Menu
I am using tcpdump to get HTTP data by executing the below command:
sudo tcpdump -A -s 1492 dst port 80 The result of above command:
GET /modules/mod_news_pro_gk1/cache/stories.ilbalad.ajayeb.strange-tractor.jpg. I need a more clear result, for example, readable request > response header > response body etc. How can I filter my results?
205
To display the packet value you can use tcpdump command. This command with option -XX captures the data of each packet, including its link level header in HEX and ASCII format.
There are tcpdump filters for HTTP GET & HTTP POST (or for both plus message body):
Run man tcpdump | less -Ip examples to see some examples
Here’s a tcpdump filter for HTTP GET (GET = 0x47, 0x45, 0x54, 0x20):
sudo tcpdump -s 0 -A 'tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420' Here’s a tcpdump filter for HTTP POST (POST = 0x50, 0x4f, 0x53, 0x54):
sudo tcpdump -s 0 -A 'tcp dst port 80 and (tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x504f5354)' Monitor HTTP traffic including request and response headers and message body (source):
tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' tcpdump -X -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' For more information on the bit-twiddling in the TCP header see: String-Matching Capture Filter Generator (link to Sake Blok's explanation).
190
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
