LinuxQuestions.org

Linux - Security: Tcpdump(ing) MSN in a readable form. (https://www.linuxquestions.org/questions/linux-security-4/tcpdump-ing-msn-in-a-readable-form-326597/)

Palula 05-24-2005 10:03 AM

Tcpdump(ing) MSN in a readable form.
 
Hi there.

I've been searching through the man pages of tcpdump for a possible way to sniff the packets originated by MSN (conversations), and I haven't been able to understand a thing that appears as a result of the tcpdump command line I used.

My main question is: Is it possible for me to read conversations originated by msn with tcpdump? If yes, then what would be the syntax for me to put in the command line?

The command line I've been using, which so far looks the best in the man pages, is this:

tcpdump -w dump.txt -x tcp port 1863

Which creates a text file with all the sniffing that I can later read. But it is full of unreadable and meaningless symbols.

Again: "I'd like to see/read conversations."
Thank you guys.

Mara 05-24-2005 03:41 PM

Open the file in a tool like Ethereal. Search for an option to see 'application data' or similar.

Palula 05-24-2005 04:00 PM

Really would like to have the knowledge in tcpdump
 
Ok, so as I heard (I'm a newbie), Ethereal is one of the best programs for packet sniffing and net analyzing on the web. But the problem is that I would like to stick to the Linux native apps.

Mainly: Is it possible to do this in tcpdump? Because if it isn't, then my question is answered and I will naturally move on to another step and try to initiate myself in installing new software, worrying about dependencies, etc...

Thanks.

Mara 05-25-2005 04:53 PM

tcpdump run from the command line is used (and designed) to view packet headers, not content. You want content, not headers. I don't see an option in tcpdump to show packets without headers. It means you need to get the traces and then process them using an external tool to get what you want.

bulliver 05-25-2005 05:46 PM

Something along the lines of:

$ strings < package.dump | grep expression

will do it. You just need to have a gander at the package.dump file manually to find a suitable expression to identify the data you want. For example:

$ strings < package.dump | grep -A8 "HTTP/1.1"

will print 8 lines of each http header it finds.

Mara 05-26-2005 04:15 PM

It should usually give good results, but it may not be enough when data (one message) is divided across different packets. You can try as bulliver suggests and see if it works in your case.
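To show why Mara's caveat matters, here is an added example (not from any poster in this thread) that reorders and de-duplicates TCP segments before searching them, so a message cut across two packets is found where a per-packet `strings | grep` would miss it. It assumes the MSNP MSG framing (a "MSG <trid> <ack> <length>" line ending in CRLF, then <length> bytes of MIME-style body whose text follows the blank line) and uses a constructed stream rather than a real capture.

```python
import re

# Constructed sample (not a real capture): one MSG command whose text is split
# across two TCP segments that arrive out of order, plus one retransmission.
BODY = (b"MIME-Version: 1.0\r\nContent-Type: text/plain; charset=UTF-8\r\n"
        b"\r\nhello from the other side")
CMD = b"MSG 12 N %d\r\n" % len(BODY)          # assumed MSNP framing
STREAM = CMD + BODY
SPLIT = len(STREAM) - 10                     # cut inside the chat text
SEGMENTS = [                                 # (tcp seq, payload), out of order
    (1000 + SPLIT, STREAM[SPLIT:]),
    (1000, STREAM[:SPLIT]),
    (1000, STREAM[:SPLIT]),                  # retransmission, must not repeat
]

MSG_RE = re.compile(rb"MSG \S+ \S+ (\d+)\r\n")


def printable_runs(data, minlen=4):
    """What `strings` would print: runs of printable ASCII >= minlen long."""
    return [m.group().decode() for m in re.finditer(rb"[ -~]{%d,}" % minlen, data)]


def reassemble(segments):
    """Order segments by sequence number and drop retransmitted/overlapping data."""
    out, nxt = bytearray(), None
    for seq, payload in sorted(segments, key=lambda s: s[0]):
        if nxt is None:
            nxt = seq
        end = seq + len(payload)
        if end <= nxt:
            continue                         # entirely old data, already copied
        if seq < nxt:
            payload = payload[nxt - seq:]    # keep only the new tail
        elif seq > nxt:
            raise ValueError("gap in stream at seq %d" % nxt)
        out += payload
        nxt = end
    return bytes(out)


def extract_messages(stream):
    """Return the chat text of every complete MSG command in the stream."""
    msgs, pos = [], 0
    while (m := MSG_RE.search(stream, pos)):
        length = int(m.group(1))
        body = stream[m.end():m.end() + length]
        if len(body) < length:
            break                            # truncated: rest is in another packet
        _headers, _, text = body.partition(b"\r\n\r\n")
        msgs.append(text.decode("utf-8", "replace"))
        pos = m.end() + length
    return msgs
```

Run `extract_messages` on each segment's payload alone and it returns nothing; run it on `reassemble(SEGMENTS)` and the full line of chat comes out.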

