lilongen · April 26, 2016 07:07
diff --git a/tcpdump-http-capture b/tcpdump-http-capture
 #dump http response
 tcpdump -s 0 -A 'src port 80 and tcp[((tcp[12:1]&0xf0)>>2):4]=0x48545450'
 tcpdump -s 0 -A 'src port 80 and tcp[((tcp[12:1]&0xf0)>>2):4]='$(python -c "print '0x' + ''.join(hex(ord(i))[2:] for i in 'HTTP')")

 #dump http post request, following two are equal, 0x504f5354 <-> POST
 tcpdump -s 0 -A 'dst port 80 and tcp[((tcp[12:1]&0xf0)>>2):4]=0x504f5354'
 tcpdump -s 0 -A 'dst port 80 and tcp[((tcp[12:1]&0xf0)>>2):4]='$(python -c "print '0x' + ''.join(hex(ord(i))[2:] for i in 'POST')")

 #dump http get request
 tcpdump -s 0 -A 'dst port 80 and tcp[((tcp[12:1]&0xf0)>>2):4]='$(python -c "print '0x' + ''.join(hex(ord(i))[2:] for i in 'GET ')")
 tcpdump -e -s 0 -A 'dst port 80 and tcp[((tcp[12:1]&0xf0)>>2):4]='$(python -c "print '0x' + ''.join(hex(ord(i))[2:] for i in 'GET ')")' and tcp[(((tcp[12:1]&0xf0)>>2)+4):4]='$(python -c "print '0x' + ''.join(hex(ord(i))[2:] for i in '/v1/')")
	#dump http response
	tcpdump -s 0 -A 'src port 80 and tcp[((tcp[12:1]&0xf0)>>2):4]=0x48545450'
	tcpdump -s 0 -A 'src port 80 and tcp[((tcp[12:1]&0xf0)>>2):4]='$(python -c "print '0x' + ''.join(hex(ord(i))[2:] for i in 'HTTP')")

	#dump http post request, following two are equal, 0x504f5354 <-> POST
	tcpdump -s 0 -A 'dst port 80 and tcp[((tcp[12:1]&0xf0)>>2):4]=0x504f5354'
	tcpdump -s 0 -A 'dst port 80 and tcp[((tcp[12:1]&0xf0)>>2):4]='$(python -c "print '0x' + ''.join(hex(ord(i))[2:] for i in 'POST')")

	#dump http get request
	tcpdump -s 0 -A 'dst port 80 and tcp[((tcp[12:1]&0xf0)>>2):4]='$(python -c "print '0x' + ''.join(hex(ord(i))[2:] for i in 'GET ')")
	tcpdump -e -s 0 -A 'dst port 80 and tcp[((tcp[12:1]&0xf0)>>2):4]='$(python -c "print '0x' + ''.join(hex(ord(i))[2:] for i in 'GET ')")' and tcp[(((tcp[12:1]&0xf0)>>2)+4):4]='$(python -c "print '0x' + ''.join(hex(ord(i))[2:] for i in '/v1/')")