Home / server / Questions / 46532
Accepted
Alnitak
Asked: 2009-07-28 07:14:14 +0800 CST

Change protocol associated with port in tcpdump?

  • 772

Following on from this question, how can I tell tcpdump to use a specific protocol analyzer for a particular port?

I'm doing some DNS development using a test server running on port 5053, but I can't figure out how to tell tcpdump to pretend that this is really DNS traffic.

I can't use wireshark - the packets aren't passing past a machine that's got a GUI.

domain-name-system tcpdump

4 Answers

  1. Best Answer

    tshark, part of the Wireshark package, is text-only.

    So, tshark -d udp.port==5053,dns should work.

    • 6

  2. Interesting question. It seems that it should be accessible with the option:

    -T  Force  packets  selected  by  "expression" to be interpreted the
    specified type.  Currently known  types  are  aodv  (Ad-hoc  On-
    demand Distance Vector protocol), cnfp (Cisco NetFlow protocol),
    rpc (Remote Procedure Call), rtp (Real-Time Applications  proto-
    col), rtcp (Real-Time Applications control protocol), snmp (Sim-
    ple Network Management Protocol), tftp  (Trivial  File  Transfer
    Protocol),  vat  (Visual  Audio Tool), and wb (distributed White
    Board).

    Except that "domain" obviously isn't a valid option. I imagine that it's possible with a small amendment to the tcpdump source code, if you were that way inclined.

    Update

    Like so. Use at your own risk:

    diff -ru tcpdump-3.9.8/interface.h tcpdump-3.9.8_modified/interface.h
--- tcpdump-3.9.8/interface.h   2007-06-14 02:03:20.000000000 +0100
+++ tcpdump-3.9.8_modified/interface.h  2009-07-27 19:40:55.831913794 +0100
@@ -74,6 +74,7 @@
 #define PT_CNFP                7       /* Cisco NetFlow protocol */
 #define PT_TFTP                8       /* trivial file transfer protocol */
 #define PT_AODV                9       /* Ad-hoc On-demand Distance Vector Protocol */
+#define PT_DOMAIN              10      /* Domain Name Service */

 #ifndef min
 #define min(a,b) ((a)>(b)?(b):(a))
diff -ru tcpdump-3.9.8/print-udp.c tcpdump-3.9.8_modified/print-udp.c
--- tcpdump-3.9.8/print-udp.c   2007-06-14 02:03:21.000000000 +0100
+++ tcpdump-3.9.8_modified/print-udp.c  2009-07-27 19:39:13.893442797 +0100
@@ -520,6 +520,11 @@
                        tftp_print(cp, length);
                        break;

+               case PT_DOMAIN:
+                       udpipaddr_print(ip, sport, dport);
+                       ns_print((const u_char *)(up + 1), length, 0);
+                       break;
+
                case PT_AODV:
                        udpipaddr_print(ip, sport, dport);
                        aodv_print((const u_char *)(up + 1), length,
diff -ru tcpdump-3.9.8/tcpdump.c tcpdump-3.9.8_modified/tcpdump.c
--- tcpdump-3.9.8/tcpdump.c     2007-09-26 02:59:54.000000000 +0100
+++ tcpdump-3.9.8_modified/tcpdump.c    2009-07-27 19:27:40.199449150 +0100
@@ -718,6 +718,8 @@
                                packettype = PT_TFTP;
                        else if (strcasecmp(optarg, "aodv") == 0)
                                packettype = PT_AODV;
+                       else if (strcasecmp(optarg, "domain") == 0)
+                               packettype = PT_DOMAIN;
                        else
                                error("unknown packet type `%s'", optarg);
                        break;
    • 5

  3. may not be explicitly helpful in answering your question, but you dont need a GUI to run wireshark.

    X11 tunneled over SSH would allow you to run the full app remotely. It works well with either cygwin-x or openssh, depending on if you use windows or linux on your desktop.

    edited: grawity is right, its not port forwarding.

    • 1

  4. Or you could put a GUI machine in between the two hosts and just do bridging between the two interfaces. I built myself a tiny computer for that very purpose, it's helped with debugging all kinds of installations where wireshark is not an option (ie. routers)

    • 0