when sending a request over netcat to a program and listen for the response to that request, netcat only receives the first 8192 bytes and than terminates.
Here are the details:
if something is send using netcat and a pipe
echo "something" | netcat -q 10 -i 3 -w 10 localhost myport
My software generates a response which is definitly larger than 8192 bytes and sends it back to netcat. I verifiyed that all bytes are actually send from my programm back to netcat, so there is no problem.
If the command line version is used:
netcat -q 10 -i 3 -w 10 localhost myport
something
all bytes send from the application are received. I tried various combinations for the -q -i and -w flags to change the amount of received bytes but in the pipe command version it is always 8192.
How can that be fixed?
This is happening because netcat is receiving end-of-file from its standard input. That is, the command echo "something" causes the string something\n to be sent to the pipe connected to netcat's standard input; then the pipe is closed (because the echo command terminated). So, on the first read of the pipe, netcat will receive that string, but on its next read, it will receive EOF. This causes it to break its connection to the peer even though the peer may not be finished sending.
Essentially, after being started as above, netcat will keep sending its standard input to the socket, and the socket to its standard output until one of them is closed. Then it exits.
So you simply need to do something to ensure that netcat doesn't receive EOF on its standard input before it gets EOF on the socket. Something like this will likely do it:
(echo "something" ; sleep 1) | netcat localhost $myport
Now the output of echo "something" is sent to the pipe connected to netcat's input, but the pipe won't actually be closed until the sleep 1 also completes since both commands are started in a sub-shell which is connected to the write end of the pipe. (You might need to tinker with the number of seconds slept if the amount to be sent by the peer is large.)
Related
I would like to know that is there any option in Wireshark to capture packets in the streaming network dynamically. Since I need to capture packets with out doing the export each time and packets capture automatically in a CSV file without exporting it periodically. Thanks.
You should be able to use tshark to achieve this. For example, suppose you want to capture the frame number and source and destination IP addresses of each packet (to keep the example simple), you could use:
tshark -i foo -T fields -E separator=, -E quote=d -E header=y -Y ip -e frame.number -e ip.src -i ip.dst > output.csv
You can specify as many fields as you want using the -e option
I want filter first 100 packets inside a pcap file and show the result on stdout. for filtering first 100 packet I used below command:
editcap -r test.pcap output.pcap 1-100
for showing result and filtering packet for the further purpose I want to used tcpdump.
tcpdump -tttt tcp and host ip 192.168.1.1 -r inputfile.pcap
i want to redirect output of editcap to tcpdump, like this:
editcap -r test.pcap - | tcpdump -tttt tcp and host ip 192.168.1.1 -r -
but in this command I couldnt filter first 100 packets. Is it possible to do so??
If not is it possible to rediredt output of editcap to RAM and then the tcpdump read from RAM ??
thanks in advanced.
P.S by the way, I don't want to use the below command, because this command read the all Packet inside the file. I need the command read some packets inside he pcap file and shows then was finished the job.
tshark -r ~/test1.pcap -R "frame.number<20 and frame.number>10"
but in this command I couldnt filter first 100 packets
I.e., you don't see any packets?
Try doing
editcap -F pcap -r test.pcap - 1-100 | tcpdump -tttt tcp and host ip 192.168.1.1 -r -
as editcap might be writing out a pcap-ng file and there is a bug in some versions of libpcap when reading pcap-ng files that causes filtering in tcpdump not to work.
I want to capture messages of Diameter protocol (over SCTP) by tshark on the screen, expanded.
First, I couldn't find what to write after switch '-f' to filter only diameter messages, but then I found the switch '-R' which accepted 'diameter'.
So, currently my command seems like:
tshark -i el0 -R diameter -V
This is all fine, at least, until the packets are small enough..
However, for bigger packets, I get the error [Unreassembled Packet: DIAMETER]
[Expert Info (Warn/Reassemble): Unreassembled Packet (Exception occurred)]
[Message: Unreassembled Packet (Exception occurred)],
and the packets are indeed not reassembled in the output.
I was googling for solution, and found that the below modification might do the defragmentation:
tshark -i el0 -R diameter -V -o ip.defragment:TRUE
But it just doesn't help.
Any simple solution for this problem? (It is also ok to process the defragmentation afterwards somehow..)
Finally I have found it!
In wireshark there is a checkbox for several protocol related options, in particular, for diameter defragmentation you need to mark the checkbox
Reassemble fragmented SCTP user messages
to get the long diameter messages properly displayed.
Each of these protocol options has its own tshark correspondent parameter, here you have to use -o sctp.reassembly:TRUE.
(For general, look for the file preferences belonging to wireshark.)
So, what method finally worked is
First capture all (sctp) messages regularly:
tshark -i EL0 -f sctp -w raw_capture.pcap
Then, if it is done, process the file by a further tshark command:
tshark -r raw_capture.pcap -R diameter -o sctp.reassembly:TRUE -V
In my office firewall I use a command like this:
$ sudo tcpdump -v -s 1500 -i eth0 port 25 | grep 'smtp: S'
to monitor LAN clients sending mail (I need to early detect any possible spammer bot from some client, we have very looooose security policies, here... :-().
So far, so good: I have a continuous output as soon any client sends an email.
But, if I add some filter to get a cleaner output, something like this:
$ sudo tcpdump -v -s 1500 -i eth0 port 25 | grep 'smtp: S' | perl -pe 's/(.*?\)) (.*?)\.\d+ \>(.*)/$2/'
(here I intend to get only source ip/name), I do not get any output until tcpdump output is more than (bash?) buffer size... (or at least I suppose so...).
Nothing changes using 'sed' instead of 'perl'...
Any hint to get a continuous output of filtered data?
Put stdbuf before the first command:
sudo stdbuf -o0 tcpdump ...
But, if I add some filter to get a cleaner output, something like
this:
Use the --line-buffered option for grep:
--line-buffered
Use line buffering on output. This can cause a performance
penalty.
try maybe a sed --unbuffered (or -u sometimes like on AIX) to have a stram version (not waiting the EOF)
I'm analyzing VoIP calls on my network
For now i'm using a generated .pcap file, but later i'll be listening for this at real time.
I'm using tshark, and i can filter some important data pretty easily from the .pcap (like "source ip address and port", "destination ip addr and Port", payload pckt lost, Max Delta(ms),Max Jitter(ms),Mean Jitter(ms)) with
tshark -r myfile -q -z rtp,streams
What i want to know is: how can i get the sip addrs of a call? (client and server)
I can retrieve some sip addrs (only client) by filtering all sip INVITE like this:
tshark -r myFile -R "sip.Request-Line contains INVITE"
But i can't get the address of the server.
To clarify a bit, my idea was to get this "statistic" in tshark, like wireshark gives me when i access "Telephony>VoIP Calls" (the same way that tshark -r myfile -q -z rtp,streamsreturns me statistics just like wireshark's Telephony>RTP>Show All Streams), is there a way to do this? If not with "statistics" (-z) how can i create a filter (-R) to do something similar of the "VoIPCall" function of wireshark
I'm using tshark as i want to work with this data, and not just analyze it on my screen
Thanks
try:
tshark -r myFile -R "sip.CSeq.method eq INVITE"
That will filter for the request sent from the client and the corresponding reply from the server.
I was in a similar situation and ended up going through tshark man pages.
Command: tshark -r input_file.pcap -q -z sip,stat
Explanation:
-r <infile> : Read packet data from infile
-q : When reading a capture file, don't print packet information; this is useful if you're using a -z option to calculate statistics and don't want the packet information printed, just the statistics.
-z <statistics> : Get TShark to collect various types of statistics and display the result after finishing reading the capture file.
You can additionally add filters to the filtering as well, so for example you want to summarize all packets which had only SIP 480 Status Code, you can do so by:
tshark -r input_file.pcap -q -z sip,stat,sip.Status-Code==480
-z sip,stat[,filter] : This option will activate a counter for SIP messages. You will get the number of occurrences of each SIP Method and of each SIP Status-Code
In case you want multiple filters, you can add them one by one
tshark -r input_file.pcap -q -z sip,stat,sip.Status-Code==480 -z sip,stat,sip.Status-Code==500
If you want to summarize by sip address, you can filter by that:
tshark -r input_file.pcap -q -z sip,stat,sip.to.host==sip-to-host.com
Refer:
TShark Man Page: https://www.wireshark.org/docs/man-pages/tshark.html
SIP Filters: https://www.wireshark.org/docs/dfref/s/sip.html