Linux – using tcpdump to display XML API requests without headers or ack packets

centos5linuxtcpdump

I need assistance, I am trying to use tcpdump in order to capture API requests and responses between two servers, so far I have the following command:

tcpdump -iany -tpnAXs0 host xxx.xxx.xxx.xxx and port 6666

My problem is, that the output is still hard to read, because it sends the Headers, and the ack packets.

I would like to remove those and only see the XML bodies.

I tried to use grep -v, but apparently this is all one request, so it filters the entire thing…

Thanks!

Best Answer

How about this:

$ while read stream; do \
tshark -qz follow,tcp,ascii,$stream -r soap.pcap; done \
< <(tshark -R "xml" -T fields -e tcp.stream -r soap.pcap | sort | uniq)

Source: http://ask.wireshark.org/questions/18046/extracting-segmented-soap-xml-payload

Related Solutions

tcpdump – How to Capture ACK or SYN Packets

The pcap filter syntax used for tcpdump should work exactly the same way on wireshark capture filter.

With tcpdump I would use a filter like this.

tcpdump "tcp[tcpflags] & (tcp-syn|tcp-ack) != 0"

Check out the tcpdump man page, and pay close attention to the tcpflags.

Be sure to also check out the sections in the Wireshark Wiki about capture and display filters. Unfortunately the two types of filters use a completely different syntax, and different names for the same thing.

If you wanted a display filter instead of capture filter you would probably need to build an expression combining tcp.flags.ack, and tcp.flags.syn. I am far more familiar with capture filters though, so you'll have to work that out on your own.

http://wiki.wireshark.org/DisplayFilters
- Display filter ref: http://www.wireshark.org/docs/dfref/
- TCP display ref: http://www.wireshark.org/docs/dfref/t/tcp.html
http://wiki.wireshark.org/CaptureFilters

Linux – Sniff packets using tcpdump

There are several possibilities.

1- You are listening on the wrong the interface eth0, eth1, etc.

2- You did not wait enough for the packets to show up. Packets are not shown immediately unless you specify -n to disable name resolution.

3- You are filtering based on the wrong IP address as suggested by "Nathan Adams".

Best Answer

Related Solutions

tcpdump – How to Capture ACK or SYN Packets

Linux – Sniff packets using tcpdump

Related Topic