UPWORK superadmin blog

Tips and Tricks for clients

How to display HTTP Headers via tcpdump


To display HTTP headers using nothing but tcpdump, the following commands can be used. Keep in mind that tcpdump only shows what is on the wire: headers are readable for plaintext HTTP (port 80), while HTTPS on port 443 yields only TLS records, so the headers inside it cannot be read this way.

Background reading, which explains the byte-offset filters used below: tcpdump_advanced_filters,
http://www.wains.be/pub/networking/tcpdump_advanced_filters.txt

Analyzing a capture afterwards: if the -A output of the commands below was saved as text under /tmp/tcpdump*, this counts how often each Host header was seen (the sed strips whatever precedes "Host:" on the line, grep keeps only those lines, and uniq -c counts each distinct value). It works on saved text output, not on binary pcap files written with -w; print those first with tcpdump -A -r file.

cat /tmp/tcpdump* | sed -e 's/^.*Host:/Host:/' | grep Host | sort | uniq -c

1. Show the Host and User-Agent headers of requests from one client (replace X.X.X.X with the client address). -l line-buffers the output, which is needed when piping into grep; -s 1024 caps the bytes captured per packet, so use -s 0 if long headers come out truncated. Port 443 is in the filter, but TLS traffic there shows no readable headers:

tcpdump -vvv -s 1024 -i eth0 -l -A  "src X.X.X.X and (dst port 80 or dst port 443)" | grep -E 'User-Agent|Host'

2. To monitor HTTP traffic including request and response headers and message body. The arithmetic in the filter is the TCP payload length (IP total length minus IP header length minus TCP header length), so only segments that actually carry data are printed and bare ACKs are skipped:

tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'

3. The same, restricted to one source host. A hostname in the filter is resolved once, when tcpdump compiles the filter, so it matches only the address(es) returned at that moment:

tcpdump -A -s 0 'src example.com and tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'

4. The same on the loopback interface, for traffic from the local host to the local host (for example a local web server or reverse proxy):

tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' -i lo
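Counting headers from saved -A output, as an added example that is not part of the original post. SAMPLE_CAPTURE is a constructed stand-in for what the commands above print (the "E.." junk at the start of a packet is the ASCII rendering of the IP/TCP header bytes; tcpdump drops the trailing CR of each header line). The function names header_counts and sample_header_counts are my own. Compared with the sed/grep pipeline above, this matches header names case-insensitively, as RFC 7230 requires, and does not mistake X-Forwarded-Host for Host.

```shell
#!/bin/sh
# Added example: count HTTP request headers in saved `tcpdump -A` text.

# Constructed sample of tcpdump -A output (not a real capture).
SAMPLE_CAPTURE='23:39:10.100000 IP 10.0.0.5.51234 > 203.0.113.10.80: Flags [P.], seq 1:130, ack 1, win 229, length 129
E....@.@.....P......GET /index.html HTTP/1.1
Host: www.example.com
User-Agent: curl/7.68.0
Accept: */*

23:39:10.200000 IP 203.0.113.10.80 > 10.0.0.5.51234: Flags [.], ack 130, win 235, length 0
E..4..@.@....
23:39:11.000000 IP 10.0.0.6.40000 > 203.0.113.10.80: Flags [P.], seq 1:100, ack 1, win 229, length 99
E..d..@.@.....GET /login HTTP/1.1
host: www.example.com
user-agent: Mozilla/5.0 (X11; Linux x86_64)
X-Forwarded-Host: proxy.internal

23:39:12.000000 IP 10.0.0.7.40001 > 198.51.100.7.80: Flags [P.], seq 1:80, ack 1, win 229, length 79
E..P..@.@.....POST /api HTTP/1.1
Host: api.example.net
User-Agent: curl/7.68.0
Content-Length: 0
'

# header_counts NAME: read tcpdump -A text on stdin and print "<count> <value>"
# for each distinct value of the named header, most frequent first.
# The name is matched case-insensitively and must begin a token, so "Host:"
# does not match inside "X-Forwarded-Host:"; anything before the name on the
# same line (stray packet bytes) is discarded.
header_counts() {
    awk -v name="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
    {
        sub(/\r$/, "")                              # tolerate CRs if some tool left them in
        if (match(tolower($0), "(^|[^a-z0-9-])" name ":") == 0) next
        val = substr($0, RSTART + RLENGTH)          # everything after "Name:"
        sub(/^[ \t]+/, "", val); sub(/[ \t]+$/, "", val)
        if (val != "") print val
    }' | sort | uniq -c | sort -rn | sed 's/^ *//'
}

# Run the counter over the constructed sample for the given header name.
sample_header_counts() {
    printf '%s\n' "$SAMPLE_CAPTURE" | header_counts "$1"
}

sample_header_counts Host
sample_header_counts User-Agent
```

With a real capture, replace the sample with `cat /tmp/tcpdump* | header_counts Host` (or `tcpdump -A -r file.pcap | header_counts User-Agent` for a pcap written with -w).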

Written by spectre

November 23rd, 2014 at 11:39 pm
