pre-pend tcpdump header - TCP-IP



Thread: pre-pend tcpdump header

  1. pre-pend tcpdump header

    hello:

    Can anyone help me with the following

    1) When I use tcpdump, can I prepend output with a known string. If so
    what is the option?

    2) When I use tcpdump on my machine, I get the following error
    tcpdump: no suitable device found

    What am I doing wrong?

    I am doing on prompt >tcpdump eth0


    Thanks

    Asif


  2. Re: pre-pend tcpdump header

    asifnzaidi@gmail.com wrote:
    > Can anyone help me with the following


    > 1) When I use tcpdump, can I prepend output with a known string. If
    > so what is the option?


    Prepend at the beginning of the output before any traced packets, or
    are you looking to prepend something on every line?

    > 2) When I use tcpdump on my machine, I get the following error
    > tcpdump: no suitable device found


    > What am I doing wrong


    > I am doing on prompt >tcpdump eth0


    IIRC specifying the interface name is done with the -i option?

    BTW, there is a tcpdump site - http://www.tcpdump.org/

    rick jones
    --
    Process shall set you free from the need for rational thought.
    these opinions are mine, all mine; HP might not want them anyway...
    feel free to post, OR email to rick.jones2 in hp.com but NOT BOTH...

  3. Re: pre-pend tcpdump header

    In article <1148594503.573703.276590@i39g2000cwa.googlegroups.com>,
    asifnzaidi@gmail.com wrote:

    > hello:
    >
    > Can anyone help me with the following
    >
    > 1) When I use tcpdump, can I prepend output with a known string. If so
    > what is the option?


    tcpdump | sed 's/^/known string/'

    >
    > 2) When I use tcpdump on my machine, I get the following error
    > tcpdump: no suitable device found
    >
    > What am I doing wrong
    >
    > I am doing on prompt >tcpdump eth0


    The correct syntax to specify an interface is:

    tcpdump -i eth0

    --
    Barry Margolin, barmar@alum.mit.edu
    Arlington, MA
    *** PLEASE post questions in newsgroups, not directly to me ***
    *** PLEASE don't copy me on replies, I'll read them in the group ***

  4. Re: pre-pend tcpdump header


    >> Prepend at the beginning of the output before any traced packets, or
    >> are you looking to prepend something on every line?


    1) Pre-pend before any traced packet.

    2) I found out the answer to the second question I had.
    3) I will look at the link


    Thanks

    Asif


  5. Re: pre-pend tcpdump header

    When I do this

    tcpdump | sed 's/^/known string/'

    my output gets hung up.

    When I remove the sed, I get the following:

    17:45:02.455166 IP 10.19.173.29.32775 > dns1.corp.mot.com.domain:
    44409+ PTR? 29.173.19.10.in-addr.arpa. (43)
    17:45:02.456167 IP dns1.corp.mot.com.domain > 10.19.173.29.32775:
    44409 NXDomain 0/1/0 (106)

    What am I doing wrong?

    Thanks

    Asif


  6. Re: pre-pend tcpdump header

    In article <1148597143.467831.75110@u72g2000cwu.googlegroups.com>,
    asifnzaidi@gmail.com wrote:

    > When I do this
    >
    > tcpdump | sed 's/^/known string/'
    >
    > my output gets hungup.
    >
    > When I remove the sed+, I get the following
    >
    > 17:45:02.455166 IP 10.19.173.29.32775 > dns1.corp.mot.com.domain:
    > 44409+ PTR? 29.173.19.10.in-addr.arpa. (43)
    > 17:45:02.456167 IP dns1.corp.mot.com.domain > 10.19.173.29.32775:
    > 44409 NXDomain 0/1/0 (106)
    >
    > What am I doing wrong.


    Not waiting long enough. tcpdump's output is buffered when it's not
    writing to a terminal, so sed won't see anything until about 4KB gets
    output.

    You could install Expect and use its unbuffer utility:

    unbuffer tcpdump | sed ...

    --
    Barry Margolin, barmar@alum.mit.edu
    Arlington, MA
    *** PLEASE post questions in newsgroups, not directly to me ***
    *** PLEASE don't copy me on replies, I'll read them in the group ***

  7. Re: pre-pend tcpdump header

    What is the purpose of this known string? Is it to identify the
    circumstances of the tcpdump trace? That would seem to imply that the
    output of tcpdump is going to end-up in some sort of a file yes? If
    so, why not:

    1) Have tcpdump write the trace to a binary file with the -w option.
    You can name that file with useful identifying information.
    An added benefit is the tracing overhead will likely be lower.

    2) When/if you do go to post process into ASCII you could do:

    echo "your string of interest" >>
    tcpdump -r >>

    Or, if this is just to tag something into a terminal log, you could
    "wrap" tcpdump with a script. Make the first argument to the script
    your text of interest and the rest the options to the real tcpdump.

    mytcpdump "this is my string"

    I don't know all the right shell stuff for the options processing but
    you would have something like:

    echo "$1"
    shift
    tcpdump "$@"

    as the main part of such a script.

    rick jones
    --
    oxymoron n, commuter in a gas-guzzling luxury SUV with an American flag
    these opinions are mine, all mine; HP might not want them anyway...
    feel free to post, OR email to rick.jones2 in hp.com but NOT BOTH...

  8. Re: pre-pend tcpdump header

    1) My goal is to log the tcpdump output to a syslog server. Writing to
    a file is not practical because of file-size limitations. I had thought
    of writing to a file but because of size, I did not proceed with it.

    2) Can tcpdump output be redirected to syslog.

    Thanks

    Asif


  9. Re: pre-pend tcpdump header

    "Barry Margolin" wrote:

    > Not waiting long enough. tcpdump's output is buffered when it's not
    > writing to a terminal, so sed won't see anything until about 4KB gets
    > output.
    >
    > You could install Expect and use its unbuffer utility:
    >
    > unbuffer tcpdump | sed ...


    Or use the line-buffering option: "tcpdump -i eth0 -l"

    --gv


  10. Re: pre-pend tcpdump header


    wrote in message
    news:1148610972.235244.3200@38g2000cwa.googlegroups.com...
    > 1) My goal is to log the tcpdump output to a syslog server. Writing to
    > a file is not practical because of file-size limitations. I had thought
    > of writing to a file but because of size, I did not proceed with it.
    >
    > 2) Can tcpdump output be redirected to syslog.
    >
    > Thanks
    >
    > Asif
    >


    Rapidly approaching off-topicness. This is more suited for some of the
    specific unix newsgroups.
    For the sake of your follow-up questions though,

    1. if you want to log tcpdump output, but fear filesize, consider
    compressing the output. The output of tcpdump is fairly compressible
    because of its repetition. Use a typical compression utility, or create
    a pipe or socket device that compresses for you.

    2. yes, but then why would you do that? If you can't output to a file,
    then what good is redirecting to syslog?



    jcj





  11. Re: pre-pend tcpdump header

    In article ,
    "Jay C. James" wrote:

    > wrote in message
    > news:1148610972.235244.3200@38g2000cwa.googlegroups.com...
    > > 1) My goal is to log the tcpdump output to a syslog server. Writing to
    > > a file is not practical because of file-size limitations. I had thought
    > > of writing to a file but because of size, I did not proceed with it.


    What does prepending a string have to do with that?

    > >
    > > 2) Can tcpdump output be redirected to syslog.


    Pipe the output to a script that logs it:

    # IFS= and -r keep leading blanks and backslashes in each packet line intact
    tcpdump ... | while IFS= read -r line
    do
    logger "$line"
    done

    This will also run into the output buffering problem, see other
    responses for the solution to that.

    > >
    > > Thanks
    > >
    > > Asif
    > >

    >
    > Rapidly approaching off-topicness. This is more suited for some of the
    > specific unix newsgroups.
    > For the sake of your follow-up questions though,
    >
    > 1. if you want to log tcpdump output, but fear filesize, consider
    > compressing the output.
    > The output of tcpdump is fairly compressible because of its repetition. Use
    > a typical
    > compression utility, or create a pipe or socket device that compresses for
    > you


    Syslog requires plain text log messages, so you can't compress before
    logging. I guess you mean "if you want to save tcpdump output".

    >
    > 2. yes, but then why would you do that? If you cant output to a file, then
    > what good is
    > redirecting to syslog?


    The log server probably has much more disk space than the machine he's
    running tcpdump on, because it's collecting logs for many machines.

    --
    Barry Margolin, barmar@alum.mit.edu
    Arlington, MA
    *** PLEASE post questions in newsgroups, not directly to me ***
    *** PLEASE don't copy me on replies, I'll read them in the group ***
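    Putting the thread's pieces together (the -l line-buffering fix, the prefix on every line, the "mytcpdump" wrapper idea and the logger loop) as an added example that is not from any of the posters; the function names, the mytcpdump tag and the local0.info facility are assumptions:

```sh
#!/bin/sh
# Added example, not from the thread: a wrapper in the spirit of the
# "mytcpdump" script suggested above. It prints a header line, then tags
# every packet line and hands it to syslog through logger(1). The names
# tag_lines/run_capture/to_syslog and the "mytcpdump" tag are assumptions.
#
# Usage: mytcpdump "this is my string" -i eth0 [more tcpdump options]

# tag_lines TAG: read text lines on stdin, emit "TAG: line" on stdout.
# Kept as a pure shell function so it can be exercised without a live
# capture; IFS= and -r keep leading blanks and backslashes intact.
tag_lines() {
    tag=$1
    while IFS= read -r line; do
        printf '%s: %s\n' "$tag" "$line"
    done
}

# run_capture TAG [tcpdump args...]: header first, then the tagged trace.
# -l makes tcpdump line-buffer its output when stdout is a pipe; without it
# the pipeline sees nothing until roughly 4KB has accumulated, which is the
# "hung" behaviour described in the thread. -n skips reverse DNS lookups so
# the capture is not padded with name-resolution traffic. 2>&1 keeps
# tcpdump's own "listening on ..." notice in the same stream.
run_capture() {
    tag=$1
    shift
    printf '%s: capture start %s args: %s\n' "$tag" "$(date -u +%FT%TZ)" "$*"
    tcpdump -l -n "$@" 2>&1 | tag_lines "$tag"
}

# to_syslog: one syslog message per line, tagged so the collector can
# filter them; local0.info is an assumed facility/priority.
to_syslog() {
    while IFS= read -r line; do
        logger -t mytcpdump -p local0.info -- "$line"
    done
}

# Only start a capture when invoked as the mytcpdump script (needs root and
# a capture interface); when sourced elsewhere the functions are just defined.
case ${0##*/} in
    mytcpdump) run_capture "$@" | to_syslog ;;
esac
```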

  12. Re: pre-pend tcpdump header

    Thanks to all who replied.
    The suggestions helped a lot.

    Asif


  13. Re: pre-pend tcpdump header


    "Barry Margolin" wrote in message
    news:barmar-B08123.19214226052006@comcast.dca.giganews.com...
    > In article ,
    > "Jay C. James" wrote:
    >
    > > wrote in message
    > > news:1148610972.235244.3200@38g2000cwa.googlegroups.com...
    > > > 1) My goal is to log the tcpdump output to a syslog server. Writing to
    > > > a file is not practical because of file-size limitations. I had thought
    > > > of writing to a file but because of size, I did not proceed with it.

    >
    > What does prepending a string have to do with that?
    >
    > > >
    > > > 2) Can tcpdump output be redirected to syslog.

    >
    > Pipe the output to a script that logs it:
    >
    > tcpdump ... | while read line
    > do
    > logger "$line"
    > done
    >
    > This will also run into the output buffering problem, see other
    > responses for the solution to that.
    >
    > > >
    > > > Thanks
    > > >
    > > > Asif
    > > >

    > >
    > > Rapidly approaching off-topicness. This is more suited for some of the
    > > specific unix newsgroups.
    > > For the sake of your follow-up questions though,
    > >
    > > 1. if you want to log tcpdump output, but fear filesize, consider
    > > compressing the output.
    > > The output of tcpdump is fairly compressible because of its repetition. Use
    > > a typical
    > > compression utility, or create a pipe or socket device that compresses for
    > > you

    >
    > Syslog requires plain text log messages, so you can't compress before
    > logging. I guess you mean "if you want to save tcpdump output".
    >


    Yes, for a moment I went off-thread myself, forgetting about syslog for a
    moment and going straight into the Drooling Nerd What-If mode. Thanks for
    correcting me.

    > >
    > > 2. yes, but then why would you do that? If you can't output to a file, then
    > > what good is
    > > redirecting to syslog?

    >
    > The log server probably has much more disk space than the machine he's
    > running tcpdump on, because it's collecting logs for many machines.
    >


    Yes, I had considered that as one obvious method of cat skinning, thinking
    of other methods entirely with just sockets or NFS but not syslog, which is
    mostly for system logging and kernel message trapping. It may be a stretch
    for the OP to consider tcpdump output qualifyingly loggable via syslog as per
    its definition and intention, but hey, it's his box. Hack away. It's do-able.

    Barry, you wouldn't recommend anything else besides syslog for something like
    this?


    > --
    > Barry Margolin, barmar@alum.mit.edu
    > Arlington, MA
    > *** PLEASE post questions in newsgroups, not directly to me ***
    > *** PLEASE don't copy me on replies, I'll read them in the group ***



    jcj



