Skip the IP headers with tcpdump
I'm using tcpdump to debug an SSDP service.

$ sudo tcpdump -Aq udp port 1900

When printing the UDP packets, I'm getting a lot of gibberish before the HTTP headers, which I presume to be the IP and UDP headers. How do I suppress printing these, and just print the application level data in the packet (which includes the HTTP headers)?

Here's an example, the stuff I don't want is prior to NOTIFY on the second line:

14:41:56.738130 IP www.routerlogin.com.2239 > 239.255.255.250.1900: UDP, length 326
[unprintable IP/UDP header bytes, garbled in extraction]NOTIFY * HTTP/1.1
HOST: 239.255.255.250:1900
Kayceekaye answered 3/6, 2012 at 6:48 Comment(0)
Sadly there are no tcpdump or even tshark shortcuts to do what you want... the best we can do is run STDOUT through a text filter...

Some perl or sed guy will probably come behind me and shorten this, but it gets the job done...

[mpenning@Bucksnort ~]$ sudo tcpdump -Aq udp port 1900 | perl -e 'while ($line=<STDIN>) { if ($line!~/239.255.255.250.+?UDP/) { if ($line=~/(NOTIFY.+)$/) {print "$1\n";} else {print $line;}}}'
NOTIFY * HTTP/1.1
HOST: 239.255.255.250:1900

[mpenning@Bucksnort ~]$

If you add line-breaks, the perl STDIN filter listed above is...

while ($line=<STDIN>) {
    if ($line!~/239.255.255.250.+?UDP/) {
        if ($line=~/(NOTIFY.+)$/) {
            print "$1\n";
        } else {
            print $line;
        }
    }
}
Ac answered 3/6, 2012 at 12:10 Comment(3)
The guy never came :( – Deductible
Is there any other tool that does this? I need something a little more general than that perl script – Piled
@NathanChristie: tcpdump -Aql udp port 1900 | perl -lne '!/239.255.255.250.+UDP/ and (/(NOTIFY.+)$/ and print $1 or print)' – Arboreal
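The perl filter above is hard-wired to NOTIFY and to one multicast address. The following Python filter is an added example (not from the question, the answer, or tcpdump itself) that generalises the same idea for anyone reviewing SSDP traffic on a segment: it buffers the lines tcpdump -A prints for each packet, drops the packet summary line, and cuts away everything before the first HTTP start line, whether that is a NOTIFY or M-SEARCH request or an HTTP/1.1 response. If a packet carries no HTTP start line at all, its text is passed through untouched rather than silently dropped. The sample capture embedded below is constructed for the example (RFC 5737 documentation addresses, dots standing in for the unprintable header bytes); the regular expressions are the author's assumptions about the shape of tcpdump's output, not a tcpdump feature.

```python
import re
import sys

# Packet summary line as printed by `tcpdump -Aq udp port 1900`
# (assumed shape: "HH:MM:SS.usec IP src.port > dst.port: UDP, length N").
SUMMARY_RE = re.compile(
    r'^\d{2}:\d{2}:\d{2}\.\d+ IP \S+ > \S+: UDP, length \d+$'
)

# An HTTP start line: a request line ("NOTIFY * HTTP/1.1", "M-SEARCH * HTTP/1.1")
# or a status line ("HTTP/1.1 200 OK"). Everything before it is IP/UDP header junk.
START_LINE_RE = re.compile(
    r'(?:[A-Z][A-Z-]* \S+ HTTP/\d\.\d|HTTP/\d\.\d \d{3}\b.*)'
)

# Constructed sample of tcpdump -A output; not a real capture.
# The "E..x..@.@..." runs imitate how -A renders the binary IP/UDP headers.
SAMPLE = """14:41:56.738130 IP 192.0.2.10.2239 > 239.255.255.250.1900: UDP, length 326
E..Ng..@.@......NOTIFY * HTTP/1.1
HOST: 239.255.255.250:1900
NT: upnp:rootdevice

14:41:57.001000 IP 192.0.2.20.50000 > 239.255.255.250.1900: UDP, length 120
E..x..@.@.......M-SEARCH * HTTP/1.1
HOST: 239.255.255.250:1900
MAN: "ssdp:discover"

14:41:57.104000 IP 192.0.2.10.1900 > 192.0.2.20.50000: UDP, length 210
E..d..@.@......HTTP/1.1 200 OK
LOCATION: http://192.0.2.10:8080/desc.xml

14:41:58.000000 IP 192.0.2.30.4000 > 239.255.255.250.1900: UDP, length 16
E..q..@.@......binarypayload
"""


def _flush(packet, out):
    """Emit one packet's lines with the header junk removed.

    The start line is searched across all of the packet's lines, because a
    header byte equal to 0x0a makes tcpdump -A break the line early, pushing
    the HTTP start line onto a later line. Packets without an HTTP start line
    are emitted unchanged: without it the header/payload boundary is unknown.
    """
    for i, line in enumerate(packet):
        m = START_LINE_RE.search(line)
        if m:
            out.append(line[m.start():])
            out.extend(packet[i + 1:])
            return
    out.extend(packet)


def strip_headers(capture, keep_summary=False):
    """Return the lines of `capture` with summary lines and IP/UDP junk removed.

    Set keep_summary=True to retain the timestamp/address summary line for each
    packet, which is useful when correlating SSDP advertisements with hosts.
    """
    out, packet = [], []
    for line in capture.splitlines():
        if SUMMARY_RE.match(line):
            _flush(packet, out)
            packet = []
            if keep_summary:
                out.append(line)
        else:
            packet.append(line)
    _flush(packet, out)
    return out


if __name__ == "__main__":
    # Usage: sudo tcpdump -Aql udp port 1900 | python3 ssdp_payload.py
    # (-l line-buffers tcpdump's stdout so lines arrive as packets are seen;
    #  the file name is a placeholder.)
    source = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    sys.stdout.write("\n".join(strip_headers(source)) + "\n")
```

Run with no stdin to see the filter applied to the embedded sample; pipe tcpdump into it for live traffic. Buffering per packet rather than matching line by line is what lets the filter cope with a header byte that tcpdump renders as a line break, and the pass-through for non-HTTP packets avoids hiding unexpected traffic on port 1900, which is exactly what you would want to notice when debugging or monitoring a service.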
