Ethereal-users: Re: [Ethereal-users] tethereal and "Following TCP streams" ?

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <guy@xxxxxxxxxx>
Date: Mon, 20 May 2002 12:23:57 -0700
On Sun, May 19, 2002 at 07:59:19PM -0700, trebor iksrazal wrote:
> I'm trying to capture all the plain text over the wire
> of a telnet session. I'm running rh linux 6.2 -
> successfully compiled without ethereal (not running X).
> I get entries written to the screen, but it is SYN/ACK
> type of data, not raw text. This is my command (ip
> changed of course):
> 
> tethereal -f  "tcp port 23 and
> host x.x.x.x" 
> 
> I get data like the following which isn't what I'm
> after:
> 
> TCP
> 4503 > telnet [ACK] Seq=2484472608 Ack=1500569399
> Win=13870 Len=0

Well, yes, with that capture filter you've asked for *all* traffic to or
from TCP port 23 and to or from host x.x.x.x; some of that traffic may
be SYNs, ACKs, and the like.

Unfortunately, there's no simple capture filter expression to say "don't
show me ACK-only packets" - a packet can have an ACK *and* data.  About
the best you could do would be to use the "greater" operation to request
packets larger than the minimum TCP packet size (that'd be, on Ethernet,
14 for the Ethernet header plus 20 for the IP header plus 20 for the TCP
header, or 54 bytes; determining the size for other network types is
left as an exercise for the reader), but that may give false positives if

	1) you're on a network with variable-length link-layer headers,
	   and the link-layer header is larger than the minimum;

	2) the IP header includes options;

	3) the TCP header includes options.

You could also try using a capture filter *and* a read filter:

	tethereal -f "tcp port 23 and host x.x.x.x" -R telnet

so that the capture filter reasonably efficiently filters out most of
the uninteresting traffic, and the display filter removes what's left.
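To make the false-positive cases in the reply concrete, here is an added Python example (not part of the original message and not Ethereal/tethereal code) that builds Ethernet/IPv4/TCP frames with constructed addresses and options, compares the "longer than 54 bytes" size heuristic against a header-aware payload check that honors the IP IHL and TCP data-offset fields, and counts where the two disagree. Port, sequence, ACK and window values are taken from the quoted tethereal output; everything else (addresses, option bytes, the sample payload) is constructed for the example.

```python
import struct

ETH_HDR_LEN = 14
# Minimum Ethernet + IPv4 + TCP frame, as computed in the reply: 14 + 20 + 20.
MIN_FRAME_LEN = ETH_HDR_LEN + 20 + 20

# Constructed option blobs for the demonstration (not from the original post).
# TCP timestamp option as commonly sent on ACKs: NOP, NOP, kind 8, len 10, 8 bytes.
TS_OPT = b"\x01\x01\x08\x0a" + b"\x00" * 8
# Three IPv4 NOP options followed by End-of-Options, padded to 4 bytes.
IP_NOP_OPTS = b"\x01\x01\x01\x00"


def build_frame(ip_opts: bytes = b"", tcp_opts: bytes = b"", payload: bytes = b"") -> bytes:
    """Build a constructed Ethernet/IPv4/TCP frame with the given options and payload.

    Option fields are padded to a multiple of 4 bytes so the IHL and data-offset
    fields stay valid. Addresses are constructed 10.0.0.x values, not real hosts.
    """
    ip_opts += b"\x00" * (-len(ip_opts) % 4)
    tcp_opts += b"\x00" * (-len(tcp_opts) % 4)
    ihl = 5 + len(ip_opts) // 4            # IP header length in 32-bit words
    doff = 5 + len(tcp_opts) // 4          # TCP data offset in 32-bit words
    total_len = ihl * 4 + doff * 4 + len(payload)

    eth = b"\x00" * 6 + b"\x00" * 6 + b"\x08\x00"          # dst, src, EtherType IPv4
    ip = struct.pack(
        "!BBHHHBBH4s4s",
        (4 << 4) | ihl, 0, total_len, 0, 0, 64, 6, 0,      # proto 6 = TCP, checksum 0
        b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02",
    ) + ip_opts
    tcp = struct.pack(
        "!HHIIBBHHH",
        4503, 23, 2484472608, 1500569399,                  # ports/seq/ack from the quoted output
        doff << 4, 0x10, 13870, 0, 0,                      # data offset, ACK flag, window
    ) + tcp_opts
    return eth + ip + tcp + payload


def tcp_payload_len(frame: bytes) -> int:
    """Return the TCP payload length of an Ethernet/IPv4/TCP frame, or -1 if it is not one.

    Uses the IHL and data-offset fields, so IP and TCP options are accounted for.
    """
    if len(frame) < ETH_HDR_LEN + 20 or frame[12:14] != b"\x08\x00":
        return -1
    ip = frame[ETH_HDR_LEN:]
    if ip[0] >> 4 != 4:
        return -1
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != 6 or ihl < 20 or len(ip) < ihl + 20:
        return -1
    data_off = (ip[ihl + 12] >> 4) * 4
    if data_off < 20:
        return -1
    return total_len - ihl - data_off


def size_heuristic_says_data(frame: bytes) -> bool:
    """The capture-filter approximation from the reply: 'greater 54'."""
    return len(frame) > MIN_FRAME_LEN


def false_positives(frames) -> int:
    """Count frames the size heuristic flags as carrying data although the payload is empty."""
    return sum(1 for f in frames if size_heuristic_says_data(f) and tcp_payload_len(f) == 0)


if __name__ == "__main__":
    samples = {
        "bare ACK": build_frame(),
        "ACK with TCP timestamp option": build_frame(tcp_opts=TS_OPT),
        "ACK with IP options": build_frame(ip_opts=IP_NOP_OPTS),
        "segment with data": build_frame(payload=b"login: "),
    }
    for name, frame in samples.items():
        print(f"{name:32s} len={len(frame):3d} payload={tcp_payload_len(frame):2d} "
              f"'greater 54' says data={size_heuristic_says_data(frame)}")
    print("false positives:", false_positives(samples.values()))
```

The two option cases are exactly points 2 and 3 in the reply: both frames exceed 54 bytes yet carry no data, so a size-based capture filter would pass them through, while a check that reads the header-length fields classifies them correctly. The same header-length arithmetic can be written as a BPF capture filter in tcpdump syntax, `ip[2:2] - ((ip[0]&0xf)<<2) - ((tcp[12]&0xf0)>>2) != 0`, but the capture-filter-plus-read-filter combination the reply suggests is the simpler route in tethereal.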