Tcpdump Colors With Rainbow
🌈
As you know, tcpdump is a handy command line version of Wireshark.
Among its use cases is running from a headless server, from within tmux, or just feeling more l33t by running everything from the command line.
While using tcpdump recently for some in-depth monitoring and debugging, my soul pined for colored output to highlight IP addresses, ports, MAC addresses, etc.
There is an old feature request for this very option, not yet implemented. tshark has a --color option which adds handy Wireshark-themed coloring to your packet summary — cool, but not what I was looking for.
Long story short, I finished the project without colors, but later did a presentation and demo and finally got some colored output using the Python rainbow tool:
And here's an example without -X. Notice the TCP flags highlighting: SYN, SYN ACK, ACK, etc.
I shared my tcpdump.cfg file, so it's now included with rainbow's builtin config files.
The colors are loosely inspired by ip addr --color.
I like to install Python command line tools using pipx:

```sh
pipx install rainbow
```
Once installed, one may run rainbow by prepending rainbow to whatever command you were going to run. Here's an example rainbow + tcpdump command:

```sh
rainbow tcpdump -i lo -X -vne
```
Note: This command requires root. If you're not root and trying to use sudo, you may have some tricky details to work with (pipx is designed to work well as non-root). For me, sudo -H python3 -m pip install pipx and sudo pipx run rainbow tcpdump worked on Ubuntu 19.04.
The coloring scheme could use:
- IPv6 highlighting.
- Highlighting for payload portion of packet data.
- An implementation in tcpdump itself to allow more precise and accurate coloring.
If you’d like to contribute any cool coloring ideas, feel free to submit a PR for rainbow, or better yet, add coloring directly to tcpdump!
While it may change, here is the tcpdump.cfg at time of writing:
```ini
[filters]
# IPv4 address+port:
reset-all-after: (\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,5}|\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})
magenta-before: \d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}
blue-after: \d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\.
reset-after: \d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}
# MAC address:
yellow: ([0-9a-f]{2}\:){5}[0-9a-f]{2}
# TCP/UDP flags:
# 1. TCP Flags
# 2. UDP indicator
# 3. UDP indicator with checksum indicator
# Note: Bare "[udp sum ok]" is highlighted because tcpdump will
# sometimes omit the "UDP"
cyan: (?<=Flags )\[[SP\.RFU]+\]
(?<=\: )UDP
(?<=\: )\[udp sum ok\]( UDP)?
# error conditions (UDP, TCP, IPv4):
red: (?<=\: )\[bad udp cksum.*?\]
cksum \S+ \(incorrect.*?\)
bad cksum .*?!
# Network-layer Description (e.g. "IP")
# 1. With -e flag
# 2. With -e flag where no link layer addresses exist (e.g. VPN interface)
# 3. Without -e flag
bold: (?<=ethertype )\S+ \S+(?=,)
(?<=^\d{2}\:\d{2}\:\d{2}\.\d{6} AF )[^\s\:]+\s
(?<=^\d{2}\:\d{2}\:\d{2}\.\d{6} )[^\s\:]+\s
# Time stamp:
faint: \d{2}\:\d{2}\:\d{2}\.\d{6}
```
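As an added example (not from the post and not rainbow's own code), here is a small Python script that reads a subset of the rules above in the same `color: regex` layout and reports which substrings each color would claim in a constructed `tcpdump -vne` line. It is handy for checking that a new rule does not swallow its neighbours (a timestamp mistaken for a MAC, a port for an IPv4 octet); the config reader is our own approximation of how rainbow handles continuation lines, and the sample packet line is constructed, not captured.

```python
import re
from collections import defaultdict

# Subset of the tcpdump.cfg rules above: "color: regex" lines, with bare
# continuation lines belonging to the previous color (assumed to mirror
# rainbow's config layout; this reader is an approximation, not rainbow's).
TCPDUMP_RULES = r"""
[filters]
# IPv4 address (the port after the fourth dot is colored by other rules):
magenta-before: \d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}
# MAC address:
yellow: ([0-9a-f]{2}\:){5}[0-9a-f]{2}
# TCP flags and bare UDP indicator:
cyan: (?<=Flags )\[[SP\.RFU]+\]
(?<=\: )UDP
# error conditions:
red: cksum \S+ \(incorrect.*?\)
# Time stamp:
faint: \d{2}\:\d{2}\:\d{2}\.\d{6}
"""

def parse_rules(text):
    """Return a list of (color, compiled regex) in file order."""
    rules, color = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "[")):
            continue  # comments and the [filters] section header
        # A "key: value" line starts a new color; any other line continues it.
        m = re.match(r"^([a-z-]+):\s*(.*)$", line)
        pattern = m.group(2) if m else line
        color = m.group(1) if m else color
        if color is None:
            raise ValueError(f"regex before any color key: {line}")
        rules.append((color, re.compile(pattern, re.MULTILINE)))
    return rules

def find_highlights(line, rules):
    """Map each color to the substrings its regexes match in one tcpdump line."""
    hits = defaultdict(list)
    for color, rx in rules:
        hits[color].extend(m.group(0) for m in rx.finditer(line))
    return dict(hits)

# Constructed tcpdump -vne output for a SYN with a bad TCP checksum.
SAMPLE = ("12:34:56.789012 00:11:22:33:44:55 > 66:77:88:99:aa:bb, ethertype IPv4 (0x0800), "
          "length 74: (tos 0x0, ttl 64, id 1, offset 0, flags [DF], proto TCP (6), length 60) "
          "10.0.0.1.54321 > 10.0.0.2.80: Flags [S], cksum 0x4e2a (incorrect -> 0x1234), seq 1, win 64240, length 0")

if __name__ == "__main__":
    for color, matches in find_highlights(SAMPLE, parse_rules(TCPDUMP_RULES)).items():
        print(f"{color:15} {matches}")
```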
Cheers!