I am trying to display only the data section of an udp packet using tcpdump. In some other words, is it any way to filter the header section of the udp package?
The below command
sudo tcpdump -Aq -i lo udp port 1234
returns:
E..".J@[email protected]~.........v.....!HELLO
How can I discard the E..".J@[email protected]~.........v.....! part?
Here are a few ways. In the examples below I am using echo to print the specific string from your answer but you can replace the echo 'blah blah' | command with sudo tcpdump -Aq -i lo udp port 1234 | command.
awk
$ echo 'E..".J@[email protected]~.........v.....!HELLO' | awk -F'!' '{print $NF}'
HELLO
awk splits the input lines into fields by splitting on the character given as -F. In this case, !. $NF is a special variable that means the last field. So, the command above, takes ! as the field separator and prints the last field, i.e. whatever comes after the last !.
grep
echo 'E..".J@[email protected]~.........v.....!HELLO' | grep -oP '!K.+?$'
The -o flag causes grep to print only the matched portion of the line and -P activates Perl Compatible Regular Expressions which give us K. The regex is looking for a ! and the shortest string possible (.+?, the ? makes it look for the shortest) up to the end of the line ($). The K means : discard what was matched before the K. The result is that the ! (which is before the K) is discarded and only the HELLO is printed.
cut
echo 'E..".J@[email protected]~.........v.....!HELLO' | cut -d'!' -f2
cut is a utility that, well, cuts lines. In this case, I am setting the field delimiter to ! and printing the 2nd field, the HELLO.
perl
echo 'E..".J@[email protected]~.........v.....!HELLO' | perl -pe 's/.+!//'
The -p means "print every line after applying the script given with -e to it". The script itself uses the substitution operator (s/pattern/replacement/) to replace everything up to the last ! (here, since there is no ?, the .+ will match the longest possible string) with nothing, effectively leaving only the HELLO.
