Using tcpdump to watch which websites are accessed on my network

I've just got my hands on a Raspberry Pi and I've set it up to act as the DNS and DHCP server on my home network. This means that all network requests go through it before they are released into the wild... Which offers me a great opportunity to use tcpdump and see what is happening on my network!

I am playing around with the tcpdump arguments to create the perfect network spy. The idea is to capture HTTP GET requests.

This is what I have so far and it's pretty good:

tcpdump -i eth0 'tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420' -A

  • The -i eth0 tells it which interface to listen to
  • The bit in quotes is a nifty bit of hex matching to detect a GET request
  • The -A means "print the ASCII contents of this packet"

This fires every time anything on my network sends a GET request, which is great. My question, finally, is how can I filter out boring requests like images, JavaScript, favicons etc?

Is this even possible with tcpdump or do I need to move onto something more comprehensive like tshark?

Thanks for any help!

DISCLAIMER: Currently the only person on my network is me... This is not malicious, it's a technical challenge!

Nick Brunt asked Nov 12 '22 05:11
1 Answer

Grep is your friend :-) tcpdump ... | grep -vE "^GET +(/.*\.js|/favicon\.ico|.*\.png|.*\.jpg|.*\.gif|...) +HTTP" will hide things like GET /blah/blah/blah.js HTTP/1.0, GET /favicon.ico HTTP/1.0, GET /blah/blah/blah.png HTTP/1.0, etc.

Ross Patterson answered Nov 15 '22 07:11
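A worked version of the question's pipeline and the answer's grep idea, as an added example that is not code from the question or from Ross Patterson's answer. It keeps the capture filter from the question unchanged and does the "boring request" filtering in a small shell function, filter_gets (a hypothetical name). The extension list and the sample capture are constructed for this example: the addresses, paths and header bytes do not come from a real network, and the sample only imitates the shape of tcpdump -A output.

```shell
#!/bin/sh
# Added example (not code from the question or the answer): post-process
# `tcpdump -A` output so that only the HTTP request lines worth looking at
# remain, dropping GETs for static assets (scripts, stylesheets, images,
# favicons, fonts). Intended use on the Pi, with the capture filter from the
# question (-l makes tcpdump line-buffer its output so the pipe shows
# requests as they happen):
#
#   tcpdump -l -i eth0 -A 'tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420' | filter_gets

# File extensions treated as boring; this list is an assumption, edit to taste.
BORING_EXT='js|css|map|png|jpg|jpeg|gif|svg|ico|woff|woff2|ttf'

# filter_gets: reads tcpdump -A text on stdin and writes one
# "GET <path> HTTP/1.x" line per request to stdout, minus the boring ones.
filter_gets() {
    # With -A the request line usually shares an output line with the
    # unprintable IP/TCP header bytes, so the request is matched wherever it
    # appears in the line (not anchored at ^) and only that part is kept.
    # The second grep allows an optional query string (app.js?v=3) after the
    # extension and ignores case, so logo.PNG is dropped as well.
    grep -oE 'GET +[^ ]+ +HTTP/1\.[01]' \
      | grep -viE "\.(${BORING_EXT})(\?[^ ]*)? +HTTP/1\.[01]$"
}

# sample_capture: constructed stand-in for real tcpdump -A output
# (addresses, paths and header bytes are made up for this example).
sample_capture() {
    cat <<'EOF'
12:00:01.000000 IP 192.0.2.20.51234 > 198.51.100.7.80: Flags [P.], seq 1:80, ack 1, win 502, length 79
E..w..@.@..b...........P....GET /index.html HTTP/1.1
Host: example.com
User-Agent: curl/7.81.0

12:00:01.100000 IP 192.0.2.20.51235 > 198.51.100.7.80: Flags [P.], seq 1:85, ack 1, win 502, length 84
E..|..@.@..]...........P....GET /static/app.js?v=3 HTTP/1.1
Host: example.com

E..q..@.@..g...........P....GET /favicon.ico HTTP/1.1
E..v..@.@..c...........P....GET /images/logo.PNG HTTP/1.1
E..z..@.@..a...........P....GET /api/items?format=json HTTP/1.1
E..n..@.@..k...........P....GET /about HTTP/1.0
EOF
}

# Stand-alone demo: prints the three non-boring requests from the sample.
sample_capture | filter_gets
```

Because the function prints only the extracted request line, each matching packet yields exactly one line of output instead of the whole ASCII dump, which keeps the view readable when a page pulls in dozens of assets at once. To see the full packets again, drop the -o from the first grep.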