Re: converting tcpdump files


Don't ask to ask, just ask
	PerlMonks

Re: converting tcpdump files

by BrowserUk (Patriarch)

on Apr 30, 2003 at 19:09 UTC ( [id://254433]=note: print w/replies, xml )

Need Help??

in reply to converting tcpdump files

Isn't there a -d option on your version of tcpdump?

From the manpage

-d
Dump the compiled packet-matching code in a human readable form to sta
+ndard output and stop.
[download]

Examine what is said, not who speaks.

1) When a distinguished but elderly scientist states that something is possible, he is almost certainly right. When he states that something is impossible, he is very probably wrong.
2) The only way of discovering the limits of the possible is to venture a little way past them into the impossible
3) Any sufficiently advanced technology is indistinguishable from magic.
Arthur C. Clarke.

Comment on Re: converting tcpdump files Download Code

Replies are listed 'Best First'.

Re: Re: converting tcpdump files
by Util (Priest) on May 01, 2003 at 19:58 UTC

The -d option does something different than what botho is asking; it doesn't display the captured data in a different format, it displays the capture program that it writes.

The 'capture filter' in tcpdump works by parsing the filter string during startup, and then writing an optimized machine-language filter subroutine which is called for each packet. The -d option shows that subroutine, in assembler language, which is 'human' compared to the raw machine language that -dd or -ddd would show.

For example, if I want to capture only TCP packets, ignoring all UDP, ICMP, and non-IP packets, I would use tcpdump tcp . Adding -d and running it, I get: