On 30/03/11 19:07, mick wrote:
Or if you don't want the overhead of using wireshark (or don't have a GUI) look at tcpdump and then use wireshark to analyse the capture file afterwards.
I do need to play more with tcpdump but I really don't find Wireshark to be a convenient tool for analysis (I'm sure it's something I'm doing wrong!).
All I actually want to see is something like:
[2011-03-31 10:05:01.0001] >> 48 65 6c 6c 6f 0a |Hello.|
[2011-03-31 10:05:01.0021] << 57 6f 72 6c 64 0a |World.|
.. to show one end "saying" Hello and the other end "replying" World.
Are there tools that would give me that from a pcap log, or ways to do it in Wireshark?
It would help if I knew how to describe what I'm looking for without mocking up an example - Google's not much help when you don't know what to call what you're looking for!
Or you could probably use ngrep to capture those specific bits of the conversation you are interested in.
ngrep looks like fun, although when I tried it and generated some comms all I got was:
$ sudo ngrep -x any port 50000
interface: eth0 (10.0.0.0/255.255.255.0)
filter: (ip or ip6) and ( port 50000 )
match: any
##exit
6 received, 0 dropped
I can play with examples of usage for HTTP etc, and they all work as expected, but all I get from my application is "##" or maybe "####". The data is binary and in small messages and I guess ngrep is waiting for enough data to show me, although if that's the case I can't see how to control it?