To display HTTP headers using just tcpdump, the following syntax can be used:
You can read tcpdump_advanced_filters, or http://www.wains.be/pub/networking/tcpdump_advanced_filters.txt
Analyzing the captured output (count the requests seen per Host header):
cat /tmp/tcpdump* | sed -e 's/^.*Host:/Host:/' | egrep Host | sort | uniq -c
1. To show the Host and User-Agent headers of requests from a given source (replace X.X.X.X; headers on port 443 are inside TLS, so only the port 80 traffic produces readable matches):
tcpdump -vvv -s 1024 -i eth0 -l -A "src X.X.X.X and (dst port 80 or dst port 443)" | egrep 'User-Agent|Host'
2. To monitor HTTP traffic including request and response headers and message body (the filter keeps only segments whose TCP payload length, i.e. IP total length minus IP header length minus TCP header length, is non-zero, so bare ACKs are dropped):
tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'
3. To monitor HTTP traffic including request and response headers and message body from a particular source:
tcpdump -A -s 0 'src example.com and tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'
4. To monitor HTTP traffic including request and response headers and message body on the loopback interface (local host to local host):
tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' -i lo
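The BPF expression in items 2 to 4 does byte arithmetic on the IPv4 and TCP headers; the following added example (not part of the original post) re-implements that arithmetic in Python over constructed packets, so you can see that a request with a body passes while a bare ACK, with or without TCP options, is rejected. The packet builder, the sample request and the 10.0.0.x addresses are all constructed for illustration.

```python
import struct

# Added example (not from the post): the tcpdump payload-length filter done in Python.
def tcp_payload(pkt):
    """TCP payload of an IPv4/TCP packet, or None when the BPF test (payload != 0) fails."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4 or pkt[9] != 6:
        return None                                  # the ip[] offsets assume IPv4 + TCP
    ihl = (pkt[0] & 0x0F) << 2                       # (ip[0]&0xf)<<2 : IP header bytes
    total_len = struct.unpack_from("!H", pkt, 2)[0]  # ip[2:2]        : IP total length
    tcp = pkt[ihl:]
    if len(tcp) < 20:
        return None
    doff = (tcp[12] & 0xF0) >> 2                     # (tcp[12]&0xf0)>>2 : TCP header bytes
    payload_len = total_len - ihl - doff             # the filter's "!= 0" test
    if payload_len <= 0:
        return None
    return tcp[doff:doff + payload_len]

def http_headers(payload, wanted=("Host", "User-Agent")):
    """Pick the headers the page greps for out of a plaintext HTTP request."""
    head = payload.split(b"\r\n\r\n", 1)[0].decode("latin-1", "replace")
    found = {}
    for line in head.split("\r\n")[1:]:              # skip the request line
        name, _, value = line.partition(":")
        if name.strip() in wanted:
            found[name.strip()] = value.strip()
    return found

def build_ipv4_tcp(payload, tcp_options=b""):
    """Constructed sample packet (no checksums: the filter never reads them)."""
    tcp_hdr_len = 20 + len(tcp_options)              # must be a multiple of 4
    total_len = 20 + tcp_hdr_len + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0x4000, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    doff_flags = ((tcp_hdr_len // 4) << 12) | 0x018  # data offset in high nibble, PSH|ACK
    tcp = struct.pack("!HHIIHHHH", 40000, 80, 1, 1, doff_flags, 65535, 0, 0)
    return ip + tcp + tcp_options + payload

REQUEST = (b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n"
           b"User-Agent: curl/8.0\r\nAccept: */*\r\n\r\n")
SAMPLES = {
    "get":      build_ipv4_tcp(REQUEST),             # matches the filter
    "ack":      build_ipv4_tcp(b""),                 # bare ACK: payload length 0, dropped
    "ack_opts": build_ipv4_tcp(b"", b"\x01\x01\x08\x0a" + b"\x00" * 8),  # ACK, 12 option bytes
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        data = tcp_payload(pkt)
        print(name, "dropped" if data is None else http_headers(data))
```

Note that the filter is IPv4-only: the `ip[...]` offsets do not apply to IPv6 packets, which tcpdump will not match with this expression.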