Getting HTTP traffic details from tcpdump
Yesterday I had an issue to verify where I had to make sure that our backend part is sending POST requests with IDs to a third-party server. The server didn't have a GUI, so I couldn't use Wireshark for that (or could, but just don't know how :) ) and I googled for possible solutions. So, here are two possible ways that could help you out in such a case:
1) Basic one is simply run
tcpdump -w output.log
and then download this file to your computer, open it in Wireshark and analyze it there.
2) Or you could try to analyze it in the console with these commands :) :
# tcpdump filter for HTTP GET
sudo tcpdump -s 0 -A 'tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420'
# tcpdump filter for HTTP POST
sudo tcpdump -s 0 -A 'tcp dst port 80 and (tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x504f5354)'
# monitor HTTP traffic including request and response headers and message body
# cf. https://sites.google.com/site/jimmyxu101/testing/use-tcpdump-to-monitor-http-traffic
tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'
tcpdump -X -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'
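The filters above work purely on byte offsets: `ip[0]&0xf` is the IP header length in 32-bit words, `tcp[12]&0xf0` is the TCP data offset nibble, and shifting each by 2 turns words into bytes so the expression lands on the first four payload bytes ("GET " is 0x47455420, "POST" is 0x504f5354). The following is an added example, not code from the original post, that re-implements the same arithmetic in Python over a constructed IPv4/TCP packet so you can check why a filter matches or misses (the packet builder and its addresses are assumptions for the demo; IPv4 options are not handled).

```python
import struct

GET_MAGIC = 0x47455420   # the bytes "GET " read as a big-endian 32-bit int
POST_MAGIC = 0x504F5354  # the bytes "POST"

def build_packet(payload: bytes, dst_port: int = 80, tcp_hdr_len: int = 20) -> bytes:
    """Constructed sample: minimal IPv4 (no options) + TCP segment, no link layer."""
    ihl = 5                                    # 5 * 4 = 20-byte IP header
    total_len = ihl * 4 + tcp_hdr_len + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, total_len, 0, 0, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    data_off = (tcp_hdr_len // 4) << 4         # header length in words, high nibble of byte 12
    tcp = struct.pack("!HHIIBBHHH", 40000, dst_port, 1, 1, data_off, 0x18, 65535, 0, 0)
    tcp += b"\x01" * (tcp_hdr_len - 20)        # NOP padding standing in for TCP options
    return ip + tcp + payload

def split_headers(pkt: bytes):
    """ip[0]&0xf is the IHL in 32-bit words; <<2 turns it into bytes."""
    ihl = (pkt[0] & 0x0F) << 2
    return pkt[:ihl], pkt[ihl:]

def method_matches(pkt: bytes, magic: int) -> bool:
    """tcp[((tcp[12:1] & 0xf0) >> 2):4] = magic, i.e. compare the first 4 payload bytes."""
    _, tcp = split_headers(pkt)
    off = (tcp[12] & 0xF0) >> 2                # (words << 4) >> 2 == header length in bytes
    if len(tcp) < off + 4:
        return False                           # BPF treats an out-of-range load as no match
    return struct.unpack("!I", tcp[off:off + 4])[0] == magic

def is_http_get(pkt: bytes) -> bool:
    return method_matches(pkt, GET_MAGIC)

def is_http_post(pkt: bytes) -> bool:
    """tcp dst port 80 and (tcp[...:4] = 0x504f5354)"""
    _, tcp = split_headers(pkt)
    return struct.unpack("!H", tcp[2:4])[0] == 80 and method_matches(pkt, POST_MAGIC)

def has_payload(pkt: bytes) -> bool:
    """(ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2) != 0  (drops pure ACKs)"""
    ip, tcp = split_headers(pkt)
    total_len = struct.unpack("!H", ip[2:4])[0]
    return total_len - len(ip) - ((tcp[12] & 0xF0) >> 2) != 0
```

A pure ACK, even one carrying TCP options, yields no method match and fails the payload-length test, which is exactly why the third filter hides the handshake noise that `tcp port 80` alone would print.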
3) But the easiest and much better-looking option is to use Chaosreader. The script is called chaosreader0.94. See here for more details. So, you just need to:
- Run this:
tcpdump host 93.23.40.50 -s 9000 -w outputfile; perl chaosreader0.94 outputfile
- You can use either the IP address of the server or its direct HTTP URL
- Generate traffic
- Hit Ctrl+C and look for the results in the HTML file that chaosreader0.94 will generate for us.