Tool for converting TcpDump text output to pcap or extract data from it.

Question

I would like to analyse network traffic of a system, which I don't have write access on it, so I couldn't save the tcpdump as pcap file using -w options. So, I came up with saving the command line result in text file by following command:

tcpdump -nnvvvSettXXU -s 0 -i eth1 > traffic.txt

How can I analyses the output.

Following is the sample of output:

1505232640.039941 MAC > MAC, ethertype ARP (0x0806), length 42: Ethernet (len 6), IPv4 (len 4), Request who-has 10.0.3.2 tell 10.0.3.15, length 28
    0x0000:  5254 0012 3502 0800 2767 89f1 0806 0001  RT..5...'g......
    0x0010:  0800 0604 0001 0800 2767 89f1 0a00 030f  ........'g......
    0x0020:  0000 0000 0000 0a00 0302                 ..........
1505232640.040137 MAC > MAC, ethertype ARP (0x0806), length 42: Ethernet (len 6), IPv4 (len 4), Reply 10.0.3.2 is-at 52:54:00:12:35:02, length 28
    0x0000:  0800 2767 89f1 5254 0012 3502 0806 0001  ..'g..RT..5.....
    0x0010:  0800 0604 0002 5254 0012 3502 0a00 0302  ......RT..5.....
    0x0020:  0800 2767 89f1 0a00 030f                 ..'g......
1505232650.113663 MAC > MAC, ethertype IPv4 (0x0800), length 155: (tos 0x0, ttl 64, id 2428, offset 0, flags [none], proto TCP (6), length 141)
    37.48.64.202.7095 > 10.0.3.15.37022: Flags [P.], cksum 0x09ee (correct), seq 2844491:2844592, ack 905630997, win 65535, length 101
    0x0000:  0800 2767 89f1 5254 0012 3502 0800 4500  ..'g..RT..5...E.
    0x0010:  008d 097c 0000 4006 fde6 2530 40ca 0a00  ...|[email protected]%[email protected]
    0x0020:  030f 1bb7 909e 002b 674b 35fa d515 5018  .......+gK5...P.
    0x0030:  ffff 09ee 0000 1703 0300 6098 68bf 586b  ..........`.h.Xk
    0x0040:  09e6 6472 fc92 b4c0 4d4e a3d4 4c4c f8df  ..dr....MN..LL..
    0x0050:  4760 64d0 fd12 ec6c 058e 8f7f ecf4 e5e0  G`d....l........
    0x0060:  1e3a 32c4 1b33 459d a3e8 b5d0 3481 7901  .:2..3E.....4.y.
    0x0070:  36f6 712a f14f 5bc5 076c 941d 8a24 a541  6.q*.O[..l...$.A
    0x0080:  7d88 5a6b 5dff 19c5 80db 4f8c d7a4 b490  }.Zk].....O.....
    0x0090:  6869 b1b1 c344 5894 d2c4 56              hi...DX...V

Edit:

I find text2pacp but my text file format isn't acceptable by it. So I write the following python script to convert the format to suitable form:

import re
regexp_time =re.compile("\d\d\d\d\d\d\d\d\d\d.\d\d\d\d\d\d+")
regexp_hex = re.compile("(\t0x\d+:\s+)([0-9a-f ]+)+  ")
with open ('../Traffic/traffic1.txt') as input,open ('../Traffic/txt2.txt','w') as output:
for line in input:
if regexp_time.match(line):
output.write ("%s\n" % (line.split()[0]))
elif regexp_hex.match(line):
words = line.split("  ")
bytes=""
for byte in words[1].split():
if len(byte) == 4:
bytes += "%s%s %s%s "%(byte[0],byte[1],byte[2],byte[3])
elif len(byte) == 2:
bytes += "%s%s "%(byte[0],byte[1])
output.write ("%s  %s %s \n" % (words[0].replace("0x","00"),"{:<47}".format (bytes),words[2].replace("\n","")))
input.close()
output.close()

As I’m new to python could someone help me to speed up the code?! You can find more efficient code here:

Edit:

Here is the story why I should capture in this way.

I have multiple Genymotion devices on host, which is assigned static IP, So I couldn’t set network mode of the devices to bridge. Therefor all of them set to NAT mode and then get same IP but different MAC addresses. So I came up with capturing each devices traffic by running tcpdump on each devices. but As I have other running processes in each device and also limited space on each of them and also no write permission. I couldn’t use -w which lead to save file on emulators. But when I use > it will write on host machine which I don’t have any limitation.

PS: Genymotion run on top of Virtualbox.

Accepted Answer

1

I guess I still don't quite understand, but it seems that writing to stdout writes to your host and not to the emulator, so maybe you could just have tcpdump write to stdout and then redirect the output to a file? For example:

tcpdump -nnvvvSettXXU -s 0 -i eth1 -w - > traffic.pcap

Or maybe you could use sshdump?

answered 14 Sep '17, 12:47

cmaynard ♦♦
9.4k●10●38●142
accept rate: 20%

Thanks, I will try it out. Unfortunately, because of some network issue my connection to host is lost.

(14 Sep '17, 14:26) Zahra

I get following error when I capture using the command you suggest. The capture file appears to be damaged or corrupt. (pcap: File has 1936288800-byte packet, bigger than maximum of 262144)

(16 Sep '17, 00:09) Zahra

Did you capture any packets though? Did you try to open the resulting capture file? It might just be the last packet that is affected, and so it probably doesn't matter.

(19 Sep '17, 07:08) cmaynard ♦♦

I capture packet, but when I try to open the file I get that error. How can I solve it?

(19 Sep '17, 08:56) Zahra

If it bothers you, you can probably just use editcap to remove the last packet from the capture file. Or you can use Wireshark itself: File -> Export Specified Packets... -> Range: 1-N ... where N is 1 less than the number of packets you captured. This assumes the last packet is the mal-formed one.

(19 Sep '17, 09:12) cmaynard ♦♦

Why It happens? How can I Prevent it?

(19 Sep '17, 09:48) Zahra

Maybe try experimenting with stdbuf? For example:

stdbuf -o 0 tcpdump -nnvvvSettXXU -s 0 -i eth1 -w - > traffic.pcap

(I see now that you were already using -U, so obviously that wasn't helping.)

(19 Sep '17, 09:57) cmaynard ♦♦

I didn't get what you mean by "that wasn't helping".

(19 Sep '17, 10:24) Zahra

I meant that the -U option wasn't helping to prevent the corrupted packet from being written to the pcap file. I was going to suggest using it, but then I noticed that you already were.

(19 Sep '17, 10:30) cmaynard ♦♦

Is it possible that capturing traffic this way result in missing packets?

(08 Dec '17, 22:02) Zahra

showing 5 of 10 show 5 more comments