TCPDump – Run 2 Concurrent TCPDump with Different Options

linuxMySQLpacket-capturetcptcpdump

I need to run 2 concurrent tcpdump commands with different arguments/options. Why ? Because we wrote some long long scripts compatible with following options :

tcpdump -ixenbr0 -s 400 -n -A 'port sip || (tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420) || (tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x504f5354 && tcp[((tcp[12:1] & 0xf0) >> 2) + 4:1] = 0x20) || (tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x48545450 && tcp[((tcp[12:1] & 0xf0) >> 2) + 4:4] = 0x2f312e31 && tcp[((tcp[12:1] & 0xf0) >> 2) + 8:4] = 0x20323030 && tcp[((tcp[12:1] & 0xf0) >> 2) + 12:2] = 0x204f && tcp[((tcp[12:1] & 0xf0) >> 2) + 14:1] = 0x4b)' > tcpdump.txt

These options and formatting are needed for our script (those strange rules are needed to filter GET, POST and SIP protocol packets only). In the other I need to capture MySQL packets and analyze them. As its not a trivial task to find request/responses and analyze the mean time of execution of the queries, so I planned to use pt-query-digest package to analyze SQL queries using tcpdump, but it requires to execute the tcpdump with the following option and it won't work in other formats:

tcpdump  -ixenbr0 -s 65535 -n -x -q -tttt port 3306 > tcpdump.txt

Is it possible to run two concurrent tcpdumps OR any way to have tcpdump output in both formats mentioned OR is there anyway to merge these two commands?

Best Answer

Yes, its possible. It won't cause conflicts at all.

Related Solutions

Human readable format for http headers with tcpdump

Here's a one-liner I came up with for displaying request and response HTTP headers using tcpdump (which should work for your case too):

sudo tcpdump -A -s 10240 'tcp port 4080 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | egrep --line-buffered "^........(GET |HTTP\/|POST |HEAD )|^[A-Za-z0-9-]+: " | sed -r 's/^........(GET |HTTP\/|POST |HEAD )/\n\1/g'

It limits cuts the packet off at 10Kb and only knows GET, POST and HEAD commands, but that should be enough in the majority of cases.

EDIT: modified it to get rid of the buffers at every step to make it more responsive. Needs Perl and stdbuf now though, so use the original version if you don't have those: EDIT: Changed script port targets from 80 to 4080, to actually listen for traffic that went through apache already, instead of direct outside traffic arriving to port 80:

sudo stdbuf -oL -eL /usr/sbin/tcpdump -A -s 10240 "tcp port 4080 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)" | egrep -a --line-buffered ".+(GET |HTTP\/|POST )|^[A-Za-z0-9-]+: " | perl -nle 'BEGIN{$|=1} { s/.*?(GET |HTTP\/[0-9.]* |POST )/\n$1/g; print }'

Some explanations:

sudo stdbuf -oL -eL makes tcpdump run line-buffered
the tcpdump magic filter is explained in detail here: https://stackoverflow.com/questions/11757477/understanding-tcpdump-filter-bit-masking
grep is looking for any lines with GET, HTTP/ or POST; or any lines that look like a header (letters and numbers followed by colon)
BEGIN{$|=1} causes perl to run line-buffered
s/.*?(GET |HTTP/[0-9.]* |POST )/\n$1/g adds a newline before the beginning of every new request or response

Iptables – Using tcpdump with iptables

http://en.wikipedia.org/wiki/Promiscuous_mode

In computer networking, promiscuous mode or promisc mode is a mode for a wired network interface controller (NIC) or wireless network interface controller (WNIC) that causes the controller to pass all traffic it receives to the central processing unit (CPU) rather than passing only the frames that the controller is intended to receive.

This does not bypass any kind of firewall.

Related Topic