I'm using tcpdump to debug an SSDP service.
$ sudo tcpdump -Aq udp port 1900
When printing the UDP packets, I'm getting a lot of gibberish before the HTTP headers, which I presume to be the IP and UDP headers. How do I suppress printing these, and just print the application-level data in the packet (which includes the HTTP headers)?
Here's an example; the stuff I don't want is prior to NOTIFY on the second line:
14:41:56.738130 IP www.routerlogin.com.2239 > 239.255.255.250.1900: UDP, length 326
[email protected] * HTTP/1.1
HOST: 239.255.255.250:1900
Sadly there are no tcpdump or even tshark shortcuts to do what you want... the best we can do is run STDOUT through a text filter...
Some perl or sed guy will probably come behind me and shorten this, but it gets the job done...
[mpenning@Bucksnort ~]$ sudo tcpdump -Aq udp port 1900 | perl -e 'while ($line=<STDIN>) { if ($line!~/239.255.255.250.+?UDP/) { if ($line=~/(NOTIFY.+)$/) {print "$1\n";} else {print $line;}}}'
NOTIFY * HTTP/1.1
HOST: 239.255.255.250:1900
[mpenning@Bucksnort ~]$
If you add line-breaks, the perl STDIN filter listed above is...
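# Read tcpdump's output line by line.
while ($line=<STDIN>) {
    # Skip the per-packet summary line.
    if ($line!~/239.255.255.250.+?UDP/) {
        if ($line=~/(NOTIFY.+)$/) {
            # Drop the bytes printed before NOTIFY.
            print "$1\n";
        } else {
            print $line;
        }
    }
}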
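Added example (not part of the original answer): the same text-filter approach written as a sed-based shell function, generalized to also handle M-SEARCH requests and unicast HTTP/1.x responses and to drop the summary line for any address. The function name `ssdp_payload`, the helper `sample_capture` and the capture lines in it are constructed for illustration.

```shell
#!/bin/sh
# Added example: keep only the SSDP text from `tcpdump -Aq` output.

# ssdp_payload: read tcpdump -A text on stdin, write SSDP messages on stdout.
ssdp_payload() {
    # 1) delete the per-packet summary line ("HH:MM:SS.frac IP a > b: UDP, ...")
    # 2) on the first payload line, cut the printable residue of the IP and
    #    UDP headers that precedes the SSDP start line
    sed -E \
        -e '/^[0-9]{2}:[0-9]{2}:[0-9]{2}\.[0-9]+ IP6? /d' \
        -e 's/^.*(NOTIFY \* HTTP\/1\.[01])/\1/' \
        -e 's/^.*(M-SEARCH \* HTTP\/1\.[01])/\1/' \
        -e 's/^.*(HTTP\/1\.[01] [0-9]{3} )/\1/'
}

# sample_capture: constructed lines in the shape tcpdump -Aq prints them.
# Addresses are documentation ranges; header residue is made up.
sample_capture() {
    cat <<'EOF'
14:41:56.738130 IP 192.0.2.1.2239 > 239.255.255.250.1900: UDP, length 326
E..b..@.......NOTIFY * HTTP/1.1
HOST: 239.255.255.250:1900
NT: upnp:rootdevice
14:41:57.101010 IP 192.0.2.7.50000 > 239.255.255.250.1900: UDP, length 94
E..z..@.....M-SEARCH * HTTP/1.1
HOST: 239.255.255.250:1900
MAN: "ssdp:discover"
14:41:57.201010 IP 192.0.2.1.1900 > 192.0.2.7.50000: UDP, length 120
E.....@.....HTTP/1.1 200 OK
ST: upnp:rootdevice
EOF
}

# Offline demonstration on the constructed capture.
sample_capture | ssdp_payload

# Live use (assumption: same capture filter as in the question). -l makes
# tcpdump line-buffer stdout, so messages reach the filter as they arrive:
#   sudo tcpdump -l -Aq udp port 1900 | ssdp_payload
```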