have tcpdump show the 'conversation' as i would get from wireshark?












2















Is it possible to get the same output i would get from:



tcpdump port 80 -w log.pcap
wireshark log.pcap


in wireshark Analyze > Follow TCP Stream and then in the bottom drop down Entire Conversation



but without using wireshark? ideally using tcpdump or other widely available tool (netcat?) in the console.










share|improve this question























  • Are you opposed to using Wireshark from the console by its self? You could eliminate tcpdump.

    – cutrightjm
    Aug 1 '13 at 6:40













  • my bad if i make this seems like a matter of GUI vs console. The only issue with wireshark is that it's not widely available. i'd love for that to not be the case, but often, when i'm debugging something, the machine rarely has (or i can install) wireshark. This question is to try to add another 'tool' to my tool box. right now i do the slow process of using tcpdump to capture, scp somewhere, open with wireshark. it's too slow. ofcourse, if i could have wireshark in the first box, the problem would be solved.

    – gcb
    Aug 1 '13 at 18:01
















2















Is it possible to get the same output i would get from:



tcpdump port 80 -w log.pcap
wireshark log.pcap


in wireshark Analyze > Follow TCP Stream and then in the bottom drop down Entire Conversation



but without using wireshark? ideally using tcpdump or other widely available tool (netcat?) in the console.










share|improve this question























  • Are you opposed to using Wireshark from the console by its self? You could eliminate tcpdump.

    – cutrightjm
    Aug 1 '13 at 6:40













  • my bad if i make this seems like a matter of GUI vs console. The only issue with wireshark is that it's not widely available. i'd love for that to not be the case, but often, when i'm debugging something, the machine rarely has (or i can install) wireshark. This question is to try to add another 'tool' to my tool box. right now i do the slow process of using tcpdump to capture, scp somewhere, open with wireshark. it's too slow. ofcourse, if i could have wireshark in the first box, the problem would be solved.

    – gcb
    Aug 1 '13 at 18:01














2












2








2


1






Is it possible to get the same output i would get from:



tcpdump port 80 -w log.pcap
wireshark log.pcap


in wireshark Analyze > Follow TCP Stream and then in the bottom drop down Entire Conversation



but without using wireshark? ideally using tcpdump or other widely available tool (netcat?) in the console.










share|improve this question














Is it possible to get the same output i would get from:



tcpdump port 80 -w log.pcap
wireshark log.pcap


in wireshark Analyze > Follow TCP Stream and then in the bottom drop down Entire Conversation



but without using wireshark? ideally using tcpdump or other widely available tool (netcat?) in the console.







networking http tcp tcpdump






share|improve this question













share|improve this question











share|improve this question




share|improve this question










asked Aug 1 '13 at 0:55









gcbgcb

1112




1112













  • Are you opposed to using Wireshark from the console by its self? You could eliminate tcpdump.

    – cutrightjm
    Aug 1 '13 at 6:40













  • my bad if i make this seems like a matter of GUI vs console. The only issue with wireshark is that it's not widely available. i'd love for that to not be the case, but often, when i'm debugging something, the machine rarely has (or i can install) wireshark. This question is to try to add another 'tool' to my tool box. right now i do the slow process of using tcpdump to capture, scp somewhere, open with wireshark. it's too slow. ofcourse, if i could have wireshark in the first box, the problem would be solved.

    – gcb
    Aug 1 '13 at 18:01



















  • Are you opposed to using Wireshark from the console by its self? You could eliminate tcpdump.

    – cutrightjm
    Aug 1 '13 at 6:40













  • my bad if i make this seems like a matter of GUI vs console. The only issue with wireshark is that it's not widely available. i'd love for that to not be the case, but often, when i'm debugging something, the machine rarely has (or i can install) wireshark. This question is to try to add another 'tool' to my tool box. right now i do the slow process of using tcpdump to capture, scp somewhere, open with wireshark. it's too slow. ofcourse, if i could have wireshark in the first box, the problem would be solved.

    – gcb
    Aug 1 '13 at 18:01

















Are you opposed to using Wireshark from the console by its self? You could eliminate tcpdump.

– cutrightjm
Aug 1 '13 at 6:40







Are you opposed to using Wireshark from the console by its self? You could eliminate tcpdump.

– cutrightjm
Aug 1 '13 at 6:40















my bad if i make this seems like a matter of GUI vs console. The only issue with wireshark is that it's not widely available. i'd love for that to not be the case, but often, when i'm debugging something, the machine rarely has (or i can install) wireshark. This question is to try to add another 'tool' to my tool box. right now i do the slow process of using tcpdump to capture, scp somewhere, open with wireshark. it's too slow. ofcourse, if i could have wireshark in the first box, the problem would be solved.

– gcb
Aug 1 '13 at 18:01





my bad if i make this seems like a matter of GUI vs console. The only issue with wireshark is that it's not widely available. i'd love for that to not be the case, but often, when i'm debugging something, the machine rarely has (or i can install) wireshark. This question is to try to add another 'tool' to my tool box. right now i do the slow process of using tcpdump to capture, scp somewhere, open with wireshark. it's too slow. ofcourse, if i could have wireshark in the first box, the problem would be solved.

– gcb
Aug 1 '13 at 18:01










1 Answer
1






active

oldest

votes


















0














Newer versions of TShark should support "-z follow" for this:



   −z follow,prot,mode,filter[,range]
Displays the contents of a TCP or UDP stream between two nodes.
The data sent by the second node is prefixed with a tab to
differentiate it from the data sent by the first node.

prot specifies the transport protocol. It can be one of:
tcp TCP
udp UDP
ssl SSL

mode specifies the output mode. It can be one of:
ascii ASCII output with dots for non‐printable characters
hex Hexadecimal and ASCII data with offsets
raw Hexadecimal data

Since the output in ascii mode may contain newlines, the length
of each section of output plus a newline precedes each section
of output.

filter specifies the stream to be displayed. UDP streams are
selected with IP address plus port pairs. TCP streams are
selected with either the stream index or IP address plus port
pairs. For example:
ip−addr0:port0,ip−addr1:port1
tcp‐stream‐index

range optionally specifies which "chunks" of the stream should
be displayed.

Example: −z "follow,tcp,hex,1" will display the contents of the
first TCP stream in "hex" format.

===================================================================
Follow: tcp,hex
Filter: tcp.stream eq 1
Node 0: 200.57.7.197:32891
Node 1: 200.57.7.198:2906
00000000 00 00 00 22 00 00 00 07 00 0a 85 02 07 e9 00 02 ...".... ........
00000010 07 e9 06 0f 00 0d 00 04 00 00 00 01 00 03 00 06 ........ ........
00000020 1f 00 06 04 00 00 ......
00000000 00 01 00 00 ....
00000026 00 02 00 00

Example: −z
"follow,tcp,ascii,200.57.7.197:32891,200.57.7.198:2906" will
display the contents of a TCP stream between 200.57.7.197 port
32891 and 200.57.7.98 port 2906.

===================================================================
Follow: tcp,ascii
Filter: (ommitted for readability)
Node 0: 200.57.7.197:32891
Node 1: 200.57.7.198:2906
38
...".....
................
4
....


So, although tcpdump can't do this for you, newer versions of TShark can do so, and TShark is a tty-mode (what the youngsters call "console-mode" :-)) program.






share|improve this answer























    Your Answer








    StackExchange.ready(function() {
    var channelOptions = {
    tags: "".split(" "),
    id: "3"
    };
    initTagRenderer("".split(" "), "".split(" "), channelOptions);

    StackExchange.using("externalEditor", function() {
    // Have to fire editor after snippets, if snippets enabled
    if (StackExchange.settings.snippets.snippetsEnabled) {
    StackExchange.using("snippets", function() {
    createEditor();
    });
    }
    else {
    createEditor();
    }
    });

    function createEditor() {
    StackExchange.prepareEditor({
    heartbeatType: 'answer',
    autoActivateHeartbeat: false,
    convertImagesToLinks: true,
    noModals: true,
    showLowRepImageUploadWarning: true,
    reputationToPostImages: 10,
    bindNavPrevention: true,
    postfix: "",
    imageUploader: {
    brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
    contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
    allowUrls: true
    },
    onDemand: true,
    discardSelector: ".discard-answer"
    ,immediatelyShowMarkdownHelp:true
    });


    }
    });














    draft saved

    draft discarded


















    StackExchange.ready(
    function () {
    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f626543%2fhave-tcpdump-show-the-conversation-as-i-would-get-from-wireshark%23new-answer', 'question_page');
    }
    );

    Post as a guest















    Required, but never shown

























    1 Answer
    1






    active

    oldest

    votes








    1 Answer
    1






    active

    oldest

    votes









    active

    oldest

    votes






    active

    oldest

    votes









    0














    Newer versions of TShark should support "-z follow" for this:



       −z follow,prot,mode,filter[,range]
    Displays the contents of a TCP or UDP stream between two nodes.
    The data sent by the second node is prefixed with a tab to
    differentiate it from the data sent by the first node.

    prot specifies the transport protocol. It can be one of:
    tcp TCP
    udp UDP
    ssl SSL

    mode specifies the output mode. It can be one of:
    ascii ASCII output with dots for non‐printable characters
    hex Hexadecimal and ASCII data with offsets
    raw Hexadecimal data

    Since the output in ascii mode may contain newlines, the length
    of each section of output plus a newline precedes each section
    of output.

    filter specifies the stream to be displayed. UDP streams are
    selected with IP address plus port pairs. TCP streams are
    selected with either the stream index or IP address plus port
    pairs. For example:
    ip−addr0:port0,ip−addr1:port1
    tcp‐stream‐index

    range optionally specifies which "chunks" of the stream should
    be displayed.

    Example: −z "follow,tcp,hex,1" will display the contents of the
    first TCP stream in "hex" format.

    ===================================================================
    Follow: tcp,hex
    Filter: tcp.stream eq 1
    Node 0: 200.57.7.197:32891
    Node 1: 200.57.7.198:2906
    00000000 00 00 00 22 00 00 00 07 00 0a 85 02 07 e9 00 02 ...".... ........
    00000010 07 e9 06 0f 00 0d 00 04 00 00 00 01 00 03 00 06 ........ ........
    00000020 1f 00 06 04 00 00 ......
    00000000 00 01 00 00 ....
    00000026 00 02 00 00

    Example: −z
    "follow,tcp,ascii,200.57.7.197:32891,200.57.7.198:2906" will
    display the contents of a TCP stream between 200.57.7.197 port
    32891 and 200.57.7.98 port 2906.

    ===================================================================
    Follow: tcp,ascii
    Filter: (ommitted for readability)
    Node 0: 200.57.7.197:32891
    Node 1: 200.57.7.198:2906
    38
    ...".....
    ................
    4
    ....


    So, although tcpdump can't do this for you, newer versions of TShark can do so, and TShark is a tty-mode (what the youngsters call "console-mode" :-)) program.






    share|improve this answer




























      0














      Newer versions of TShark should support "-z follow" for this:



         −z follow,prot,mode,filter[,range]
      Displays the contents of a TCP or UDP stream between two nodes.
      The data sent by the second node is prefixed with a tab to
      differentiate it from the data sent by the first node.

      prot specifies the transport protocol. It can be one of:
      tcp TCP
      udp UDP
      ssl SSL

      mode specifies the output mode. It can be one of:
      ascii ASCII output with dots for non‐printable characters
      hex Hexadecimal and ASCII data with offsets
      raw Hexadecimal data

      Since the output in ascii mode may contain newlines, the length
      of each section of output plus a newline precedes each section
      of output.

      filter specifies the stream to be displayed. UDP streams are
      selected with IP address plus port pairs. TCP streams are
      selected with either the stream index or IP address plus port
      pairs. For example:
      ip−addr0:port0,ip−addr1:port1
      tcp‐stream‐index

      range optionally specifies which "chunks" of the stream should
      be displayed.

      Example: −z "follow,tcp,hex,1" will display the contents of the
      first TCP stream in "hex" format.

      ===================================================================
      Follow: tcp,hex
      Filter: tcp.stream eq 1
      Node 0: 200.57.7.197:32891
      Node 1: 200.57.7.198:2906
      00000000 00 00 00 22 00 00 00 07 00 0a 85 02 07 e9 00 02 ...".... ........
      00000010 07 e9 06 0f 00 0d 00 04 00 00 00 01 00 03 00 06 ........ ........
      00000020 1f 00 06 04 00 00 ......
      00000000 00 01 00 00 ....
      00000026 00 02 00 00

      Example: −z
      "follow,tcp,ascii,200.57.7.197:32891,200.57.7.198:2906" will
      display the contents of a TCP stream between 200.57.7.197 port
      32891 and 200.57.7.98 port 2906.

      ===================================================================
      Follow: tcp,ascii
      Filter: (ommitted for readability)
      Node 0: 200.57.7.197:32891
      Node 1: 200.57.7.198:2906
      38
      ...".....
      ................
      4
      ....


      So, although tcpdump can't do this for you, newer versions of TShark can do so, and TShark is a tty-mode (what the youngsters call "console-mode" :-)) program.






      share|improve this answer


























        0












        0








        0







        Newer versions of TShark should support "-z follow" for this:



           −z follow,prot,mode,filter[,range]
        Displays the contents of a TCP or UDP stream between two nodes.
        The data sent by the second node is prefixed with a tab to
        differentiate it from the data sent by the first node.

        prot specifies the transport protocol. It can be one of:
        tcp TCP
        udp UDP
        ssl SSL

        mode specifies the output mode. It can be one of:
        ascii ASCII output with dots for non‐printable characters
        hex Hexadecimal and ASCII data with offsets
        raw Hexadecimal data

        Since the output in ascii mode may contain newlines, the length
        of each section of output plus a newline precedes each section
        of output.

        filter specifies the stream to be displayed. UDP streams are
        selected with IP address plus port pairs. TCP streams are
        selected with either the stream index or IP address plus port
        pairs. For example:
        ip−addr0:port0,ip−addr1:port1
        tcp‐stream‐index

        range optionally specifies which "chunks" of the stream should
        be displayed.

        Example: −z "follow,tcp,hex,1" will display the contents of the
        first TCP stream in "hex" format.

        ===================================================================
        Follow: tcp,hex
        Filter: tcp.stream eq 1
        Node 0: 200.57.7.197:32891
        Node 1: 200.57.7.198:2906
        00000000 00 00 00 22 00 00 00 07 00 0a 85 02 07 e9 00 02 ...".... ........
        00000010 07 e9 06 0f 00 0d 00 04 00 00 00 01 00 03 00 06 ........ ........
        00000020 1f 00 06 04 00 00 ......
        00000000 00 01 00 00 ....
        00000026 00 02 00 00

        Example: −z
        "follow,tcp,ascii,200.57.7.197:32891,200.57.7.198:2906" will
        display the contents of a TCP stream between 200.57.7.197 port
        32891 and 200.57.7.98 port 2906.

        ===================================================================
        Follow: tcp,ascii
        Filter: (ommitted for readability)
        Node 0: 200.57.7.197:32891
        Node 1: 200.57.7.198:2906
        38
        ...".....
        ................
        4
        ....


        So, although tcpdump can't do this for you, newer versions of TShark can do so, and TShark is a tty-mode (what the youngsters call "console-mode" :-)) program.






        share|improve this answer













        Newer versions of TShark should support "-z follow" for this:



           −z follow,prot,mode,filter[,range]
        Displays the contents of a TCP or UDP stream between two nodes.
        The data sent by the second node is prefixed with a tab to
        differentiate it from the data sent by the first node.

        prot specifies the transport protocol. It can be one of:
        tcp TCP
        udp UDP
        ssl SSL

        mode specifies the output mode. It can be one of:
        ascii ASCII output with dots for non‐printable characters
        hex Hexadecimal and ASCII data with offsets
        raw Hexadecimal data

        Since the output in ascii mode may contain newlines, the length
        of each section of output plus a newline precedes each section
        of output.

        filter specifies the stream to be displayed. UDP streams are
        selected with IP address plus port pairs. TCP streams are
        selected with either the stream index or IP address plus port
        pairs. For example:
        ip−addr0:port0,ip−addr1:port1
        tcp‐stream‐index

        range optionally specifies which "chunks" of the stream should
        be displayed.

        Example: −z "follow,tcp,hex,1" will display the contents of the
        first TCP stream in "hex" format.

        ===================================================================
        Follow: tcp,hex
        Filter: tcp.stream eq 1
        Node 0: 200.57.7.197:32891
        Node 1: 200.57.7.198:2906
        00000000 00 00 00 22 00 00 00 07 00 0a 85 02 07 e9 00 02 ...".... ........
        00000010 07 e9 06 0f 00 0d 00 04 00 00 00 01 00 03 00 06 ........ ........
        00000020 1f 00 06 04 00 00 ......
        00000000 00 01 00 00 ....
        00000026 00 02 00 00

        Example: −z
        "follow,tcp,ascii,200.57.7.197:32891,200.57.7.198:2906" will
        display the contents of a TCP stream between 200.57.7.197 port
        32891 and 200.57.7.98 port 2906.

        ===================================================================
        Follow: tcp,ascii
        Filter: (ommitted for readability)
        Node 0: 200.57.7.197:32891
        Node 1: 200.57.7.198:2906
        38
        ...".....
        ................
        4
        ....


        So, although tcpdump can't do this for you, newer versions of TShark can do so, and TShark is a tty-mode (what the youngsters call "console-mode" :-)) program.







        share|improve this answer












        share|improve this answer



        share|improve this answer










        answered Aug 2 '13 at 6:03







        user164970





































            draft saved

            draft discarded




















































            Thanks for contributing an answer to Super User!


            • Please be sure to answer the question. Provide details and share your research!

            But avoid



            • Asking for help, clarification, or responding to other answers.

            • Making statements based on opinion; back them up with references or personal experience.


            To learn more, see our tips on writing great answers.




            draft saved


            draft discarded














            StackExchange.ready(
            function () {
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f626543%2fhave-tcpdump-show-the-conversation-as-i-would-get-from-wireshark%23new-answer', 'question_page');
            }
            );

            Post as a guest















            Required, but never shown





















































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown

































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown







            Popular posts from this blog

            How to make a Squid Proxy server?

            Is this a new Fibonacci Identity?

            19世紀