LinuxQuestions.org

Linux - Networking: Adding Line Feed Between tcpdump Packets (https://www.linuxquestions.org/questions/linux-networking-3/adding-line-feed-between-tcpdump-packets-4175595955/)

RPN 12-22-2016 02:44 PM

Adding Line Feed Between tcpdump Packets
 
I am capturing packets to a file with tcpdump and it would really be nice if I could put a line feed or two between each packet for readability. Is there any way you can tell tcpdump to do that? I looked at the man pages and did a Google search but could not find anything. If I missed it in the man pages, my apology.

nini09 12-22-2016 03:21 PM

How do you read these captured packet, Wireshark or something else?

Turbocapitalist 12-22-2016 03:22 PM

I guess you could pipe the output through sed using a variation on a well-known sed one-liner to double-space a file or stream:

Code:

tcpdump -r your-file.pcap | sed 'G' | less

That works if you want all the lines double-spaced regardless of which packet they are in; G alone would do it.
The G alone would append the hold space to the pattern space, double-spacing the stream.

sed is a very simple and dreadfully concise programming language.

So, if you want to group the packets, then you have to identify the start of the packet with a pattern // and then apply G to it only if the pattern is not present:

Code:

tcpdump -r your-file.pcap | sed '/^..:..:..\./!G' | less

However, packets are two lines so we want to skip that and do the append with every other line. If you're using the default time format for tcpdump then you have colons as the 3rd and 6th character with a period as the 9th character in the lines starting each packet to identify those lines and so the append is skipped for those lines.

Edit: maybe a better, more generic way would be to insert a line ahead of each packet:

Code:

tcpdump -r your-file.pcap | sed '/^..:..:..\./{x;p;x}' | less

TB0ne 12-22-2016 03:26 PM

Quote:

Originally Posted by RPN (Post 5645236)
I am capturing packets to a file with tcpdump and it would really be nice if I could put a line feed or two between each packet for readability. Is there any way you can tell tcpdump to do that? I looked at the man pages and did a Google search but could not find anything. If I missed it in the man pages, my apology.

Well, there is a reason for the file format. That .pcap format is pretty much a 'standard' for reading in by other programs. But, if you want something non-standard, you could always run it through sed, and shove one in...I don't think there's a way to get tcpdump to do such things by default. That said, have you looked at wireshark instead? It has more options than tcpdump.

RPN 12-22-2016 06:29 PM

nini09: I only need to look at some NTP packets between a time server and a GPS receiver/time server over a long period of time looking for some anomalies and tcpdump -A -vvv provides all the information I need.


Turbocapitalist: sed is a great idea and I did work something out based on my using tcpdump with the -tttt switch

Code:

cat capture.file | sed 's/\(2016-\)/\n\n\1/g' > modified.file

It is not very elegant or as nice as having tcpdump do it, but it works.


TBOne: Thanks for the insight on why there are no linefeeds in the tcpdump output, and I will keep Wireshark in mind for the future.



Thanks to all for taking the time to reply, and I hope you have a great holiday season.
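A sed filter that combines Turbocapitalist's timestamp-anchored `{x;p;x}` trick with RPN's `-tttt` output, handling both the default `HH:MM:SS.` prefix and the `YYYY-MM-DD HH:MM:SS.` prefix without hard-coding the year. This is an added example, not code posted by anyone in the thread; the packet lines are constructed and the 10.0.0.x addresses are placeholders.

```shell
# Constructed sample in tcpdump's default HH:MM:SS.usec format, with one
# indented continuation line per packet (as -v/-A output has). Not a real
# capture; the 10.0.0.x addresses are placeholders.
sample_default='12:00:00.000001 IP 10.0.0.1.123 > 10.0.0.2.123: NTPv4, Client, length 48
    Leap indicator: (0), Stratum 0 (unspecified), poll 6 (64s), precision 0
12:00:00.000523 IP 10.0.0.2.123 > 10.0.0.1.123: NTPv4, Server, length 48
    Leap indicator: (0), Stratum 1 (primary reference), poll 6 (64s), precision -20'

# The same two packets as tcpdump -tttt prints them (date prefix added).
sample_tttt='2016-12-22 12:00:00.000001 IP 10.0.0.1.123 > 10.0.0.2.123: NTPv4, Client, length 48
    Leap indicator: (0), Stratum 0 (unspecified), poll 6 (64s), precision 0
2016-12-22 12:00:00.000523 IP 10.0.0.2.123 > 10.0.0.1.123: NTPv4, Server, length 48
    Leap indicator: (0), Stratum 1 (primary reference), poll 6 (64s), precision -20'

# Insert one blank line before each packet header read on stdin. The address
# matches both the default HH:MM:SS. prefix and the -tttt YYYY-MM-DD HH:MM:SS.
# prefix; "1!" skips the very first header so the output does not begin with a
# blank line. Continuation lines are indented, never match the anchor, and so
# stay grouped with their packet however many lines -vvv or -A produce.
space_packets() {
  sed -E '/^([0-9]{4}-[0-9]{2}-[0-9]{2} )?[0-9]{2}:[0-9]{2}:[0-9]{2}\./{1!{x;p;x;};}'
}

# Number of separator (blank) lines the filter inserted for a given sample.
count_separators() {
  printf '%s\n' "$1" | space_packets | grep -c '^$'
}

# Usage on a real capture: tcpdump -tttt -A -vvv -r capture.pcap | space_packets | less
printf '%s\n' "$sample_tttt" | space_packets
```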

