The Moose and Squirrel Files

December 23, 2010

Quick and dirty UDP servers with wireshark

Filed under: Network, Wireshark — networknerd @ 3:16 pm

I’m not suggesting Wireshark is the right choice for production, but if you need a UDP server for a quick debugging session, this trick might just be worth tucking away for later.

If you need to perform a short data collection from applications like syslog or NetFlow that just pump out UDP packets, then Wireshark/tshark can work for you in a pinch.

Here’s the recipe for syslog.

tshark -i 2 -f "port 514" -T fields -e syslog

Using the -T fields switch allows us to specify which data to output with one or more -e switches. Since we have specified a protocol (syslog), tshark prints multiple fields: in this case the facility (LOCAL7), the severity (NOTICE), and the remainder of the output below is the actual message.

Syslog message: LOCAL7.NOTICE: 27403: Dec 23 14:44:29: %SYS-5-CONFIG_I: Configured from console by root on vty0 (10.0.2.19)

The people that wrote the dissectors in Wireshark have done all the hard work of interpreting the binary fields for us. It’s worth noting that there is no documentation (that I am aware of) for the field names. I usually just capture a couple of packets and export them in PDML format. You can then open that file in any text editor and determine the field names from the XML.
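As an added example (not from the post), this Python script automates the PDML step: it walks an export, lists the field names each dissector produced, pulls out the values -e would print, and builds the matching tshark -T fields command line. The PDML fragment is constructed to resemble a one-packet syslog export, and the syslog.* field names in it are assumptions to check against your own capture.

```python
import shlex
import xml.etree.ElementTree as ET

# Constructed PDML fragment modelled on `tshark -T pdml` output for one syslog-over-UDP
# packet; the syslog.* field names are assumptions, check them against your own export.
SAMPLE_PDML = """<pdml version="0" creator="wireshark/3.6.2">
<packet>
  <proto name="ip" showname="Internet Protocol Version 4" size="20" pos="14">
    <field name="ip.src" showname="Source: 10.0.2.19" size="4" pos="26" show="10.0.2.19" value="0a000213"/>
  </proto>
  <proto name="udp" showname="User Datagram Protocol" size="8" pos="34">
    <field name="udp.dstport" showname="Destination Port: 514" size="2" pos="36" show="514" value="0202"/>
  </proto>
  <proto name="syslog" showname="Syslog message: LOCAL7.NOTICE: 27403: Dec 23 14:44:29: %SYS-5-CONFIG_I: Configured from console by root on vty0 (10.0.2.19)" size="89" pos="42">
    <field name="syslog.facility" showname="1011 1... = Facility: LOCAL7 (23)" size="5" pos="42" show="23" value="3c3138393e"/>
    <field name="syslog.level" showname=".... .101 = Level: NOTICE (5)" size="5" pos="42" show="5" value="3c3138393e"/>
    <field name="syslog.msg" showname="Message: 27403: Dec 23 14:44:29: %SYS-5-CONFIG_I: Configured from console by root on vty0 (10.0.2.19)" size="84" pos="47" show="27403: Dec 23 14:44:29: %SYS-5-CONFIG_I: Configured from console by root on vty0 (10.0.2.19)"/>
  </proto>
</packet>
</pdml>
"""

def field_names(pdml_text):
    """Map each dissected protocol to its field names, in first-seen order (the -e names)."""
    catalogue = {}
    for proto in ET.fromstring(pdml_text).iter("proto"):
        names = catalogue.setdefault(proto.get("name"), [])
        for field in proto.iter("field"):
            if field.get("name") not in names:
                names.append(field.get("name"))
    return catalogue

def field_values(pdml_text, wanted):
    """Per packet, the 'show' value of each wanted field (None when absent): what -e prints."""
    rows = []
    for packet in ET.fromstring(pdml_text).iter("packet"):
        shown = {f.get("name"): f.get("show") for f in packet.iter("field")}
        rows.append({name: shown.get(name) for name in wanted})
    return rows

def tshark_fields_cmd(proto, catalogue, iface="2", capture_filter="port 514"):
    """Build the tshark -T fields command line that prints every field of one protocol."""
    args = ["tshark", "-i", iface, "-f", capture_filter, "-T", "fields"]
    for name in catalogue.get(proto, []):
        args += ["-e", name]
    return shlex.join(args)

if __name__ == "__main__":
    cat = field_names(SAMPLE_PDML)
    print(tshark_fields_cmd("syslog", cat))
    print(field_values(SAMPLE_PDML, cat["syslog"]))
```

Current tshark builds can also dump every registered field name with `tshark -G fields`, which is the quicker route when you already know which protocol you are after.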


Blog at WordPress.com.