Ethereal-users: Re: [Ethereal-users] Export Ethereal capture to a Text File for Grep'ing

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Fri, 17 Oct 2003 11:36:23 -0700
On Fri, Oct 17, 2003 at 05:15:50PM +0800, Ow Mun Heng wrote:
> I have a capture file, I would like to dump the contents of this file into an
> ASCII/text file so that I can grep for a specific string for analysis.
> 
> I've tried tcpdump but (maybe my options were wrong) I can only get the
> headers, I would like to dump _everything_

tcpdump -v or -vv or -vvv might help.

Or, alternatively,

	tethereal -V -r {capture file}

> PS : I'm getting a lot of ARP and DNS requests.. how can I filter it out?? 
> 
> tcp not port 53 (DNS) and tcp not port ARP(??? port #) not localhost ???

ARP doesn't run atop TCP - it runs directly atop the link layer, just as
IP does.

The capture filter to reject DNS and ARP would be

	not port 53 and not arp

("port 53", not "tcp port 53", as DNS usually runs over UDP, although it
can also run over TCP).

> So that I exclude DNS and ARP requests as well as traffic from my own PC?

"localhost" is usually 127.0.0.1, and traffic to and from 127.0.0.1 is
traffic from your own PC to itself.  Unless you're capturing on the
loopback interface (in which case you won't see any traffic *other* than
traffic to or from your own machine), or on Linux and capturing on the
"any" device, you won't see that.

To exclude IPv4 traffic from your own machine, as well as DNS and ARP,
it'd be

	not port 53 and not arp and not src host XXX

where "XXX" is the name or IP address of your machine on the network
interface on which you're capturing traffic.  That'll still capture
traffic *to* your machine, as well as non-IPv4 traffic from your
machine; if you want to eliminate non-IPv4 traffic, and you're on a
network that uses Ethernet-style addresses (Ethernet, FDDI, Token Ring,
802.11, ...) use "not ether src host XXX", where XXX is the MAC address
of the interface on which you're capturing traffic.  If you want to
eliminate traffic *to* your machine, remove the "src".
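The two answers above (dumping a capture file to text for grep, and the capture filter that drops DNS, ARP and your own machine's traffic) as a small POSIX shell script. This is an added example, not code from the original thread or from the Ethereal project; it assumes tshark is the current name of tethereal, that tcpdump is installed, and that file names such as capture.pcap and capture.txt are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): package the advice above as
# shell functions.  Assumes tshark (the renamed tethereal) and/or tcpdump
# are on PATH; capture.pcap / capture.txt below are placeholder names.

# Build the capture filter "not port 53 and not arp and not [ether] [src] host X".
#   $1  address of the capturing machine: an IPv4 address or hostname, or a
#       MAC address (six colon-separated hex pairs)
#   $2  "src" (default) drops only traffic *from* the machine,
#       "both" drops traffic to and from it
# A MAC address produces "ether ... host", which also removes non-IPv4
# frames; an IP address or name only matches IPv4 traffic.
build_capture_filter() {
    addr=$1
    dir=${2:-src}
    base='not port 53 and not arp'
    if printf '%s' "$addr" | grep -Eiq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'; then
        proto='ether '
    else
        proto=''
    fi
    case "$dir" in
        src)  printf '%s and not %ssrc host %s\n' "$base" "$proto" "$addr" ;;
        both) printf '%s and not %shost %s\n' "$base" "$proto" "$addr" ;;
        *)    echo "build_capture_filter: direction must be src or both" >&2; return 1 ;;
    esac
}

# Compile a filter expression without touching an interface: tcpdump -r on
# a constructed, packet-less pcap (24-byte header, link type Ethernet) makes
# libpcap parse the expression and report syntax errors.
# Returns 0 if valid, 1 if libpcap rejected it, 2 if tcpdump is missing.
check_capture_filter() {
    command -v tcpdump >/dev/null 2>&1 || return 2
    empty=$(mktemp) || return 2
    # magic d4c3b2a1, version 2.4, zone 0, sigfigs 0, snaplen 65535, linktype 1
    printf '\324\303\262\241\002\000\004\000\000\000\000\000\000\000\000\000\377\377\000\000\001\000\000\000' > "$empty"
    if tcpdump -r "$empty" "$1" >/dev/null 2>&1; then rc=0; else rc=1; fi
    rm -f "$empty"
    return $rc
}

# Decode every packet of a capture file into a text file you can grep.
#   $1 capture file, $2 output text file, $3 optional BPF filter expression
# tcpdump accepts the same filter syntax when reading a file, so the
# unwanted traffic is removed first; tshark then prints the full protocol
# tree plus a hex/ASCII dump (-V -x), or tcpdump -vvv -X does if tshark
# is not installed.
dump_capture_to_text() {
    capfile=$1
    out=$2
    filter=${3:-}
    tmp=''
    if [ -n "$filter" ]; then
        tmp=$(mktemp) || return 1
        tcpdump -r "$capfile" -w "$tmp" "$filter" 2>/dev/null || { rm -f "$tmp"; return 1; }
        capfile=$tmp
    fi
    if command -v tshark >/dev/null 2>&1; then
        tshark -V -x -r "$capfile" > "$out"
    else
        tcpdump -nn -vvv -X -r "$capfile" > "$out"
    fi
    rc=$?
    [ -n "$tmp" ] && rm -f "$tmp"
    return $rc
}

# Usage: sh dump_and_grep.sh capture.pcap 192.168.1.10 'GET /'
if [ $# -eq 3 ]; then
    f=$(build_capture_filter "$2")
    check_capture_filter "$f" || echo "warning: could not verify filter: $f" >&2
    dump_capture_to_text "$1" capture.txt "$f" && grep -n -i -- "$3" capture.txt
fi
```

The filter is applied while reading rather than at capture time so the original file stays intact; if you later need the DNS or ARP packets after all, they are still there. Passing a MAC address instead of an IP address is what makes the "ether" form of the filter appear, matching the distinction drawn in the message above.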