pre-pend tcpdump header - TCP-IP
-
pre-pend tcpdump header
hello:
Can anyone help me with the following
1) When I use tcpdump, can I prepend output with a known string. If so
what is the option?
2) When I use tcpdump on my machine, I get the following error
tcpdump: no suitable device found
What am I doing wrong? I am typing this at the prompt: >tcpdump eth0
Thanks
Asif
-
Re: pre-pend tcpdump header
asifnzaidi@gmail.com wrote:
> Can anyone help me with the following
> 1) When I use tcpdump, can I prepend output with a known string. If
> so what is the option?
Prepend at the beginning of the output before any traced packets, or
are you looking to prepend something on every line?
> 2) When I use tcpdump on my machine, I get the following error
> tcpdump: no suitable device found
> What am I doing wrong
> I am doing on prompt >tcpdump eth0
IIRC specifying the interface name is done with the -i option?
BTW, there is a tcpdump site - http://www.tcpdump.org/
rick jones
--
Process shall set you free from the need for rational thought.
these opinions are mine, all mine; HP might not want them anyway... 
feel free to post, OR email to rick.jones2 in hp.com but NOT BOTH...
-
Re: pre-pend tcpdump header
In article <1148594503.573703.276590@i39g2000cwa.googlegroups.com>,
asifnzaidi@gmail.com wrote:
> hello:
>
> Can anyone help me with the following
>
> 1) When I use tcpdump, can I prepend output with a known string. If so
> what is the option?
tcpdump | sed 's/^/known string/'
>
> 2) When I use tcpdump on my machine, I get the following error
> tcpdump: no suitable device found
>
> What am I doing wrong
>
> I am doing on prompt >tcpdump eth0
The correct syntax to specify an interface is:
tcpdump -i eth0
--
Barry Margolin, barmar@alum.mit.edu
Arlington, MA
*** PLEASE post questions in newsgroups, not directly to me ***
*** PLEASE don't copy me on replies, I'll read them in the group ***
-
Re: pre-pend tcpdump header
>> Prepend at the beginning of the output before any traced packets, or
>> are you looking to prepend something on every line?
1) Pre-pend before any traced packet.
2) I found out the answer to the second question I had.
3) I will look at the link
Thanks
Asif
-
Re: pre-pend tcpdump header
When I do this
tcpdump | sed 's/^/known string/'
my output gets hungup.
When I remove the sed+, I get the following
17:45:02.455166 IP 10.19.173.29.32775 > dns1.corp.mot.com.domain:
44409+ PTR? 29.173.19.10.in-addr.arpa. (43)
17:45:02.456167 IP dns1.corp.mot.com.domain > 10.19.173.29.32775:
44409 NXDomain 0/1/0 (106)
What am I doing wrong?
Thanks
Asif
-
Re: pre-pend tcpdump header
In article <1148597143.467831.75110@u72g2000cwu.googlegroups.com>,
asifnzaidi@gmail.com wrote:
> When I do this
>
> tcpdump | sed 's/^/known string/'
>
> my output gets hungup.
>
> When I remove the sed+, I get the following
>
> 17:45:02.455166 IP 10.19.173.29.32775 > dns1.corp.mot.com.domain:
> 44409+ PTR? 29.173.19.10.in-addr.arpa. (43)
> 17:45:02.456167 IP dns1.corp.mot.com.domain > 10.19.173.29.32775:
> 44409 NXDomain 0/1/0 (106)
>
> What am I doing wrong.
Not waiting long enough. tcpdump's output is buffered when it's not
writing to a terminal, so sed won't see anything until about 4KB gets
output.
You could install Expect and use its unbuffer utility:
unbuffer tcpdump | sed ...
--
Barry Margolin, barmar@alum.mit.edu
Arlington, MA
*** PLEASE post questions in newsgroups, not directly to me ***
*** PLEASE don't copy me on replies, I'll read them in the group ***
-
Re: pre-pend tcpdump header
What is the purpose of this known string? Is it to identify the
circumstances of the tcpdump trace? That would seem to imply that the
output of tcpdump is going to end-up in some sort of a file yes? If
so, why not:
1) Have tcpdump write the trace to a binary file with the -w option.
You can name that file with useful identifying information.
An added benefit is the tracing overhead will likely be lower.
2) When/if you do go to post process into ASCII you could do:
echo "your string of interest" >>
tcpdump -r >>
Or, if this is just to tag something into a terminal log, you could
"wrap" tcpdump with a script. Make the first argument to the script
your text of interest and the rest the options to the real tcpdump.
mytcpdump "this is my string"
I don't know all the right shell stuff for the options processing but
you would have something like:
echo "$1"
shift
tcpdump "$@"
as the main part of such a script.
rick jones
--
oxymoron n, commuter in a gas-guzzling luxury SUV with an American flag
these opinions are mine, all mine; HP might not want them anyway... 
feel free to post, OR email to rick.jones2 in hp.com but NOT BOTH...
-
Re: pre-pend tcpdump header
1) My goal is to log the tcpdump output to a syslog server. Writing to
a file is not practical because of file-size limitations. I had thought
of writing to a file but because of size, I did not proceed with it.
2) Can tcpdump output be redirected to syslog.
Thanks
Asif
-
Re: pre-pend tcpdump header
"Barry Margolin" wrote:
> Not waiting long enough. tcpdump's output is buffered when it's not
> writing to a terminal, so sed won't see anything until about 4KB gets
> output.
>
> You could install Expect and use its unbuffer utility:
>
> unbuffer tcpdump | sed ...
Or use the linebuffering option; "tcpdump -i eth0 -l"
--gv
-
Re: pre-pend tcpdump header
wrote in message
news:1148610972.235244.3200@38g2000cwa.googlegroups.com...
> 1) My goal is to log the tcpdump output to a syslog server. Writing to
> a file is not practical because of file-size limitations. I had thought
> of writing to a file but because of size, I did not proceed with it.
>
> 2) Can tcpdump output be redirected to syslog.
>
> Thanks
>
> Asif
>
Rapidly approaching off-topicness. This is more suited for some of the
specific unix newsgroups.
For the sake of your follow-up questions though,
1. if you want to log tcpdump output, but fear filesize, consider
compressing the output. The output of tcpdump is fairly compressible because
of its repetition. Use a typical compression utility, or create a pipe or
socket device that compresses for you.
2. yes, but then why would you do that? If you can't output to a file, then
what good is redirecting to syslog?
jcj
-
Re: pre-pend tcpdump header
In article ,
"Jay C. James" wrote:
> wrote in message
> news:1148610972.235244.3200@38g2000cwa.googlegroups.com...
> > 1) My goal is to log the tcpdump output to a syslog server. Writing to
> > a file is not practical because of file-size limitations. I had thought
> > of writing to a file but because of size, I did not proceed with it.
What does prepending a string have to do with that?
> >
> > 2) Can tcpdump output be redirected to syslog.
Pipe the output to a script that logs it:
tcpdump ... | while read line
do
logger "$line"
done
This will also run into the output buffering problem, see other
responses for the solution to that.
> >
> > Thanks
> >
> > Asif
> >
>
> Rapidly approaching off-topicness. This is more suited for some of the
> specific unix newsgroups.
> For the sake of your follow-up questions though,
>
> 1. if you want to log tcpdump output, but fear filesize, consider
> compressing the output. The output of tcpdump is fairly compressible because
> of its repetition. Use a typical compression utility, or create a pipe or
> socket device that compresses for you.
Syslog requires plain text log messages, so you can't compress before
logging. I guess you mean "if you want to save tcpdump output".
>
> 2. yes, but then why would you do that? If you can't output to a file, then
> what good is redirecting to syslog?
The log server probably has much more disk space than the machine he's
running tcpdump on, because it's collecting logs for many machines.
--
Barry Margolin, barmar@alum.mit.edu
Arlington, MA
*** PLEASE post questions in newsgroups, not directly to me ***
*** PLEASE don't copy me on replies, I'll read them in the group ***
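Putting rick jones's wrapper-script idea, gv's -l line-buffering tip and Barry's logger loop together in one script, as an added example that is not from any of the thread's posters; the script name, the function names and the local0.info syslog priority are my assumptions:

```shell
#!/bin/sh
# Added example, not from any post in this thread: tag tcpdump's text output
# and forward each line to syslog, keeping the pipe unbuffered.
#
# Usage: ./tagdump.sh "edge-router capture" -i eth0 port 53
#   first argument  = tag prepended to every line (rick jones's wrapper idea),
#   remaining args  = options handed to the real tcpdump.

# tag_lines TAG: read lines on stdin, write "TAG: line" to stdout.
# Pure stdin->stdout, so it can be exercised without root or an interface.
tag_lines() {
    tag_prefix=$1
    # IFS= and read -r keep leading spaces and backslashes in packet text intact
    while IFS= read -r line; do
        printf '%s: %s\n' "$tag_prefix" "$line"
    done
}

# send_to_syslog PRIORITY: Barry Margolin's logger loop, one syslog message
# per line of stdin. local0.info is an assumed facility/priority.
send_to_syslog() {
    prio=${1:-local0.info}
    while IFS= read -r line; do
        logger -t tcpdump -p "$prio" -- "$line"
    done
}

# Run the capture only when a tag argument is given, so the file can also be
# sourced just to get the two functions above.
if [ "$#" -ge 1 ]; then
    tag=$1
    shift
    # -l makes tcpdump line-buffer stdout, so each packet reaches the pipe at
    # once instead of after ~4KB (Expect's `unbuffer` is the alternative).
    # -n turns off name resolution, so the capture itself does not generate
    # reverse-DNS lookups that then show up in the trace.
    tcpdump -l -n "$@" | tag_lines "$tag" | send_to_syslog local0.info
fi
```

tcpdump still needs root (or CAP_NET_RAW) to open the interface; the tagging and logging functions run as an ordinary user.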
-
Re: pre-pend tcpdump header
Thanks to all who replied.
The suggestions helped a lot.
Asif
-
Re: pre-pend tcpdump header
"Barry Margolin" wrote in message
news:barmar-B08123.19214226052006@comcast.dca.giganews.com...
> In article ,
> "Jay C. James" wrote:
>
> > wrote in message
> > news:1148610972.235244.3200@38g2000cwa.googlegroups.com...
> > > 1) My goal is to log the tcpdump output to a syslog server. Writing to
> > > a file is not practical because of file-size limitations. I had thought
> > > of writing to a file but because of size, I did not proceed with it.
>
> What does prepending a string have to do with that?
>
> > >
> > > 2) Can tcpdump output be redirected to syslog.
>
> Pipe the output to a script that logs it:
>
> tcpdump ... | while read line
> do
> logger "$line"
> done
>
> This will also run into the output buffering problem, see other
> responses for the solution to that.
>
> > >
> > > Thanks
> > >
> > > Asif
> > >
> >
> > Rapidly approaching off-topicness. This is more suited for some of the
> > specific unix newsgroups.
> > For the sake of your follow-up questions though,
> >
> > 1. if you want to log tcpdump output, but fear filesize, consider
> > compressing the output. The output of tcpdump is fairly compressible
> > because of its repetition. Use a typical compression utility, or create
> > a pipe or socket device that compresses for you.
>
> Syslog requires plain text log messages, so you can't compress before
> logging. I guess you mean "if you want to save tcpdump output".
>
Yes, for a moment I went off-thread myself, forgetting about syslog for a
moment and going straight into the Drooling Nerd What-If mode. Thanks for
correcting me.
> >
> > 2. yes, but then why would you do that? If you can't output to a file,
> > then what good is redirecting to syslog?
>
> The log server probably has much more disk space than the machine he's
> running tcpdump on, because it's collecting logs for many machines.
>
Yes, I had considered that being one obvious method of cat skinning, thinking
of other methods entirely with just sockets or NFS but not syslog, which is
mostly for system logging and kernel message trapping. It may be a stretch
for the OP to consider tcpdump output qualifyingly loggable via syslog as per
its definition and intention, but hey, it's his box. Hack away. It's do-able.
Barry, you wouldn't recommend anything else besides syslog for something like
this?
> --
> Barry Margolin, barmar@alum.mit.edu
> Arlington, MA
> *** PLEASE post questions in newsgroups, not directly to me ***
> *** PLEASE don't copy me on replies, I'll read them in the group ***
jcj