LinuxCommandLibrary

ipsumdump

Analyze and summarize network packet streams

TLDR

Print the source and destination IP addresses of all packets in a PCAP file

$ ipsumdump --src --dst [path/to/file.pcap]

Print the timestamps, source address, source port, destination address, destination port and protocol of all packets read from a given network interface
$ ipsumdump --interface [eth0] -tsSdDp

Print the anonymised source address, anonymised destination address, and IP packet length of all packets in a PCAP file
$ ipsumdump --src --dst --length --anonymize [path/to/file.pcap]

SYNOPSIS

ipsumdump [options] [capture_file]

PARAMETERS

-d
    Dump data from packets (default).

-h
    Print a help message and exit.

-i
    Listen on for network traffic.

-n
    Process only the first packets.

-o
    Write output to instead of stdout.

-s
    Print summary statistics.

-t
    Include a timestamp in the output.

-w
    Write raw packets to .

-f
    Use a Berkeley Packet Filter (BPF) expression to filter packets.
    Note: this uses the same syntax as tcpdump.

[capture_file]
    The pcap or tcpdump capture file to read. If not specified, ipsumdump will listen on the network.

DESCRIPTION

ipsumdump is a command-line utility used for extracting and displaying TCP data streams from captured network traffic. It reads packet capture files (typically in pcap or tcpdump format) and attempts to reassemble TCP streams. The extracted data is then printed to standard output. This is useful for examining the content of network conversations, such as HTTP requests and responses, SMTP email exchanges, or other protocol data flowing over TCP. ipsumdump is a powerful tool for network forensics, security analysis, and troubleshooting network applications by providing a convenient way to view the underlying data exchanged between network endpoints. It can filter data based on various criteria like source/destination IP addresses or ports.

Note: ipsumdump focuses primarily on TCP, and not UDP. Be mindful when analyzing traffic. It is also worth noting that the reassembly of TCP streams might not be perfect in all cases, especially with out-of-order packets, retransmissions, or data corruption. Understanding network protocols is crucial for interpreting the extracted data effectively.

CAVEATS

TCP stream reassembly might be imperfect due to packet loss, out-of-order packets, or retransmissions. Requires appropriate permissions to capture network traffic. Can be resource-intensive when processing large capture files.

EXAMPLES

  • ipsumdump -i eth0: Captures and displays data from the eth0 interface.
  • ipsumdump capture.pcap: Reads and displays data from the capture.pcap file.
  • ipsumdump -f 'port 80' capture.pcap: Reads data from capture.pcap, filtering for traffic on port 80.
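The examples above write a text summary to standard output, one packet per line. The following Python script is an added example, not code from this page or from the ipsumdump project: it parses that kind of output and produces the quick summaries an analyst typically wants before looking at payloads (top source addresses, bytes per protocol, packets to a given port). The input is a constructed sample; its layout (comment lines starting with `!`, a `!data` line naming the columns, whitespace-separated fields, `-` for a missing value, and the column names `timestamp ip_src sport ip_dst dport ip_proto ip_len`) is an assumption about ipsumdump's format, so the parser reads the column names from the `!data` line rather than hardcoding them.

```python
"""Parse ipsumdump-style text output and summarize it.

SAMPLE_DUMP is a CONSTRUCTED sample written to mimic the format this example
assumes: comment lines start with '!', a '!data' line names the columns,
data lines are whitespace-separated, and '-' marks a missing field.
The protocol letters (T/U/I) and column names are assumptions as well.
"""
from collections import Counter

SAMPLE_DUMP = """\
!IPSummaryDump 1.3
!creator ipsumdump (constructed sample, not real tool output)
!data timestamp ip_src sport ip_dst dport ip_proto ip_len
1700000000.000001 10.0.0.5 51234 192.0.2.10 80 T 60
1700000000.000450 192.0.2.10 80 10.0.0.5 51234 T 52
1700000000.001200 10.0.0.5 40000 192.0.2.53 53 U 72
1700000000.002000 10.0.0.7 - 192.0.2.10 - I 84
1700000000.003000 10.0.0.5 51235 192.0.2.10 443 T 60
"""


def parse_ipsumdump(text):
    """Return (columns, records); each record maps column name -> value (None for '-')."""
    columns = None
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("!"):
            # Header/comment line; only '!data' carries information we need.
            if line.startswith("!data "):
                columns = line.split()[1:]
            continue
        if columns is None:
            raise ValueError("data line appeared before the !data header")
        fields = line.split()
        if len(fields) != len(columns):
            # A truncated or concatenated line would silently misalign columns.
            raise ValueError(f"expected {len(columns)} fields, got {len(fields)}: {line!r}")
        records.append({c: (None if f == "-" else f) for c, f in zip(columns, fields)})
    return columns, records


def top_sources(records, n=3):
    """Most frequent source addresses (packet counts), missing values skipped."""
    return Counter(r["ip_src"] for r in records if r.get("ip_src")).most_common(n)


def bytes_by_proto(records):
    """Total IP length per protocol letter, e.g. {'T': 172, 'U': 72, 'I': 84}."""
    totals = Counter()
    for r in records:
        if r.get("ip_proto") and r.get("ip_len"):
            totals[r["ip_proto"]] += int(r["ip_len"])
    return dict(totals)


def packets_to_port(records, port):
    """Records whose destination port matches; handy to check what a '-f' filter kept."""
    return [r for r in records if r.get("dport") == str(port)]


if __name__ == "__main__":
    cols, recs = parse_ipsumdump(SAMPLE_DUMP)
    print("columns:", cols)
    print("top sources:", top_sources(recs))
    print("bytes by protocol:", bytes_by_proto(recs))
    print("packets to port 80:", len(packets_to_port(recs, 80)))
```

Because the parser derives its columns from the `!data` line, the same script works whichever combination of `--src`, `--dst`, `-tsSdDp` or `--length` produced the dump, as long as the field names it looks up are present; with `--anonymize` the addresses it counts are the anonymised ones, which is usually what you want before sharing a summary.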

SECURITY CONSIDERATIONS

The extracted data might contain sensitive information such as passwords, API keys, or confidential communications. Handle the output with care and avoid exposing it to unauthorized parties. Properly securing the capture file is also important.

HISTORY

ipsumdump has been around for a while. The exact origins and early development history are difficult to pinpoint. It's designed for a specific need: quickly extracting human-readable content from network captures. The usage is more targeted towards text-based network protocols.

SEE ALSO

tcpdump(1), wireshark(1), tshark(1), ngrep(1)
