> By using the command "tcpdump -x" you can get the raw information
> about the packets in hexadecimal format. Can anybody tell me
> how to interpret it from that format? The information regarding
> the packets is given by tcpdump, but I would like to know how it
> is interpreted from the raw data.
>
> Gaurav.Rajput
> <[EMAIL PROTECTED]>
If I understand your question, you're seeing this from tcpdump:
0001 0001 0001 0001 0331 3432 0131 0131
0231 3007 696e 2d61 6464 7204 6172 7061
and you'd like to see this:
0001 0001 0001 0001 0331 3432 0131 0131 .........142.1.1
0231 3007 696e 2d61 6464 7204 6172 7061 .10.in-addr.arpa
I sent a tcpdump modification to the tcpdump maintainers to create
such an output with the -x switch, but they replied that they have no
intention of allowing tcpdump to have output like this to make it
harder for hackers to decipher tcpdump output. How silly! This would
slow down any true hacker for a few minutes and it makes it harder
on those of us who use tcpdump every day.
I wrote some C code to read tcpdump -x output and supply the missing
ASCII output. I'm including the code below. I apologize in advance
if the extra 2KB is a burden on anyone's bandwidth.
Dan
-------
/*
tcpdump does not provide ASCII output in a hex dump. This code fixes it.
Sample input:
11:17:40.228427 eth0 < viper.promus.com.domain > pwade2.promus.com.1024:
59912* 1/1/1 PTR viper.promus.com. (116)
4500 0090 62bb 0000 4011 fad7 0a01 018e
0a01 073b 0035 0400 007c 1577 ea08 8580
0001 0001 0001 0001 0331 3432 0131 0131
0231 3007 696e 2d61 6464 7204 6172 7061
0000 0c00 01c0 0c00 0c00 0100 0151 8000
1205 7669 7065 7206 7072 6f6d 7573 0363
6f6d 0002 3130 0749 4e2d 4144 4452 0441
5250 4100 0002 0001 0001 5180 0002 c035
c035 0001 0001 0001 5180 0004 0a01 018e
Sample output:
11:17:40.228427 eth0 < viper.promus.com.domain > pwade2.promus.com.1024:
59912* 1/1/1 PTR viper.promus.com. (116)
4500 0090 62bb 0000 4011 fad7 0a01 018e E...b...@.......
0a01 073b 0035 0400 007c 1577 ea08 8580 ...;.5...|.w....
0001 0001 0001 0001 0331 3432 0131 0131 .........142.1.1
0231 3007 696e 2d61 6464 7204 6172 7061 .10.in-addr.arpa
0000 0c00 01c0 0c00 0c00 0100 0151 8000 .............Q..
1205 7669 7065 7206 7072 6f6d 7573 0363 ..viper.promus.c
6f6d 0002 3130 0749 4e2d 4144 4452 0441 om..10.IN-ADDR.A
5250 4100 0002 0001 0001 5180 0002 c035 RPA.......Q....5
c035 0001 0001 0001 5180 0004 0a01 018e .5......Q.......
To use:
tcpdumpfix <input >output
*/
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Column of the output line at which the ASCII rendering starts. */
#define ASCII_COL 45

int main (void)
{
    int ch;                 /* current input character */
    int lc;                 /* first digit of a pending hex pair, 0 if none */
    char linein[1024];
    char lineout[100];
    char *h;                /* write pointer for the copied hex text */
    char *p;
    char *t;                /* write pointer for the ASCII column */
    int n;

    while (fgets (linein, sizeof linein, stdin) != NULL) {
        p = linein;
        /* Header lines (timestamp, addresses, summary) start in column 0:
           echo them unchanged. fgets keeps the newline, so fputs, not puts. */
        if (*linein > ' ') {
            fputs (linein, stdout);
            continue;
        }
        memset (lineout, ' ', sizeof lineout);
        lc = 0;
        h = lineout;
        t = lineout + ASCII_COL;
        *h++ = '\t';
        while ((ch = (unsigned char) *p++) != 0) {
            if (ch < ' ') continue;                   /* drop tab, CR, newline */
            if (h < lineout + ASCII_COL - 1) *h++ = (char) ch; /* stay left of the ASCII column */
            if (ch == ' ') continue;
            ch = tolower (ch);                        /* accept upper-case hex digits too */
            if (!isxdigit (ch)) continue;
            if (lc) {
                n = (isdigit (lc) ? lc - '0' : lc - 'a' + 10) * 16;
                n += isdigit (ch) ? ch - '0' : ch - 'a' + 10;
                if (t < lineout + sizeof lineout - 1)
                    *t++ = isprint (n) ? (char) n : '.';
                lc = 0;
            }
            else lc = ch;
        }
        /* A line with no hex bytes (e.g. an empty line) is passed through as-is. */
        if (t == lineout + ASCII_COL) {
            fputs (linein, stdout);
            continue;
        }
        *t = 0;
        printf ("%s\n", lineout);
    }
    return 0;
}
-
To unsubscribe from this list: send the line "unsubscribe linux-net" in
the body of a message to [EMAIL PROTECTED]
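The original question was how the raw hex relates to the summary line tcpdump prints. The following is an added example, not code from the post or from tcpdump: it converts the first three hex lines of the sample dump above (constructed inline as SAMPLE_HEX) into bytes and decodes the IPv4, UDP and DNS header fields that produce "viper.promus.com.domain > pwade2.promus.com.1024: 59912* 1/1/1". The struct and function names are this example's own.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Constructed sample: the first three hex lines of the tcpdump -x output
   quoted in the post (IPv4 header, UDP header, DNS header). */
static const char SAMPLE_HEX[] =
    "4500 0090 62bb 0000 4011 fad7 0a01 018e\n"
    "0a01 073b 0035 0400 007c 1577 ea08 8580\n"
    "0001 0001 0001 0001 0331 3432 0131 0131\n";

struct pkt_fields {
    unsigned ip_version, ip_hdr_len, ip_total_len, ip_ttl, ip_proto;
    unsigned char src[4], dst[4];
    unsigned udp_sport, udp_dport, udp_len;
    unsigned dns_id, dns_flags, dns_qd, dns_an, dns_ns, dns_ar;
};

static int hexval(unsigned char c) { c = (unsigned char) tolower(c); return isdigit(c) ? c - '0' : c - 'a' + 10; }

/* Turn tcpdump -x text into bytes, ignoring whitespace; returns the byte count. */
size_t hex_to_bytes(const char *text, unsigned char *out, size_t max) {
    size_t n = 0; int pending = -1;
    for (; *text; text++) {
        if (!isxdigit((unsigned char) *text)) continue;
        if (pending < 0) { pending = hexval((unsigned char) *text); continue; }
        if (n < max) out[n++] = (unsigned char) (pending * 16 + hexval((unsigned char) *text));
        pending = -1;
    }
    return n;
}

static unsigned be16(const unsigned char *p) { return (unsigned) (p[0] << 8) | p[1]; }

/* Decode IPv4/UDP/DNS headers; 0 on success, -1 if the buffer is too short or not IPv4/UDP. */
int decode_dns_udp(const unsigned char *b, size_t len, struct pkt_fields *f) {
    if (len < 20) return -1;
    f->ip_version = b[0] >> 4; f->ip_hdr_len = (b[0] & 0x0f) * 4;   /* 0x45: v4, IHL 5 words */
    f->ip_total_len = be16(b + 2); f->ip_ttl = b[8]; f->ip_proto = b[9];
    memcpy(f->src, b + 12, 4); memcpy(f->dst, b + 16, 4);
    if (f->ip_version != 4 || f->ip_proto != 17 || len < f->ip_hdr_len + 8 + 12) return -1;
    const unsigned char *u = b + f->ip_hdr_len, *d = u + 8;        /* UDP header, then DNS header */
    f->udp_sport = be16(u); f->udp_dport = be16(u + 2); f->udp_len = be16(u + 4);
    f->dns_id = be16(d); f->dns_flags = be16(d + 2);                /* 0x8580: response, AA, RD, RA */
    f->dns_qd = be16(d + 4); f->dns_an = be16(d + 6); f->dns_ns = be16(d + 8); f->dns_ar = be16(d + 10);
    return 0;
}
```

Port 53 to port 1024, DNS id 0xea08 = 59912 and answer/authority/additional counts 1/1/1 are exactly what the summary line shows; the "*" is the AA bit in the flags word.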