6

I expect something like this:

```
$ nc example.com 80
GET / HTTP/1.0

HTTP/1.0 500 K.O.
Content-Type: application/null
Content-Length: -1
$ 
```

Meanwhile:

```
# tcpdump -i eth0 --actually-dump-all-tcp
217.21.51.1:56812->192.0.43.10:80 GET / HTTP/1.0
217.21.51.1:56812->192.0.43.10:80 
217.21.51.1:56812<-192.0.43.10:80 HTTP/1.0 500 K.O.
217.21.51.1:56812<-192.0.43.10:80 Content-Type: application/null
217.21.51.1:56812<-192.0.43.10:80 Content-Length: -1
```

Now I use Wireshark, but while it is loading the connection can get finished several times.

Vi.

2 Answers

10

Try

```
tcpflow -v -i iface
```

This will create a lot of files having filenames like "IP_A.port.-IP_B.port".

Vi.
TrueY
4

tcpdump normally displays packet information, as opposed to actual data.

Use the -A flag to dump ASCII contents. It will still dump a lot of other data (like ARP and DNS packets, for example), but you should be able to get what you want through filters.

new123456
  • Dirty oneliner to print in form that is closer to mine: `tcpdump -n -A -i eth0 | perl -ne 'if(/\d\d:\d\d:\d\d\.\d{6} IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+)\:.*length (\d+)/) { $preamble="$1:$2->$3:$4 "; } else { print "$preamble$_"; }'` – Vi. Jul 08 '11 at 20:38
  • @Vi If my brain weren't fortified from working with `setjmp`/`longjmp` hackery, that Perl would have fried my brain. I'm sure [Douglas](http://en.wikipedia.org/wiki/Pipe_(computing)#History) would have a fit if he saw that ;) – new123456 Jul 08 '11 at 20:54
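
A longer take on the `tcpdump -A` approach and the one-liner in the comments, as an added example that is not from any of the posters: it turns `tcpdump -n -A` text into the `client->server` / `client<-server` form asked for in the question, and goes beyond the one-liner by orienting the arrow, dropping non-TCP packets and skipping segments with no payload. The name `annotate`, the sample capture and the rule "no SYN seen, so the first sender counts as the client" are assumptions of this example.

```python
import re
import sys

STAMP = re.compile(r"^\d\d:\d\d:\d\d\.\d{6} ")   # starts every packet header line
TCP = re.compile(r"IP (\d+(?:\.\d+){3})\.(\d+) > (\d+(?:\.\d+){3})\.(\d+): "
                 r"Flags \[([^\]]*)\].* length (\d+)")

# Constructed, abbreviated `tcpdump -n -A` output; -A dumps start with IP/TCP header bytes.
SAMPLE = """\
20:38:01.000001 IP 217.21.51.1.56812 > 192.0.43.10.80: Flags [S], seq 100, length 0
E..<..@.@......P..
20:38:01.000003 ARP, Request who-has 217.21.51.1 tell 217.21.51.254, length 28
..................
20:38:01.000004 IP 217.21.51.1.56812 > 192.0.43.10.80: Flags [P.], seq 1:19, ack 1, length 18
E..:..@.@......P..GET / HTTP/1.0

20:38:01.000005 IP 192.0.43.10.80 > 217.21.51.1.56812: Flags [P.], seq 1:72, ack 19, length 71
E..o..@.8..P......HTTP/1.0 500 K.O.
Content-Type: application/null
Content-Length: -1
""".splitlines()

def annotate(lines):
    """Yield payload-bearing dump lines as 'client->server text' / 'client<-server text'."""
    clients = {}    # {both endpoints} -> endpoint treated as the client
    prefix = None   # None while the current packet is not to be printed
    for line in lines:
        line = line.rstrip("\r\n")
        stamp = STAMP.match(line)
        if not stamp:                       # continuation of the current packet's dump
            if prefix is not None:
                yield prefix + line
            continue
        prefix = None
        m = TCP.match(line, stamp.end())
        if not m:                           # ARP, UDP, ...: drop the whole packet
            continue
        src, dst = f"{m[1]}:{m[2]}", f"{m[3]}:{m[4]}"
        flow = frozenset((src, dst))
        if m[5] == "S":                     # bare SYN: the sender opened the connection
            clients[flow] = src
        client = clients.setdefault(flow, src)   # no SYN seen: first sender counts
        if m[6] != "0":                     # handshake and pure ACKs carry no data
            arrow, server = ("->", dst) if client == src else ("<-", src)
            prefix = f"{client}{arrow}{server} "

if __name__ == "__main__":
    for out in annotate(SAMPLE if sys.stdin.isatty() else sys.stdin):
        print(out)
```

For live traffic, pipe `tcpdump -l -n -A -i eth0` into the script; `-l` makes tcpdump line-buffer its output. As with the one-liner, the first dumped line of each packet still begins with the header bytes that `-A` renders as dots.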