tcpdump output is diffferent than pcap file

Question

I am trying to understand what should be correct command in which i can get tcpdump command output same as pcap file have.

Current commmand : tcpdump -s 0 -A -vvv -i eth0 port 5060

It's output is same as below :

E..G.M..@. ... .T.<......3`.

While on pcap same packate have below output :

I�b��))A�U�&E�{@a� ���O����S

How can i get same output as showing in pcap file using tcpdump command ?

Thanks in advance for your help.

Answer 1

As @Jboullianne surmised, you're probably just viewing the raw pcap file by printing it to a terminal window.

Pcap files are not text files, and the "terminal emulator" program that provides your terminal window is probably assuming the text it's seeing is UTF-8; not all sequences of raw bytes are valid UTF-8. The ? is probably the Unicode "REPLACEMENT CHARACTER", which the terminal is putting out as a replacement for invalid UTF-8 sequences.

And not everything in a pcap file is packet data, so some of those "weird characters" don't correspond to packet data.

Tcpdump has no option to print the bytes of the packet as UTF-8, so there's no way for the packet dump to show the packet data in that form.