TCPDump filter

I wrote this filter for a friend who told me that I couldn't do this in AWK. I also learned AWK doing this. This is NOT the proper way to do this; Perl or C is definitely better. But because it is so simple, it can quickly be changed to display the data in any way you want and to support more protocols too. Right now it only supports IP, TCP, UDP, and ICMP. Drop me a line if you have any comments or questions.

There are also a few things that can be configured, such as the margins, the byte order of your machine, and the starting position of the IP header in the output. The last option works around a known bug in tcpdump when dumping on FDDI interfaces. See the script for more information.

The script is at the end of the examples. Beware, my AWK code looks like C without semicolons.

Usage:
tcpdump -l -s65536 -x -i interface | fil

Example tcpdump output:

02:34:01.220494 flatkitty.ishiboo.com.1049 > blookitty.ishiboo.com.netbios-ssn: P 970660:970782(122) ack 292926018 win 8088 (DF)
                         4500 00a2 f52a 4000 2006 7881 d080 25d6
                         d080 25d3 0419 008b 000e cfa4 1175 b242
                         5018 1f98 635a 0000 0000 0076 ff53 4d42
                         2500 0000 0018 0300 0000 0000 0000 0000
                         0000 0000 1900 feca e803 284f 0e26 0000
                         0006 0000 0400 0000 0088 1300 0000 0026
                         0050 0000 0000 0000 0037 005c 5049 5045
                         5c4c 414e 4d41 4e00 0054 5c4e 4600 7a57
                         724c 6800 7a57 5757 577a 7a7a 7a57 577a
                         7a6c 004c 6173 6572 6b69 7474 7900 0300
                         0004
02:34:01.290175 blookitty.ishiboo.com.netbios-ssn > flatkitty.ishiboo.com.1049: . ack 122 win 17520 (DF)
                         4500 0028 084c 4000 4006 45da d080 25d3
                         d080 25d6 008b 0419 1175 b242 000e d01e
                         5010 4470 e631 0000
02:34:01.303959 blookitty.ishiboo.com.netbios-ssn > flatkitty.ishiboo.com.1049: P 1:101(100) ack 122 win 17520 (DF)
                         4500 008c 084d 4000 4006 4575 d080 25d3
                         d080 25d6 008b 0419 1175 b242 000e d01e
                         5018 4470 3bd4 0000 0000 00c0 ff53 4d42
                         2500 0000 0088 0100 0000 0000 0000 0000
                         0000 0000 1900 feca e803 284f 0a06 0081
                         0000 0006 0037 0000 0081 003f 0000 0000
                         0089 0000 0000 0081 0000 002c 0000 0005
                         0000 0000 0005 0037 0000 0038 0000 003c
                         0000 003d 0000 0000 0000 0049
Example tcpdump filtered output:
----------------------------------------
**IP ver(4), iplen(5) TOS(0x0) totlen(162) ID(62762) Frag(0) Flags( DF )
**TTL(32) (**TCP**) Chk(0x7881) IP(208.128.37.214->208.128.37.211)
*TCP---Ports(**1049->139**) tcplen(20) Flags( ACK PSH )
*TCP---Win(8088) TCP-Chk(0x635a) TCP-URG(0)

   ^@^@^@v^?SMB%^@^@^@^@^X^C^@^@^@^@^@^@^@^@^@^@^@^@^@^Y^@^~^J^h^C(O^N&^@^@
   ^@^F^@^@^D^@^@^@^@^H^S^@^@^@^@&^@P^@^@^@^@^@^@^@7^@\PIPE\LANMAN^@
   ^@T\NF^@zWrLh^@zWWWWzzzzWWzzl^@Laserkitty^@^C^@
   ^@^D
----------------------------------------
**IP ver(4), iplen(5) TOS(0x0) totlen(40) ID(2124) Frag(0) Flags( DF )
**TTL(64) (**TCP**) Chk(0x45da) IP(208.128.37.211->208.128.37.214)
*TCP---Ports(**139->1049**) tcplen(20) Flags( ACK )
*TCP---Win(17520) TCP-Chk(0xe631) TCP-URG(0)

----------------------------------------
**IP ver(4), iplen(5) TOS(0x0) totlen(140) ID(2125) Frag(0) Flags( DF )
**TTL(64) (**TCP**) Chk(0x4575) IP(208.128.37.211->208.128.37.214)
*TCP---Ports(**139->1049**) tcplen(20) Flags( ACK PSH )
*TCP---Win(17520) TCP-Chk(0x3bd4) TCP-URG(0)

   ^@^@^@^@^?SMB%^@^@^@^@^H^A^@^@^@^@^@^@^@^@^@^@^@^@^@^Y^@^~^J^h^C(O
^F^@^A
   ^@^@^@^F^@7^@^@^@^A^@?^@^@^@^@^@^I^@^@^@^@^@^A^@^@^@,^@^@^@^E^@^@^@^@^@^E^@7
   ^@^@^@8^@^@^@<^@^@^@=^@^@^@^@^@^@^@I
----------------------------------------
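As an added example (not the author's AWK script, which is not reproduced on this page), here is the same decoding done in Python over the page's own sample dump: it groups the `tcpdump -l -x` text into packets, decodes the IP and TCP headers (the original also handles UDP and ICMP), verifies the IP header checksum, which the original output does not show, and prints the fields in the layout of the filtered output above. The `ip_offset` parameter stands in for the page's configurable IP-header start; the caret rendering follows the page's sample for the bytes it shows, and every control byte, newline included, is rendered in caret form rather than passed through. The sample input is constructed from the first two packets of the dump above.

```python
import struct

# Constructed sample: the first two packets of the `tcpdump -l -x` output shown on this page.
SAMPLE_DUMP = """\
02:34:01.220494 flatkitty.ishiboo.com.1049 > blookitty.ishiboo.com.netbios-ssn: P 970660:970782(122) ack 292926018 win 8088 (DF)
                         4500 00a2 f52a 4000 2006 7881 d080 25d6
                         d080 25d3 0419 008b 000e cfa4 1175 b242
                         5018 1f98 635a 0000 0000 0076 ff53 4d42
                         2500 0000 0018 0300 0000 0000 0000 0000
                         0000 0000 1900 feca e803 284f 0e26 0000
                         0006 0000 0400 0000 0088 1300 0000 0026
                         0050 0000 0000 0000 0037 005c 5049 5045
                         5c4c 414e 4d41 4e00 0054 5c4e 4600 7a57
                         724c 6800 7a57 5757 577a 7a7a 7a57 577a
                         7a6c 004c 6173 6572 6b69 7474 7900 0300
                         0004
02:34:01.290175 blookitty.ishiboo.com.netbios-ssn > flatkitty.ishiboo.com.1049: . ack 122 win 17520 (DF)
                         4500 0028 084c 4000 4006 45da d080 25d3
                         d080 25d6 008b 0419 1175 b242 000e d01e
                         5010 4470 e631 0000
"""

PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}
TCP_FLAGS = ((0x20, "URG"), (0x10, "ACK"), (0x08, "PSH"), (0x04, "RST"), (0x02, "SYN"), (0x01, "FIN"))

def split_packets(text):
    """Column-0 line = packet summary; indented lines = its hex words (newer tcpdump's '0x0000:' offsets skipped)."""
    packets = []
    for line in filter(str.strip, text.splitlines()):
        if not line[0].isspace():
            packets.append((line, []))
        elif packets:
            packets[-1][1].extend(w for w in line.split() if not w.endswith(":"))
    return [(summary, bytes.fromhex("".join(words))) for summary, words in packets]

def internet_checksum(data):
    """RFC 1071 ones'-complement sum; a header whose checksum field is valid yields 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def decode_tcp(seg):
    sport, dport, seq, ack, off_flags, win, chk, urg = struct.unpack("!HHIIHHHH", seg[:20])
    tcplen = (off_flags >> 12) * 4
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack, "tcplen": tcplen, "win": win,
            "chk": chk, "urg": urg, "flags": [n for bit, n in TCP_FLAGS if off_flags & bit],
            "data": seg[tcplen:]}

def decode_ip(raw, ip_offset=0):
    """Decode IPv4 at raw[ip_offset:] (the page's configurable header start); wire order is big-endian, so no host byte-order knob."""
    hdr = raw[ip_offset:]
    ver_ihl, tos, totlen, ident, ff, ttl, proto, chk = struct.unpack("!BBHHHBBH", hdr[:12])
    ihl = ver_ihl & 0x0F
    info = {"ver": ver_ihl >> 4, "iplen": ihl, "tos": tos, "totlen": totlen, "id": ident,
            "frag": ff & 0x1FFF, "flags": [n for b, n in ((0x4000, "DF"), (0x2000, "MF")) if ff & b],
            "ttl": ttl, "proto": PROTO_NAMES.get(proto, str(proto)), "chk": chk,
            "src": ".".join(map(str, hdr[12:16])), "dst": ".".join(map(str, hdr[16:20])),
            "chk_ok": internet_checksum(hdr[:ihl * 4]) == 0}
    payload = hdr[ihl * 4:totlen]  # totlen bounds the payload, so link-layer padding is dropped
    if proto == 6 and len(payload) >= 20:
        info["tcp"] = decode_tcp(payload)
    return info

def caret(b):
    """Caret notation as in the page's output: ^@ for NUL, ^~ for 0xfe, ^? for 0xff."""
    low = b & 0x7F
    if low < 0x20:
        return "^" + chr(low + 0x40)
    if low == 0x7F:
        return "^?"
    return ("^" if b >= 0x80 else "") + chr(low)

def format_packet(info):
    """Lay the fields out as the page's filtered output does, plus a checksum verdict it lacks."""
    bad = "" if info["chk_ok"] else " !BAD-IP-CHK"
    lines = ["-" * 40,
             f"**IP ver({info['ver']}), iplen({info['iplen']}) TOS(0x{info['tos']:x}) "
             f"totlen({info['totlen']}) ID({info['id']}) Frag({info['frag']}) Flags( {' '.join(info['flags'])} )",
             f"**TTL({info['ttl']}) (**{info['proto']}**) Chk(0x{info['chk']:x}) IP({info['src']}->{info['dst']}){bad}"]
    data = b""
    if "tcp" in info:
        t = info["tcp"]
        lines.append(f"*TCP---Ports(**{t['sport']}->{t['dport']}**) tcplen({t['tcplen']}) Flags( {' '.join(t['flags'])} )")
        lines.append(f"*TCP---Win({t['win']}) TCP-Chk(0x{t['chk']:x}) TCP-URG({t['urg']})")
        data = t["data"]
    text = "".join(caret(b) for b in data)
    return lines + [""] + ["   " + text[i:i + 72] for i in range(0, len(text), 72)]

def filter_dump(text, ip_offset=0):
    """What `tcpdump -l -s65536 -x -i eth0 | fil` would print, returned as a list of lines."""
    out = [line for _s, raw in split_packets(text) for line in format_packet(decode_ip(raw, ip_offset))]
    return out + ["-" * 40]
```

Calling `filter_dump(SAMPLE_DUMP)` returns the header lines of the first two blocks of the filtered output above character for character (only the payload wrapping width differs), with ` !BAD-IP-CHK` appended to the TTL line whenever the header checksum does not verify; to run it on live traffic, pass `sys.stdin.read()` in place of `SAMPLE_DUMP`.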

The script.

