Can I use TCP dump to just get the host/domain/ip and port of a packet so it can be easily parsed by PHP?

StackOverflow https://stackoverflow.com/questions/21192993

  •  29-09-2022

Problem

I am trying to collect hostname/ip and port from tcp dump.

I get kinda close using:

 tcpdump -s 0 -A -q 'tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420'

but it contains way too much garbage and I don't see a logical way to parse it:

18:04:26.935060 IP 51.234.18.40.60495 > 74.125.226.201.80: tcp 664
E...>)@.@...3..(J}...O.Pqc.y.rs......h.....
.......UGET /embed/QobxnFYhMos HTTP/1.1
Host: www.youtube.com
Connection: keep-alive
Referer: http://www.businessinsider.com/fake-house-pumping-stations-2014-1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
x-wap-profile: http://device.sprintpcs.com/Samsung/SPH-L710/MK3.rdf
User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; SPH-L710 Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Accept-Encoding: gzip,deflate
Accept-Language: en-US
Accept-Charset: utf-8, iso-8859-1, utf-16, *;q=0.7
Cookie: VISITOR_INFO1_LIVE=lFsDZ5g6OfM; YSC=Ofbb0cz2kXU; PREF=fms1=10000&fms2=10000&f1=50000000&fv=0.0.0

Solution

What is bothering you here is that by setting the snaplength to 0 (-s 0) you are effectively setting it to the default of 65535. That's why you get all the content on your capture.

From man tcpdump:

-s Snarf snaplen bytes of data from each packet rather than the default of 65535 bytes. Packets truncated because of a limited snapshot are indicated in the output with ``[|proto]'', where proto is the name of the protocol level at which the truncation has occurred. Note that taking larger snapshots both increases the amount of time it takes to process packets and, effectively, decreases the amount of packet buffering. This may cause packets to be lost. You should limit snaplen to the smallest number that will capture the protocol information you're interested in. Setting snaplen to 0 sets it to the default of 65535, for backwards compatibility with recent older versions of tcpdump.

Try lowering that value and you should get a neat line of output for each packet, easily parseable for IP addresses and ports with any regex function, be it php or whatever.

Edit: Forgot to say that you may want to try starting with a snaplength value of 96. I think that is the default... if it is, you may want to leave out the option altogether. Then you can move up or down depending on how that works for you.
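Whichever snaplen you settle on, the part the answer leaves to "any regex function" is where parsing usually goes wrong: in tcpdump's summary line the port is glued to the address with a dot (`51.234.18.40.60495`), so the port is the last dot-separated component and an IPv4 address cannot be split on dots naively. The filter in the question, `0x47455420`, is just the bytes "GET ", so the matched packets are HTTP requests and the Host header is available in the `-A` payload if the snaplen is large enough to include it. The following Python script is an added example, not code from the question or the answer; it parses `tcpdump -q -A` text into one record per packet (addresses, ports, payload length, request line and Host header). The first sample packet is the one from the question; the IPv6 packet and the empty segment after it are constructed to exercise the edge cases.

```python
import re
import sys
from typing import Dict, List, Optional

# Summary line that `tcpdump -q` prints for a TCP segment, e.g.
#   18:04:26.935060 IP 51.234.18.40.60495 > 74.125.226.201.80: tcp 664
# The port is the LAST dot-separated component of each endpoint and an IPv4
# address itself contains dots, so the address is matched lazily and the port
# greedily with dots excluded.  Without -n tcpdump prints names instead
# ("www.youtube.com.http"); the same pattern still splits them correctly.
SUMMARY_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<proto>IP6?)\s+"
    r"(?P<src>\S+?)\.(?P<sport>[^\s.]+)\s+>\s+"
    r"(?P<dst>\S+?)\.(?P<dport>[^\s.:]+):\s*"
    r"(?P<rest>.*)$"
)

# Inside the -A payload: the HTTP request line and the Host header.  The request
# line is searched rather than anchored, because tcpdump prints the raw TCP
# header bytes in front of it (".......UGET /embed/... HTTP/1.1" in the question),
# so there is no word boundary before "GET".
REQUEST_RE = re.compile(r"(GET|POST|HEAD|PUT|DELETE|OPTIONS|PATCH)\s+(\S+)\s+HTTP/\d\.\d")
HOST_RE = re.compile(r"^Host:\s*(\S+)", re.IGNORECASE)


def _port(value: str):
    """int for numeric ports; the service name when tcpdump ran without -n."""
    return int(value) if value.isdigit() else value


def parse_summary_line(line: str) -> Optional[Dict]:
    """Parse one tcpdump summary line into endpoint fields, or None if it is not one."""
    m = SUMMARY_RE.match(line)
    if not m:
        return None
    length = re.search(r"\btcp\s+(\d+)", m.group("rest"))
    return {
        "ts": m.group("ts"),
        "src_ip": m.group("src"), "src_port": _port(m.group("sport")),
        "dst_ip": m.group("dst"), "dst_port": _port(m.group("dport")),
        "payload_len": int(length.group(1)) if length else None,
        "request": None, "host": None,
    }


def parse_capture(text: str) -> List[Dict]:
    """Group `tcpdump -q -A` output into one record per packet.

    Each line that parses as a summary line opens a new record; the payload
    lines that follow it are scanned for the request line and the Host header.
    """
    records: List[Dict] = []
    for raw in text.splitlines():
        rec = parse_summary_line(raw)
        if rec is not None:
            records.append(rec)
            continue
        if not records:
            continue  # payload text before the first summary line: nothing to attach it to
        current = records[-1]
        if current["request"] is None:
            m = REQUEST_RE.search(raw)
            if m:
                current["request"] = f"{m.group(1)} {m.group(2)}"
        if current["host"] is None:
            m = HOST_RE.match(raw)
            if m:
                current["host"] = m.group(1)
    return records


# Constructed sample: the packet from the question, then a made-up IPv6 request
# and a made-up segment with no payload (a bare ACK or SYN would look like this).
SAMPLE_CAPTURE = """\
18:04:26.935060 IP 51.234.18.40.60495 > 74.125.226.201.80: tcp 664
E...>)@.@...3..(J}...O.Pqc.y.rs......h.....
.......UGET /embed/QobxnFYhMos HTTP/1.1
Host: www.youtube.com
Connection: keep-alive
Referer: http://www.businessinsider.com/fake-house-pumping-stations-2014-1
User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; SPH-L710 Build/JSS15J)
18:04:27.102233 IP6 2001:db8::1.50000 > 2001:db8::2.80: tcp 120
E....GET /index.html HTTP/1.1
Host: example.net
18:04:27.300000 IP 51.234.18.40.60496 > 74.125.226.201.443: tcp 0
"""

if __name__ == "__main__":
    # Read live output from a pipe, or the embedded sample when run without stdin.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_CAPTURE
    for r in parse_capture(text):
        print(f"{r['ts']} {r['src_ip']}:{r['src_port']} -> {r['dst_ip']}:{r['dst_port']}"
              f" len={r['payload_len']} host={r['host']} request={r['request']}")
```

Run it on a live capture with `tcpdump -nn -l -q -A 'tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420' | python3 parse_tcpdump.py` (`-nn` keeps addresses and ports numeric, `-l` line-buffers the output so the pipe does not stall; the script file name is an assumption). If you drop the snaplen to the 96 bytes the answer suggests, the `-A` payload will usually stop before the Host header and only the address and port fields will be populated, which is exactly the trade-off the answer describes. Treat `host` and `request` as attacker-controlled input when handing them to PHP: they are copied straight from the wire, and any hostname tcpdump prints without `-n` comes from a DNS reply, so do not interpolate them into shell commands or SQL.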

License: CC-BY-SA with attribution
Not affiliated with StackOverflow