I am looking for a tool (preferably on Linux) that can sniff UDP traffic and record only the application layer to file(s).
I couldn't make tcpdump/wireshark do so, as they always write the lower layers' headers too. I tried working with snort (./snort -qd -l ./logs), but it kept storing data to files even if there was no application layer data in a packet.
Perhaps somebody knows such a tool...
oh, and the UDP traffic is also multicast...
I also tried multicat (VideoLAN's). They claim it's the netcat of multicast. But I don't know, besides the payload that I send manually using netcat, it also stores some other binary garbage (for me)... Anyone familiar with multicat?
Wireshark has filters that parse most protocols' headers, and will definitely recognize UDP, IP, Ethernet, etc. headers. I am not sure what you want to accomplish with the logging, but if the format of the file is important (i.e. that no headers should even be stored to file), you could try using a UDP proxy.
Using netcat, you could do something like
You have to do the reverse as well to dump 2-way communication. If you are doing this for reverse engineering, you may have to edit your /etc/hosts file as well to point the target DNS name to localhost. I did this for TCP connections a couple of times, but I did not try it for UDP; there may be problems with packet boundaries etc. due to buffering of the piped data.

If you want maximum control, write it yourself (it is only a dozen or so lines if you use e.g. Python+Twisted).
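The "write it yourself" route from the answer above, as an added example that is not from the question or the answer: a small Python receiver (standard library only, no Twisted) that joins a multicast group, reads each UDP datagram, and writes only the application-layer payload to a file, skipping empty datagrams, which is the behaviour the question wanted from snort. The group 239.0.0.1 and port 5000 in the commented-out line are assumed placeholders; `loopback_demo` sends constructed sample datagrams to itself so the code can be run offline without a multicast source.

```python
import os
import socket
import struct
import tempfile
from typing import List, Optional

def open_udp_receiver(bind_addr: str, port: int, group: Optional[str] = None) -> socket.socket:
    """Bind a UDP socket; if a multicast group is given, join it on the default interface."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)  # share the port with other listeners
    sock.bind((bind_addr, port))
    if group is not None:
        # struct ip_mreq: 4-byte group address followed by 4-byte local interface (INADDR_ANY here)
        mreq = struct.pack("4s4s", socket.inet_aton(group), socket.inet_aton("0.0.0.0"))
        sock.setsockopt(socket.IPPROTO_IP, socket.IP_ADD_MEMBERSHIP, mreq)
    return sock

def record_payloads(sock: socket.socket, out_dir: str, max_packets: int) -> List[str]:
    """Receive up to max_packets datagrams and write each non-empty UDP payload to its own file.
    Only application-layer bytes reach the file: the kernel has already stripped the Ethernet,
    IP and UDP headers. Empty datagrams are counted but produce no file. Returns the paths written."""
    os.makedirs(out_dir, exist_ok=True)
    written = []
    for seq in range(1, max_packets + 1):
        payload, (src_ip, src_port) = sock.recvfrom(65535)  # a whole UDP payload fits in one read
        if not payload:
            continue
        path = os.path.join(out_dir, f"{seq:06d}_{src_ip}_{src_port}.bin")
        with open(path, "wb") as fh:
            fh.write(payload)
        written.append(path)
    return written

def loopback_demo(out_dir: Optional[str] = None) -> List[str]:
    """Offline self-test: send three constructed datagrams (one empty) over loopback and record them."""
    out_dir = out_dir or tempfile.mkdtemp(prefix="udp_payloads_")
    rx = open_udp_receiver("127.0.0.1", 0)  # port 0: let the kernel pick a free port
    port = rx.getsockname()[1]
    tx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    for payload in (b"hello", b"", b"\x00\x01world"):  # constructed sample traffic
        tx.sendto(payload, ("127.0.0.1", port))
    files = record_payloads(rx, out_dir, max_packets=3)
    tx.close()
    rx.close()
    return files

if __name__ == "__main__":
    # Real use (assumed group/port, not from the question): join 239.0.0.1:5000, capture 100 datagrams.
    # print(record_payloads(open_udp_receiver("0.0.0.0", 5000, group="239.0.0.1"), "./payloads", 100))
    print(loopback_demo())
```

Binding to 0.0.0.0 accepts any datagram arriving on that port; on Linux you can bind to the group address instead to record only that group's traffic.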