To see what AMI (Asterisk Manager Interface, TCP port 5038 by default) events are actually going over the wire you will need to perform the following steps.
- Capture Packets
- Convert Into Readable Text
  - with the tshark command
  - with Wireshark
Capture Packets
tcpdump -i lo -nqtttt -s 0 -A '((src port 5038) or (dst port 5038))' -w ami.pcap
The command above captures from the loopback interface (not Ethernet) and saves the packets into ami.pcap. The filter matches both directions of the AMI connection (it is equivalent to 'port 5038') and -s 0 keeps the full packet. Note that -A, -q and -tttt only shape what tcpdump prints on the terminal; with -w the raw packets are written regardless, so they are harmless here but do nothing.
tcpdump -i eth0 -nqtttt -s 0 -A '((src port 5038) or (dst port 5038))' -w ami.pcap
The command above captures from eth0 (the interface name might be different on your system) and saves into ami.pcap. Use this when the AMI client connects over the network rather than from the same host.
On Boxdocker all the programs talk to each other over loopback inside the container, so capture on lo there. tcpdump needs root to open the interface:
sudo su -
tcpdump -i lo -nqtttt -s 0 -A '((src port 5038) or (dst port 5038))' -w ami.pcap
If you install tshark on the capture host you do not have to download the pcap to a system that has Wireshark.
Convert The pcap Into A Readable File with tshark (easier)
Run the following command
tshark -r ami.pcap -x -V -T text | grep '^[0-9]' | cut -c57- | tr -d '\n' | sed 's/\.\./\n/g'
The -x flag is what produces the hex and ASCII dump lines the rest of the pipeline works on (-V only adds the protocol tree, which grep then discards), and the regex is quoted so the shell cannot expand it as a glob. Because the dump covers whole frames, the Ethernet, IP and TCP headers of each packet come out as a short run of garbage characters and dots in front of the AMI text. If you only want the payload, tshark can reassemble the conversation directly with tshark -r ami.pcap -q -z follow,tcp,ascii,0 (0 is the TCP stream number; tshark -r ami.pcap -T fields -e tcp.stream lists them).
Move the ami.pcap file to a place you can download it from
mv ami.pcap /var/www/html/
Then download it onto your system which has Wireshark installed.
wget http://boxdocker.aavaz.biz/ami.pcap
Keep in mind that the capture contains the AMI login. Unless the client authenticated with an MD5 challenge (AuthType: MD5), the Secret: line sits in the pcap in cleartext, so prefer copying the file with scp over publishing it under the web root, or at least delete it from /var/www/html/ as soon as it has been downloaded.
Convert The pcap Into A Readable File with Wireshark
In Wireshark go to File -> Export Packet Dissections -> As Plain Text… and make sure the packet bytes (hex dump) are included in the export, since that is what the next step works on.
Save it as ami.txt
Make ami.txt Readable
Then run grep/cut/tr/sed (probably can do with just sed)
grep '^[0-9]' ami.txt | cut -c57- | tr -d '\n' | sed 's/\.\./\n/g' > readable.txt
You can then open readable.txt in your editor of choice.
Understand the commands (Ignore this if you don't want to learn)
Breakdown and explanation of the above one-liner, with temporary files for the interim steps
grep '^[0-9]' ami.txt > t3
Keep only the lines that start with a digit, i.e. the hex dump lines, whose first column is the offset (0000, 0010, ...); the packet summary and protocol tree lines are dropped
cut -c57- t3 > t4
Drop the first 56 characters of every line (the offset and the 16 hex bytes), leaving only the ASCII column
tr -d '\n' < t4 > t5
Join all the lines together into one large line, so an AMI line that was split across two 16-byte dump rows is whole again
sed 's/\.\./\n/g' t5
Add line breaks by replacing every ".." with a line feed character: each AMI line ends in CR LF, and the ASCII column prints both of those bytes as "." (any non-printable byte is shown as a dot, so header bytes also produce dots and a few empty lines)
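As an added end-to-end example (not part of the original post), the script below builds a hex+ASCII dump of a constructed AMI Login in the layout that tshark -x and Wireshark's plain-text export use, and then runs the page's grep/cut/tr/sed pipeline over it so you can see exactly why cut -c57- and the ".." substitution work. The function names hexdump_like_tshark, ami_from_dump and demo_readable, and the sample username and secret, are made up here; the constructed dump covers only the TCP payload, whereas a real tshark dump starts every packet with the frame headers.

```shell
#!/bin/sh
# Added example, not code from the original post. hexdump_like_tshark,
# ami_from_dump and demo_readable are names chosen here; the sample payload
# is constructed and covers only the TCP payload, not the frame headers
# that a real "tshark -x" dump would also print.

# Constructed sample payload: one AMI Login action. AMI terminates every
# header line with CR LF and the whole action with an empty line.
AMI_SAMPLE_PAYLOAD='Action: Login\r\nUsername: admin\r\nSecret: s3cret\r\n\r\n'

# Render stdin in the layout tshark -x / Wireshark "As Plain Text" (Bytes)
# use: 4-digit offset, 2 spaces, 16 hex bytes, 3 spaces, ASCII column with
# non-printable bytes shown as '.'. That prefix is 56 characters wide, so
# the ASCII column starts at character 57, which is what "cut -c57-" needs.
hexdump_like_tshark() {
    od -An -v -tx1 | tr -s ' ' '\n' | awk '
        BEGIN { off = 0; n = 0
                for (i = 32; i < 127; i++) ch[sprintf("%02x", i)] = sprintf("%c", i) }
        NF    { b[n++] = $1; if (n == 16) flush() }
        END   { if (n) flush() }
        function flush(   i, hex, asc) {
            hex = ""; asc = ""
            for (i = 0; i < n; i++) {
                hex = hex (i ? " " : "") b[i]
                asc = asc ((b[i] in ch) ? ch[b[i]] : ".")
            }
            printf "%04x  %-47s   %s\n", off, hex, asc
            off += n; n = 0
        }'
}

# The post's pipeline, with the regex quoted so the shell cannot glob it:
# keep the hex-dump lines, drop offset and hex bytes, join everything, then
# split on ".." (the CR LF ending each AMI line, both rendered as '.').
# Using "\n" in the sed replacement is a GNU sed feature.
ami_from_dump() {
    grep '^[0-9]' "$1" | cut -c57- | tr -d '\n' | sed 's/\.\./\n/g'
}

# End to end: dump the sample the way tshark would print it, then decode it.
# Prints the three AMI header lines followed by an empty line.
demo_readable() {
    tmp=$(mktemp)
    printf '%b' "$AMI_SAMPLE_PAYLOAD" | hexdump_like_tshark > "$tmp"
    ami_from_dump "$tmp"
    rm -f "$tmp"
}

demo_readable
```

Pipe a real export through ami_from_dump instead of the constructed dump and the only difference you will see is the run of dots and stray characters from the frame headers at the start of each packet.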