Problem parsing tcpdump tcp[13] output

[Romain]

Hi,

I wrote a little script to log the network traffic on a firewall and I
used the tcpdump command.
The script works very well when the command is a classic tcpdump one
like "tcpdump -vvni eth0 host 192.168.0.10 and port 21" but as soon as
I use this command "tcpdump -vvni eth0 tcp[13] == 18" to log only SYN
ACK packets it doesn't work.

Here is the beginning of my script:

#!/usr/bin/perl

$command = 'tcpdump -vvni eth0 tcp[13] == 18'
($pid = open(PIPE,"$command |")) or die "Error: $!\n";
(kill 0, $pid) or die "tcpdump failed\n";
while (defined($line = <PIPE>))
{
print $line;
}

It doesn't print anything although tcpdump catured packets.
if I set the $command to 'tcpdump -vvni eth0', it works fine.
I supposed that the problem comes from the [] that I use in the
command.

Could anyone help me about that?

Thanks.

 

[Tad McClellan]

Here is the beginning of my script:

#!/usr/bin/perl

use warnings;
use strict;

Ask for all the help you can get!

Doubly so when attempting debugging!

$command = 'tcpdump -vvni eth0 tcp[13] == 18'
($pid = open(PIPE,"$command |")) or die "Error: $!\n";

syntax error at ./temp line 4, near "("

It doesn't print anything

'course not, it doesn't even compile...

although tcpdump catured packets.

That's a real trick.

An unbelievable trick actually, how can tcpdump captur packets when
the program that launches it doesn't even compile?

Could anyone help me about that?

Show us your real code.

Have you seen the Posting Guidelines that are posted here frequently?

 

[Michael Fuhr]

$command = 'tcpdump -vvni eth0 tcp[13] == 18'

There are a couple of things wrong here (aside from the fact that
the code you posted doesn't run, as Tad already pointed out). You
can discover one problem by executing "touch tcp1" and then running
the script without changing directories. That you haven't already
hit this bug is luck.

You can find the second problem by running the tcpdump command from
the shell prompt and make a connection that tcpdump should show,
then run the same test again but pipe tcpdump's output into cat.
If you see a difference in behavior then read the tcpdump manual
page and look for a solution.

 

[Romain]

Here's my real script but I still have the same problem

#!/usr/bin/perl
$commande = "tcpdump -vvni eth1 tcp[13] == 18";
print "$commande\n";
($pid = open(PIPE,"$commande |")) or die "Error: $!\n";
while (defined($line = <PIPE>))
{
print $line;
}

When I redirect the tcpdump command in a file and I do a cat file.log |
../test.pl, it works fine.

Thanks in advance pour your help.

Here is the beginning of my script:

#!/usr/bin/perl

use warnings;
use strict;

Ask for all the help you can get!

Doubly so when attempting debugging!

$command = 'tcpdump -vvni eth0 tcp[13] == 18'
($pid = open(PIPE,"$command |")) or die "Error: $!\n";

syntax error at ./temp line 4, near "("

It doesn't print anything

'course not, it doesn't even compile...

although tcpdump catured packets.

That's a real trick.

An unbelievable trick actually, how can tcpdump captur packets when
the program that launches it doesn't even compile?

Could anyone help me about that?

Show us your real code.

Have you seen the Posting Guidelines that are posted here frequently?

 

[Tad McClellan]

Here's my real script but I still have the same problem
[snip]

Tad McClellan wrote:

[snip]


Please do not top-post.

Please do not send "stealth CCs".

They are seen as being rude.

 

[Michael Fuhr]

Here's my real script but I still have the same problem

#!/usr/bin/perl
$commande = "tcpdump -vvni eth1 tcp[13] == 18";
print "$commande\n";
($pid = open(PIPE,"$commande |")) or die "Error: $!\n";
while (defined($line = <PIPE>))
{
print $line;
}

When I redirect the tcpdump command in a file and I do a cat file.log |
./test.pl, it works fine.

Here's an example that should point you toward what's wrong:

#!/usr/bin/perl

use strict;
use warnings;

foreach my $i (1..5) {
print "$i\n";
sleep 1;
}

Run this script from the shell prompt, then run it again and pipe
the output into cat. Notice a difference in behavior? Think about
why that is. Find out how to make this script behave the way you
want when its output is piped, then read the tcpdump manual page
and check if tcpdump has a way to do the same thing.