I've got a problem with tcpdump, HELP
Hi, all
I've encountered a problem in using tcpdump. I tried to capture HTTP traffic by using the following command:

  # tcpdump -Ani eth1 'host 10.20.156.9 and tcp port 9003 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'

(note: the web application serves on port 9003, not the conventional 80)

but different results were given by two hosts:

  skyshouter:~# tcpdump -Ani eth1 'host 10.20.156.9 and tcp port 9003 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'
  tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
  listening on eth1, link-type EN10MB (Ethernet), capture size 65535 bytes
  20:26:01.166216 IP 10.16.2.60.53837 > 10.20.156.9.9003: Flags [P.], seq 1867639697:1867639908, ack 2460048481, win 92, options [nop,nop,TS val 9412788 ecr 2507947432], length 211
  E...K%@.@.<c ..< ..*** .M#+oQ....a....b..... .....|=.GET /misc/ccs/deleteClubThread.html?id=20162669&type=MAINTYPE&operator=H&md5Code=072fa43b87b31865e60aa6f1111ceb24 HTTP/1.1
  User-Agent: Jakarta Commons-HttpClient/2.0.2
  Host: club-dev.myhost.com:9003

  20:26:01.179225 IP 10.20.156.9.9003 > 10.16.2.60.53837: Flags [P.], seq 1:363, ack 211, win 54, options [nop,nop,TS val 2507947436 ecr 9412788], length 362
  E...a.@.<.)( ..*** ..<#+.M..aoQ.d...6%...... .|=.....HTTP/1.1 200 OK
  Date: Thu, 31 Mar 2011 12:16:04 GMT
  Expires: Thu, 01-Jan-1970 00:00:00 GMT
  Content-Language: cn,zh-cn
  Content-Type: text/html; charset=GBK
  Set-Cookie: JSESSIONID=1v9ac7714fmdc1447aj3eyhqxu;Path=/
  Set-Cookie: ali_apache_tracktmp="c_c_signed=N";Version=1;Path=/;Domain=.myhost.com;Discard
  Vary: Accept-Encoding
  Content-Length: 7

  SUCCESS
  ^C
  2 packets captured
  3 packets received by filter
  0 packets dropped by kernel

The info in this result is detailed, and it's what I want.

The tcpdump version is:

  # tcpdump -h
  tcpdump version 4.1.1
  libpcap version 1.1.1

Then I ran the same command on another host, and a different result was given:

  [Intranet root@ccbuqa141064 /root] #tcpdump -Ani eth0 'host 10.20.141.138 and tcp port 6100 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'
  tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
  listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
  20:14:55.063351 IP 10.20.141.64.35246 > 10.20.141.138.synchronet-db: P 3812316275:3812316488(213) ack 3651694786 win 46 <nop,nop,timestamp 1778729508 1105987604>
  E..**** .X@.@... ..@ ........;Ts..p......J..... j.B$A...GET /misc/ccs/deleteClubThread
  20:14:55.127121 IP 10.20.141.138.synchronet-db > 10.20.141.64.35246: P 1:363(362) ack 213 win 54 <nop,nop,timestamp 1105987621 1778729508>
  E...x.@.@... ... ..@......p..;UH...6.k..... A..%j.B$HTTP/1.1 200 OK
  Date: Thu, 31
  2 packets captured
  2 packets received by filter
  0 packets dropped by kernel

You see? The info in this one is quite little!! Without request parameters, without HTTP headers, and even without the essential data returned by the server!!

The tcpdump version on this host is:

  [Intranet root@ccbuqa141064 /root] #tcpdump -h
  tcpdump version 3.9.4
  libpcap version 0.9.4
  Usage: tcpdump [-aAdDeflLnNOpqRStuUvxX] [-c count] [ -C file_size ]
                 [ -E algo:secret ] [ -F file ] [ -i interface ] [ -M secret ]
                 [ -r file ] [ -s snaplen ] [ -T type ] [ -w file ]
                 [ -W filecount ] [ -y datalinktype ] [ -Z user ]
                 [ expression ]

Can anyone give me some clue?? Thanks!
On Thu, 31 Mar 2011 20:49:03 +0800, Benimaur Gao wrote:
> I've encountered a problem in using tcpdump. I tried to capture http
> traffic by using the following command:
>
> # tcpdump -Ani eth1 'host 10.20.156.9 and tcp port 9003 and
> (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'
> (notes: the web application serves at 9003 port, not the conventional
> 80 instead)
>
> but different results was given by two hosts:

(...)

> Date: Thu, 31 Mar 2011 12:16:04 GMT
> Expires: Thu, 01-Jan-1970 00:00:00 GMT
> Content-Language: cn,zh-cn
> Content-Type: text/html; charset=GBK

> then I ran the same command on another host, the different result was
> given

(...)

> Date: Thu, 31
        ^^^^^^^ ??

Indeed, the latter output seems to be broken, as if it had been unexpectedly interrupted. How did you manage to stop the capture in both cases? Ctrl+C? :-?

Greetings,

--
Camaleón

--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: http://lists.debian.org/pan.2011.03.31.15.54.47@gmail.com
Yes, I stopped the capture with Ctrl-C, but actually there is no more output..

> ........;Ts..p......J..... j.B$A...GET /misc/ccs/deleteClubThread
                                     ~~~~~~~~~~~~~~~~~~~~~~

With this request packet, it's also supposed to have more info, such as Content-Type, Date, Set-Cookie, etc., just as in the first case. Why were they discarded here?

I suspect that it is caused by the different version of tcpdump? The dilemma is I've no permission to upgrade the software :(

> 20:14:55.127121 IP 10.20.141.138.synchronet-db > 10.20.141.64.35246: P 1:363(362)
> ack 213 win 54 <nop,nop,timestamp 1105987621 1778729508>
On Fri, 01 Apr 2011 00:31:20 +0800, Benimaur Gao wrote:
(please, avoid using html messages, they're very hard to read)

> On Thu, Mar 31, 2011 at 11:54 PM, Camaleón wrote:
>> Indeed, the latter output seems to be broken as if had been
>> unexpectedly interrupted. How did you manage to stop the capture in
>> both cases? Ctrl +C? :-?

> Yes, I stop the capture by Ctrl C, but actually, there is no more
> output..
>
>> ........;Ts..p......J..... j.B$A...GET /misc/ccs/deleteClubThread
>                                     ~~~~~~~~~~~~~~~~~~~~~~
> With this request packet, It's also supposed to have more info, such as
> Content-Type, Date, Set-Cookie, etc. just as the first case. Why were
> they discarded here?

Sure... I also noted the URI was recorded differently. The first one is:

  GET /misc/ccs/deleteClubThread.html?id=20162669&type=MAINTYPE&operator=H&md5Code=072fa43b87b31865e60aa6f1111ceb24

And the second one has been shortened somehow:

  GET /misc/ccs/deleteClubThread

Maybe a different client request, or did you visit the same page? :-?

> I suspect that it is caused by different version of tcpdump? The dilemma
> is I've no permission to upgrade the software :(

I also think so... but even if different releases produce different output (it could be "understandable"), the date format coming from the older one looks to be really broken; the date is completely cut and so useless :-/

Greetings,

--
Camaleón
On 2011-04-01 at 01:02 +0800, Benimaur Gao wrote:

(resending to the list)

> On Fri, Apr 1, 2011 at 12:49 AM, Camaleón wrote:

(...)

>> Sure... I also noted the URI was recorded differently.
>>
>> First one is:
>>
>> GET /misc/ccs/deleteClubThread.html?id=20162669&type=MAINTYPE&operator=H&md5Code=072fa43b87b31865e60aa6f1111ceb24
>>
>> And the second one has been shorted somehow:
>>
>> GET /misc/ccs/deleteClubThread
>>
>> Maybe a different client request or you visited the same page? :-?

> I guarantee that the two request URIs should be the same..
> Thanks for your suggestion!

Okay, I was just pointing out the differences between the two outputs O:-)

> I think I should also post in the mailing list from tcpdump proj. :)

That's a very good idea. Devels will provide accurate information on this issue. Should you finally find the culprit, post it back, it's quite interesting.

Greetings

--
Camaleón
Answer from tcpdump devels:
On 1 apr 2011, at 03:49, Benimaur Gao wrote:
> The info in this one is quite little!! without request parameter,
> without http headers, and even without the essential data return by
> the server!!
[...]
> can anyone give me some clue?
> I suspect it is cause by different version of tcpdump? if so, can I
> get the same detailed info by the older one?

Different systems use different snaplengths by default. If you want the output to be the same, you have to set the snaplength yourself. As you seem to want to view the whole packets, you can use '-s0' on both systems.

Cheers,
Sake

- This is the tcpdump-workers list. Visit https://cod.sandelman.ca/ to unsubscribe.

======

// I should have checked the man page more carefully, thank you all!
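The snaplen explanation above, worked through on constructed packets. This is an added example, not code from the thread or from the tcpdump project. It builds an Ethernet/IPv4/TCP frame carrying a request like the one in the thread, evaluates the same byte-offset predicate the BPF filter uses ((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2) != 0), and then keeps only the first 96 bytes of each frame, which is the capture size the 3.9.4 host reported. With a 20-byte IPv4 header and a 32-byte TCP header (nop,nop,timestamp options, as both captures show), 14 + 20 + 32 = 66 bytes are headers, so exactly 30 bytes of payload survive: "GET /misc/ccs/deleteClubThread" on the request and "HTTP/1.1 200 OK", CRLF, "Date: Thu, 31" on the response, which is precisely where the truncated output stopped. The addresses, ports, sequence numbers and the shortened response body are constructed; pcap_snaplen() is a hypothetical helper that reads the snaplen field of a pcap global header so an existing -w capture can be checked for the same truncation after the fact.

```python
# Added example, not from the thread or the tcpdump project. Shows why a
# 96-byte snaplen leaves only "GET /misc/ccs/deleteClubThread" visible and
# why the filter still matches. All packet contents below are constructed.
import struct

ETH_LEN = 14  # link-type EN10MB (Ethernet), as in both captures


def build_frame(src, dst, sport, dport, payload, tcp_options=b""):
    """Construct an Ethernet/IPv4/TCP frame. Checksums are left as zero;
    the byte-offset filter never looks at them."""
    opts = tcp_options + b"\x01" * (-len(tcp_options) % 4)  # NOP-pad to 32-bit words
    data_offset = ((20 + len(opts)) // 4) << 4               # upper nibble of tcp[12]
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, data_offset,
                      0x18, 92, 0, 0) + opts                 # flags PSH|ACK, win 92
    ip_total = 20 + len(tcp) + len(payload)                  # ip[2:2]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, ip_total, 0, 0x4000, 64, 6, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split(".")))
    eth = b"\x00" * 12 + b"\x08\x00"                         # dst/src MAC, EtherType IPv4
    return eth + ip + tcp + payload


def tcp_payload_len(frame):
    """The thread's filter term, evaluated on raw bytes exactly as BPF does:
    (ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)."""
    ip = frame[ETH_LEN:]
    ip_total = struct.unpack("!H", ip[2:4])[0]
    ip_hlen = (ip[0] & 0x0F) << 2
    tcp_hlen = (ip[ip_hlen + 12] & 0xF0) >> 2
    return ip_total - ip_hlen - tcp_hlen


def filter_matches(frame):
    """'... != 0': keep only segments that carry data (drops pure ACKs)."""
    return tcp_payload_len(frame) != 0


def captured_payload(frame, snaplen):
    """Payload bytes left after the capture keeps only the first `snaplen`
    bytes of the frame; this is all that `tcpdump -A` can print."""
    truncated = frame[:snaplen]
    ip_hlen = (truncated[ETH_LEN] & 0x0F) << 2
    tcp_hlen = (truncated[ETH_LEN + ip_hlen + 12] & 0xF0) >> 2
    return truncated[ETH_LEN + ip_hlen + tcp_hlen:]


def pcap_snaplen(header):
    """Hypothetical helper: snaplen recorded in a pcap global header (the
    first 24 bytes of a `tcpdump -w` file), to check an old capture."""
    magic = header[:4]
    endian = {b"\xa1\xb2\xc3\xd4": ">", b"\xd4\xc3\xb2\xa1": "<",
              b"\xa1\xb2\x3c\x4d": ">", b"\x4d\x3c\xb2\xa1": "<"}.get(magic)
    if endian is None:
        raise ValueError("not a pcap global header")
    return struct.unpack(endian + "IHHiIII", header[:24])[5]


# nop,nop,timestamp option block: 12 bytes, so the TCP header is 32 bytes
TS_OPTS = b"\x01\x01\x08\x0a" + struct.pack("!II", 1778729508, 1105987604)

REQUEST = (b"GET /misc/ccs/deleteClubThread.html?id=20162669&type=MAINTYPE"
           b"&operator=H&md5Code=072fa43b87b31865e60aa6f1111ceb24 HTTP/1.1\r\n"
           b"User-Agent: Jakarta Commons-HttpClient/2.0.2\r\n"
           b"Host: club-dev.myhost.com:9003\r\n\r\n")
RESPONSE = (b"HTTP/1.1 200 OK\r\nDate: Thu, 31 Mar 2011 12:16:04 GMT\r\n"
            b"Content-Length: 7\r\n\r\nSUCCESS")  # constructed, headers shortened


def demo(snaplen):
    """Return what each constructed segment shows at a given snaplen."""
    req = build_frame("10.20.141.64", "10.20.141.138", 35246, 6100, REQUEST, TS_OPTS)
    rsp = build_frame("10.20.141.138", "10.20.141.64", 6100, 35246, RESPONSE, TS_OPTS)
    ack = build_frame("10.20.141.64", "10.20.141.138", 35246, 6100, b"", TS_OPTS)
    return {
        "request": captured_payload(req, snaplen),
        "response": captured_payload(rsp, snaplen),
        "matches": [filter_matches(f) for f in (req, rsp, ack)],
        # the filter reads only header fields, which survive the truncation
        "matches_after_truncation": [filter_matches(f[:snaplen]) for f in (req, rsp, ack)],
    }


if __name__ == "__main__":
    for snaplen in (96, 65535):
        out = demo(snaplen)
        print(f"snaplen {snaplen}: request  -> {out['request'][:40]!r}")
        print(f"snaplen {snaplen}: response -> {out['response'][:40]!r}")
```

Two things follow from running it. The filter decision does not change with the snaplen: the kernel evaluates the BPF program against the full packet, and even on the truncated copy the three header fields it reads sit inside the first 96 bytes, which is why the 3.9.4 host still reported "2 packets received by filter". Only the bytes saved after the filter accepts the packet are cut, so passing -s0 (or an explicit -s 65535, matching the capture size the 4.1.1 host printed) is the fix, and a capture file written with the small default is unrecoverable after the fact; reading the snaplen field of its global header tells you whether that happened.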