How to read the output from system() command in iOS - ios

I am using the code below to get the tcpdump output for a URL in iOS, but it is printed to the console. How can I get the response into an NSString object?
system("tcpdump -i en1 -A -vvv host www.facebook.com");

I think tcpdump has an output file parameter, or you can use output redirection and then read everything from the saved file:
tcpdump -l -i en0 -A -vvv host www.facebook.com > /tmp/facebook_packets.txt
The /tmp path is just an example; use any path you like.
Edit:
An alternative way is to redirect the output to an NSPipe; see the answer here: How to get the log from system();?

Related

redirect output from mosquitto_sub to .txt file and overwrite with each update

I'm trying to create a .txt file from a redirect of the mosquitto_sub command. I want the file to be overwritten each time it receives new data from MQTT.
This doesn't work:
mosquitto_sub -h 192.168.1.10 -t "application/7/device/a8404117b18312e9/rx" > newtest.txt
This appends output at each new data received. I only need the latest in the file.
I'm not a programmer so there may be something simple I'm missing.
Thanks in advance
BG
The best you can probably do here is to add the -C flag set to 1, which will have the client exit after the first message, and place the command in a loop in a shell script.
This does have the possibility of missing messages if the rate of publication is high enough.
You will also need to use a temporary file for the redirect, as it will zero out the target of the redirect as soon as it starts.
e.g.
#!/bin/bash
# Receive one message (-C 1), then rename the file into place so readers never see it empty.
while true; do
    mosquitto_sub -C 1 -h 192.168.1.10 -t "application/7/device/a8404117b18312e9/rx" > temp.txt
    mv temp.txt newtest.txt
done
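An added alternative, not part of the answer above, that addresses its missed-message caveat: keep a single mosquitto_sub connection open and replace the file on every message instead of reconnecting for each one. Broker, topic and file name are the ones from the question; the helper names are mine.

```shell
#!/bin/sh
# Read messages on stdin, one per line, and atomically replace OUT with the
# newest one. Writing a temp file first and renaming it means a reader of OUT
# never sees an empty or half-written file.
latest_to_file() {     # usage: latest_to_file OUT
    tmp="$1.tmp"
    while IFS= read -r msg; do
        printf '%s\n' "$msg" > "$tmp" && mv -f "$tmp" "$1"
    done
}

# Subscribe once and keep the connection open, so nothing is lost in the gap
# between the reconnects of a "-C 1" loop. Assumes one-line payloads, which is
# what the default mosquitto_sub output (payload only) prints.
subscribe_latest() {   # usage: subscribe_latest HOST TOPIC OUT
    mosquitto_sub -h "$1" -t "$2" | latest_to_file "$3"
}

# Values from the question (broker and device topic as given there):
# subscribe_latest 192.168.1.10 "application/7/device/a8404117b18312e9/rx" newtest.txt
```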

How can I extract the IP addresses from .cap file?

I have a fwcapture.cap file, which is used by Wireshark.
In it there are many IP addresses, source IPs and destination IPs.
How can I extract the unique IP addresses (no matter whether source or destination) as a list?
You can use tshark, which is already in the Wireshark installation.
tshark -T json -e 'ip.src' -e 'ip.dst' -r filename.pcap | grep -o '[0-9]\{1,3\}\(\.[0-9]\{1,3\}\)\{3\}' | sort -u
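A more robust way to do the same thing, added here as an example rather than taken from the answer: use tshark's tab-separated field output instead of JSON, split fields that carry several addresses, and drop non-IP frames. It assumes tshark is on PATH; fwcapture.cap is the file from the question and the function names are mine.

```shell
#!/bin/sh
# Turn tshark "-T fields -e ip.src -e ip.dst" output into one unique IPv4
# address per line. Each input line is "src<TAB>dst"; a field is empty for
# non-IP frames and holds several comma-separated addresses when a packet
# carries more than one IP header (e.g. an ICMP error quoting the original
# datagram), so both separators are split before the address filter.
unique_ips() {
    tr '\t,' '\n\n' | grep -E '^[0-9]{1,3}(\.[0-9]{1,3}){3}$' | LC_ALL=C sort -u
}

# Extract the unique IPv4 addresses from a capture file. IPv6 would need
# -e ipv6.src -e ipv6.dst and a different pattern in unique_ips.
extract_ips() {        # usage: extract_ips fwcapture.cap
    tshark -r "$1" -T fields -e ip.src -e ip.dst | unique_ips
}
```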

tshark 2.2.2 command line parameters to dump full http+json requests and responses

After googling for hours and trying not to get lost in the different tshark versions, I still can't figure out what command line options to tshark I should use to get the full (reassembled) JSON requests and responses (the JSON data structures).
tshark 2.2.2 is used on a live eth0 interface, not to parse pcap files.
The requests and responses are gzipped and need to be decoded.
All the Wireshark issues that seemed related are marked as "fixed", so I think in 2.2.2 it should be possible.
I found a working solution. It doesn't work on a live interface and requires first saving a pcap file, but it is the best I managed to do with tshark.
Step 1 (capture network traffic):
tshark -i eth0 -f "port 9088" -w capture.pcap
Step 2 (list captured TCP streams):
tshark -r capture.pcap -T fields -e tcp.stream | sort -u
Step 3 (dump the content of one particular TCP stream):
tshark -nr capture.pcap -q -d tcp.port==9088,http -z follow,http,ascii,_your_stream_number
Notice the "-d tcp.port==9088,http" option to force HTTP decoding on this port, as in my case it is a socks5 proxy running on that port.
Most importantly, "-z follow,http,ascii,_your_stream_number", where the "follow,http" feature decodes gzipped HTTP body content; it is undocumented and only available from version 2.2.0 of Wireshark/tshark.
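The three steps above wrapped into shell functions, as an added example (not the asker's own script) that follows every TCP stream in the capture instead of one hand-typed stream number. It assumes tshark 2.2 or later on PATH; interface, port and file names are the ones used in the answer.

```shell
#!/bin/sh
# Step 1: capture traffic on PORT from IFACE into PCAP until interrupted.
capture() {            # usage: capture eth0 9088 capture.pcap
    tshark -i "$1" -f "port $2" -w "$3"
}

# Step 2: the distinct TCP stream indexes in PCAP, one per line, in numeric
# order. Non-TCP packets produce empty lines, which the grep removes.
list_streams() {       # usage: list_streams capture.pcap
    tshark -r "$1" -T fields -e tcp.stream | grep -E '^[0-9]+$' | sort -n -u
}

# Step 3: dump one reassembled (and gunzipped) HTTP conversation. -d forces
# HTTP dissection on the non-standard port, exactly as in the answer.
follow_http() {        # usage: follow_http capture.pcap 9088 <stream>
    tshark -nr "$1" -q -d "tcp.port==$2,http" -z "follow,http,ascii,$3"
}

# Run step 3 for every stream found by step 2, with a separator line per
# stream so the dumps can be split afterwards; the stream count is printed last.
dump_all_streams() {   # usage: dump_all_streams capture.pcap 9088
    count=0
    for s in $(list_streams "$1"); do
        echo "===== tcp.stream $s ====="
        follow_http "$1" "$2" "$s"
        count=$((count + 1))
    done
    echo "===== $count streams dumped ====="
}
```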

Set a filter with tshark

I am trying to do this: set the Wireshark filter to "http contains site.do" in tshark. I'm not sure how to do this using just the command-line version. How do I do that?
Try
tshark -Y "http contains site.do"
This is because display filters are different from capture filters. For example, you can do this to save the HTTP traffic of one host:
tshark -f "host www.site.do and (port 80 or port 443)" -w example.pcap
You can get more info about capture filters here.

Error "cannot open display" when starting wireshark on Ubuntu command line

I have installed Wireshark on Ubuntu. When I run it:
/usr/bin/wireshark
I get an error:
(wireshark:27945): Gtk-WARNING **: cannot open display:
I want to run Wireshark from the command prompt.
I don't want to use the UI. I'm not sure why it is complaining about a display; I want to run it on a port.
You can try tshark, which is a "console-based Wireshark" and is part of the Wireshark project.
You should read man tshark.
For example, to capture HTTP packets on port 80, run:
tshark -f 'tcp port 80'
P.S. Example was fixed to use a capture filter instead of a display filter.
On Ubuntu, running wireshark complains about display:
el#apollo:~$ wireshark
(wireshark:20619): Gtk-WARNING **: cannot open display:
Set the DISPLAY environment variable:
export DISPLAY=:0.0
/usr/bin/wireshark
Then it works:
el#apollo:~$ wireshark -Y
wireshark: option requires an argument -- 'Y'
Usage: wireshark [options] ... [ <infile> ]
Capture interface:
-i <interface> name or idx of interface (def: first non-loopback)
-f <capture filter> packet filter in libpcap filter syntax
-s <snaplen> packet snapshot length (def: 65535)
-p don't capture in promiscuous mode
-k start capturing immediately (def: do nothing)
-S update packet display when new packets are captured
-l turn on automatic scrolling while -S is in use
-I capture in monitor mode, if available
-B <buffer size> size of kernel buffer (def: 2MB)
-y <link type> link layer type (def: first appropriate)
-D print list of interfaces and exit
-L print list of link-layer types of iface and exit
Wireshark is an X application, so it needs to know where to send the X11 display output.