Tcpdump抓取http GET/POST requests

目录

• 抓取HTTP GET 请求
• 抓取HTTP POST 请求
• 目的端口为80的HTTP GET请求
• 目的端口为80或443的HTTP GET 和POST请求(来自192.168.0.1)
• 抓取HTTP GET和POST request和response
• 监测所有的HTTP request URL（GET/POST）
• 抓取POST请求里的password
• 抓取Request和response里的cookie
• 过滤HTTP header

抓取HTTP GET 请求

tcpdump -i enp0s8 -s 0 -A 'tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420'

解释：

tcp[((tcp[12:1] & 0xf0) >> 2):4]定义了我们所要截取的字符串的位置（http header的后面）的4 bytes。

0x47455420是G E T 的ASCII码。

Character	ASCII Value
G	47
E	45
T	54
Space	20

抓取HTTP POST 请求

tcpdump -i enp0s8 -s 0 -A 'tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x504F5354

0x504F5354代表的是 P O S T的ASCII码.

输出示例：

[root@mwiws01 ~]# tcpdump -i enp0s8 -s 0 -A 'tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x504F5354'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on enp0s8, link-type EN10MB (Ethernet), capture size 262144 bytes
08:12:59.552588 IP 192.168.10.1.60651 > mwiws01.http: Flags [P.], seq 1817631852:1817632015, ack 3385979723, win 4117, options [nop,nop,TS val 399453898 ecr 6715402], length 163: HTTP: POST /new.html HTTP/1.1
E.....@.@..C..
...

...PlV.l...K...........
.....fx
POST /new.html HTTP/1.1
Host: 192.168.10.10
User-Agent: curl/7.54.0
Accept: */*
X-Requested-By: middlewareinventory
TestHeader: TestValue
MyName: SaravAK


^C
1 packet captured
1 packet received by filter
0 packets dropped by kernel
[root@mwiws01 ~]#

目的端口为80的HTTP GET请求

tcpdump -i enp0s8 -s 0 -A 'tcp dst port 80 and tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420'

输出示例：

[root@mwiws01 ~]# tcpdump -i enp0s8 -s 0 -A 'tcp dst port 80 and tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on enp0s8, link-type EN10MB (Ethernet), capture size 262144 bytes
06:50:12.424996 IP 192.168.10.1.58034 > mwiws01.http: Flags [P.], seq 1518079346:1518079506, ack 1444634698, win 4117, options [nop,nop,TS val 394486908 ecr 1748275], length 160: HTTP: GET /new.html HTTP/1.1
E..._.@.@.E7..
...

...PZ|.rV.`J.....u.....
..d|...3GET /new.html HTTP/1.1
Host: 192.168.10.10
User-Agent: curl/7.54.0
Accept: */*
X-Requested-By: middlewareinventory
TestHeader: TestValue
MyName: Sarav

目的端口为80或443的HTTP GET 和POST请求(来自192.168.0.1)

tcpdump -i enp0s8 -s 0 -A 'tcp dst port 80 or tcp dst port 443 and tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420 or tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x504F5354' and host 192.168.10.1

抓取HTTP GET和POST request和response

tcpdump -i enp0s8 -s 0 -A 'tcp dst port 80 and tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420 or tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x504F5354 or tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x48545450 or tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x3C21444F and host 192.168.10.1'

过滤目的端口为80，host为192.168.10.1，http get/post 的request和response

0x3C21444F是'<' 'D' 'O' 'C'的ASCII码，作为html文件的标识符

0x48545450是'H' 'T' 'T' 'P'的ASCII码，用来抓取HTTP response

监测所有的HTTP request URL（GET/POST）

tcpdump -i enp0s8 -s 0 -v -n -l | egrep -i "POST /|GET /|Host:"

抓取POST请求里的password

tcpdump -i enp0s8 -s 0 -A -n -l | egrep -i "POST /|pwd=|passwd=|password=|Host:"

抓取Request和response里的cookie

tcpdump -i enp0s8 -nn -A -s0 -l | egrep -i 'Set-Cookie|Host:|Cookie:'

过滤HTTP header

#从header里过滤出user-agent
tcpdump -vvAls0 | grep 'User-Agent:'