
To monitor HTTP traffic between a server and a web server, I'm currently using tcpdump. This works fine, but I'd like to get rid of some superfluous data in the output (I know about tcpflow and wireshark, but they're not readily available in my environment).

From the tcpdump man page:

To print all IPv4 HTTP packets to and from port 80, i.e. print only packets that contain data, not, for example, SYN and FIN packets and ACK-only packets.

tcpdump 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'

This command

sudo tcpdump -A 'src example.com and tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'

provides the following output:

19:44:03.529413 IP 192.0.32.10.http > 10.0.1.6.52369: Flags [P.], seq 918827135:918827862, ack 351213824, win 4316, options [nop,nop,TS val 4093273405 ecr 869959372], length 727

E.....@....... ....P..6.0.........D...... __..e=3...__HTTP/1.1 200 OK Server: Apache/2.2.3 (Red Hat) Content-Type: text/html; charset=UTF-8 Date: Sat, 14 Nov 2009 18:35:22 GMT Age: 7149
Content-Length: 438

<HTML> <HEAD> <TITLE>Example Web Page</TITLE> </HEAD> <body>
<p>You have reached this web page ...</p> </BODY> </HTML>

This is nearly perfect, except for the highlighted part. What is this, and -- more importantly -- how do I get rid of it? Maybe it's just a little tweak to the expression at the end of the command?

quanta
otto.poellath

7 Answers


tcpdump prints complete packets. The "garbage" you see is actually the TCP packet headers.

You can certainly massage the output with e.g. a perl script, but why not use tshark, the textual version of wireshark, instead?

tshark 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'

It takes the same arguments as tcpdump (same library), but since it's an analyzer it can do deep packet inspection, so you can refine your filters even more, e.g.

tshark 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' -R'http.request.method == "GET" || http.request.method == "HEAD"'

Aleksandar Ivanisevic
    Thanks -- after trying out all the suggestions, tshark seems like the best tool for the job. I'm currently using "tshark -d tcp.port==8070,http -R 'http.request or http.response'". Now if only I could get tshark to "follow the tcp stream" just like wireshark can (This gets asked a lot, but I still haven't found the answer). "-V" displays info about the TCP and IP packets and so on, which I'm not interested in. But I guess I can remove that using a script. – otto.poellath Nov 18 '09 at 15:39
    You can also search for "GET" in a capture filter by matching the ASCII values for each character: `tcp port 80 and tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420`. I added a page to the Wireshark web site a while back that helps you create string matching capture filters: http://www.wireshark.org/tools/string-cf.html – Gerald Combs Sep 13 '11 at 20:03
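To make the header arithmetic in the man-page expression from the question (and in Gerald Combs' "GET" capture filter in the comment above) concrete, here is an added Python example that is not from the question or any of the answers: it builds a constructed IPv4/TCP packet, computes the payload offset exactly as the BPF expression does, and keeps only the payload bytes, which is what the questioner wanted to see. Addresses, ports, sequence numbers and the timestamp option are copied from the capture shown in the question; checksums are left at zero.

```python
import struct

# TCP options from the capture in the question: nop, nop, timestamp (constructed sample).
TS_OPT = b"\x01\x01\x08\x0a" + struct.pack("!II", 4093273405, 869959372)

def build_packet(payload, flags=0x18, options=TS_OPT):
    """Construct a minimal IPv4/TCP packet (checksums left at zero) for testing."""
    opts = options + b"\x01" * (-len(options) % 4)      # pad options to 32-bit words
    tcp_len = 20 + len(opts)
    total = 20 + tcp_len + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0x4000, 64, 6, 0,
                     bytes([10, 0, 1, 6]), bytes([192, 0, 32, 10]))
    tcp = struct.pack("!HHIIBBHHH", 52369, 80, 918827135, 351213824,
                      (tcp_len // 4) << 4, flags, 4316, 0, 0)
    return ip + tcp + opts + payload

def tcp_payload_bounds(pkt):
    """Return (offset, length) of the TCP payload, mirroring the BPF filter term by term."""
    ip_total = struct.unpack_from("!H", pkt, 2)[0]      # ip[2:2]
    ihl = (pkt[0] & 0x0F) << 2                          # (ip[0] & 0xf) << 2
    doff = (pkt[ihl + 12] & 0xF0) >> 2                  # (tcp[12] & 0xf0) >> 2
    return ihl + doff, ip_total - ihl - doff            # length != 0 <=> packet carries data

def has_payload(pkt):
    return tcp_payload_bounds(pkt)[1] != 0

def tcp_payload(pkt):
    off, n = tcp_payload_bounds(pkt)
    return pkt[off:off + n]

def is_get_request(pkt):
    """Gerald Combs' filter: tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420, i.e. 'GET '."""
    ihl = (pkt[0] & 0x0F) << 2
    doff = (pkt[ihl + 12] & 0xF0) >> 2
    return pkt[ihl + doff:ihl + doff + 4] == b"GET "

if __name__ == "__main__":
    ack_only = build_packet(b"", flags=0x10)            # pure ACK: filtered out
    get = build_packet(b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n")
    resp = build_packet(b"HTTP/1.1 200 OK\r\nContent-Length: 438\r\n\r\n")
    for p in (ack_only, get, resp):
        if has_payload(p):                              # same test as the tcpdump expression
            print(tcp_payload(p).decode("ascii", "replace"))   # payload only, no header bytes
```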

Take a look at ngrep - it might be of some use for you.

As a reference for others: httpry [ server seems to be down now but I hope it's temporary ] and tshark are also useful for passive protocol analysis - the first one just for http, the second for much more.

pQd

Try httpry or justniffer

Justniffer works well with TCP packet reordering, retransmissions and IP fragmentation.

Mole24
    Thanks! justniffer is what I was looking for (I think it's the only tool mentioned that is very simple *and* measures request duration). – gkop Dec 08 '11 at 21:24

I would suggest using a dumbed down tcpdump command line that stores everything in a pcap file for post process. Depending on what exactly you are looking at diagnosing tcpflow works great for putting communications back together in a coherent way for analysis.

Some other good information including some usages for httpry can be found at: http://taosecurity.blogspot.com/2008/06/logging-web-traffic-with-httpry.html

ScottZ

There are several tools available on the market designed specially for monitoring the HTTP Traffic. Fiddler2 (http://www.fiddler2.org) and HTTP Debugger Pro are examples of such tools.

    Thanks for your suggestions. Unfortunately, both tools seem to work on Windows only. I hadn't mentioned it, but I'm looking for something that works on Linux. – otto.poellath Jul 21 '10 at 09:30

Does the webserver you're using not produce logs? Surely that'd be a much better way to monitor HTTP traffic, there's a plethora of tools to analyse the data and any competent webserver should produce reliable logs.

JamesHannah
    Clearly. I imagine he already thought of that, though. Sometimes it's useful to monitor the actual data being sent between point A and point B. – tylerl Nov 15 '09 at 06:37

Your "issue" while using TCPDUMP is that it is showing you the content of the packet header.

If you still want to use TCPDUMP just remove the -A. Doing this should remove that from the output.

sudo tcpdump 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'

kenlukas
BANJOSA