 22:31:55 CST 2010

redpill wrote:
> Update: Before I sent the out the last post, I forgot to check the test
> file, which was empty.
> I have changed the script as such:
> sudo tcpdump -nXSe -C 256 -G 30 -i wlan0 -W 120 'tcp[13]==18 ||
> tcp[13]==16 || tcp[13]=4 || tcp[13]==2 || tcp[13]=1'| tee
> tcpdump/text/tcpdump.021910.
> problem is that the text files are still not written sequentially and
> packets are all in one text file.  Is it possible to output directly to
> awk is some way?  
> Thanks
> Todd
Hi Todd,

First off - Drop the use of tee(1), I think you are confusing what you 
feel like you need to /see/ versus what you need to feed to your packet 
interrogator. (ie - tcpdump {switches} {either pipe to packet 
interrogator, or look below for another option}

The file size issue is only an issue if you write to files that grow.  
Write a script that does the following:
   1) create a named pipe
   2) start your dump redirecting the output to the named pipe and run 
it in the background
   3) start reading from the named pipe with your packet interrogator
       Here is a hint ... interrogator < {named pipe}  (if you use 
cat(1) here, the "gray beards" will come and knee-cap you for UUOC ;) )
   4) send the annonomolies from your packet interrogator to standard 
out (in other words, don't redirect it)
   5) when you run this new program, you can then take the output and 
let it continue to go to the screen (STDOUT), or redirect it to 
somewhere else
   *) extra credit - use trap(1) to remove the named pipe upon program 

Sequencing and parsing of the packets is another venture.  My preference 
would be PERL, but everyone has their favorite X for doing Y. :)



More information about the SATLUG mailing list