How to Extract Only Packet Contents in tcpdump Output: Filtering Hex Dumps and IP Headers



When analyzing network traffic with tcpdump, the default output combines multiple data representations that may not always be needed:

10:39:12.356410 IP 192.168.103.2.3101 > 192.168.102.2.80: tcp 0
    0x0000:  4500 0028 0557 4000 7f06 a823 c0a8 6702  E..(.W@....#..g.
    0x0010:  c0a8 6602 0c1d 0050 2463 0fbe 8854 e419  ..f....P$c...T..
    0x0020:  5010 4296 71ec 0000                      P.B.q...

The dots in tcpdump output represent non-printable ASCII characters. When tcpdump displays the ASCII representation alongside the hex dump, it substitutes unprintable characters with dots for better readability.

To extract only the packet contents without hex dumps and IP headers, use these approaches:

Method 1: Using -A flag

tcpdump -A -qns 0 -r ulogd.eth0.pcap

This drops the hex dump, but the summary line for each packet stays, and because -A renders the whole packet from the IP header onward, the first line of every packet begins with the IP and TCP headers as dots (the E..(.W@....#..g. ... P.B.q... text from the example above) before any payload.

Method 2: Advanced Filtering with awk

tcpdump -qns 0 -x -r ulogd.eth0.pcap | awk '/^[[:space:]]+0x[0-9a-f]+:[[:space:]]+/{for(i=2;i<=NF;i++) printf "%s", $i; next} NR>1{print ""} END{print ""}'

This prints each packet as one hex string per line, starting at the IP header (-x omits the link-layer header; -xx includes it). The hex lines are concatenated and a newline is emitted whenever a non-hex line, i.e. the next packet's summary line, is seen. Use -x rather than -X here: with -X the ASCII column is also whitespace-separated, so a loop over the fields would sweep the dotted text into the hex.

Method 3: Extracting HTTP Payload Only

tcpdump -A -qns 0 -r ulogd.eth0.pcap | grep -Pazo '(?s)(GET|POST|HEAD) .*?\n\n' | tr '\0' '\n'

Three details make this work: -z treats the input as one NUL-terminated record so a match can span lines, (?s) lets .*? cross newlines, and the header terminator is \n\n rather than \r\n\r\n because tcpdump's -A output drops a carriage return that immediately precedes a newline, so the end of the headers shows up as an empty line. A pattern written as \\r\\n\\r\\n inside single quotes would ask PCRE for a literal backslash followed by r and never match. The trailing tr turns the NUL that -z puts after each match back into a newline.

To pull HTTP requests out of the capture, with the lines that follow each request line as a rough stand-in for the rest of the request:

tcpdump -A -qns 0 -r ulogd.eth0.pcap | \
grep --line-buffered -A 1000 -E '(GET|POST|PUT|DELETE|HEAD) /' | \
grep -vE '^--$|^[0-9]{2}:[0-9]{2}:[0-9]{2}\.[0-9]+ IP '

The method pattern is deliberately not anchored with ^: in -A output the request line shares its line with the dotted rendering of the IP and TCP headers, so it looks something like E..<..@.@.......GET / HTTP/1.1. The second grep removes the -- group separators and the per-packet summary lines. -A 1000 is a crude window and will pull in following packets as well; for exact per-request extraction use the PCRE form above, or reassemble the streams with tcpflow.

For binary protocols where you need the raw bytes rather than a formatted dump:

tcpdump -qns 0 -x -r ulogd.eth0.pcap | \
awk '/^[[:space:]]+0x[0-9a-f]+:/{for(i=2;i<=NF;i++) printf "%s", $i} END {print ""}' | \
xxd -r -p > packets.bin

The awk pattern matters: without it the summary lines are fed through too, and the digits and a-f letters in timestamps and addresses get parsed as hex, corrupting the output. What comes out is the concatenation of whole IP packets, headers included and nothing reassembled, so it is input for your own parser rather than a byte-exact copy of the application stream.
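
Every method above leaves the IP and TCP headers in front of the payload. The following is an added example, not code from the original page: a POSIX shell/awk filter that reads tcpdump -x text and strips the IPv4 and TCP/UDP headers by parsing the IHL and TCP data-offset fields, leaving one hex string of payload per packet. The function names are assumptions, and the sample input is constructed (its first packet is the 40-byte segment shown earlier on this page; the other two are made up).

```sh
#!/bin/sh
# Added example (not from the original page): strip the IPv4 and TCP/UDP
# headers from `tcpdump -x` text and keep only the transport payload, one hex
# string per packet. Assumes tcpdump was run with -x (no link-layer header,
# no ASCII column), as in the commands above. Function names are assumptions.

# Read tcpdump -x output on stdin; print the payload of each TCP/UDP packet as
# one hex string per line. Packets with no payload are skipped.
ip_payload_hex() {
    awk '
    # Value of a single hex digit.
    function nib(h) { return index("0123456789abcdef", tolower(h)) - 1 }

    # Emit the payload of the packet accumulated in hex, then reset.
    function flush(   ihl, proto, hlen, start) {
        if (hex == "") return
        if (substr(hex, 1, 1) == "4") {            # IPv4 only
            ihl   = nib(substr(hex, 2, 1)) * 4     # IHL nibble, in 32-bit words
            proto = substr(hex, 19, 2)             # protocol byte (IP offset 9)
            hlen  = -1
            if (proto == "06")                     # TCP: data offset nibble is
                hlen = nib(substr(hex, (ihl + 12) * 2 + 1, 1)) * 4  # TCP byte 12
            else if (proto == "11")                # UDP: fixed 8-byte header
                hlen = 8
            if (hlen > 0) {
                start = (ihl + hlen) * 2 + 1       # first hex digit of payload
                if (length(hex) >= start) print substr(hex, start)
            }
        }
        hex = ""
    }

    # Hex dump lines ("    0x0010:  c0a8 6602 ...") append their words.
    /^[[:space:]]+0x[0-9a-f]+:/ { for (i = 2; i <= NF; i++) hex = hex $i; next }

    # Any other line (the per-packet summary line) ends the previous packet.
    { flush() }
    END { flush() }
    '
}

# Constructed sample of tcpdump -qnx output: the 40-byte ACK from the page
# (no payload), a TCP segment carrying "GET /", and a UDP datagram carrying
# one byte 0xaa. Checksums are dummy values; that does not matter for text.
sample_dump() {
    cat <<'EOF'
10:39:12.356410 IP 192.168.103.2.3101 > 192.168.102.2.80: tcp 0
    0x0000:  4500 0028 0557 4000 7f06 a823 c0a8 6702
    0x0010:  c0a8 6602 0c1d 0050 2463 0fbe 8854 e419
    0x0020:  5010 4296 71ec 0000
10:39:12.356902 IP 192.168.103.2.3101 > 192.168.102.2.80: tcp 5
    0x0000:  4500 002d 0001 4000 4006 0000 c0a8 6702
    0x0010:  c0a8 6602 0c1d 0050 2463 0fbe 8854 e419
    0x0020:  5018 4296 0000 0000 4745 5420 2f
10:39:13.000123 IP 192.168.103.2.53 > 192.168.102.2.53: UDP, length 1
    0x0000:  4500 001d 0002 0000 4011 0000 c0a8 6702
    0x0010:  c0a8 6602 0035 0035 0009 0000 aa
EOF
}

# Run the extractor over the constructed sample.
payload_from_sample() {
    sample_dump | ip_payload_hex
}

# Real use: tcpdump -qnx -r ulogd.eth0.pcap | ip_payload_hex | xxd -r -p > payload.bin
payload_from_sample
```

The ACK produces nothing because its data offset lands exactly at the end of the segment; the second packet yields 474554202f ("GET /") and the UDP datagram yields aa. Because it works per packet, the output is not a reassembled stream: segments still arrive in capture order, retransmissions are not de-duplicated, and IP options or TCP options are handled only through the IHL and data-offset fields.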

For large pcap files, the real saving is to let tcpdump decode only the packets you care about, by adding a BPF filter expression, and to line-buffer the output (-l) so it streams into the pipe instead of arriving in large blocks:

tcpdump -qns 0 -l -A -r largefile.pcap 'tcp port 80' | \
grep -vE '^[0-9]{2}:[0-9]{2}:[0-9]{2}\.[0-9]+ '

Use -A here, not -X: with -X every output line is either a summary line or a hex line, so a grep that drops both prints nothing at all.

Putting this together, the simplest form is -A output with the summary lines filtered out:

tcpdump -qns 0 -A -r ulogd.eth0.pcap | grep -vE '^[0-9]{2}:[0-9]{2}:[0-9]{2}|^[[:space:]]+0x'

This command:

  • Uses -A for ASCII output instead of -X hex
  • Filters out timestamps and hex addresses with grep

For more precise control, Wireshark's tshark works better:

tshark -r ulogd.eth0.pcap -T fields -e data.data | tr -d ':' | xxd -r -p

This prints the undissected payload of each packet as hex (older tshark versions separate the bytes with colons, which tr removes) and turns it back into raw bytes. The catch is that data.data is only filled in for payload that no dissector claimed: for traffic tshark recognizes, such as HTTP on port 80, it is empty. Use -e tcp.payload (Wireshark 3.0 and later) to get the TCP payload regardless of protocol, or disable the dissector with --disable-protocol http.

For HTTP analysis, ngrep can read the capture directly and print matching payloads line by line:

ngrep -q -I ulogd.eth0.pcap -W byline 'GET|POST|HTTP'

Piping tcpdump's -A text into ngrep does not work: -I expects pcap data, not decoded text (tcpdump -r ulogd.eth0.pcap -w - | ngrep -I - ... does, since libpcap reads stdin for "-"). Some general points:
  • Use -s 0 when capturing live so packets are not truncated; when reading a file, the snaplen stored in the capture applies
  • Add -l for line buffering when piping output
  • Consider tcpflow (tcpflow -r ulogd.eth0.pcap) when you need the TCP streams reassembled; it writes each direction of each connection to its own file, which is the cleanest way to get payload without headers