Wednesday, January 30, 2008

awesome tuple ('tcpdump','wireshark')

Sometimes you want to see the HTTP session between a browser and an HTTP server. You could use Firebug for Firefox, but then you only see Firefox's own session... Say you want to capture all packets on localhost on port 8004. You'd use `tcpdump -i lo -A -s 0 "port 8004"`

  • `-i lo` means to capture packets on the lo interface
  • `-A` means to show the contents of the packets in ASCII
  • `-s 0` means to capture each packet in full (snapshot length 0) instead of cutting it down to the default snapshot length, so nothing is lost from the payload
  • `port 8004` is a pcap filter expression: only packets to or from port 8004 are captured
Now you can watch the packets sent to the server and the server's responses. Eventually you'll want to save the log and read it later in more comfortable conditions. For that you'd use `tcpdump -i lo -A -s 0 "port 8004" -w /tmp/tcp.dump`. `-w /tmp/tcp.dump` tells tcpdump to save its work as a specially formatted log (a pcap file of the raw packets, not the ASCII dump) to /tmp/tcp.dump.

Now you can relax and install wireshark from your distribution! It's amazing! You can do whatever you want with the log you captured earlier. Just run `wireshark /tmp/tcp.dump` and take a tour of the amazing world of network communication ;). Here is a small screenshot:

That's all for today about tcpdump and wireshark. I know that's not enough information about this stuff, but everything else is in `man tcpdump` and `man wireshark`. They are too big to cover in a blog post, so just dive into their docs to figure out your options.
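As an added example (not from the original post, and not tcpdump's or wireshark's own code), here is a small Python script that builds a constructed pcap file in memory in the format `tcpdump -w` writes, then walks it the way a quick offline triage script would: it pulls the HTTP start line out of every TCP segment touching port 8004 and flags records that a small `-s` value would have cut short, which is exactly why the post uses `-s 0`. Ports, addresses and the sample request/response are all made up for the demonstration.

```python
# Added example (not from the original post): build a tiny pcap in memory, the
# format `tcpdump -w` writes, then pull the HTTP start line out of every TCP
# segment on port 8004 and flag records a small -s would have cut short.
import struct

PCAP_MAGIC, LINKTYPE_ETHERNET = 0xA1B2C3D4, 1

def tcp_frame(src_port, dst_port, payload):
    """Constructed Ethernet/IPv4/TCP frame; MACs and checksums are dummy zeros."""
    eth = b"\x00" * 12 + struct.pack("!H", 0x0800)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 1, 0, 64, 6, 0,
                     b"\x7f\x00\x00\x01", b"\x7f\x00\x00\x01")
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload

def write_pcap(frames, snaplen=65535):
    """Serialise frames as a classic little-endian pcap, truncating like tcpdump -s."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        kept = frame[:snaplen]  # incl_len < orig_len marks a truncated record
        out += struct.pack("<IIII", 1201000000 + i, 0, len(kept), len(frame)) + kept
    return out

def http_start_lines(pcap, port):
    """Return (src_port, dst_port, first_line, truncated) for TCP data touching port."""
    assert struct.unpack_from("<I", pcap)[0] == PCAP_MAGIC, "unexpected pcap magic"
    offset, results = 24, []
    while offset + 16 <= len(pcap):
        _, _, incl_len, orig_len = struct.unpack_from("<IIII", pcap, offset)
        frame = pcap[offset + 16:offset + 16 + incl_len]
        offset += 16 + incl_len
        if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != 0x0800:
            continue  # not IPv4
        tcp = 14 + (frame[14] & 0x0F) * 4
        if frame[23] != 6 or len(frame) < tcp + 20:
            continue  # not TCP, or the TCP header itself was cut off
        src, dst = struct.unpack_from("!HH", frame, tcp)
        payload = frame[tcp + (frame[tcp + 12] >> 4) * 4:]
        if port in (src, dst) and payload:
            line = payload.split(b"\r\n", 1)[0].decode("latin-1")
            results.append((src, dst, line, incl_len < orig_len))
    return results

# Constructed sample session: one request, one response, one unrelated segment.
FRAMES = [tcp_frame(40000, 8004, b"GET /index.html HTTP/1.1\r\nHost: localhost:8004\r\n\r\n"),
          tcp_frame(8004, 40000, b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\nhello"),
          tcp_frame(40001, 22, b"SSH-2.0-test\r\n")]

def demo(snaplen=65535):
    return http_start_lines(write_pcap(FRAMES, snaplen), 8004)
```

Calling `demo()` returns the full request and response start lines; `demo(snaplen=60)` shows the same records cut to a few bytes and flagged as truncated, which is what a capture without `-s 0` looks like once the default snapshot length bites.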

2 comments:

Nima said...

nice blog! thanks!

Top Security and Hacking Tools
http://cryptoexperts.blogspot.com

Ni@m said...

Thanks!

Big thanks for the link also.