  1. #1
    Just Joined!
    Join Date
    Jan 2007
    Posts
    3

    tcpdump/tcpflow usage


    hello,

    I'm using tcpdump to view a tracefile and I'm trying to check how much data was exchanged on some tcp connections based on port 80 and also some stream checking. I was wondering if anyone was fluent in these applications to provide me some support

    a. check how much data was transferred in bytes in tcp connection on port 80

    I've output the trace file from tcpdump with -w flag

    I've read the file into tcpflow with -r flag and -c flag which prints to console:

    tcpflow -r dump_file -c

    I'm not sure how to exactly check the bytes transferred for each flow and sum it up. I know there is a -b which specifies the max byte transfer per flow but I'm not sure it's giving me the right answer and was wondering if anyone knew how to do this

    b. check for two specific words that appear in all the tcp flows

    I've output the trace file from tcpdump with -w flag

    I've read the file into tcpflow with -r flag and -c which prints to console and I thought about grepping the first word through a pipe and then grepping for the second word from that output but I was told that was not the correct way of accomplishing the task.

    Thank you for your help.

  2. #2
    Linux Guru anomie's Avatar
    Join Date
    Mar 2005
    Location
    Texas
    Posts
    1,692
    Not sure I understand all your questions, but here goes:

    Example for using tcpdump to capture all outbound packets to remote port 80:
    Code:
    # tcpdump -s 0 dst port 80 -w outfile
    The -s 0 switch tells tcpdump to snarf the full packet. It's not clear to me from the manpage whether 'dst port' refers to both inbound traffic to (local) port 80, and outbound traffic to (remote) port 80. But I can tell you my test picked up outbound traffic to the remote port.

    As for reviewing tcpdump output, I usually either use wireshark or I use a quick and dirty search method:
    Code:
    # strings outfile | grep 'Some Pattern'
    I haven't used tcpflow. Hope this helps.

  3. #3
    Linux Guru anomie's Avatar
    Join Date
    Mar 2005
    Location
    Texas
    Posts
    1,692
    P.S. As for determining the number of bytes from a tcpdump capture, can't you just check the output file?

    Code:
    [root@troy ~]# du -b outfile 
    2862    outfile

  4. #4
    Just Joined!
    Join Date
    Jan 2007
    Posts
    3
    Quote Originally Posted by anomie
    Not sure I understand all your questions, but here goes:

    Example for using tcpdump to capture all outbound packets to remote port 80:
    Code:
    # tcpdump -s 0 dst port 80 -w outfile
    The -s 0 switch tells tcpdump to snarf the full packet. It's not clear to me from the manpage whether 'dst port' refers to both inbound traffic to (local) port 80, and outbound traffic to (remote) port 80. But I can tell you my test picked up outbound traffic to the remote port.

    As for reviewing tcpdump output, I usually either use wireshark or I use a quick and dirty search method:
    Code:
    # strings outfile | grep 'Some Pattern'
    I haven't used tcpflow. Hope this helps.
    Hi, actually I have the information from a tcpdump trace file. From the man pages for tcpflow, it requires you to dump to another trace file using the -w flag from tcpdump so that tcpflow can read the file. So basically I applied a filter to the trace file from tcpdump:

    tcpdump -r trace_file tcp port 80 -w trace_output

    This would filter the trace file for all tcp connections with port 80 traffic.

    From this trace_output file I would then read it into tcpflow to figure out the bytes transferred. I was thinking of using bu -b output, but I wasn't sure if this was a correct way of doing it.

    This is similar with the second problem except I'm only filtering out TCP connections and searching for a specific pattern. From what I know of tcpflow, you can view each flow which has an IP DST:PORT-IP SRC:PORT and I'm trying to find two words that appear together in all the flows but I haven't been able to do so.

    Hope this clarifies my question

  5. #5
    Linux Guru anomie's Avatar
    Join Date
    Mar 2005
    Location
    Texas
    Posts
    1,692
    cpp, I think I follow what you're asking, but I'm afraid I can not help.

    It sounds like you:
    • Created a secondary file, based on a tcpdump output file, where you filtered on only tcp port 80-related packets.
    • Need to find a way to match lines in the output based on two specific words.


    Sound right? Maybe someone else has some clues.

  6. #6
    Just Joined!
    Join Date
    Jan 2007
    Posts
    3
    Quote Originally Posted by anomie
    cpp, I think I follow what you're asking, but I'm afraid I can not help.

    It sounds like you:
    • Created a secondary file, based on a tcpdump output file, where you filtered on only tcp port 80-related packets.
    • Need to find a way to match lines in the output based on two specific words.


    Sound right? Maybe someone else has some clues.
    Yes this is correct. I thought with my method of reading in the file and grepping for keyword "a" and then piping that output to another grep for keyword "b" would return the correct flows that had both words, but it doesn't work. Thanks for your help anyways.
