I'm trying to analyze JSON-RPC traffic from an application to understand an undocumented protocol. So far, I've been using Wireshark's "follow TCP stream" feature, but there's a lot of clicking involved.

Could I use tcpdump or tshark to accomplish something similar?

I simply need all of the TCP stream data going from/to a specific host dumped to stdout.

Andrey Fedorov

  • It's 4 clicks for what you want to do. I don't think you'll find anything easier and more advanced than Wireshark. – cen Jun 03 '12 at 04:16
  • I'm not sure if it's JSON-RPC or the particular service I'm looking at, but there seems to be an empty HTTP call every 10 seconds or so, which actually turns into a lot of clicking when I'm waiting on a particular RPC call to come through. – Andrey Fedorov Jun 03 '12 at 04:30
  • I am not exactly sure how you do it, but why don't you capture the whole traffic and filter it afterwards? – cen Jun 03 '12 at 04:33

2 Answers

What you are looking for is Bro's contents script to record the payload of a TCP stream. Just invoke Bro as follows:

bro -r trace.pcap contents

which will create files in the form of

contents.<sourceIP>.<sourcePORT>-<destinationIP>.<destinationPORT>

per flow. What you get with Bro is a thoroughly tested TCP reassembler, which makes it the ideal tool for payload inspection and higher-level protocol analysis.

mavam

The tool that let me do what I was looking for was "ngrep". I did:

sudo ngrep -Wbyline '' dst host <ip-address> or src host <ip-address>
Andrey Fedorov
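As an added example (not code from the question, nor from the Bro or ngrep projects), here is a small standard-library Python script that does by hand what the two answers get from Bro's contents script and from ngrep -Wbyline: read a pcap, group TCP payload per flow, put the segments back in sequence order, drop retransmissions, and print the bytes exchanged with one host. The capture it parses is constructed inline (the hosts 10.0.0.5, 10.0.0.9 and 10.0.0.77 and the JSON-RPC messages are made up), and it only understands Ethernet/IPv4 frames in the classic pcap format.

```python
import struct
from collections import defaultdict


def parse_pcap(data):
    """Yield raw link-layer frames from a classic libpcap file held in memory."""
    if data[:4] == b'\xd4\xc3\xb2\xa1':
        endian = '<'
    elif data[:4] == b'\xa1\xb2\xc3\xd4':
        endian = '>'
    else:
        raise ValueError('not a classic pcap file (pcapng is not handled here)')
    off = 24                                    # skip the 24-byte global header
    while off + 16 <= len(data):
        incl_len = struct.unpack(endian + 'IIII', data[off:off + 16])[2]
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def parse_tcp(frame):
    """Return (src, sport, dst, dport, seq, payload) for an Ethernet/IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b'\x08\x00' or frame[23] != 6:
        return None                             # not IPv4, or not TCP
    ihl = (frame[14] & 0x0F) * 4
    ip_total = struct.unpack('!H', frame[16:18])[0]
    src = '.'.join(map(str, frame[26:30]))
    dst = '.'.join(map(str, frame[30:34]))
    tcp = frame[14 + ihl:14 + ip_total]
    sport, dport, seq, _ack, off_flags = struct.unpack('!HHIIH', tcp[:14])
    data_off = (off_flags >> 12) * 4
    return src, sport, dst, dport, seq, tcp[data_off:]


def reassemble(pcap_bytes, host=None):
    """Map each one-way flow (src, sport, dst, dport) to its in-order payload.

    Segments are ordered by sequence number; exact retransmissions and overlapping
    bytes are dropped. Gaps (lost segments) are silently joined and 32-bit sequence
    wrap-around is not handled, which is acceptable for short captures only."""
    segments = defaultdict(dict)                # flow -> {seq: payload}
    for frame in parse_pcap(pcap_bytes):
        parsed = parse_tcp(frame)
        if parsed is None:
            continue
        src, sport, dst, dport, seq, payload = parsed
        if host is not None and host not in (src, dst):
            continue                            # same idea as "dst host X or src host X"
        if payload:
            segments[(src, sport, dst, dport)].setdefault(seq, payload)  # first copy wins
    streams = {}
    for flow, by_seq in segments.items():
        buf, expected = bytearray(), None
        for seq in sorted(by_seq):
            chunk = by_seq[seq]
            end = seq + len(chunk)
            if expected is not None and seq < expected:
                chunk = chunk[expected - seq:]  # trim bytes already emitted
            buf += chunk
            expected = end if expected is None else max(expected, end)
        streams[flow] = bytes(buf)
    return streams


def _frame(src, sport, dst, dport, seq, payload):
    """Constructed Ethernet/IPv4/TCP frame for the sample capture (checksums left at zero)."""
    tcp = struct.pack('!HHIIHHHH', sport, dport, seq, 0, (5 << 12) | 0x18, 65535, 0, 0) + payload
    ip = struct.pack('!BBHHHBBH4s4s', 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(map(int, src.split('.'))), bytes(map(int, dst.split('.')))) + tcp
    return bytes(12) + b'\x08\x00' + ip


def sample_capture():
    """Constructed pcap: a JSON-RPC request split in two and delivered out of order
    with a retransmission, its reply, and an unrelated flow from a third host."""
    req = b'{"jsonrpc":"2.0","method":"ping","id":1}'
    rep = b'{"jsonrpc":"2.0","result":"pong","id":1}'
    frames = [
        _frame('10.0.0.5', 51000, '10.0.0.9', 8080, 1020, req[20:]),  # second half arrives first
        _frame('10.0.0.5', 51000, '10.0.0.9', 8080, 1000, req[:20]),
        _frame('10.0.0.5', 51000, '10.0.0.9', 8080, 1000, req[:20]),  # retransmission
        _frame('10.0.0.9', 8080, '10.0.0.5', 51000, 5000, rep),
        _frame('10.0.0.77', 40000, '10.0.0.9', 8080, 7, b'GET / HTTP/1.0\r\n\r\n'),
    ]
    out = struct.pack('<IHHiIII', 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # global header, linktype 1 = Ethernet
    for f in frames:
        out += struct.pack('<IIII', 0, 0, len(f), len(f)) + f
    return out


if __name__ == '__main__':
    # Dump every stream touching 10.0.0.5 to stdout, one direction at a time.
    for (src, sport, dst, dport), data in reassemble(sample_capture(), host='10.0.0.5').items():
        print(f'{src}:{sport} -> {dst}:{dport}')
        print(data.decode('utf-8', 'replace'))
```

Replace sample_capture() with open('trace.pcap', 'rb').read() to run it on a real capture. The point of the script is the reassembly step: a retransmitted or out-of-order segment is exactly where a naive "print each packet's payload" approach produces garbage, and it is why the Bro answer stresses a well-tested TCP reassembler for protocol analysis. For anything beyond a quick look (IPv6, pcapng, sequence wrap-around, half-open or truncated flows) use one of the tools from the answers rather than extending this.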