Software and Internet Services
kodwi, 2014-08-14 18:10:33

What are the analogues of tcpdump with support for trapping packets by data pattern?

I need to filter packets according to a certain pattern (for example, with certain initial two bytes of data). Googling, I did not find anything about filtering traffic by data patterns in tcpdump. If there is no such possibility in tcpdump, please tell me alternative sniffers, preferably not heavy and without gui (for use on a server with CentOS).


2 answer(s)
throughtheether, 2014-08-14
@kodwi

I need to filter packets according to a certain pattern (for example, with certain initial two bytes of data). Googling, I did not find anything about filtering traffic by data patterns in tcpdump.
Look here, page 11. Briefly, the relevant Berkeley packet filter syntax is this: protocol[start:count]=0xHEXTEMPLATE
an example for "GET " at the beginning of an HTTP message (more precisely, at the beginning of a TCP data field):
If there is no such possibility in tcpdump, please tell me alternative sniffers, preferably not heavy and without gui (for use on a server with CentOS).
tcpdump has such an option (if I understood your problem correctly), but I recommend paying attention to tshark, the console version of wireshark. To capture traffic, they use bpf filters; filters for displaying traffic can be configured more flexibly, in my opinion.
Another solution to your problem is to capture all traffic (or with coarse filtering) if possible (i.e. low traffic volume) with tcpdump and filter with display filters in wireshark/tshark.
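Added illustration (not the answerer's code): the protocol[start:count]=0xHEX comparison indexes from the start of the TCP header, so matching the first bytes of the data field has to skip a header whose length varies with options. The helper below builds that tcpdump/BPF expression for a short byte pattern and re-implements the same offset arithmetic in Python over a constructed IPv4/TCP packet (assumed: no link-layer header, IPv4 only), so the reader can see the filter agree with a real payload check both with and without TCP options.

```python
import struct

def bpf_payload_prefix_filter(pattern: bytes) -> str:
    """Build a tcpdump/BPF expression matching TCP segments whose data
    field starts with `pattern` (1..4 bytes: one BPF comparison)."""
    if not 1 <= len(pattern) <= 4:
        raise ValueError("a single BPF comparison covers at most 4 bytes")
    # tcp[12] high nibble = data offset in 32-bit words; >> 2 turns it into
    # a byte count, i.e. the TCP header length including options.
    return f"tcp[((tcp[12:1] & 0xf0) >> 2):{len(pattern)}] = 0x{pattern.hex()}"

def payload_starts_with(packet: bytes, pattern: bytes) -> bool:
    """Reference check doing exactly what the filter does, on a raw IPv4
    packet (constructed input, no Ethernet header assumed)."""
    ihl = (packet[0] & 0x0F) * 4            # IPv4 header length in bytes
    if packet[9] != 6:                      # protocol field: 6 = TCP
        return False
    tcp = packet[ihl:]
    data_off = (tcp[12] & 0xF0) >> 2        # TCP header length in bytes
    return tcp[data_off:data_off + len(pattern)] == pattern

def make_ipv4_tcp(payload: bytes, tcp_opts: bytes = b"") -> bytes:
    """Constructed sample packet (not captured traffic): minimal IPv4 + TCP
    with optional TCP options, so the header length can be varied."""
    tcp_hdr_len = 20 + len(tcp_opts)
    if tcp_hdr_len % 4:
        raise ValueError("TCP options must pad the header to a 4-byte multiple")
    total = 20 + tcp_hdr_len + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, 6, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    # ports, seq, ack, (data offset << 12 | PSH|ACK), window, checksum, urg
    tcp = struct.pack("!HHIIHHHH", 40000, 80, 0, 0,
                      ((tcp_hdr_len // 4) << 12) | 0x18, 65535, 0, 0)
    return ip + tcp + tcp_opts + payload

if __name__ == "__main__":
    print(bpf_payload_prefix_filter(b"GE"))   # paste into: tcpdump -i eth0 '<expr>'
    plain = make_ipv4_tcp(b"GET / HTTP/1.1\r\n")
    with_opts = make_ipv4_tcp(b"GET / HTTP/1.1\r\n",
                              tcp_opts=bytes([1, 1, 8, 10]) + b"\0" * 8)
    print(payload_starts_with(plain, b"GE"), payload_starts_with(with_opts, b"GE"))
```

A fixed offset such as tcp[20:2] would only match the packet without options; the data-offset expression matches both.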

Evgeny Lazarenko, 2014-08-14
@grigoriusa

Try wireshark, it might help
