Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Skip the IP headers with tcpdump

I'm using tcpdump to debug an SSDP service.

$ sudo tcpdump -Aq udp port 1900

When printing the UDP packets, I'm getting a lot of gibberish before the HTTP headers I presume to be the IP and UDP headers. How do I suppress printing these, and just print the application level data in the packet (which includes the HTTP headers)?

Here's an example, the stuff I don't want is prior to NOTIFY on the second line:

14:41:56.738130 IP www.routerlogin.com.2239 > 239.255.255.250.1900: UDP, length 326
[email protected] * HTTP/1.1
HOST: 239.255.255.250:1900
like image 557
Matt Joiner Avatar asked Jun 03 '12 06:06

Matt Joiner


1 Answers

Sadly there are no tcpdump or even tshark shortcuts to do what you want... the best we can do is run STDOUT through a text filter...

Some perl or sed guy will probably come behind me and shorten this, but it gets the job done...

[mpenning@Bucksnort ~]$ sudo tcpdump -Aq udp port 1900 | perl -e 'while ($line=<STDIN>) { if ($line!~/239.255.255.250.+?UDP/) { if ($line=~/(NOTIFY.+)$/) {print "$1\n";} else {print $line;}}}'
NOTIFY * HTTP/1.1
HOST: 239.255.255.250:1900

[mpenning@Bucksnort ~]$

If you add line-breaks, the perl STDIN filter listed above is...

while ($line=<STDIN>) {
    if ($line!~/239.255.255.250.+?UDP/) {
        if ($line=~/(NOTIFY.+)$/) {
            print "$1\n";
        } else {
            print $line;
        }
    }
}
like image 136
Mike Pennington Avatar answered Nov 07 '22 02:11

Mike Pennington