Hi, I have developed a Java program, and one of its threads runs a tshark command and listens on its command-line output and performs analysis in real time.
The network topology is that dozens of clients request HTTP content from a server, and I'm running the program on the server:8080.
The tshark command I'm using is:
The requirements that made me choose tshark are:
I just discovered that tshark's memory footprint keeps increasing (which has been extensively discussed on this site), which makes it unsuitable for long-term running (months). For example, if I run tshark for 10 minutes on my server, its RAM usage will reach 4GB (according to "top"). Note that I need to analyse each packet on-the-fly, so a ring buffer is not an option either.
I understand that many folks on this site recommend tcpdump as an alternative to tshark. However, for performance requirements, I cannot afford to let tcpdump output every single packet's payload and then look for HTTP GET.
Ideally, I'm looking for a program that can produce output like this to command-line (I'm using tcpdump output as a template):
Is there a one-liner for tcpdump that can do this? Any other advice is highly appreciated.
asked 01 Nov '16, 06:11
You can use tcpdump to do what you want. The filters are pretty powerful and flexible. In your case, you probably want anything headed for a given port (say 80), and with the string 'GET ' as the first 4 packets in the payload. You can use the expression below to create such a filter:
The tcp[20:4] == 0x47455420 tells tcpdump to save anything where the 4 packets starting at byte #20 in the TCP packet equal the bytes 0x47 0x45 0x54 0x20 (which is just hex for 'GET '; the number of packets to match must be an even power of 2, so you need that 4th byte corresponding to the space). This assumes, of course, that you have a 20 byte tcp header with no options.
As far as performance goes (if you are running a modern Linux system) tcpdump should be compiling the filter into bytecode and handing it off to the kernel to execute against packets as they come in. If you are interested, you can actually see the little program it creates using the -d option. If you are load/latency tolerant enough that you were considering running tshark on the server anyway, you will probably be OK.
answered 03 Nov '16, 14:00
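To show what the answer's byte-offset comparison actually does, and why the "20 byte tcp header with no options" assumption matters, here is an added Python example (not code from the question or the answer) that applies the same check to two constructed TCP segments, one without options and one carrying a 12-byte timestamp option. The `tcp[12]` data-offset form shown beside the fixed-offset filter is the standard way to drop that assumption; the segment builder, port numbers and payloads are constructed sample data.

```python
import struct

HTTP_GET = b"GET "  # the bytes behind the constant 0x47455420 in the answer's filter

# The filter as given in the answer (fixed 20-byte header) and the
# data-offset-aware variant that reads the header length from byte 12.
FIXED_FILTER = "tcp dst port 80 and tcp[20:4] == 0x47455420"
ROBUST_FILTER = "tcp dst port 80 and tcp[((tcp[12:1] & 0xf0) >> 2):4] == 0x47455420"


def tcp_data_offset(segment: bytes) -> int:
    """TCP header length in bytes: upper nibble of byte 12 is the length in 32-bit words."""
    return (segment[12] & 0xF0) >> 2


def matches_fixed_offset(segment: bytes) -> bool:
    """Equivalent of tcp[20:4] == 0x47455420: assumes the payload starts at byte 20."""
    return segment[20:24] == HTTP_GET


def matches_data_offset(segment: bytes) -> bool:
    """Equivalent of tcp[((tcp[12:1] & 0xf0) >> 2):4] == 0x47455420: honours TCP options."""
    off = tcp_data_offset(segment)
    return segment[off:off + 4] == HTTP_GET


def build_segment(payload: bytes, options: bytes = b"") -> bytes:
    """Construct a minimal TCP segment (sample data, not captured traffic). Options must be padded to 4 bytes."""
    if len(options) % 4:
        raise ValueError("TCP options must be a multiple of 4 bytes")
    header_len = 20 + len(options)
    data_offset_byte = (header_len // 4) << 4  # reserved bits left zero
    header = struct.pack("!HHIIBBHHH", 54321, 80, 1, 1, data_offset_byte, 0x18, 65535, 0, 0)
    return header + options + payload


REQUEST = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"
# NOP, NOP, Timestamp option (kind 8, length 10, two 4-byte values): 12 bytes total.
TIMESTAMP_OPTION = b"\x01\x01\x08\x0a" + struct.pack("!II", 1000, 0)

SEGMENT_PLAIN = build_segment(REQUEST)
SEGMENT_WITH_OPTIONS = build_segment(REQUEST, TIMESTAMP_OPTION)
SEGMENT_POST = build_segment(b"POST /submit HTTP/1.1\r\n\r\n")

if __name__ == "__main__":
    for name, seg in [("plain", SEGMENT_PLAIN), ("options", SEGMENT_WITH_OPTIONS), ("post", SEGMENT_POST)]:
        print(f"{name:8} header={tcp_data_offset(seg):2}B fixed={matches_fixed_offset(seg)!s:5} "
              f"data-offset={matches_data_offset(seg)}")
```

The segment with a timestamp option is missed by the fixed-offset check because bytes 20..23 hold the option, not the request line, while the data-offset form still matches it.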