Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Can I use tcpdump to get HTTP requests, response header and response body?

I am using tcpdump to get HTTP data by executing the below command:

sudo tcpdump -A -s 1492 dst port 80 

The result of above command:

  1. Headers, I think request and response headers.
  2. Unreadable data.
  3. The url GET /modules/mod_news_pro_gk1/cache/stories.ilbalad.ajayeb.strange-tractor.jpg.

I need a more clear result, for example, readable request > response header > response body etc. How can I filter my results?

like image 205
kimo Avatar asked Jan 23 '11 22:01

kimo


People also ask

Which option can be passed to tcpdump to display the ascii and hex representation of the packet contents?

To display the packet value you can use tcpdump command. This command with option -XX captures the data of each packet, including its link level header in HEX and ASCII format.


1 Answers

There are tcpdump filters for HTTP GET & HTTP POST (or for both plus message body):

  • Run man tcpdump | less -Ip examples to see some examples

  • Here’s a tcpdump filter for HTTP GET (GET = 0x47, 0x45, 0x54, 0x20):

    sudo tcpdump -s 0 -A 'tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420' 
  • Here’s a tcpdump filter for HTTP POST (POST = 0x50, 0x4f, 0x53, 0x54):

    sudo tcpdump -s 0 -A 'tcp dst port 80 and (tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x504f5354)' 
  • Monitor HTTP traffic including request and response headers and message body (source):

    tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' tcpdump -X -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' 

For more information on the bit-twiddling in the TCP header see: String-Matching Capture Filter Generator (link to Sake Blok's explanation).

like image 190
paulz Avatar answered Oct 09 '22 17:10

paulz