[tcpdump-workers] Re: Re: About tcpdump for HTTP/SIP

Wed, 02 May 2001 10:21:12 -0700 


>The standard behavior should perhaps just print the first line (e.g.,
>the request or reply line in HTTP), and with some other option it'd
>print the full data.  (For example, the SMB dissector used to print
>a detailed multiple-line dissection; it now does so only if "-vv" was
>specified, i.e. if the "vflag" variable is 2 or greater; the HTTP and
>SIP dissectors should perhaps do the same.)

I did a proof of concept of this (ignoring the "IP prints stuff after"
problem):

% tcpdump tcp port 80
tcpdump: listening on de0
09:55:12.354861 fenestro.attlabs.att.com.2674 > wilson.attlabs.att.com.http: S 1
456943031:1456943031(0) win 16384 <mss 1460,nop,wscale 0,nop,nop,timestamp 26684
2351 0> (DF)
09:55:12.359985 wilson.attlabs.att.com.http > fenestro.attlabs.att.com.2674: S 3
555175956:3555175956(0) ack 1456943032 win 17520 <mss 1460> (DF)
09:55:12.360124 fenestro.attlabs.att.com.2674 > wilson.attlabs.att.com.http: . a
ck 1 win 17520 (DF)
09:55:12.372189 fenestro.attlabs.att.com.2674 > wilson.attlabs.att.com.http: P 1
:356(355) ack 1 win 17520 GET / HTTP/1.0 (DF)
09:55:12.386720 wilson.attlabs.att.com.http > fenestro.attlabs.att.com.2674: P 1
:275(274) ack 356 win 17520 HTTP/1.1 304 Not Modified (DF)
09:55:12.477902 fenestro.attlabs.att.com.2674 > wilson.attlabs.att.com.http: . a
ck 275 win 17520 (DF)
09:55:28.610197 wilson.attlabs.att.com.http > fenestro.attlabs.att.com.2674: F 
275:275(0) ack 356 win 17520 (DF)
09:55:28.610363 fenestro.attlabs.att.com.2674 > wilson.attlabs.att.com.http: . ack 276 
win 17520 (DF)

and

10:04:23.431032 fenestro.attlabs.att.com.2681 > wilson.attlabs.att.com.http: S [tcp 
sum ok] 1599679420:1599679420(0) win 16384 <mss 1460,nop,wscale 0,nop,nop,timestamp 
266897467 0> (DF) (ttl 64, id 22898, len 60)
10:04:23.435741 wilson.attlabs.att.com.http > fenestro.attlabs.att.com.2681: S [tcp 
sum ok] 3659938866:3659938866(0) ack 1599679421 win 17520 <mss 1460> (DF) (ttl 60, id 
29302, len 44)
10:04:23.435866 fenestro.attlabs.att.com.2681 > wilson.attlabs.att.com.http: . [tcp 
sum ok] 1:1(0) ack 1 win 17520 (DF) (ttl 64, id 22899, len 40)
10:04:23.448452 fenestro.attlabs.att.com.2681 > wilson.attlabs.att.com.http: P 
1:293(292) ack 1 win 17520 GET / HTTP/1.0\015
        Connection: Keep-Alive\015
        Us[|http] (DF) (ttl 64, id 22900, len 332)
10:04:23.470131 wilson.attlabs.att.com.http > fenestro.attlabs.att.com.2681: . 
1:1461(1460) ack 293 win 17520 HTTP/1.1 200 OK\015
        Date: Wed, 02 May 2001 17[|http] (DF) (ttl 60, id 29303, len 1500)
10:04:23.471340 wilson.attlabs.att.com.http > fenestro.attlabs.att.com.2681: P 
1461:1811(350) ack 293 win 17520 not help resolve configuration issues.

        <P[|http] (DF) (ttl 60, id 29304, len 390)
10:04:23.471447 fenestro.attlabs.att.com.2681 > wilson.attlabs.att.com.http: . [tcp 
sum ok] 293:293(0) ack 1811 win 15970 (DF) (ttl 64, id 22901, len 40)
10:04:23.643121 fenestro.attlabs.att.com.2680 > wilson.attlabs.att.com.http: P 
326:651(325) ack 2615 win 17520 GET /apache_pb.gif HTTP/1.0\015
        Referer: http[|http] (DF) (ttl 64, id 22902, len 365)
10:04:23.643950 fenestro.attlabs.att.com.2680 > wilson.attlabs.att.com.http: F [tcp 
sum ok] 651:651(0) ack 2615 win 17520 (DF) (ttl 64, id 22903, len 40)

oops, forgot to up the snaplen...

10:05:34.573997 fenestro.attlabs.att.com.2685 > wilson.attlabs.att.com.http: P [tcp 
sum ok] 1:326(325) ack 1 win 17520 GET /apache_pb.gif HTTP/1.0\015
        Referer: http://wilson/\015
        Connection: Keep-Alive\015
        User-Agent: Mozilla/4.72 [en] (X11; U; FreeBSD 4.3-RC i386)\015
        Pragma: no-cache\015
        Host: wilson\015
        Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png\015
        Accept-Encoding: gzip\015
        Accept-Language: en\015
        Accept-Charset: iso-8859-1,*,utf-8\015
        \015 (DF) (ttl 64, id 23144, len 365)
10:05:34.589242 wilson.attlabs.att.com.http > fenestro.attlabs.att.com.2685: . 
1:1461(1460) ack 326 win 17520 HTTP/1.1 200 OK\015
        Date: Wed, 02 May 2001 17:05:34 GMT\015
        Server: Apache/1.3.14 (Unix)\015
        Last-Modified: Wed, 03 Jul 1996 06:18:15 GMT\015
        ETag: "1706d7-916-31da10a7"\015
        Accept-Ranges: bytes\015
        Content-Length: 2326\015
        Keep-Alive: timeout=15, max=100\015
        Connection: Keep-Alive\015
        Content-Type: image/gif\015
        \015
        GIF89a\003\001 
\000\367\000\000\377\377\377\316\316\316\245\245\245\204\204\204ssskkkZZZ!\030\030\377B\030\3771\000\275R\020\336\255\204\357\234B\377\204\000\377\316\030\377\316\000\316\316\306\275\275\3061\000\377c\000\377\234\000\377\357\000\377\347J\357\336{\336\326\245\316\377\000\234\357J\214\377\000c\347\204\234\357Rc\377\000\030\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\0!
!
00\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\!
!
000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000!
!
\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000!\371\004\001\000\000\001\000,\000\000\000\000\003\001
 
\000G\010\377\000\003\010\034H\260\240\301\203\010\023*\\310\260\241\303\207\020#J\234H\261\242E\206\021\016\034\0300\260\300\200\001\002\002l0\260!\303\006\017(Q&X\331\300A\204\201\007\376\3753\020\363_\004\231\007h\376;\020
 
\246\001\0032\011\370\024\2603\302\200\231=e\006%03\002P\002\001p\352\374W\020\350L\253\004\254\336\264y\261\253\327\257`\303\026|Iv\203\331
        
\033*P\2400a\302?\011J\343\276\225@w\002\333\265\0252P\3100!\203I\277\005P\376;\231\022\001\002\001._\212]\314\270\261\343\307b#Dh0\000A\203\225\011R
        
N\371\317\203\001\017f\375\206\366+\332d^\275\245\323f\030\360\240u\353\006\017\032\314\374'\200\243\300\013u'Hh\333\226\356\356\335\272%\0xa\355\332\341\022/\220^\316\274y\006\015\0065{X\330A3\206\202\0300\257d\270@{\202\203\014\032\210\377o\000\371\253\200\363\347\313/\214\220\236
 
\373\220\352\343\313\237\357\360\345y\271o\347\266]\233!o\337\275\031L\225\222\001\010(PSQ\002\035\305ST\264\011$\300\201P\305\264\240@L)\025\222SrU\025\327F\016\312\244\030}
 \2068_\004\010\030\260Rg\240\225d\332r\024T`\327ZnY\205\237\p\375\366\033[|http] (DF) 
(ttl 60, id 30271, len 1500)

I'd like to add a command-line flag to ask print-tcp and print-udp to
do this to their payloads (similar to -X).  This could probably handle
80% of the requirements for printing out text-based protocol exchanges.

Any thoughts on what command-line flag?  I guess maybe "-A", for "ASCII-only
printing"...

Smarter printers could do smarter stuff (like not printing the payload of
an HTTP request unless -vvv, or unless the content-type is text/*, or
something).

Also, does anyone have any thoughts on safeputchar() vs. fn_print()'s output
format?  Neither one is currently reversible (safeputchar() doesn't encode
backslashes, so the sequence '\' '0' '0' '0' in a string is indistinguishable
from '\000', similarly fn_print() doesn't escape '^' or 'M' '-'...)
4.4BSD introduces a reversible encoding with the vis() library call;
perhaps tcpdump should adopt something like that?

  Bill
-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html
To unsubscribe use mailto:[EMAIL PROTECTED]?body=unsubscribe

Reply via email to