When using tcpdump for network analysis, the default output includes TCP headers which can clutter the display when you only need the ASCII payload. This is particularly common when monitoring IRC traffic (port 6667) or analyzing application-layer protocols.
Here's the initial command you might be using:
tcpdump -s 1500 -A -l -i eth0 '(port 6667) and (length > 74)'
This captures packets on eth0, shows ASCII output (-A), and filters for port 6667 with minimum length.
To get cleaner output without TCP headers, combine these options:
tcpdump -s 0 -A -q -l -i eth0 'port 6667 and length > 74' | grep -v '^[0-9]'
Key improvements:
1. -q for "quiet" mode (less protocol info)
2. grep -v '^[0-9]' removes timestamp lines
3. -s 0 captures full packets
For more precise control over output formatting:
tcpdump -s 0 -A -l -i eth0 'port 6667' | awk '/^[^0-9]/ {print}'
Wireshark's command-line tool offers cleaner output:
tshark -i eth0 -Y 'tcp.port == 6667' -T fields -e data.data
Monitoring HTTP traffic without headers:
tcpdump -s 0 -A -q -l -i eth0 'port 80' |
awk '!/^[0-9]{2}:/ && !/IP / && !/length / {print}'
When using tcpdump for protocol analysis, the default output includes full packet headers which can obscure the actual application-layer data. Many developers specifically need to inspect just the ASCII payload content, particularly when debugging text-based protocols like IRC (port 6667 in the example).
The key is combining tcpdump's filtering capabilities with proper output formatting. Here's the improved command:
tcpdump -s 0 -A -q -l -i eth0 'port 6667 and length > 74' | grep -vE '^[0-9]{2}:[0-9]{2}:[0-9]{2}\.[0-9]+ '
-s 0: Captures entire packets (removes the size limitation)
-A: Prints packets in ASCII
-q: Quick output (reduces protocol details)
-l: Line buffered output
The grep command extracts only lines following the header.
For more complex extraction, consider these approaches:
# Method 1: Using awk to skip the per-packet header (timestamp) lines
tcpdump -s 0 -A -l -i eth0 'port 6667' | awk '/^[0-9][0-9]:[0-9][0-9]:[0-9][0-9]\./ {next} {print}'
# Method 2: Perl one-liner for precise control (same match, Perl regex syntax)
tcpdump -s 0 -A -l -i eth0 'port 6667' | perl -ne 'print unless /^\d\d:\d\d:\d\d\./'
Here's how to monitor HTTP traffic while showing only request/response bodies:
tcpdump -s 0 -A -q -l -i eth0 'tcp port 80' | \
awk '/HTTP/ {header=1} /^\r?$/ {header=0} !header'
For high-traffic interfaces, add -c [count] to limit packets or -w file.pcap to capture first and process later. When dealing with binary protocols that might contain ASCII portions, combine with strings:
tcpdump -s 0 -w - -i eth0 'port 6667' | strings
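An added example, not code from either answer above, that tightens the summary-line filter both answers rely on (the grep -v '^[0-9]' and the awk/perl variants): it matches tcpdump's actual timestamp formats, so a payload line that happens to begin with a digit, such as an IRC numeric reply cut at a TCP segment boundary, is not thrown away. It assumes -n (numeric ports) and default or -tt timestamps, and runs on a constructed sample of tcpdump -A output rather than a live interface.

```shell
#!/bin/sh
# Added example, not taken from the answers above. Removes only tcpdump's
# per-packet summary lines from `tcpdump -A` text on stdin, matching the
# timestamp formats tcpdump prints instead of "any line starting with a
# digit", so payload lines that begin with a digit survive.
# Assumes -n (numeric ports) and either default or -tt timestamps.
# The IP/TCP header bytes that -A renders as dots at the start of each
# packet are left in place; they share a line with the first payload bytes.

strip_tcpdump_summaries() {
    awk '
        # default timestamp: HH:MM:SS.fraction followed by a space
        /^[0-9][0-9]:[0-9][0-9]:[0-9][0-9]\.[0-9]+ / { next }
        # -tt timestamp: epoch seconds with fraction, then the network layer
        /^[0-9]+\.[0-9]+ (IP|IP6|ARP) / { next }
        { print }
    '
}

# Constructed sample in the shape of `tcpdump -n -s 0 -A -q -i eth0 port 6667`
# output. Packet 3 starts mid-line ("001 nick ..." is the tail of a numeric
# reply whose prefix sat in packet 2); the last packet uses -tt timestamps.
SAMPLE='12:00:01.000001 IP 10.0.0.5.51234 > 10.0.0.9.6667: tcp 27
E..C..@.@.....
..........PRIVMSG #ops :hi
12:00:01.000002 IP 10.0.0.9.6667 > 10.0.0.5.51234: tcp 13
E..5..@.@.........:irc.example 
12:00:01.000003 IP 10.0.0.9.6667 > 10.0.0.5.51234: tcp 17
E..9..@.@.........
001 nick :Welcome
1700000000.000004 IP 10.0.0.5.51234 > 10.0.0.9.6667: tcp 12
E..4..@.@.........NICK alice'

# Lines kept by the strict filter (6 for SAMPLE).
strict_kept() { printf '%s\n' "$SAMPLE" | strip_tcpdump_summaries | wc -l | tr -d ' '; }

# Lines kept by the answers' grep -v '^[0-9]' (5: it also drops "001 nick ...").
naive_kept() { printf '%s\n' "$SAMPLE" | grep -v '^[0-9]' | wc -l | tr -d ' '; }

printf 'strict filter kept %s lines, naive digit filter kept %s\n' "$(strict_kept)" "$(naive_kept)"
```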