How do I filter tcpdump results based on a missing header?

Question

My HAProxy adds 'X-Proto: SSL' as a header to requests that are over HTTPS.

I'd like to use tcpdump to see the 'Host:' header of all requests that do not have that 'X-Proto: SSL' header.

Here's what a sample request looks like with it (captured with sudo tcpdump -AA port 80):

14:06:48.834405 IP x.x.x.x.39989 > hostname.com.http: Flags [P.], seq 1:809, ack 1, win 58, length 808: HTTP: GET /req/?key=value&timeid=52989238 HTTP/1.1
..>........
...
.......GET /req/?key=value&timeid=52989238 HTTP/1.1
Host: r457.hostname.com
Origin: https://originhostname.com
User-Agent: Mozilla/5.0 (Linux; Android 8.1.0; TA-1044 Build/OPR1; wv) AppleWebKit/537 (KHTML, like Gecko) Version/4.0 Chrome/65 Mobile Safari/53;]
Accept: */*
Referer: https://originhostname.com/2018/
Accept-Encoding: gzip, deflate
Accept-Language: es-ES,es-MX;q=0.9,en-US;q=0.8
Cookie: cookieid
X-Requested-With: com.request.lite
X-Proto: SSL
X-Forwarded-For: x.x.x.x

I would like to exclude this and only see the output of:

Host: r457.hostname.com

If the 'X-Proto: SSL' header is not present.

score 0 · Accepted Answer · answered Apr 10 '18 at 21:59

Here's a very hacky solution I came up with but I'm still interested in The Right Way™:

cd /mnt
mkdir -p ngrep/no-ssl
cd ngrep/
sudo ngrep -qW byline port 80 > all-traffic
awk -v RS= '{print > ("request-" NR ".ngrep")}' all-traffic
mv all-traffic ../
for x in $(ls); do if [ $(grep -c 'X-Proto: SSL' $x) -eq 0 ]; then mv $x no-ssl/; fi; done
cd no-ssl/
for x in $(ls); do grep 'Host:' $x; done|sort|uniq

How do I filter tcpdump results based on a missing header?

1 Answers1