Packet Tracing
From ConShell
Packet Tracing with tcpdump and ethereal
Here is an example showing how to do a HTTP packet capture with tcpdump and view it with ethereal.
tcpdump -n -s0 -w /tmp/dump02 port 80
tethereal -r /tmp/dump02
or, using the GUI...
ethereal /tmp/dump02
Let's say you want to view the HTTP headers in the capture from above. This is easy to do once you know how: in ethereal, click one of the packets you know is part of the transaction, then right-click and choose Follow TCP Stream.
This has to be done in the ethereal GUI; I'm not sure if it can be done in tethereal.
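The same "follow the stream and read the HTTP headers" step done outside the GUI, as an added example that is not part of this wiki page: a small Python parser for the libpcap file that tcpdump -w writes, which glues each direction's TCP payloads together and returns the HTTP header block. It builds its own sample capture inline (constructed addresses and payloads) and assumes in-order segments with no retransmissions, which is far less than ethereal's reassembly does.

```python
import struct

def build_frame(src_ip, dst_ip, sport, dport, payload):
    """Constructed Ethernet/IPv4/TCP frame (checksums left zero; fine for parsing)."""
    eth = b"\x00" * 12 + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    return eth + ip + tcp + payload

def build_pcap(frames):
    """Wrap frames in the libpcap file format that tcpdump -w produces (linktype 1 = Ethernet)."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for i, f in enumerate(frames):
        out.append(struct.pack("<IIII", 1000 + i, 0, len(f), len(f)) + f)
    return b"".join(out)

def tcp_streams(pcap):
    """Concatenate TCP payloads per (src, sport, dst, dport), one direction per key.
    Assumes in-order segments and no retransmissions (no real reassembly)."""
    endian = "<" if pcap[:4] == b"\xd4\xc3\xb2\xa1" else ">"
    streams, off = {}, 24                        # 24-byte global pcap header
    while off + 16 <= len(pcap):
        caplen = struct.unpack(endian + "IIII", pcap[off:off + 16])[2]
        frame = pcap[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if frame[12:14] != b"\x08\x00":          # skip non-IPv4 frames
            continue
        ip = frame[14:]
        if ip[9] != 6:                           # skip non-TCP packets
            continue
        ihl, total = (ip[0] & 0x0F) * 4, struct.unpack("!H", ip[2:4])[0]
        tcp = ip[ihl:total]
        sport, dport = struct.unpack("!HH", tcp[:4])
        key = (".".join(map(str, ip[12:16])), sport, ".".join(map(str, ip[16:20])), dport)
        streams.setdefault(key, bytearray()).extend(tcp[(tcp[12] >> 4) * 4:])
    return streams

def http_headers(stream):
    """Header block (request or status line first) up to the blank line, as text lines."""
    return stream.partition(b"\r\n\r\n")[0].decode("ascii", "replace").split("\r\n")

# Constructed sample: one GET split across two segments, plus the server's reply.
SAMPLE_PCAP = build_pcap(
    [build_frame("192.168.0.5", "192.168.0.16", 40000, 80, p)
     for p in (b"GET /index.html HTTP/1.1\r\nHost: www.exa", b"mple.com\r\nUser-Agent: curl\r\n\r\n")]
    + [build_frame("192.168.0.16", "192.168.0.5", 80, 40000,
                   b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: 5\r\n\r\nhello")])
```

To use it on a real capture, replace SAMPLE_PCAP with the bytes of /tmp/dump02 and loop over tcp_streams(...).items(), printing http_headers(data) for each direction.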
Tracing with SSLdump
ssldump is like tcpdump except you can decode SSL/TLS traffic... provided that you have access to the private key.
Here is a usage example...
/usr/local/sbin/ssldump -d -k /etc/ssl/private/ssl.key host 192.168.0.16
See the output from this example.
I had trouble getting it to compile on my CentOS 4.4 server, as I was getting this error from make:
gcc -g -O2 -DHAVE_LIBM=1 -DHAVE_SYS_TIME_H=1 -DSTDC_HEADERS=1 -DTIME_WITH_SYS_TIME=1 -DSIZEOF_UNSIGNED_SHORT=2 -DSIZEOF_UNSIGNED_INT=4 -DSIZEOF_UNSIGNED_LONG=4 -DSIZEOF_UNSIGNED_LONG_LONG=8 -DRETSIGTYPE=void -DHAVE_VPRINTF=1 -DHAVE_STRDUP=1 -c -o pcap-snoop.o ./base/pcap-snoop.c -DOPENSSL -D_BSD_SOURCE=1 -DLINUX -I./base/ -I./null/ -I./ssl/ -Icommon/include/ -I./null/ -I./ssl/ -I/usr/include
./base/pcap-snoop.c:52:21: net/bpf.h: No such file or directory
./base/pcap-snoop.c: In function `main':
./base/pcap-snoop.c:207: warning: passing arg 2 of `signal' from incompatible pointer type
./base/pcap-snoop.c:329: warning: passing arg 3 of `pcap_loop' from incompatible pointer type
make: *** [pcap-snoop.o] Error 1
The solution was to link the bpf.h file as shown.
ln -s /usr/include/pcap-bpf.h /usr/include/net/bpf.h
See Also
- Designing Capture Filters for Ethereal/Wireshark
- Network Monitoring with Ethereal - Linux Journal article

