LinuxQuestions.org
Linux - Software This forum is for Software issues.
Old 02-13-2017, 11:17 AM   #1
pingu_penguin
Member
 
Registered: Aug 2004
Distribution: Manjaro Linux
Posts: 295

Rep: Reputation: 57
tee tcpdump


I would like to grep some parts of a live network stream to observe some anomalies on my home network.

Anyone know how to tee tcpdump output and use grep with it?

Thanks.
 
Old 02-13-2017, 11:23 AM   #2
Turbocapitalist
LQ Guru
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 5,615
Blog Entries: 3

Rep: Reputation: 2871
Save the stream to a file and then work with the file at your leisure.

Code:
sudo tcpdump -pli eth0 -w dns.log.pcap 'udp and port domain'
Then you can use wireshark or tcpdump to analyze it.

Last edited by Turbocapitalist; 02-13-2017 at 11:25 AM.
 
Old 02-13-2017, 11:26 AM   #3
pingu_penguin
Member
 
Registered: Aug 2004
Distribution: Manjaro Linux
Posts: 295

Original Poster
Rep: Reputation: 57
Yes, but you can read from the file only after the capture session is over, right?

I am talking about live capture with live grep.
 
Old 02-13-2017, 11:44 AM   #4
Turbocapitalist
LQ Guru
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 5,615
Blog Entries: 3

Rep: Reputation: 2871
Can you go into a little more detail about what you are trying to get with grep that you can't with tcpdump?

There is a utility around called ngrep, which works with packet streams a bit like grep.

Otherwise, if you want to save the packets, I guess you could use a named pipe and then work with that while tee redirects stdout to the save file:

Code:
mkfifo -m 600 /tmp/netdata
sudo tcpdump -w - -pli eth0 'udp and port domain' | tee /tmp/netdata > /tmp/dns.log.pcap
If you don't want to save the packets, then you can do a fair amount with tcpdump.
 
2 members found this post helpful.
Old 02-13-2017, 11:46 AM   #5
TB0ne
LQ Guru
 
Registered: Jul 2003
Location: Birmingham, Alabama
Distribution: SuSE, RedHat, Slack,CentOS
Posts: 23,818

Rep: Reputation: 6978
Quote:
Originally Posted by pingu_penguin View Post
Yes, but you can read from the file only after the capture session is over, right?

I am talking about live capture with live grep.
Tried the tail command? "tail -f"?
 
Old 02-13-2017, 11:54 AM   #6
pingu_penguin
Member
 
Registered: Aug 2004
Distribution: Manjaro Linux
Posts: 295

Original Poster
Rep: Reputation: 57
So far I have tried tee and grep piped directly with tshark/tcpdump, but it doesn't work.

I have not tried tail -f <outputfile> yet, but I have found a better way, I believe.

Code:
# mkfifo -m 755 mypipe
One terminal:

Code:
# tcpdump -n -i eth0 > mypipe
Other terminal:

Code:
# cat mypipe | tee file.txt
You can combine tee with grep too:

Code:
# cat mypipe | tee file.txt | grep -i dns
etc. to tee and grep a live network stream. You can then see all DNS queries or HTTP, whatever makes you happy.


Thanks for your time.
 
1 members found this post helpful.
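The named-pipe approach of posts #4 and #6, as an added example that is not from the thread: a shell function that runs the cat | tee | grep reader side on a FIFO and feeds it a constructed tcpdump-style stream (fake_tcpdump is a stand-in for the real capture, not a real one). It also shows one thing the thread glosses over: with tcpdump -n the DNS port is printed as .53, so a pattern like grep -i dns never matches; match the port instead.

```shell
#!/bin/sh
# Added example, not from the thread: the named-pipe + tee + grep pattern of
# posts #4 and #6, driven by a constructed stand-in for tcpdump so it runs
# offline without root. Real use: replace fake_tcpdump with
#   sudo tcpdump -lni eth0
# (-l line-buffers tcpdump's stdout; without it the pipe only fills in blocks).

# Constructed sample lines in tcpdump's default text format (not a real capture).
# Note: with -n, ports are numeric, so DNS shows as ".53", never as "dns".
fake_tcpdump() {
    cat <<'EOF'
12:00:01.000001 IP 192.0.2.10.40001 > 192.0.2.1.53: 1234+ A? example.com. (29)
12:00:01.000200 IP 192.0.2.1.53 > 192.0.2.10.40001: 1234 1/0/0 A 203.0.113.5 (45)
12:00:02.000000 IP 192.0.2.10.50000 > 198.51.100.7.80: Flags [S], seq 1, win 64240, length 0
12:00:03.000000 IP 192.0.2.10.40002 > 192.0.2.1.53: 5678+ AAAA? example.org. (29)
EOF
}

# live_grep WORKDIR PATTERN
# Creates a private FIFO (mode 600: only the owner can read the live stream),
# starts the reader side (cat | tee | grep) in the background, then feeds the
# capture into the FIFO. The full stream lands in capture.txt, matching lines
# in matches.txt. Prints the number of matching lines.
live_grep() {
    dir=$1; pat=$2; fifo="$dir/mypipe"
    rm -f "$fifo"
    mkfifo -m 600 "$fifo" || return 1
    # The reader must be opening the FIFO already, or the writer blocks on open().
    # If grep's output feeds yet another pipe instead of a terminal, add GNU
    # grep's --line-buffered so matches appear immediately.
    ( cat "$fifo" | tee "$dir/capture.txt" \
        | grep "$pat" > "$dir/matches.txt" ) &
    reader=$!
    fake_tcpdump > "$fifo"      # writer; real use: sudo tcpdump -lni eth0 > "$fifo"
    wait "$reader" || true      # grep exits 1 when nothing matched; not an error here
    rm -f "$fifo"
    wc -l < "$dir/matches.txt" | tr -d ' '
}

# Demo run: select DNS traffic by port, as tcpdump -n prints it.
demo=$(mktemp -d)
echo "DNS lines matched: $(live_grep "$demo" '\.53[ :]')"   # 3
rm -rf "$demo"
```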
Old 02-13-2017, 12:04 PM   #7
Turbocapitalist
LQ Guru
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 5,615
Blog Entries: 3

Rep: Reputation: 2871
Quote:
Originally Posted by pingu_penguin View Post
So far I have tried tee and grep piped directly with tshark/tcpdump, but it doesn't work.
It's not supposed to, see the earlier post about how to use tee to save and show at the same time. A named pipe is necessary then.

As mentioned, there is a tool ngrep. But if you are just wanting to select packets from the network stream based on their protocol and port, then tcpdump does that for you and grep is not needed.

Code:
sudo tcpdump -pli eth0 'udp and port 53'
sudo tcpdump -pli eth0 'tcp and port 80'
 
Old 02-13-2017, 12:08 PM   #8
szboardstretcher
Senior Member
 
Registered: Aug 2006
Location: Detroit, MI
Distribution: GNU/Linux systemd
Posts: 4,237

Rep: Reputation: 1656
Are you aware of 'ngrep'? If not, it is a wonderful tool for live-grepping network traffic.

https://linux.die.net/man/8/ngrep
http://ngrep.sourceforge.net/
 
Old 02-13-2017, 12:09 PM   #9
pingu_penguin
Member
 
Registered: Aug 2004
Distribution: Manjaro Linux
Posts: 295

Original Poster
Rep: Reputation: 57
Ah, silly me. You are correct. Thanks.
 
Old 02-13-2017, 12:10 PM   #10
pingu_penguin
Member
 
Registered: Aug 2004
Distribution: Manjaro Linux
Posts: 295

Original Poster
Rep: Reputation: 57
I am aware of ngrep, szboardstretcher. Turbocapitalist's idea doesn't require additional tools, though.
 
Old 02-13-2017, 12:16 PM   #11
szboardstretcher
Senior Member
 
Registered: Aug 2006
Location: Detroit, MI
Distribution: GNU/Linux systemd
Posts: 4,237

Rep: Reputation: 1656
Fair enough. But as simplicity goes...

Tcpdump:
1 mkfifo
2 tcpdump
3 cat mypipe
4 tee
5 grep -i dns

OR

Ngrep:
Code:
ngrep dns
 
Old 02-13-2017, 03:13 PM   #12
teckk
Senior Member
 
Registered: Oct 2004
Distribution: FreeBSD Arch
Posts: 3,520

Rep: Reputation: 1095
Look at man tcpdump.
Examples:
Code:
sudo tcpdump -lnA | grep 'ARP'

sudo tcpdump -lnx | grep '0x0000'

sudo tcpdump -lnA | grep 'ARP'

sudo tcpdump -ln -w dumpfile.pcap

sudo tcpdump -r dumpfile.pcap | grep 'ARP'
 
1 members found this post helpful.